The Education Fellowship Finance Centralisation IT Security Strategy

Transcription

1 The Education Fellowship Finance Centralisation IT Security Strategy Introduction This strategy outlines the security systems in place to optimise, manage and protect The Education Fellowship data and systems as part of the finance centralisation strategy. The centralised finance system will be securely hosted on the Capita SIMS Azure servers and accessed through Windows 7 workstations securely protected by Norton 360 technology. Norton 360 This is the Norton's latest security suite. It was released on September 4, 2013, together with the newest Norton Antivirus and Norton Internet Security products. It is updated against potential threats in real time. Norton 360 is an antivirus solution developed on SONAR technology, which detects threats, blocks them, and removes them. This is achieved through three out of five layers of shields: Threat Monitoring, Threat Removal, and Network Defence, the last one dealing with online threats before they can actually reach the user s computer. Protection is also granted through analysing the behaviour of known menaces. Another important aspect derives from stealth capabilities, as the five shields work silently in the background, performing scans, updates and back-ups automatically. Browser Protection and Download Insight also protect against dangerous applications, warning the user about eventual threats before running them on the computer. Norton 360 is configured to manage the following workstation functions: 1. Antivirus (virus, adware, malware etc) 2. Firewall 3. Antispam 4. Identity protection 5. Backup 6. System diagnostics 7. Registry management 1

2 Privacy Privacy is one of the foundations of Microsoft's Trustworthy Computing. Microsoft has guaranteed privacy to The Education Fellowship, which is an integral part of their product and service lifecycle. They have assured transparency in their privacy practices, ensuring meaningful privacy choices and guarantees for the responsible management of the data that they store. The Microsoft Privacy Principles, their specific privacy statements and their internal privacy standards guide how they collect, use and protect The Education Fellowship Data. General information about cloud privacy is available from the Microsoft Privacy website. They have also published a white paper Privacy in the Cloud to explain how Microsoft is addressing privacy in the realm of cloud computing. The Microsoft Azure Privacy Statement describes the specific privacy policy and practices that govern The Education Fellowship s use of Azure. Location of The Education Fellowship Data Microsoft currently operates Azure in data centres around the world. The Education Fellowship data is stored in redundant data centres in Ireland and the Netherlands. These are compliant with International, European and British law. Design and Operational Security On behalf of The Education Fellowship, Microsoft has implemented industryleading best practices in the design and management of online services, including: 1. Security Centres of Excellence. The Microsoft Digital Crimes Unit, Microsoft Cybercrime Centre and Microsoft Malware Protection Centre provide insights into evolving global security threats. 2. Security Development Lifecycle (SDL). Since 2004, all Microsoft products and services have been designed and built from the ground up using its Security Development Lifecycle a comprehensive approach for writing more secure, reliable and privacy-enhanced code. 3. Operational Security Assurance (OSA). The Microsoft OSA programme provides an operational security baseline across all major cloud services, helping ensure that key risks are consistently mitigated. 4. Assume Breach. Specialised teams of Microsoft security engineers use pioneering security practices and operate with an "assume breach" 2

3 mindset to identify potential vulnerabilities and proactively eliminate threats before they become risks to customers. 5. Incident Response. Microsoft operates a global 24/7 event and incident response team to help mitigate threats from attacks and malicious activity. Security Controls and Capabilities Microsoft Azure has delivered a trusted foundation on which The Education Fellowship can design, build and manage its own secure cloud applications and infrastructure. These foundations include: hour monitored physical security. Data centres are physically constructed, managed and monitored to shelter data and services from unauthorised access as well as environmental threats. 2. Monitoring and logging. Security is monitored with the aid of centralised monitoring, correlation and analysis systems that manage the large amount of information generated by devices within the environment and provide timely alerts. In addition, multiple levels of monitoring, logging and reporting are available to provide visibility to The Education Fellowship. 3. Patching. Integrated deployment systems manage the distribution and installation of security patches. The Education Fellowship can apply similar patch management processes for Virtual Machines deployed in Azure. 4. Antivirus/Antimalware protection. Microsoft Antimalware is built into Cloud Services and can be enabled for Virtual Machines to help identify and remove viruses, spyware and other malicious software and provide real-time protection. The Education Fellowship can also run antimalware solutions from partners on Virtual Machines. 5. Intrusion detection and DDoS. Intrusion detection and prevention systems, denial of service attack prevention, regular penetration testing and forensic tools help identify and mitigate threats from both outside and inside of Azure. 6. Zero standing privileges. Access to The Education Fellowship data by Microsoft operations and support personnel is denied by default. When granted, access is carefully managed and logged. Data centre access to the systems that store customer data is strictly controlled via lockbox processes. 7. Isolation. Azure uses network isolation to prevent unwanted communications between deployments and access controls block unauthorised users. Virtual Machines do not receive inbound traffic 3

