Helping people make better decisions DATA SECURITY POLICY Kiilakiventie 1, 90250 Oulu, Finland tel: +358 10 423 7901 www.zef.fi/en

GENERAL

Server: Operating system Unix, Apache 2.x. User interface implemented with PHP 5.3.x. Database: MySQL 5.1.x.

Usage: User interfaces are easy to use and support all mainstream browsers (MS Internet Explorer 8 and newer, Google Chrome, Mozilla Firefox). No installations are required. Taking the services into use is fast and easy, as is using them. The user interface contains step-by-step instructions both as video and as text.

Support: Customer service is available between 8-16 (GMT +2) through e-mail, telephone and chat.

Introduction

We at ZEF Solutions Ltd handle information carefully and avoid risks. We emphasize 1) data security in all our actions, 2) high availability and reliability in our services, and 3) personnel training to maintain a high overall level of data security. This document defines requirements for storing, destroying, moving and sharing data.

Responsible Persons

The Chief Technology Officer (CTO) reports regularly on the data security of ZEF Solutions Ltd. to the Chief Executive Officer (CEO). Our subcontractors report on their data security to the CTO of ZEF Solutions Ltd. The CEO is responsible for reporting the current status of data security to the board of ZEF Solutions Ltd. The management team of ZEF Solutions Ltd. confirms this data security policy.

Accepted Data Transfer Protocols

On the production servers used by customers, the accepted data transfer protocols are HTTP, HTTPS, SMTP and SSH. Firewall settings are defined according to this document by Amazon Web Services and Google Apps. In office use by our personnel, the accepted data transfer protocols and messaging services are HTTP, HTTPS, POP, IMAP, SMTP, SSH, OpenID, Skype and Microsoft Messenger. The CTO is responsible for the use of these technologies, for the data transfer protocols currently in use, and for taking new data transfer protocols into use. The number of data transfer protocols used on production servers is kept as small as possible. The personnel of ZEF Solutions Ltd. have the right to install needed software applications on their personal workstations. The CTO is responsible for commercial software licenses.

Production Servers

ZEF Solutions Ltd.'s production servers are provided by Amazon Web Services (hereafter AWS). Our production servers are located in Ireland. We also use Google's cloud service Google Apps, whose data is stored in Google data centers around the world.
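The policy above restricts production servers to HTTP, HTTPS, SMTP and SSH and delegates the firewall to AWS. The following is an added audit example, not ZEF Solutions' own code: it checks a security group's ingress rules against that allowed set. The group below is constructed in the shape of the IpPermissions list returned by EC2 DescribeSecurityGroups; the group id is a placeholder and no AWS call is made.

```python
# Added example: audit security-group ingress rules against the policy's
# accepted production protocols. Not ZEF's code; sample data is constructed.

# Policy: only these TCP ports may be reachable on production servers.
ALLOWED_TCP_PORTS = {80: "HTTP", 443: "HTTPS", 25: "SMTP", 22: "SSH"}

# Constructed sample group: two compliant rules, one out-of-policy MySQL
# rule, one over-broad port range and one allow-all rule.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",  # placeholder, not a real group id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},  # documentation range
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}


def audit_ingress(group):
    """Return (port_or_range, cidr, reason) tuples for every rule outside policy."""
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        if proto == "-1":  # EC2 shorthand for all protocols and all ports
            findings.extend(("all", c, "all traffic allowed") for c in cidrs)
            continue
        if proto != "tcp":  # the four accepted protocols are all TCP
            findings.extend((proto, c, "non-TCP protocol not in policy") for c in cidrs)
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        if lo != hi:  # no two accepted ports are adjacent, so any range over-permits
            findings.extend((f"{lo}-{hi}", c, "port range wider than one policy port") for c in cidrs)
        elif lo not in ALLOWED_TCP_PORTS:
            findings.extend((str(lo), c, f"port {lo} not an accepted protocol") for c in cidrs)
    return findings


if __name__ == "__main__":
    for port, cidr, reason in audit_ingress(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']}: {port} from {cidr}: {reason}")
```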
Here is a high-level description of Amazon's approach to securing the AWS infrastructure:

Amazon Web Services: Reports, Certifications, and Independent Attestations. AWS has in the past successfully completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls 1 (SOC 1) report, published under both the SSAE 16 and the ISAE 3402 professional standards. In addition, AWS has achieved ISO 27001 certification, and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). In the realm of public sector certifications, AWS has received authorization from the U.S. General Services Administration to operate at the FISMA Moderate level, and is also the platform for applications with Authorities to Operate (ATOs) under the Defense Information Assurance Certification and Accreditation Program (DIACAP). We will continue to obtain the appropriate security certifications and conduct audits to demonstrate the security of our infrastructure and services. For more information on risk and compliance activities in the AWS cloud, consult the Amazon Web Services: Risk and Compliance whitepaper.

Physical Security. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need for such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access.

Secure Services. Each of the services within the AWS cloud is architected to be secure and contains a number of capabilities that restrict unauthorized access or usage without sacrificing the flexibility that customers demand. For more information about the security capabilities of each service in the AWS cloud, consult the Amazon Web Services: Overview of Security Processes whitepaper.

Data Privacy. AWS enables users to encrypt their personal or business data within the AWS cloud and publishes backup and redundancy procedures for services so that customers can gain a greater understanding of how their data flows throughout AWS. For more information on the data privacy and backup procedures for each service in the AWS cloud, consult the Amazon Web Services: Overview of Security Processes whitepaper referenced above. The AWS Security Center provides links to technical information, tools, and prescriptive guidance designed to help you build and manage secure applications in the AWS cloud. Our goal is to use this forum to proactively notify developers about security bulletins. Such transparency is the backbone of trust between AWS and our customers.

Google Apps: An independent third-party auditor issued Google Apps an unqualified SAS70 Type II certification. Google is proud to provide Google Apps administrators the peace of mind of knowing that their data is secure under the SAS70 auditing industry standard. The independent third-party auditor verified that Google Apps has the following controls and protocols in place:

Logical security: Controls provide reasonable assurance that logical access to Google Apps production systems and data is restricted to authorized individuals.
Privacy: Controls provide reasonable assurance that Google has implemented policies and procedures addressing the privacy of customer data related to Google Apps.
Data center physical security: Controls provide reasonable assurance that data centers that house Google Apps data and corporate offices are protected.
Incident management and availability: Controls provide reasonable assurance that Google Apps systems are redundant and incidents are properly reported, responded to, and recorded.
Change management: Controls provide reasonable assurance that development of and changes to Google Apps undergo testing and independent code review prior to release into production.
Organization and administration: Controls provide reasonable assurance that management provides the infrastructure and mechanisms to track and communicate initiatives within the company that impact Google Apps.

Storing Data

Your data will be stored in Google's network of data centers. Google maintains a number of geographically distributed data centers. Google's computing clusters are designed with resiliency and redundancy in mind, eliminating any single point of failure and minimizing the impact of common equipment failures and environmental risks. Access to data centers is limited to select authorized Google personnel.

Availability Rate

The annual availability rate of our production servers is over 99%. Updates are carried out at times when service usage is at its minimum. Customers are informed of scheduled service breaks beforehand.

Storing, Protecting, Backing up and Destroying Data

User data on production servers (used by customers) is stored in separate databases for each customer. Access to these databases is available only through the production servers. Backup copies of user data are taken daily to both a backup server and a backup unit located in a different physical location from the production servers. In office use, each employee stores data on their own workstation or in the Google cloud service. Workstations and portable devices are secured with personal login and password pairs. We use a shredder when destroying physical documents. Storage media that are removed from use are destroyed physically.

User Management

Root user: The root user has access to all servers and databases. The CTO and his/her backup have root privileges. Root accounts are protected by SSH keys.
Administrators: Administrators have the right to create, modify and delete users. Administrator rights are available to ZEF Solutions Ltd. employees only.
Users: Users can create, modify and delete content. Users are our customers. Users who create content are responsible for the legality of the content.
Evaluators: Evaluators can use evaluations and Sales Engines made by Users.

All passwords in use are at least eight characters long and contain uppercase letters, lowercase letters and numbers. Evaluator passwords given by ZEF Solutions Ltd. are for single use only. Users are responsible for creating their own passwords based on their own data security rules. Root users change their SSH keys at least once every six months, and Administrators do the same for their passwords.

Software Updates and Data Security

Data security is a high priority when updating software and taking new software into use. The CTO is responsible for production server software updates. Many applications on personal workstations and laptops are updated automatically through the update tools of software vendors. We are keen to listen to our customers' views on data security issues and are willing to meet every data security need. Possible tailored solutions will be made according to the IT2000 contract.

Use of Email

ZEF Solutions Ltd.'s email addresses may not be used to create or deliver any content that may harm or offend on the basis of, for example, race, gender, hair colour, disability, age, sexual orientation, religious belief, political views or nationality. Sending spam is not allowed. ZEF Solutions Ltd.'s email address can be used for personal communication within these rules.

Data Network Management

Amazon Web Services and Google Apps are responsible for the data network of our production servers. The servers are designed to serve very large numbers of simultaneous users. Our starting point is that our services never break down because of a large number of users. In our offices we use strongly encrypted internet connections.