Dooblo SurveyToGo: Security Overview




May, 2012
Written by: Dooblo

Table of Contents

1 Introduction
  1.1 Overview
  1.2 Purpose
2 Physical Data Center Security
  2.1 Overview
  2.2 Servers
  2.3 Employee lifecycle
3 Network Security
  3.1 Overview
  3.2 Connections from the devices to the data centers and back
  3.3 Connections between servers inside the data center
  3.4 Administrative communications
  3.5 IDS/IPS
4 SurveyToGo Application Security Features
  4.1 Overview
  4.2 Users, types, groups & passwords
  4.3 Role based permissions
  4.4 User rights
5 SurveyToGo Data Collection App Security
  5.1 Overview
  5.2 Android App
  5.3 PC Survey App
  5.4 Lost / stolen Device
6 Configuration Management
  6.1 Overview
  6.2 Software
  6.3 Infrastructure
7 Backups
  7.1 Overview

1 Introduction

1.1 Overview

This document outlines the security of the SurveyToGo system. All non-confidential information has been included. Due to the nature of the topics discussed, some topics are considered confidential and will not be discussed in this document.

1.2 Purpose

The purpose of this document is to provide a high-level overview of all the security aspects of the SurveyToGo system. As the SurveyToGo system grows, more security measures are added and infrastructure and communications protocols change. This document provides the overview for the system at the time of writing only.

2 Physical Data Center Security

2.1 Overview

The SurveyToGo state-of-the-art data center servers are hosted by Amazon AWS:

AWS datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

AWS only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by AWS employees is logged and audited routinely.

For more extensive information about the AWS infrastructure security utilized by Dooblo: http://d36cz9buwru1tt.cloudfront.net/pdf/aws_security_whitepaper.pdf

2.2 Servers

All servers include mandatory antivirus protection and are configured to receive OS security updates as required.

2.3 Employee lifecycle

Dooblo has established formal policies and procedures to delineate the minimum standards for logical access to the SurveyToGo servers. Dooblo requires that staff with potential access to customer data undergo an extensive background check (as permitted by law) relevant to their position and level of data access.

3 Network Security

3.1 Overview

SurveyToGo enables interviewers in the field to collect data and send it over the wire to the Dooblo Data center. This involves two-way communication over the internet, both to send survey data to the device and to receive collected data from the device. The Dooblo network security measures are in place to ensure that network communication to and from the data center is secure, along with communications between servers in the data center.

3.2 Connections from the devices to the data centers and back

The devices and management applications communicate over the internet with the Data center. SurveyToGo can utilize industry-proven SSL encryption to encrypt these device/server communications and management app/server communications. The Dooblo Data Center uses certified SSL certificates so that devices can validate and authenticate the server they are communicating with, which prevents man-in-the-middle attacks along with eavesdropping risks. Any incoming communication to the data center passes through a dedicated Checkpoint firewall product to prevent network attacks.

3.3 Connections between servers inside the data center

All servers in the data center are located in the same physical space and are connected through a dedicated sub-network controlled by authorized Dooblo IT employees. The Checkpoint Firewall ensures that internal communication between the DMZ and other servers is done only by pre-configured IP addresses.

3.4 Administrative communications

All administrative communications to the data center are secured with token-based security and restricted to authorized personnel and IP addresses.

3.5 IDS/IPS

All network traffic stopped at the firewall is monitored, and IDS/IPS (Intrusion Detection/Prevention systems) is employed.

4 SurveyToGo Application Security Features

4.1 Overview

The SurveyToGo system includes application-level security measures designed to give data access only to those employees that you have configured, and only to the project data that you have configured access for. SurveyToGo includes a customer-project paradigm, which means that every piece of collected data resides in a specific project that belongs to a specific customer (your customer, not Dooblo customers).

