Level I - Public. Technical Portfolio. Revised: July 2015

Transcription

1 Level I - Public Technical Portfolio Revised: July 2015

2 Table of Contents 1. INTRODUCTION About Imaginatik Taking Information Security Seriously 3 2. DATA CENTER SECURITY Data Center Requirements Business Continuity and Backup Physical Security Environmental Controls Fire Suppression Power Management 4 3. SYSTEM DESIGN Security Infrastructure Performance Virus Protection and Patching System Monitoring Change Management 6 4. SECURITY MANAGEMENT Security Framework Regulations Dedicated Information Security Officer User Authentication and Data Security System Access Management Legal Requirements 7

3

4 1. Introduction 1.1 About Imaginatik Imaginatik is the leading provider of innovation management solutions to the world s top organizations. Since 1996 Imaginatik has deployed hundreds of software installations with our proprietary innovation technology, Innovation Central. This platform helps harness an organization s creative minds and helps them collaborate to solve its most pressing issues. As such, Imaginatik is well-versed in managing top-level ideas that will become the next big competitive advantages for an organization. This document provides details about the security practices at Imaginatik that makes this idea management possible. To discover what Imaginatik can do for your organization visit. 1.2 Taking Information Security Seriously Imaginatik regards Information as a major corporate asset, which is to be protected and safeguarded in the same way as more tangible assets such as cash and other forms of intrinsic value. Information and the supporting processes, systems and networks are important business assets. Both the information and the technology are subject to various threats that, if realized, could result in direct financial loss to Imaginatik and its customers. At Imaginatik we have established strong security controls to prevent this. 2. Data Center Security 2.1 Data Center Requirements Imaginatik only uses data centers that are capable of meeting our customers stringent requirements. The data centers that we use are hosted in the US and the UK by organizations that are regularly audited and are either SOC-2 type II certified, SSAE 16 type II (formerly SAS 70) attested or ISO27001:2005 and ISO 9001:2008 certified. These provide us with network connectivity and dedicated servers ensuring that your data is held securely, enabling you to meet any compliance issues you may face in regards to audits your security team may otherwise require. The following is an example of some of the areas tested, examined and documented during the certification audits: Data Control, Security, Environmental Controls, Fire Suppression, UPS and Diesel Generator Backup, Physical Access Controls, Human Resource and Personnel Controls, Infrastructure, Bandwidth.

5 Our US data center is also Safe Harbor compliant. 2.2 Business Continuity and Backup Imaginatik has two data center providers, which allows us many options when it comes to disaster recovery. Daily off-site backups ensure that we have the ability to recover and rebuild customer environments even in the event of total loss of one data center. Interruptions to our service are extremely rare, most commonly being caused by network issues between the customer network and the Imaginatik data center concerned. In the event of a problem affecting a customer server, we will do everything possible to recover the service as quickly as possible. If this takes longer than a few minutes, the customer concerned will be notified and kept informed until normal service is resumed. If the service interruption looks likely to be extended then we will start to restore the existing environment on a server in the other data center. This will then normally be available for use within 72 hours of the disaster, although the annual Disaster Recovery test consistently shows restoration could be 24 hours, or less. The data used will be no more than one day out of date. 2.3 Physical Security The entire data center is monitored 24x7 by security cameras and on-site staff. Cameras are positioned at every entrance, each and every rack isle and customer cage areas. All security cameras are recorded. Card access controls, biometric identification and security guards are also in place to prevent unauthorized access. 2.4 Environmental Controls Indoor cooling systems provide precise, reliable control of the data center temperature, humidity, and airflow that improves operating conditions for sensitive electronic equipment. 2.5 Fire Suppression To prevent accidental sprinkler discharge, the data center is equipped with a zoned, dry-pipe, pre-action sprinkler system that requires two or more sensors to activate. 2.6 Power Management The US data center building is served by three ultra reliable underground grids configured in a spot network that allows any one grid to drop without interruption to the building power supply. An uninterruptible power supply (UPS) is maintained that insures against short-term interruptions of power. UPS's also regulate the quality of power so that all equipment receives constant line voltage.

