Helping people make better decisions

DATA SECURITY POLICY

Kiilakiventie 1, 90250 Oulu, Finland
tel: +358 10 423 7901
www.zef.fi/en
GENERAL

Server

Operating system: Unix, Apache 2.x. User interface implemented with PHP 5.3.x. Database structure: MySQL 5.1.x.

Usage

User interfaces are easy to use and support all mainstream browsers (MS Internet Explorer 8 and newer, Google Chrome, Mozilla Firefox). No installations are required. Taking the services into use is fast and easy, as is using them. The user interface contains step-by-step instructions both as video and as text.

Support

Customer service is available between 8 and 16 (GMT +2) through e-mail, telephone and chat.
Introduction

We at ZEF Solutions Ltd handle information carefully, avoiding risks. We emphasize 1) data security in all our actions, 2) high availability and reliability in our services, and 3) personnel training to maintain a high overall level of data security. This document defines requirements for storing, destroying, moving and sharing data.

Responsible Persons

The Chief Technology Officer (CTO) reports regularly on the data security of ZEF Solutions Ltd. to the Chief Executive Officer (CEO). Our subcontractors report on their data security to the CTO of ZEF Solutions Ltd. The CEO is responsible for reporting to the board of ZEF Solutions Ltd. on the current status of data security. The management team of ZEF Solutions Ltd. confirms this data security policy.

Accepted Data Transfer Protocols

On production servers that are used by customers, the accepted data transfer protocols are: HTTP, HTTPS, SMTP and SSH. Firewall settings are defined according to this document by Amazon Web Services and Google Apps.

In office use by our personnel, the accepted data transfer protocols and messaging services are: HTTP, HTTPS, POP, IMAP, SMTP, SSH, OpenID, Skype and Microsoft Messenger. The CTO is responsible for using these technologies.

The CTO is responsible for current data transfer protocols and for taking new data transfer protocols into use. The number of data transfer protocols used on production servers is kept as small as possible.

The personnel of ZEF Solutions Ltd. have the right to install needed software applications on their personal workstations. The CTO is responsible for commercial software licenses.

Production Servers

ZEF Solutions Ltd.'s production servers are provided by Amazon Web Services (later AWS). Our production servers are located in Ireland. We also use Google's cloud service Google Apps, whose data is stored in Google Data Centers all around the world.
Here is a high-level description of Amazon's approach to securing the AWS infrastructure:

Amazon Web Services:

Reports, Certifications, and Independent Attestations. AWS has in the past successfully completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls 1 (SOC 1) report, published under both the SSAE 16 and the ISAE 3402 professional standards. In addition, AWS has achieved ISO 27001 certification, and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). In the realm of public sector certifications, AWS has received authorization from the U.S. General Services Administration to operate at the FISMA Moderate level, and is also the platform for applications with Authorities to Operate (ATOs) under the Defense Information Assurance Certification and Accreditation Program (DIACAP). We will continue to obtain the appropriate security certifications and conduct audits to demonstrate the security of our infrastructure and services. For more information on risk and compliance activities in the AWS cloud, consult the Amazon Web Services: Risk and Compliance whitepaper.

Physical Security. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access.

Secure Services. Each of the services within the AWS cloud is architected to be secure and contains a number of capabilities that restrict unauthorized access or usage without sacrificing the flexibility that customers demand. For more information about the security capabilities of each service in the AWS cloud, consult the Amazon Web Services: Overview of Security Processes whitepaper.

Data Privacy. AWS enables users to encrypt their personal or business data within the AWS cloud and publishes backup and redundancy procedures for services so that customers can gain greater understanding of how their data flows throughout AWS. For more information on the data privacy and backup procedures for each service in the AWS cloud, consult the Amazon Web Services: Overview of Security Processes whitepaper referenced above.

The AWS Security Center provides links to technical information, tools, and prescriptive guidance designed to help you build and manage secure applications in the AWS cloud. Our goal is to use this forum to proactively notify developers about security bulletins. Such transparency is the backbone of trust between AWS and our customers.

Google Apps:

An independent third party auditor issued Google Apps an unqualified SAS70 Type II certification. Google is proud to provide Google Apps administrators the peace of mind knowing that their data is secure under the SAS70 auditing industry standard.
The independent third party auditor verified that Google Apps has the following controls and protocols in place:

Logical security: Controls provide reasonable assurance that logical access to Google Apps production systems and data is restricted to authorized individuals

Privacy: Controls provide reasonable assurance that Google has implemented policies and procedures addressing the privacy of customer data related to Google Apps

Data center physical security: Controls provide reasonable assurance that data centers that house Google Apps data and corporate offices are protected

Incident management and availability: Controls provide reasonable assurance that Google Apps systems are redundant and incidents are properly reported, responded to, and recorded
Change management: Controls provide reasonable assurance that development of and changes to Google Apps undergo testing and independent code review prior to release into production

Organization and administration: Controls provide reasonable assurance that management provides the infrastructure and mechanisms to track and communicate initiatives within the company that impact Google Apps

Storing Data

Your data will be stored in Google's network of data centers. Google maintains a number of geographically distributed data centers. Google's computing clusters are designed with resiliency and redundancy in mind, eliminating any single point of failure and minimizing the impact of common equipment failures and environmental risks. Access to data centers is very limited, available only to authorized, select Google personnel.

Availability Rate

The annual availability rate of our production servers is over 99%. Updates are carried out at times when service usage is at its minimum. Customers are informed beforehand of scheduled breaks in services.

Storing, Protecting, Backing up and Destroying Data

User data on production servers (used by customers) is stored in a separate database for each customer. Access to these databases is only available through production servers. Backup copies of user data are taken daily on both a backup server and a backup unit that is located in a different physical location from the production servers.

In office use, each employee stores data on their own workstation or in the Google cloud service. Workstations and portable devices are secured with personal login-password pairs.

We use a shredder when destroying physical documents. Storage media that are removed from use are destroyed physically.

User Management

Root user: The root user has access to all servers and databases. The CTO and his/her backup have the root privileges. Root accounts are protected by SSH keys.

Administrators: Administrators have the right to create, modify and delete users.
Administrator rights are available to ZEF Solutions Ltd. employees only.

Users: Users can create, modify and delete content. Users are our customers. Users who create content are responsible for the legality of the content.

Evaluators: Evaluators can use evaluations and use Sales Engines made by Users.

All passwords in use are at least eight characters long and contain uppercase letters, lowercase letters and numbers. Evaluator passwords given by ZEF Solutions Ltd. are for single use only. Users are responsible for creating their own passwords based on their own data security rules. Root users change their SSH keys at least once every six months, and Administrators do the same for their passwords.
Software Updates and Data Security

Data security is a high priority when updating software and taking new software into use. The CTO is responsible for production server software updates. Many applications on personal workstations and laptops are updated automatically through the update tools of software vendors.

We are keen to listen to our customers' views on data security issues and are willing to meet every data security need. Possible tailored solutions will be made according to the IT2000 contract.

Use of Email

ZEF Solutions Ltd.'s email address is not allowed to be used to create or deliver any content that may harm or offend on the basis of, for example, race, gender, hair colour, disability, age, sexual orientation, religious belief, political views or nationality. Sending spam is not allowed. ZEF Solutions Ltd.'s email address can be used in personal communication with respect to these rules.

Data Network Management

Amazon Web Services and Google Apps are responsible for the data network of our production servers. The servers are designed to serve huge numbers of simultaneous users. Our starting point is that our services never break down due to a large number of users. In our offices we use highly secure, encrypted internet connections.