Fact Sheet FOR PHARMA & LIFE SCIENCES




PATHWAY STUDIO WEB SECURITY OVERVIEW

Pathway Studio Web is a comprehensive collection of information with powerful security features to ensure that your research is safe and secure.

Security Overview of Pathway Studio Web

The security and integrity of information that transits the Pathway Studio interface and server are of critical importance for our customers. Elsevier is committed to providing strong, industry-standard security systems to ensure the availability, confidentiality, and integrity of data, including intellectual property and sensitive personal information. Well-established information security policies, processes, and standards are in place within Elsevier, with systems that are maintained at a secured site to ensure around-the-clock protection.

PATHWAY STUDIO ENVIRONMENT

Pathway Studio is hosted at the LexisNexis Computing Complex in Dayton, Ohio, one of the largest data centers of its kind in the United States. That leading-edge facility contains some of the most sophisticated servers, software, and telecommunications equipment in the world. Support is provided 24/7, year round, and covers everything from automatic system updates to routine and emergency maintenance. Access to the data centers is restricted to cleared individuals with an approved business need. Elsevier office locations, and specifically the data centers within these locations, are built with physical security in place that may include roaming security guards.

PATHWAY STUDIO MONITORING AND SUPPORT

The data center is constantly monitored by a team of system specialists and by monitoring software at both the hardware and application levels. In addition, the Pathway Studio system is continuously monitored and maintained by two designated Pathway Studio system administrators, one located in Rockville, MD, and the other in Frankfurt, Germany, ensuring 24-hour application-specific support for this system.

ARCHITECTURE AND NETWORK SECURITY

To ensure comprehensive and effective network security, Elsevier employs a defense-in-depth approach. Packet filtering, firewalls, and access control devices limit access to Elsevier's e-products. Intrusion detection and prevention devices filter out specific types of unwanted traffic. The Elsevier network is monitored constantly by automated and manual means, with support provided around the clock, as described in the previous section.

Redundancy and fault tolerance are guiding principles of the Pathway Studio architecture. The Elsevier network design uses redundant components and connections to ensure high availability. Several independent internet service providers ensure continuous connectivity to the LexisNexis operation. LexisNexis firewalls and load balancers distribute incoming requests across a cluster of Dell PowerEdge Linux servers connected to the LexisNexis SAN infrastructure, providing high availability and fast data access.

ACCESS CONTROL

Pathway Studio supports two access methods, username/password and site-wide IP authentication, depending on the terms of the client's license agreement. Both authentication methods require the Elsevier license administrator to check the validity of customer and user data before creating usernames or accepting IP ranges. That extra layer of review over the two access options ensures that safety does not take a back seat to quick user access. The process for each method of authentication is detailed below.

Username / Password Authentication

Typically, users self-register through the standard Pathway Studio interface, but user accounts can also be created through the Pathway Studio administration interface by the license administrator. In either case, usernames are unique throughout the whole system. The administrator establishes the user's access credentials, and the password is then chosen by the user. The password must satisfy the following rules:

- Password must meet a minimum length criterion
- Password must contain a minimum number of non-letter (number or symbol) characters
- Password must not match any of several easily guessed values related to the user's personal information

Pathway Studio uses state-of-the-art algorithms and processes for password storage. User passwords are not stored directly in the authentication database; instead, a digest value calculated from the password plus an undisclosed salt value is held. The digest function is one-way: it is widely considered in the information security industry to be irreversible, so the password cannot be recovered from the stored value. The login process calculates the equivalent digest from the submitted password and allows authentication only if the two match. The password submitted during login is then immediately discarded.

When the user accesses Pathway Studio, the application server intercepts the request and displays a login page. The user enters the username and password into the login page. If the username and password belong to a user whose role is allowed to access Pathway Studio, the starting screen (main page) is displayed. Only users with the correct role can access Pathway Studio; all others are blocked at the application server level.

IP authentication

Companies or institutions that want unlimited site-wide access to Pathway Studio are required to provide a public IP address or IP range to Elsevier. Pathway Studio uses this address or range to ensure that anonymous user access is restricted to that specific site or system IP range. When a user from a company or institution with site-wide access attempts to access Pathway Studio, the application server intercepts the request and immediately displays the main page without presenting a login dialog. Only users within the given range of IP addresses can access Pathway Studio; all others are blocked at the application server level.
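The two access methods above, written out as an added example (this is illustrative code, not Elsevier's implementation, and the fact sheet does not name the digest algorithm). It assumes PBKDF2-HMAC-SHA256 with a per-user random salt plus a server-side secret standing in for the sheet's "undisclosed salt", constructed policy thresholds, a constructed site licence table, a constructed load-balancer range, and a role named `pathway_studio`. The IP path includes the check a practitioner wants when IP authentication sits behind a load balancer: the client address is taken from `X-Forwarded-For` only when the connecting peer is one of our own proxies, because otherwise the header is attacker-controlled and any visitor could claim a licensed address.

```python
"""Pathway Studio-style access control: salted password digests and
site-wide IP-range authentication. Added example with assumed parameters."""
import hashlib
import hmac
import ipaddress
import os

# The sheet's "undisclosed salt": a server-side secret kept OUT of the auth
# database. Assumed value; load it from a secrets store in production.
SERVER_PEPPER = b"example-pepper-not-for-production"
PBKDF2_ITERATIONS = 200_000          # assumed work factor (~0.1 s per hash)
MIN_LENGTH = 10                      # assumed policy thresholds
MIN_NON_LETTERS = 2


def check_password_policy(password, personal_info):
    """Return the violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if sum(not c.isalpha() for c in password) < MIN_NON_LETTERS:
        problems.append("too few non-letter characters")
    lowered = password.lower()
    for item in personal_info:       # name, e-mail local part, birth year, ...
        item = item.lower()
        if len(item) >= 3 and (item in lowered or lowered in item):
            problems.append("related to personal information: " + item)
    return problems


def hash_password(password, salt=None):
    """Stored value = per-user salt + digest(pepper || password); one-way."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", SERVER_PEPPER + password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest from the submitted password; constant-time compare."""
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)


# Constructed licence records: site -> public ranges the customer supplied.
SITE_LICENSES = {
    "Example Pharma": [ipaddress.ip_network("203.0.113.0/24"),
                       ipaddress.ip_network("198.51.100.16/28")],
}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]   # assumed load-balancer range


def client_ip(remote_addr, x_forwarded_for=None):
    """Trust X-Forwarded-For only when the socket peer is our own proxy; the
    rightmost entry is the one our proxy appended, i.e. the real client."""
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


def site_for_ip(address):
    """Licensed site whose range contains the address, or None."""
    addr = ipaddress.ip_address(address)
    for site, networks in SITE_LICENSES.items():
        if any(addr in net for net in networks):
            return site
    return None


# Constructed accounts; only alice holds the (assumed) Pathway Studio role.
SAMPLE_USERS = {
    "alice": {"digest": hash_password("Tr0ub4dor&3x"), "roles": ["pathway_studio"]},
    "bob":   {"digest": hash_password("C0rrect-horse!"), "roles": ["other_product"]},
}


def authenticate(remote_addr, x_forwarded_for=None, username=None, password=None, users=None):
    """Licensed IP range -> main page anonymously; otherwise a valid
    username/password for an account holding the pathway_studio role."""
    site = site_for_ip(client_ip(remote_addr, x_forwarded_for))
    if site is not None:
        return ("site", site)
    account = (users or {}).get(username) if username else None
    # Spend one hash even for unknown usernames so timing does not reveal
    # which usernames exist.
    stored = account["digest"] if account else hash_password("dummy")
    if account and verify_password(password or "", stored) and "pathway_studio" in account["roles"]:
        return ("user", username)
    return None


if __name__ == "__main__":
    print(authenticate("10.0.0.5", "203.0.113.77"))
    print(authenticate("192.0.2.9", username="alice", password="Tr0ub4dor&3x", users=SAMPLE_USERS))
    print(check_password_policy("alice2015!!", ["Alice"]))
```

`authenticate("10.0.0.5", "203.0.113.77")` resolves to the licensed site because the peer is a trusted proxy; the same header from an untrusted peer is ignored and the request falls through to the login path.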

Secure Sockets Layer (SSL) protocol

All data exchanged between the Pathway Studio server and a user are encrypted and transmitted via SSL. The SSL protocol is an industry-standard method for protecting Web communications and ensuring secure client/server communications. Using the SSL protocol, an SSL-enabled server can authenticate itself to an SSL-enabled client, and the client can optionally authenticate itself to the server, establishing an encrypted connection between the two machines. This encrypted connection provides channel security with three basic properties:

- The channel is private: encryption is used for all messages after a simple handshake establishes a secret key. The initial key exchange is protected by public-key cryptography.
- The channel is authenticated: the server endpoint of the conversation is always authenticated.
- The channel is reliable: the message transport includes a message integrity check.

An SSL connection provides a high degree of confidentiality by requiring that all information sent between a client and a server is encrypted by the sending software and decrypted by the receiving software. Any tampering with data sent over an encrypted SSL connection is detected automatically by the integrity check, which determines whether the data have been altered in transit.

SSL connections for Pathway Studio are managed by Elsevier. The server certificate is issued by the certification authority Trustwave Holdings, Inc. Trustwave issues a digital certificate, or electronic credential, confirming that Elsevier is the owner of the Pathway Studio endpoint and thus enabling secure communications between client and server. For more information on Trustwave digital certificates, refer to: https://www.trustwave.com/.
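The client side of the channel described above, as an added example rather than Elsevier's code. What the sheet calls SSL is, in any current deployment, TLS; the hardened context below refuses SSLv3, TLS 1.0 and TLS 1.1. The server-authentication property only holds if the client actually verifies the chain and the hostname, so the example shows the hardened context next to the all-too-common configuration that disables verification, plus a post-handshake check that the certificate was issued by the expected CA (issuer pinning). `SAMPLE_PEER_CERT` is a constructed dictionary in the shape returned by `ssl.SSLSocket.getpeercert()`; every name and date in it is a placeholder, and `open_verified_connection` is the only function that touches the network.

```python
"""Client-side TLS verification for a Pathway Studio-style service.
Added example; certificate contents are constructed placeholders."""
import ssl
import time


def hardened_client_context():
    """Verify the chain against the platform trust store, check the hostname,
    and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context():
    """The anti-pattern: any certificate is accepted, so a man-in-the-middle
    with a self-signed key looks exactly like the real server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_hardened(ctx):
    """True only if chain verification, hostname check and TLS>=1.2 are all on."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


# Constructed peer certificate in getpeercert() shape (issuer organisation
# taken from the fact sheet; the CA common name and dates are placeholders).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "www.pathwaystudio.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Trustwave Holdings, Inc."),),
               (("commonName", "example-intermediate-ca"),)),
    "notBefore": "May 10 00:00:00 2015 GMT",
    "notAfter": "May 10 23:59:59 2016 GMT",
    "subjectAltName": (("DNS", "www.pathwaystudio.com"), ("DNS", "*.pathwaystudio.com")),
}
VALID_INSTANT = ssl.cert_time_to_seconds("Dec 10 12:00:00 2015 GMT")    # inside validity
EXPIRED_INSTANT = ssl.cert_time_to_seconds("Jun 10 12:00:00 2016 GMT")  # after notAfter


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def verify_peer_cert(cert, hostname, expected_issuer_org, now=None):
    """Post-handshake checks on getpeercert() output: validity window, issuer
    organisation pin, and a DNS SAN matching the host we meant to reach.
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    if not (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"])):
        return False, "certificate expired or not yet valid"
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    if issuer.get("organizationName") != expected_issuer_org:
        return False, "unexpected issuer"
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_name_matches(n, hostname) for n in dns_names):
        return False, "hostname not in subjectAltName"
    return True, "ok"


def open_verified_connection(host, expected_issuer_org, port=443):
    """Connect with the hardened context (the TLS stack verifies chain and
    hostname), then pin the issuer before handing the socket back."""
    import socket
    ctx = hardened_client_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    ok, reason = verify_peer_cert(sock.getpeercert(), host, expected_issuer_org)
    if not ok:
        sock.close()
        raise ssl.SSLError("post-handshake check failed: " + reason)
    return sock


if __name__ == "__main__":
    print(is_hardened(hardened_client_context()), is_hardened(insecure_client_context()))
    print(verify_peer_cert(SAMPLE_PEER_CERT, "www.pathwaystudio.com",
                           "Trustwave Holdings, Inc.", now=VALID_INSTANT))
```

Issuer pinning is a second line of defence, not a replacement for chain verification: it limits the damage if any other CA in the trust store mis-issues a certificate for the host, and it needs updating when the service legitimately changes CA.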
Logging

As a further means of security for licensed customers, several events are logged on the Pathway Studio server:

- Logins and logouts
- Number of actions per user ID
- Type of actions, such as relation search or expression analysis
- Type of analyses performed, such as GSEA or SNEA
- Types of objects involved in actions and analyses

Pathway Studio logs only the types of analyses conducted; it does not log the actual data involved in the analysis. Elsevier is legally obligated to treat all stored data as confidential, and all license agreements entered into with customers reflect this fact.

Storing data

Pathway Studio creates temporary result sets for users in the course of their use of the program. All temporary result sets created during a session are stored only for the duration of the session and are automatically deleted after the session has been closed. Temporary result sets, and all explicitly saved result sets, are available only to the user who created them while logged into the system. Pathway Studio provides output and export services, which generate data files in various formats on the Pathway Studio server for downloading. Those downloadable files are available as long as the download dialog box is visible and the current session is active. Once the session is closed, all download files are automatically deleted. Files with experiments uploaded by users, as well as pathways, entity lists, and analysis results created by users within Pathway Studio, are stored in the Pathway Studio database in non-encrypted form.
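An added example (not Pathway Studio's own logger) of the logging section: it emits the event categories listed above as structured audit records that carry the type of action and analysis but never the analysis data, then rebuilds the per-user counters from the log. The point worth showing is that the data exclusion is enforced by an allowlist at the point of writing, so a search query or expression matrix cannot leak into the log by accident. The field names, the sample events, and the bulk-use threshold in `flag_bulk_users` are constructed assumptions.

```python
"""Privacy-preserving audit log for Pathway Studio-style events.
Added example; field names and sample events are constructed."""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Only these keys ever reach the log. Anything else on an event (search
# queries, gene lists, expression values, uploaded files) is dropped at the
# source rather than masked later.
LOGGED_FIELDS = ("ts", "event", "user_id", "action", "analysis", "object_types", "outcome")

# Constructed sample events, deliberately carrying data fields that must not be logged.
SAMPLE_EVENTS = [
    {"ts": "2015-05-12T09:00:01+00:00", "event": "login", "user_id": "u1042", "outcome": "success"},
    {"ts": "2015-05-12T09:01:10+00:00", "event": "action", "user_id": "u1042",
     "action": "relation search", "object_types": ["protein", "small molecule"],
     "query": "TP53 AND MDM2"},
    {"ts": "2015-05-12T09:05:44+00:00", "event": "action", "user_id": "u1042",
     "action": "expression analysis", "analysis": "GSEA", "object_types": ["experiment"],
     "expression_values": {"TP53": 2.4, "MDM2": -1.1}},
    {"ts": "2015-05-12T09:08:00+00:00", "event": "action", "user_id": "u1042",
     "action": "expression analysis", "analysis": "SNEA", "object_types": ["experiment"],
     "expression_values": {"TP53": 2.4, "MDM2": -1.1}},
    {"ts": "2015-05-12T09:09:30+00:00", "event": "logout", "user_id": "u1042"},
    {"ts": "2015-05-12T09:10:00+00:00", "event": "login", "user_id": "u2077", "outcome": "success"},
    {"ts": "2015-05-12T09:10:05+00:00", "event": "action", "user_id": "u2077",
     "action": "relation search", "object_types": ["protein"], "query": "EGFR"},
]


def audit_record(event):
    """Serialise one event as a JSON line containing only allowlisted fields."""
    return json.dumps({k: event[k] for k in LOGGED_FIELDS if k in event}, sort_keys=True)


def write_audit_log(events):
    """Log lines for a sequence of events (a real deployment appends them to an
    append-only store that the application account cannot modify)."""
    return [audit_record(e) for e in events]


def summarize(log_lines):
    """Rebuild the counters the fact sheet lists from the log alone."""
    records = [json.loads(line) for line in log_lines]
    actions = [r for r in records if r["event"] == "action"]
    return {
        "actions_per_user": dict(Counter(r["user_id"] for r in actions)),
        "action_types": dict(Counter(r["action"] for r in actions)),
        "analyses": dict(Counter(r["analysis"] for r in actions if r.get("analysis"))),
        "object_types": dict(Counter(t for r in actions for t in r.get("object_types", []))),
    }


def flag_bulk_users(log_lines, limit=3, window_seconds=600):
    """User IDs with at least `limit` actions inside any `window_seconds` span:
    an assumed heuristic for bulk extraction under one licensed account."""
    stamps = defaultdict(list)
    for line in log_lines:
        r = json.loads(line)
        if r["event"] == "action":
            stamps[r["user_id"]].append(datetime.fromisoformat(r["ts"]).timestamp())
    flagged = []
    for user, times in stamps.items():
        times.sort()
        if any(times[i + limit - 1] - times[i] <= window_seconds
               for i in range(len(times) - limit + 1)):
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    lines = write_audit_log(SAMPLE_EVENTS)
    print("\n".join(lines))
    print(summarize(lines))
    print("bulk users:", flag_bulk_users(lines))
```

Running it shows the GSEA and SNEA records without their expression values and the search records without the query text, while the per-user counts and analysis types are still fully recoverable from the log.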

Web server security

Elsevier requires all servers hosting Pathway Studio to be hardened prior to use. The hardening process requires disabling or removing unnecessary services, ensuring that all needed security patches are current, and ensuring that all security mechanisms are enabled. Additional software, such as anti-virus and host-based intrusion detection systems, is installed where appropriate. Elsevier has a defined process to monitor for new vulnerabilities, assess their risk, determine the appropriate response, and ensure that remediation takes place.

Elsevier employee security

Elsevier conducts background investigations, subject to local legal restrictions, commensurate with the level of security required of the job applicant. It also conducts reference checks on all personnel as part of due diligence in the employment process. All Elsevier personnel are required to sign confidentiality agreements as a condition of employment.

Compliance

Elsevier has proven internal procedures for security risk assessment and compliance with internal policy across its worldwide network. Elsevier is compliant with Sarbanes-Oxley and is audited annually.

Information security methodology and governance

Elsevier employs well-established and robust processes supporting the creation, maintenance, and approval of security policies and standards. The organization takes a risk-based approach to security to ensure that effective controls are implemented in the appropriate places. Training and certification of employees in security disciplines are also priorities. Employees with direct responsibility for security at Elsevier hold certifications such as the (ISC)² CISSP or GIAC GSEC.

Pathway Studio privacy policy

Elsevier is committed to maintaining the confidence and trust of customers with respect to the information collected from them. Refer to the Pathway Studio privacy policy at www.pathwaystudio.com/privacy.html for a complete description of the information collected about customers, how this information is used, and the options customers have about how this information is used.

Visit elsevier.com/products/solutions/pathway-studio or contact your nearest Elsevier office.

ASIA AND AUSTRALIA Tel: +65 6349 0222 Email: sginfo@elsevier.com
JAPAN Tel: +81 3 5561 5034 Email: jpinfo@elsevier.com
KOREA AND TAIWAN Tel: +82 2 6714 3000 Email: krinfo.corp@elsevier.com
EUROPE, MIDDLE EAST AND AFRICA Tel: +31 20 485 3767 Email: nlinfo@elsevier.com
NORTH AMERICA, CENTRAL AMERICA AND CANADA Tel: +1 888 615 4500 Email: usinfo@elsevier.com
SOUTH AMERICA Tel: +55 21 3970 9300 Email: brinfo@elsevier.com

PATHWAY STUDIO is a registered trademark of Elsevier Inc. Copyright 2015 Elsevier B.V. All rights reserved. May 2015