Privacy + Security + Integrity



Similar documents
ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

IBX Business Network Platform Information Security Controls Document Classification [Public]

Supplier Information Security Addendum for GE Restricted Data

Security Policy JUNE 1, SalesNOW. Security Policy v v

QuickBooks Online: Security & Infrastructure

External Supplier Control Requirements

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM

University of Pittsburgh Security Assessment Questionnaire (v1.5)

External Supplier Control Requirements

Supplier Security Assessment Questionnaire

Cloud Contact Center. Security White Paper

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

FormFire Application and IT Security. White Paper

SERENA SOFTWARE Serena Service Manager Security

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Cloud Contact Center. Security White Paper

Information Security & Management Systems

Xerox Litigation Services. In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

SITECATALYST SECURITY

Projectplace: A Secure Project Collaboration Solution

Sophisticated Password Policy

Security Controls for the Autodesk 360 Managed Services

Passing PCI Compliance How to Address the Application Security Mandates

GiftWrap 4.0 Security FAQ

KeyLock Solutions Security and Privacy Protection Practices

CHIS, Inc. Privacy General Guidelines

ISO 27002:2013 Version Change Summary

Secure Your Source Code and Digital Assets

Comparative study of security parameters by Cloud Providers

ISO Controls and Objectives

Security Whitepaper: ivvy Products

GoodData Corporation Security White Paper

Tenzing Security Services and Best Practices

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Understanding Sage CRM Cloud

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Woodcock-Johnson and Woodcock-Muñoz Language Survey Revised Normative Update Technical and Data Security Overview

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Birst Security and Reliability

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

SNAP WEBHOST SECURITY POLICY

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

INFORMATION TECHNOLOGY SECURITY STANDARDS

Whitepaper. let. work. flow

How To Protect Your Data From Being Hacked

PCI DSS Requirements - Security Controls and Processes

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

BMC s Security Strategy for ITSM in the SaaS Environment

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Enterprise level security, the Huddle way.

How to complete the Secure Internet Site Declaration (SISD) form

Autodesk PLM 360 Security Whitepaper

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

IBM Connections Cloud Security

SECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Intel Enhanced Data Security Assessment Form

Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)?

Data Management Policies. Sage ERP Online

INFORMATION SECURITY PROGRAM

Clean VPN Approach to Secure Remote Access for the SMB

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Secure, Scalable and Reliable Cloud Analytics from FusionOps

White Paper How Noah Mobile uses Microsoft Azure Core Services

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Managing internet security

Tenzing Security Services and Best Practices

White Paper: Librestream Security Overview

White Paper. Guide to PCI Application Security Compliance for Merchants and Service Providers

Hosted Exchange. Security Overview. Learn More: Call us at

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

Becoming PCI Compliant

Adobe Systems Incorporated

Nine Steps to Smart Security for Small Businesses

Complying with PCI Data Security

Protecting Sensitive Data Reducing Risk with Oracle Database Security

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

CONTENTS. Security Policy

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

ProjectManager.com Security White Paper

PCI Requirements Coverage Summary Table

CSUSB Web Application Security Standard CSUSB, Information Security & Emerging Technologies Office

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

FISMA / NIST REVISION 3 COMPLIANCE

A Strategic Approach to Enterprise Key Management

Dooblo SurveyToGo: Security Overview

Payment Card Industry (PCI) Compliance. Management Guidelines

Rational AppScan & Ounce Products

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

Security in the Sauce Labs Cloud. Practices and protocols used in Sauce s infrastructure and Sauce Connect

Transcription:

Privacy + Security + Integrity Docufree Corporation Data Security Checklist Security by Design Docufree is very proud of our security record and our staff works diligently to maintain the greatest levels of security possible. We are the only SaaS vendor to accept total accountability for the chain of custody from time a document enters the mail room until your staff or systems accesses it programmatically. We have over a decade of experience protecting and processing sensitive information. From a security prospective, our data centers have stringent regulations and we design and test Docufree On-Demand with security as the top priority.

Physical Environment Docufree corporate facilities control every aspect of physical access, data integrity, network speed, safety, and power management to make sure that your data is safer with us than it would be in your own facility. Our Docufree staffed network operations center (NOC) continuously monitors for intrusion detection every hour of every day throughout the year, and we provide a redundant data center to ensure that your data will always be available. Our remote back-up data center located in Cincinnati, OH is also an industry leading Tier 1 data center hosting well known high demand applications. Access to our facilities is strictly controlled through the use of bio-metric sensors into every room with only authorized employees accessing the data center rooms. No cameras, cell phones and jackets are allowed in the secure work areas and all our employees are subject to criminal background check, credit check and random drug testing. Closed loop video surveillance cameras track activities in every room except the obvious. We maintain clean rooms to manage sensitive data and bio-hazard rooms protecting against bio-chemical concerns. Docufree Encryption Docufree stores documents with 256 bit encryption, the highest level of encryption available. Data is securely transmitted using industry standard Secure Sockets Layer (SSL) 128 bit encryption to manage the security of message transmissions on the internet. Docufree utilizes multiple, strong cryptographic encryption keys, which are created using a random generator and AES 256 bit encryption, to meet the stringent Payment Card Industry (PCI) compliance standards, ensuring proper access. AES stands for Advanced Encryption Standards which provides strong encryption to protect electronic data. Docufree uses Universal Threat Management (UTM) appliances for intrusion detection and prevention when transmitting data. And, Docufree grants access to users based on a strict set of permissions for controlled access. 2

