DiamondStream Data Security Policy Summary

Overview

This document describes DiamondStream's standard security policy for accessing and interacting with proprietary and third-party client data. It covers the handling of data within DiamondStream's cloud-based data architecture environment, as well as on DiamondStream work stations.

Protect Data in Transit and Data at Rest

Encryption applied to data in transit provides assurance that communication between the client, cloud storage and web servers cannot be intercepted or altered, and authenticates the server the client is talking to. Encryption applied to data at rest protects against the (highly unlikely) case in which a physical disk containing the data is removed from the cloud provider's data center.

Amazon Web Services

I. Data at Rest
   1. All data is encrypted using AES 256-bit server-side transparent encryption.

II. Data in Transit
   1. Clients must use a TLS (SSL) connection for file uploads. One such utility is s3cmd: http://s3tools.org/s3cmd. Because this depends on client behaviour, the receiving bucket's policy should also deny any request made without TLS (condition key aws:SecureTransport equal to false), so that a plaintext upload is refused on the server side rather than merely discouraged.
   2. Transfers between storage, web services and databases are made over TLS using AES 256-bit cipher suites.
   3. File transfers within the virtual private cloud are isolated from networks outside the VPC and no additional encryption is applied to them; their confidentiality therefore rests on the VPC boundary alone.
   4. Processed files sent outside of the DiamondStream Cloud:
      a. From the DiamondStream Cloud to an external cloud distribution site: sent over TLS using AES 256-bit cipher suites.
      b. From the DiamondStream Cloud to Secure FTP: patron data is sent quarterly to outside vendors' SFTP servers for National Change of Address (NCOA) updates and demographic appends, over a Secure Shell (SSH) connection.
      c. From BI application web servers to DiamondStream staff and clients, who view dashboards and reports based on client data: secured with HTTPS.
         i. All reports and data files which BI clients download from BI dashboards are downloaded over HTTPS.
         ii. All reports and data files which BI clients schedule for delivery via email are protected in transit with TLS only if the client's mail server is able to receive encrypted mail; delivery is therefore only as secure as the receiving mail server.
DiamondStream Work Stations and External Clouds

I. Data at Rest
   1. The entire volume of any DiamondStream work station which stores client data is encrypted by full-disk encryption software using AES 256-bit encryption.
   2. Cloud backup: all DiamondStream work stations have automatic file backup to the cloud, encrypted using 128-bit Blowfish transparent encryption. (Blowfish is a legacy cipher with a 64-bit block size; AES-256 should be selected for backups wherever the backup software offers it.)
   3. File sharing applications: DiamondStream uses cloud-based file sharing solutions to share files internally, which apply AES 256-bit encryption.
   4. External cloud distribution sites: the Online File Folder server is partitioned to create a mount point that contains only DiamondStream data and that only DiamondStream users can access.

II. Data in Transit
   1. Cloud backup data is encrypted using 128-bit Blowfish encryption prior to transfer, and is then sent to the cloud over TLS.
   2. File sharing application data is sent to the cloud over TLS using AES 256-bit cipher suites.
   3. Connections from DiamondStream work stations to DiamondStream cloud-based web servers: remote connections are required to kick off processing, query data, etc. All such connections are made via SSH or RDP.
   4. All data files outside of BI dashboards which must be shared with clients, vendors, or any other authorized third parties may only be shared through password-protected external links on the external cloud distribution site. Shared links are generated from a unique hash (an unguessable token), so a link cannot be modified to reach any other part of the data stored in the site's Online File Folder.
   5. Very large data files which cannot easily be shared via the external cloud distribution site may be shared via DiamondStream-authorized memory cards. Memory cards must be securely wiped after each use.

Strong Access Control Measures

DiamondStream puts restrictions in place to ensure that only authorized users have access to the data at any stage of the DiamondStream data ecosystem. This includes source traffic controls via the VPC and firewalls, and user access restrictions on the DiamondStream cloud and on DiamondStream work stations.

VPC and Firewalls

Most components of the DiamondStream cloud are inside a VPC. The VPC restricts traffic to and from each web server and database to other machines inside the VPC only. The exceptions which enable DiamondStream staff to connect remotely to these machines are governed by route tables, subnets and security groups.

Usernames and Passwords

I. Amazon Web Services: Identity and Access Management (IAM)
   1. Privileges
      a. Users receive only the privileges required to perform their daily tasks.
   2. Authentication
      a. User passwords are set according to best-practice policies.
      b. The root and admin users' Access Keys and Secret Keys are not used directly by any process. Instead, separate users holding only the minimum permissions required to establish a remote connection and perform the processing steps are used, for additional security.

II. DiamondStream Work Stations & Other Portals
   1. All DiamondStream work stations are password-protected and all passwords must satisfy best-practice standards.
   2. All DiamondStream employee phones have password protection enabled.
   3. Customer passwords for accessing BI dashboards through the DiamondStream website portal must satisfy the WordPress secure password policy and best practices.
   4. All other passwords for DiamondStream-related accounts, or for communications containing sensitive information, are auto-generated by password management software and must satisfy the best-practice criteria (no vendor-supplied defaults are allowed).

Maintain a Vulnerability Management Program

This section discusses DiamondStream's policies and practices for ensuring ongoing protection of data from security threats. This includes using anti-virus software, keeping all software updated, storing keys and passwords in a safe place and rotating them regularly, and managing the archival and destruction of stored data.

I. All DiamondStream work stations and web servers have anti-virus software installed.

II. Software updates
   1. All anti-virus software is to be updated regularly, and new licenses purchased no later than 30 days before expiration of the current license.
   2. All database software is to be updated as updates are released.
   3. Java plug-ins are to be disabled in all browsers.
   4. All other software (e.g. browsers) is also to be updated as new releases become available, to pick up the latest security patches.

III. Password, Access/Secret Key and Web Server Private Key Storage and Rotation
   1. Storage of access keys and secret keys, web server private keys, and other DiamondStream system/account passwords
      a. All DiamondStream login details, except web server private keys, are stored in a password vault protected by a master password. Each DiamondStream employee must have a password vault account and create their own master password, which is not to be shared with anyone. Login details are encrypted locally with AES 256-bit encryption before being sent to the password vault.
      b. Web server private keys (the SSH/RDP credentials used to reach the web servers) are saved only on the work stations of employees who work directly with the web servers. In such cases the keys are protected by the work station's AES 256-bit full-volume encryption described above.
      c. Browser settings which save login details for future use must be disabled. Usernames and passwords must be entered manually each time a login is required; alternatively, password vault auto-fill may be used, but the vault must be locked between browser sessions.
   2. Password and key rotation
      a. The following types of keys require yearly rotation:
         i. Transparent encryption keys which are stored in the DiamondStream cloud and used to encrypt data at rest.
         ii. Web server private keys for remote connection from DiamondStream work stations via SSH/RDP.
         iii. All Access Keys/Secret Keys except those of the root account (which are never used by any process; the stronger position is that the root account should hold no access keys at all).
         iv. PGP keys used to share data with authorized third-party vendors for National Change of Address updates and demographic appends.
         v. Encryption software private keys for DiamondStream work stations.
      b. All other active DiamondStream passwords require rotation every 90 days. Note that this excludes client passwords for the DiamondStream website portal. While DiamondStream auto-generates the original password for each new client, it is each client's responsibility to enforce a secure password storage and rotation policy going forward. A breach of a client's password exposes only that client's data; it does not give an unauthorized user access to any other client's information.

IV. Archival and Destruction of Stored Data
   Data will be archived and destroyed per the following:
   1. Data files stored on external cloud distribution sites and shared via password-protected public links: these files are available at the link provided for one month from upload; after that they are deleted from the distribution site.
   2. Data files shared with vendors for specific contracts must be destroyed by overwriting upon termination of those contracts, and proof of destruction must be provided to DiamondStream. To provide that proof, the vendor must give DiamondStream access to a sample of the storage on which the data was previously held, so that its destruction can be verified.
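The rotation periods and exemptions in section III.2 above are easy to state and easy to let slip. The following Python script is an added example for this summary, not DiamondStream's own tooling: it audits a credential inventory against those periods, skips inactive credentials and client-portal passwords as the policy does, and flags a root access key as a finding in its own right. The inventory is constructed sample data; the "access-key" records use the field names returned by `aws iam list-access-keys` (UserName, AccessKeyId, Status, CreateDate), while the "Kind" and "ClientPortalAccount" fields, the records for the other credential classes, and the `<root_account>` naming (as used in the IAM credential report) are assumptions of the example.

```python
"""Rotation-age audit for the credential classes listed in section III.2.

Added example; not part of the DiamondStream policy text. The "access-key"
records use the field names returned by `aws iam list-access-keys`
(UserName, AccessKeyId, Status, CreateDate). The "Kind" and
"ClientPortalAccount" fields, the records for the other credential classes
and the whole inventory below are constructed for this example.
"""
from datetime import datetime, timezone

# Rotation periods from section III.2, in days.
ROTATION_DAYS = {
    "transparent-encryption-key": 365,
    "webserver-private-key": 365,
    "access-key": 365,
    "pgp-key": 365,
    "workstation-encryption-key": 365,
    "password": 90,
}

# Constructed sample inventory (key IDs are placeholders).
SAMPLE_INVENTORY = [
    {"Kind": "access-key", "UserName": "etl-processor", "AccessKeyId": "AKIAEXAMPLE000001",
     "Status": "Active", "CreateDate": "2023-01-15T00:00:00+00:00"},
    {"Kind": "access-key", "UserName": "<root_account>", "AccessKeyId": "AKIAEXAMPLE000002",
     "Status": "Active", "CreateDate": "2020-06-01T00:00:00+00:00"},
    {"Kind": "access-key", "UserName": "bi-reporter", "AccessKeyId": "AKIAEXAMPLE000003",
     "Status": "Inactive", "CreateDate": "2022-11-02T00:00:00+00:00"},
    {"Kind": "password", "UserName": "analyst1", "Status": "Active",
     "CreateDate": "2023-09-01T00:00:00+00:00"},
    {"Kind": "password", "UserName": "portal-client-acme", "Status": "Active",
     "CreateDate": "2022-01-01T00:00:00+00:00", "ClientPortalAccount": True},
    {"Kind": "pgp-key", "UserName": "ncoa-vendor", "Status": "Active",
     "CreateDate": "2023-12-01T00:00:00+00:00"},
]

# How the root account is named in the inventory (assumption; the IAM credential
# report uses "<root_account>").
ROOT_NAMES = {"root", "<root_account>"}


def audit(inventory, today):
    """Return (overdue, findings).

    overdue:  [(kind, user, days_past_limit)] for active credentials older than
              their rotation period, in inventory order.
    findings: non-age violations, i.e. the root account holding an access key at all.
    """
    overdue, findings = [], []
    for item in inventory:
        kind, user = item["Kind"], item["UserName"]
        if kind == "access-key" and user in ROOT_NAMES:
            # Section III.2.a exempts root keys from rotation because they are never
            # used by any process; the stronger position is that none should exist.
            findings.append(f"root account holds access key {item['AccessKeyId']}; delete it")
            continue
        if item.get("ClientPortalAccount"):
            continue  # client portal passwords are the client's responsibility (III.2.b)
        if item.get("Status") != "Active":
            continue  # only active credentials are in scope
        created = datetime.fromisoformat(item["CreateDate"]).astimezone(timezone.utc)
        age_days = (today - created).days
        limit = ROTATION_DAYS[kind]
        if age_days > limit:
            overdue.append((kind, user, age_days - limit))
    return overdue, findings


def audit_sample(as_of="2024-03-01"):
    """Run the audit over the constructed inventory as of the given UTC date."""
    today = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    return audit(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    overdue, findings = audit_sample()
    for kind, user, late in overdue:
        print(f"ROTATE  {kind:<12} {user:<20} {late} days past limit")
    for f in findings:
        print(f"REMOVE  {f}")
```

Run as of 2024-03-01, the sample reports the etl-processor access key 46 days past its yearly limit, the analyst1 password 92 days past its 90-day limit, and the root access key as a finding; the inactive key and the client-portal password are skipped. In practice the inventory would be built from `aws iam list-access-keys` (or the credential report) plus whatever records the vault and key-management tooling export.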
Regularly Monitor and Test Networks; Enforce Security Standards

This section discusses the ongoing practices which must be applied to ensure that data systems remain secure and that all DiamondStream employees and partners comply with the DiamondStream Data Security Policy.

I. Testing User and Firewall Access Points
   1. Users: a policy simulator (e.g. the AWS IAM Policy Simulator) will be run against every user whose permissions have been altered in any way, to confirm that the changes still provide exactly the level of access the user's purpose requires and nothing more.
   2. Firewall/Security Groups: security group settings will be tested with Nmap (a network scanner used to discover hosts and the services they expose) to verify that only the necessary ports are open on each machine and that only authorized IP addresses have inbound access. The scan must be run from both an authorized and an unauthorized source address, since a rule that restricts the source cannot be confirmed from an allowed address alone.

II. Related security policies
   In addition to the DiamondStream Data Security Policy, the following documents define security standards for employees and vendors, respectively.
   1. DiamondStream Employee Security Agreement: covers use of work stations, data, security best practices, and ethics. Requires employee signature.
   2. DiamondStream Vendor Security Agreement: covers requirements for the vendor to protect the information, to limit access to those who must access it in order to perform the tasks under contract, to destroy data and provide proof of destruction at the end of the contract, and to notify DiamondStream if there is a potential security breach. Requires vendor signature.
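The Nmap check in the "Testing User and Firewall Access Points" section above is only as good as the comparison made afterwards. The following Python script is an added example for this summary, not DiamondStream's own tooling: it parses Nmap's grepable output (the `-oG` format, where each "Host:" line carries tab-separated fields and port entries are written as port/state/protocol/owner/service/rpc-info/version) and diffs the ports observed open on each host against an allowlist, reporting both ports that should not be reachable and ports that should be but are not. The host names, addresses, allowlists and both scan outputs below are constructed for the example; the two scans stand for the same hosts seen from an authorized and from an unauthorized source address, each checked against the allowlist that applies to that source.

```python
"""Check an Nmap grepable (-oG) scan against the ports each host is allowed to expose.

Added example; not part of the DiamondStream policy. Host names, addresses,
the allowlists and both scan outputs below are constructed for the example.
A real run would be, e.g.:  nmap -sS -p- -oG scan.gnmap 10.0.1.0/24
executed from an authorized and from an unauthorized source address, with each
result file fed to verify_scan() together with the allowlist for that source.
"""
import re

# Constructed -oG output as seen from an address the security groups authorize.
# Tabs separate the fields, exactly as Nmap writes them.
SCAN_FROM_AUTHORIZED = """\
# Nmap 7.94 scan initiated Mon Mar  4 10:00:00 2024 as: nmap -sS -p- -oG - 10.0.1.0/24
Host: 10.0.1.10 (web-1.vpc.internal)\tStatus: Up
Host: 10.0.1.10 (web-1.vpc.internal)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65532)
Host: 10.0.1.20 (db-1.vpc.internal)\tStatus: Up
Host: 10.0.1.20 (db-1.vpc.internal)\tPorts: 5432/open/tcp//postgresql///, 22/filtered/tcp//ssh///\tIgnored State: filtered (65533)
# Nmap done at Mon Mar  4 10:03:00 2024 -- 256 IP addresses (2 hosts up) scanned
"""

# Constructed -oG output for the same hosts as seen from an unauthorized source address.
SCAN_FROM_UNAUTHORIZED = """\
Host: 10.0.1.10 (web-1.vpc.internal)\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65533)
Host: 10.0.1.20 (db-1.vpc.internal)\tPorts: 5432/open/tcp//postgresql///\tIgnored State: filtered (65534)
"""

# Allowlists per source class (assumed for the example): SSH and HTTPS on the web
# server and SSH plus PostgreSQL on the database from authorized addresses; only
# public HTTPS on the web server, and nothing on the database, from anywhere else.
EXPECTED_FROM_AUTHORIZED = {"10.0.1.10": {22, 443}, "10.0.1.20": {22, 5432}}
EXPECTED_FROM_UNAUTHORIZED = {"10.0.1.10": {443}, "10.0.1.20": set()}

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# Port entries are port/state/protocol/owner/service/rpc-info/version.
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Map each scanned host to the set of TCP ports Nmap reported as open."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blanks
        fields = line.split("\t")
        host = HOST_RE.match(fields[0]).group(1)
        open_ports.setdefault(host, set())  # a host that is up with no open ports still counts
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                m = PORT_RE.match(entry.strip())
                if m and m.group(2) == "open" and m.group(3) == "tcp":
                    open_ports[host].add(int(m.group(1)))
    return open_ports


def verify_scan(text, expected):
    """Compare observed open ports with the allowlist for this scan's source.

    Returns {host: {"unexpected": ports open but not allowed,
                    "missing": ports allowed but not observed open}}
    for hosts that deviate only. A host present in the scan but absent from
    the allowlist is reported with every open port as unexpected.
    """
    observed = parse_grepable(text)
    deviations = {}
    for host in set(observed) | set(expected):
        seen = observed.get(host, set())
        allowed = expected.get(host, set())
        unexpected, missing = seen - allowed, allowed - seen
        if unexpected or missing:
            deviations[host] = {"unexpected": unexpected, "missing": missing}
    return deviations


if __name__ == "__main__":
    for label, text, allow in (("authorized", SCAN_FROM_AUTHORIZED, EXPECTED_FROM_AUTHORIZED),
                               ("unauthorized", SCAN_FROM_UNAUTHORIZED, EXPECTED_FROM_UNAUTHORIZED)):
        for host, d in sorted(verify_scan(text, allow).items()):
            print(f"[{label} source] {host}: unexpected open {sorted(d['unexpected'])}, "
                  f"expected but not open {sorted(d['missing'])}")
```

On the constructed data the authorized-source scan shows RDP (3389) open on the web server where only SSH and HTTPS are allowed, and SSH on the database filtered where it should be reachable; the unauthorized-source scan additionally shows PostgreSQL (5432) reachable from an address that should see nothing on that host. The second result is the one a scan from an allowed address alone would never surface.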