4 from the Internet unless The Education Fellowship configures them to do so. 8. Azure Virtual Networks. The Education Fellowship may choose to assign multiple deployments to an isolated Virtual Network and allow those deployments to communicate with each other through private IP addresses. 9. Encrypted communications. Built-in SSL and TLS cryptography enables The Education Fellowship to encrypt communications within and between deployments, from Azure to on-premises data centres and from Azure to administrators and users. 10. Private connection. The Education Fellowship can use ExpressRoute to establish a private connection to Azure data centres, keeping their traffic off the Internet, if required. 11. Data encryption. Azure offers a wide range of encryption capabilities up to AES-256, giving The Education Fellowship the flexibility to implement the methods that best meet its needs. 12. Identity and access. Azure Active Directory enables The Education Fellowship to manage access to Azure, Office 365 and many other other cloud apps. Multi-Factor Authentication and access monitoring offer enhanced security. Penetration Testing Microsoft conducts regular penetration testing to improve Azure security controls and processes. Microsoft acknowledges that security assessment is also an important part of The Education Fellowship s application development and deployment. Therefore, they have established a policy for The Education Fellowship to carry out authorised penetration testing on its centralised Finance applications hosted in Azure. Because such testing can be indistinguishable from a real attack, it is critical that The Education Fellowship conducts penetration testing only after obtaining approval in advance from Azure Customer Support. Penetration testing must be conducted in accordance with Microsoft s terms and conditions. Requests for penetration testing should be submitted with a minimum of 7 days' advanced notice. Compliance By providing The Education Fellowship with compliant, independently verified cloud services, Microsoft has assured compliance for the infrastructure and applications that are run in Azure. Microsoft provides The Education Fellowship with detailed information about security and compliance 4

5 programmes, including audit reports and compliance packages, to help The Education Fellowship to assess services against its own legal and regulatory requirements. In addition, Microsoft has developed an extensible compliance framework that enables it to design and build services using a single set of controls to speed up and simplify compliance across a diverse set of regulations and rapidly adapt to changes in the regulatory landscape. The Education Fellowship has checked and is assured of security compliance against the following relevant legal and regulatory requirements. Please note that these include British, European and International (including US) protocols as potential threats could be global ISO 27001/ SOC 1/SSAE 16/ISAE 3402 and SOC 2 3. Cloud Security Alliance CCM 4. FedRAMP 5. FISMA 6. FBI CJIS (Azure Government) 7. PCI DSS Level 1 8. United Kingdom G-Cloud 9. Australian Government IRAP 10. Singapore MTCS Standard 11. HIPAA 12. EU Model Clauses 13. Food and Drug Administration 21 CFR Part FERPA 15. FIPS CCCPPF 17. MLPS Regulated environments of Office 365 Current versions of Office 365 are robust and offer a number of enterprisegrade features and functions. In addition, Microsoft has made Office 365 compatible with a number of important international standards and other requirements as verified by various third parties, further enhancing its potential for use by enterprise customers including: 1. The US federal Information Security Management Act (FISMA) 2. Business Associate Agreements under the Health Insurance Portability and Accountability ACT (HIPAA) 3. The Gramm-Leach-Billey Act (GLBA) 4. The Family Educational Rights and Privacy Act (FERPA) 5. Title 21 CFR Part 11 of the US Code of Federal Regulations

6 6. The US federal Information Processing Standard (FIPS) Trusted Internet Connections (TIC) 8. International Organisation for Standardisation (ISO) European Union (EU) Safe Harbour and Data Protection Directive Model Clauses The result is that our Education Fellowship systems may be used in regulated environments within the UK and the more widely in the European Union. 6