4.2 Users, types, groups & passwords

Every access to the SurveyToGo system is done with a user name and a password. Surveyors have user names, and so do project managers and field managers. Both the data collection apps and the management studio app require a user name and a password in order to work. In fact, every interface of the system requires an authenticated user in order to work. User names and passwords are defined by the SurveyToGo account administrator (NOT by Dooblo), and passwords are encrypted. Users can be placed into groups to help with permissions.

4.3 Role based permissions

Role based permissions are granted to users and projects. Each project has 4 levels of roles:

- Project Administrator
- Project Manager
- Project Reviewer
- Project Reader

Each role includes various access rights to the data contained in the project. The SurveyToGo account administrator (or project administrator/manager) can assign users or groups of users the relevant roles of a project. If a user does not have any access to a project, that project will not show up in the user's management studio app. If the user does not have any access to any project of a customer, then that entire customer will not show in the user's management app. Surveyor users can be assigned to a project, which then controls whether or not they see that survey in the list of surveys.

4.4 User rights

On top of the project role based security, several application-level user rights can be assigned to a user or a group, such as:

- Create users
- Manage subject stores
- Manage rights
- Etc.

These rights are granted to the user or group and are not related to a specific customer or project.

5 SurveyToGo Data Collection App Security

5.1 Overview

The data collection apps are used to collect data from the field. The general approach to the security of the collected data in this regard is to upload the data and remove it from the device as quickly as possible. Shorter time on the device means lower data security risks.

5.2 Android App

The Android app stores all data in a special application storage segment provided by the Android OS. This segment is secured from access by other applications and is restricted to the SurveyToGo app only. Due to this enhanced security mechanism by Android, the data is saved in a local database on this secured storage segment. Whenever a network is detected, all data is uploaded to the server and deleted from the device. The last user who used the app is cached locally in order to allow for quick access and to continue collecting data even in offline scenarios; however, the password is encrypted. Communication to and from the server is secured by SSL Encryption (Optional) as described in the network security chapter.

5.3 PC Survey App

The PC (Windows) app stores all data in the local user storage space on the hard drive of the Windows machine. As the hard disk is not secured like in the Android case, SurveyToGo utilizes the built-in encryption mechanism of Microsoft SQL Mobile to encrypt all the data and prevent access to it from unauthorized sources. Communication to and from the server is secured by SSL Encryption (Optional) as described in the network security chapter.

5.4 Lost / stolen Device

If a device is lost or stolen, we recommend that the user of that device be set to disabled. This will disallow any access from that device to the account and prevent any tampering with data. Please note that if auto-sync is enabled, up to 10 minutes' worth of data collection might remain on the device and be exposed.

6 Configuration Management

6.1 Overview

Configuration changes to the SurveyToGo system infrastructure and software are authorized, logged, tested, approved, and documented in accordance with industry norms. Updates to the SurveyToGo infrastructure are done to minimize any impact on the customer and their use of the services. Dooblo communicates with customers via email when service use is likely to be impacted.

6.2 Software

Dooblo applies a systematic approach to managing change so that changes to customer-impacting services are thoroughly reviewed, tested, approved and well communicated. Dooblo's change management process is designed to avoid unintended service disruptions and to maintain the integrity of service to the customer. Changes deployed into production environments are:

- Reviewed: Peer reviews of the technical aspects of a change
- Tested: changes being applied will behave as expected and not adversely impact performance
- Approved: to provide appropriate oversight and understanding of business impact

Changes are typically pushed into production in a phased deployment starting with customers who requested the change. When possible, changes are scheduled during weekend change windows. Emergency changes might be deployed at non-standard times.

6.3 Infrastructure

Updates to the SurveyToGo infrastructure are done to minimize any impact on the customer and their use of the services. Dooblo communicates with customers via email when service use is likely to be impacted.

7 Backups

7.1 Overview

Data stored in the SurveyToGo system is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. In addition, Dooblo periodically backs up all important parts of its data. Data removed from the system by actions of the customer is physically deleted from the servers and backups and will not be available to Dooblo support staff or the customer. This is to ensure the customer's ability to remove sensitive information from the Dooblo Data center if needed.