6 The UK data center gets its power from dual independent power feeds, backed up by dual battery string Uninterrupted Power Supplies (UPS) systems (deployed as standard). It also features 6 x DELPHYS MX 3 phase 500 kva UPS from Socomec, providing fault tolerant architecture with built in N+1 redundancy. Put simply, if the world were to end, the data centers could still function for another 2 days! 3. SYSTEM DESIGN 3.1 Security Infrastructure Imaginatik offers a very comprehensive platform that makes use of the latest security features including: Continuous Availability - All customer environments use clustered servers with automatic failover, so that any outage on one server won t cause an interruption to your service. Optimized Performance - We make extensive use of load balancers to ensure consistently fast response times especially during peak usage. Network Security - Our networks are protected by powerful firewalls configured to follow industry best practices for network ingress/egress security. We also implement intrusion detection / prevention systems to protect our service. Advanced Content Distribution A huge network of over 95,000 servers deployed worldwide provide a secure, fast and reliable path to our data centers, ensuring that you get the fastest possible response times wherever your users are located. In addition, a monitoring system analyzes all activities on servers and triggers notifications to our engineers to quickly assess and respond to any service disruption issues or other events. Powerful encryption is utilized ensuring data within Innovation Central is protected both in transit and rest. 3.2 Performance Service availability for Innovation Central is an impressive 99.9%, excluding scheduled maintenance periods. We measure end-to-end response times not just as measured in our data centers, but right out to the end user on your network. Our target is to have key pages in Innovation Central load in less than two seconds on average. Our technology allows us to identify those customers whose networks are most in need of improvement, compared to those customers who are achieving very fast response times. This improves participation and enables those customers to get better results from their challenges.

7 3.3 Virus Protection and Patching Virus protection is enabled on all servers and is updated on a daily basis. Operating System patches are installed at least monthly. Application server patches are promptly installed, to allow our customers to benefit from improvements to the core software. 3.4 System Monitoring Network and server infrastructure is monitored for performance and outages. Technical staff are automatically notified if and when an outage or performance problem occurs. Customers are immediately notified of any incidents affecting their data. 3.5 Change Management All modifications to the production environment follow a documented change control procedure that describes the migration path from development to test to production. 4. SECURITY MANAGEMENT 4.1 Security Framework Regulations Our Policies and Procedures are based on ISO Standard 27002, which is a set of best practices to be adopted by organizations in order to implement proper information security. All members of Imaginatik staff have a responsibility to ensure the data they are exposed to is protected to the best of their abilities. The Information Security Policies that provide directions on how to achieve this are written in line with ISO This demonstrates to your security team that adequate safeguards and controls are in place to an international recognized standard for managing and processing data belonging to our customers. 4.2 Dedicated Information Security Officer Imaginatik employs a dedicated Information Security Officer who has over nine years experience of information security within a financially regulated environment. The Information Security Officer is responsible for advising the Company on all security matters, managing the overall strategic security program, performing security reviews, and ensuring non public client and company data is adequately protected. A key part of the Information Security Officer s role is the education of staff. This is achieved by performing security training which includes password management, secure management of client data, physical security of company equipment, management, internet usage and mobile computing.

8 4.3 User Authentication and Data Security Security has always been an integral part of Imaginatik s system design and quality assurance. The key security principles of Innovation Central include: Detailed role-based data security and authorization model. We have eight different roles available, allowing program administrators to configure access privileges to exactly the way they want them. User access management is fully delegated to the Innovation Central program administrators, ensuring that someone from your organization can configure security settings at any time. Password management (also configurable within Innovation Central) is based on bestpractice requirements and can be set to match your policies. User Administration. The administrator can manage user accounts directly. Users may also self-register. Self-registration can be limited to only individuals whose address domain matches a pre-selected list or it can be wide open. After a user self-registers; a validation is sent the user instructing them to click on a secured link which activates their account. If desired, we can establish a Single-Sign-On (SSO) access scheme that will allow you to use the login information in your own directory. Imaginatik has extensive experience in implementing SSO for Innovation Central with various systems. In most implementations, SAML 2.0 is used to provide SSO. 4.4 System Access Management Only Imaginatik employees who have a valid business reason (along with the clients approval when required) are granted access to client data. This is controlled by two-factor authentication using a One Time Password (OTP) and end-to end encryption. This gives the user access to a Secure Management Console (SMC) where client data can be accessed but cannot be downloaded onto the users computer or any other type of removal media device. 4.5 Legal Requirements Information in all its forms, particularly information about our clients, is one of the Company s most valuable assets. The security of that information and the adherence to the legal requirements around its storage and use is of paramount importance. In addition to regulatory requirements, Imaginatik has a strict information-protection policy to which every employee is required to adhere. Employees are also bound by a contract and Non Disclosure Agreement (NDA) and undergo full background checks during the new hire on-boarding process.