Docufree frequently performs security assessments drawing on software vulnerability categories from (National Institute of Standards and Technology (NIST), Common Weakness Enumeration (CWE), and OWASP to provide a thorough risk assessment. Some of the areas of the application that are tested for that various vulnerability attack scenarios include: Access Control Administration Interface Application Server Configuration Authentication Caching Code Quality Cross-site Scripting Cryptography Denial of Service Error Handling External Communications Input Validation Interpreter Injection Logging Malware Privacy and Compliance Session Management SQL Injection Thread Safety Docufree On-Demand Docufree On-Demand has been architected, developed and deployed in compliance with OWASP (Open Web Application Security Protocol) Top Ten best practices. These are the same security practices used by the U.S. Defense Information System Agency and required for DOD Information Technology Security Certification and Accreditation Process to secure their Web applications. Global companies like A.G. Edwards, IBM Global Services, Price Waterhouse Coopers and Swiss Federal Institute of Technology also follow these same security practices. Docufree On-Demand employs an advanced access control framework built into the core solution that enables secure authentication, records logs of user activity and allows administrators to control which users have access to highly sensitive documents. Users can view the detailed audit trail which shows which users have viewed and taken action on any given file. The Docufree On-Demand development lifecycle includes steps for performing vulnerability testing and applying any necessary remediation to ensure that the application is secure at the source. In addition, Docufree sub-contracts with security experts who specialize in identifying flaws in source code that expose business-critical applications to potential attack through rigid vulnerability assessments to ensure we are continually identifying security vulnerabilities and producing actionable results to take appropriate action to reduce risk to business operations. 3

Security Checklist Physical Environment Secure Areas IT facilities supporting critical or sensitive business activities are located within secure areas. Physical Security Perimeter Strategically located barriers around defined perimeters provide physical security protection throughout the facility where sensitive business activities occur. Physical Entry Controls Only authorized personnel can gain access to secure areas by use of biometric finger print scan. Security of Data Centers and Computer Rooms Physical security for data centers and computer rooms is established that is commensurate with possible threats. Isolated Delivery and Loading Areas The data center and computer room delivery and loading areas are isolated to reduce the opportunity for unauthorized access. Equipment Location and Protection Equipment is located to reduce risks of environmental hazards and unauthorized access. Power Supplies Electronic equipment is protected from power failures and other electrical anomalies. Cabling Security All power and telecommunications cabling is protected from interception or damage. Equipment Maintenance Procedures are established to correctly maintain IT equipment to ensure its continued availability and integrity. Separation of Development and Operational Facilities Development and operational facilities are segregated to reduce the risk of accidental changes or unauthorized access to production software and business data. Environmental Monitoring Host computer environments, including temperature, humidity, and power supply quality, are monitored to identify conditions that might adversely affect the operation of computer equipment and to facilitate corrective action. Media Handling and Security Computer media is controlled and physically protected to prevent damage to assets and interruptions to business activities. System Planning and Acceptance Advance capacity planning and preparation ensures the proper availability of adequate capacity and resources as customer demands grow. 4

Network Management Protection from Malicious Software Precautions are taken to prevent and detect the introduction of malicious software to safeguard the integrity of software and data. Virus Controls Virus detection and prevention measures and appropriate user awareness procedures have been implemented. Network Monitoring Security of computer networks are monitored 24x7 and managed to safeguard information and to protect the supporting infrastructure. Network Security Controls Appropriate controls ensure the security of data in networks and the protection of connected services from unauthorized access. Electronic File Access 256 K Bit Encryption Data stored on the file server is encrypted using the maximum encryption available, 256K. Secured Socket Layer All communication is delivered over an industry standard 128 bit encrypted SSL. Access Controls User access to files is strictly granted on permissions basis where administrators can quickly change permissions. Active Directory Integration You can manage your users from Active Directory ensuring you only need one user store. Policies and Procedures Clear Desk Policy Employees working with or viewing sensitive information must work on a clear desk to reduce risks of unauthorized access, loss, or damage outside normal working hours. Data Handling Procedures Procedures exist for handling sensitive data to protect such data from unauthorized disclosure or misuse both when onsite or in transit. Removal of Property Personnel are required to have documented management authorization to take equipment, data or software off-site. Operational Procedures and Responsibilities Responsibilities and procedures are established for the management and operation of all computers and networks. Documented Operating Procedures Operating procedures are clearly documented for all operational computer systems to ensure their correct, secure operation. 5

Incident Management Procedures Incident management responsibilities and procedures are in place to ensure a quick, effective, orderly response to security incidents. Operational Change Control Documented procedures are established for controlling changes to IT facilities and systems to ensure satisfactory control of all changes to equipment. Data Back-Up Documented procedures are established for taking regular back-up copies of essential business data and software to ensure that it can be recovered following a computer disaster or media failure. Operator Logs Routine procedures are established for taking back-up copies of data, logging events and faults, and where appropriate, monitoring the equipment environment. Management of Removable Computer Media Procedures exist for the management of removable computer media such as tapes, disks, cassettes, and printed reports. Fault Logging Procedures exist for logging faults reported by users regarding problems with computer or communications systems, and for reporting and taking corrective action. System Acceptance Acceptance criteria for new systems are established and tested are prior to customer rollout. Vulnerability Testing Procedures exist to test for all OWASP categories of vulnerabilities on an ongoing basis. Summary Docufree prides ourselves on our focus to each granular detail in securing our customers sensitive data so that your data is much safer with us than it would be in your environment. We secure the physical environment tightly, screen our employees prior to and after hire, and follow rigid security methodology in our development lifecycle process and continuously test our source code for any vulnerabilities. If you have additional questions about our security policies and activities please send us an email or call using the information below. Also, if you d like to tour one of our centers we can arrange this for you too. 2010 Docufree Corporation. Docufree is a registered trademark of Docufree Corporation. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information