BKDconnect Security Overview




Table of Contents

1 Introduction
  1.1 What is BKDconnect
  1.2 Site Creation
  1.3 Client Authentication and Access
2 Security Design
  2.1 Confidentiality
    2.1.1 Least Privilege and Role Based Security
    2.1.2 TLS Authentication and Communication
    2.1.3 Access Controls in BKDconnect
    2.1.4 VLANs
    2.1.5 Separate Authentication Mechanisms
    2.1.6 Encryption
    2.1.7 Content Retention
  2.2 Integrity
    2.2.1 Audit Trails
    2.2.2 Version Controls
  2.3 Availability
    2.3.1 Segregated Environments
    2.3.2 Redundant Systems
    2.3.3 Load Balancers
    2.3.4 Backups
3 Security Operations
  3.1 Physical Security
  3.2 Personnel and Processes
  3.3 Additional Security Controls

1 Introduction

1.1 What is BKDconnect?

BKDconnect is an online application hosted by BKD, LLP (BKD). With BKDconnect, BKD hosts client data, provides project management and enables client collaboration through the life of the project. BKDconnect allows clients to easily submit documentation, oversee their project, provide updates and collaborate with other client personnel and BKD staff. BKD recognizes that the increased efficiency and communication of online applications also bring increased security concerns and risk. This document describes the controls implemented by BKD specific to BKDconnect so that clients can determine whether BKDconnect is suitable for their business.

1.2 Site Creation

Client sites can only be created by BKDconnect Site Administrators. These are internal BKD personnel responsible for the administration and management of the client site, and only the BKD System Administrators can add users to the Site Administrators group. BKD requires that all personnel receive training before they are added to the Site Administrators group. This is to ensure that all site administrators are prepared to help their teams and client teams with site use.

1.3 Client Authentication and Access

Upon creation of the client site, the BKD Site Administrator will create a Client Site Administrator account for the client, as designated by the client. The client uses this account to create new accounts for client personnel to access and use the site. Additionally, the Client Site Administrator account is able to assign roles to the accounts it creates. This provides the client with role based security if they choose to use it. Client user accounts are managed by the designated Client Site Administrator. As the Client Site Administrator adds to or edits the Client Team Members list, each individual user is systematically added to or removed from specific permission groups based on the selections made by the Client Site Administrator.

When individual users are added to the Client Team Members list, system-generated invitations are sent requesting registration. Upon successful registration, the user is granted access to the site. When individual users are removed from the Client Team Members list, all permissions to the site are systematically removed. More information about setting up Client Team Members can be found in the BKDconnect Basic User Manual.

Each site created by a BKD Site Administrator is for a specific client, and is only accessible to the team members assigned to that client site. Team members are assigned by the BKD Site Administrator for BKD personnel and by the Client Site Administrator for client personnel.

2 Security Design

2.1 Confidentiality

Confidentiality ensures that client data is only accessible by authorized entities. BKD provides confidentiality in the following ways:

2.1.1 Least Privilege and Role Based Security

Least privilege is widely accepted as a best practice, and as such BKD has implemented role based security within and around BKDconnect to enforce least privilege. This extends to the client, who has the ability to assign specific access permissions to their staff. BKD recommends all clients take advantage of this granular security feature whenever possible. The following roles have been created and are currently used:

Infrastructure Team: Internal BKD IT personnel responsible for the hardware and operating system of the application. This team is responsible for system stability and maintenance and does not have access to the BKDconnect application or data.

System Administrator: Internal BKD IT personnel responsible for the BKDconnect application and underlying databases. They are responsible for patching and maintaining the stability of the application. Additionally, they assign users to the Site Administrator group.

BKD Site Administrator: Trained internal BKD personnel responsible for managing client engagements and the client's site. The BKD Site Administrator creates the Client Site Administrator account and assigns BKD staff as BKD Team Members.

Client Site Administrator: The account used by the client to assign Client Team Members from client staff. Additionally, this account can set access permissions (applicable to the specific site only) for the accounts it creates.

Team Member: The individuals (BKD and/or client staff) assigned to work on the project in some fashion. They can only access what the Site/Client Administrator account has granted them access to.

2.1.2 TLS Authentication and Communication

All communications, including the registration and authentication processes, are protected with TLS 1.0. The certificates are issued by the certificate authority GoDaddy.

2.1.3 Access Controls in BKDconnect

Within the BKDconnect application itself, access controls have been implemented. Each site is locked down and only accessible by the accounts assigned specifically to that site. This prevents an account from logging in and then, through nefarious means, gaining access to other sites.

2.1.4 VLANs

VLANs are used to segregate the BKDconnect systems and databases from the rest of the network. Traffic cannot pass between VLANs without going through a router. This keeps nodes on the network from broadcasting attacks or eavesdropping on communications to these systems.

2.1.5 Separate Authentication Mechanisms

The systems managing authentication for BKD personnel and client personnel are separate and isolated. This ensures that BKD personnel cannot create client accounts, nor can clients create BKD accounts, in an attempt to circumvent security controls and gain unauthorized access to data. Additionally, this allows each client to implement role based security for their personnel that matches their in-house designated roles. This flexibility and security should be taken advantage of as much as possible.

2.1.6 Encryption

Encryption of data both at rest and in motion is used with BKDconnect. All communication is encrypted with TLS and all data is stored in an encrypted database. All communication and data encryption is compliant with the FIPS 140-2 standards.

2.1.7 Content Retention

Data is stored in BKDconnect through the life of the project. At the completion of the project, data is exported into BKD's corporate data repository, where it is retained for 7 years (per AICPA requirements). While reports and project results may be retained in BKDconnect longer at the client's request, data not in use is removed from the system and is no longer accessible. All non-deliverable content stored on BKDconnect (working drafts, task lists, comments, etc.) is purged 60 days after the engagement completion.

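The role and site rules of sections 1.2, 1.3, 2.1.1, 2.1.3 and 2.1.5 can be written as a deny-by-default authorization check. The following is an added example, not BKDconnect code; the function names, the "bkd"/"client" realm labels, the resource names and the "*" whole-site grant for administrators are assumptions made for illustration.

```python
# Added illustration; names, realm labels and the "*" grant are assumptions.
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):
    INFRASTRUCTURE = 1     # hardware/OS only, no application or data access
    SYSTEM_ADMIN = 2       # maintains the application, fills the Site Administrators group
    BKD_SITE_ADMIN = 3
    CLIENT_SITE_ADMIN = 4
    TEAM_MEMBER = 5

@dataclass(frozen=True)
class Account:
    name: str
    realm: str             # "bkd" or "client": the two separate authentication systems
    role: Role

@dataclass
class Site:
    client: str
    grants: dict = field(default_factory=dict)  # Account -> resources, "*" = whole site

class Denied(Exception):
    """Raised when an administrative action violates the role rules."""

def promote_to_site_admin(actor, target):
    """Only a System Administrator may add BKD staff to the Site Administrators group."""
    if actor.role is not Role.SYSTEM_ADMIN or target.realm != "bkd":
        raise Denied("only System Administrators manage the Site Administrators group")
    return Account(target.name, "bkd", Role.BKD_SITE_ADMIN)

def create_site(actor, client, client_admin):
    """Only a BKD Site Administrator creates a site and names its Client Site Administrator."""
    if actor.role is not Role.BKD_SITE_ADMIN:
        raise Denied("only BKD Site Administrators create client sites")
    if client_admin.realm != "client" or client_admin.role is not Role.CLIENT_SITE_ADMIN:
        raise Denied("the client administrator must be a client-realm account")
    return Site(client, {actor: {"*"}, client_admin: {"*"}})

def assign_member(actor, site, target, resources):
    """Each administrator assigns members from its own realm, on its own site only."""
    admin_realm = {Role.BKD_SITE_ADMIN: "bkd", Role.CLIENT_SITE_ADMIN: "client"}.get(actor.role)
    if admin_realm is None or actor not in site.grants or target.realm != admin_realm:
        raise Denied(f"{actor.name} may not assign {target.name} to {site.client}")
    site.grants[target] = set(resources)

def can_access(account, site, resource):
    """Deny by default: access requires an explicit grant on this specific site."""
    if account.role is Role.INFRASTRUCTURE:
        return False
    granted = site.grants.get(account, set())
    return "*" in granted or resource in granted
```

Because every check is made against one Site object's grants, an account holding a grant on one client's site gets no access to, and no assignment rights on, any other site.
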
2.2 Integrity

Integrity refers to the trustworthiness of the information: that data has not been changed inappropriately, whether by accident or intentionally. BKD tries to ensure integrity through:

2.2.1 Audit Trails

BKDconnect is configured to generate extremely detailed audit logs. These logs record account actions such as who accessed data, when they accessed the data, what they did with the data they accessed, etc. These logs are retained within the encrypted database and are accessible by the System Administrator.

2.2.2 Version Control

Version control has been enabled on all lists and libraries. The system will create a new version of the item any time the item is updated or replaced by another item with the same name or title. If a different name or title is used, then a new record is created and the original record remains in place until it is deleted.

2.3 Availability

Availability refers to the ability to access and use the data resource when needed and to protect against unplanned failures in service. BKD tries to ensure availability by:

2.3.1 Segregated Environments

BKD utilizes a dedicated Development environment for implementing new code and changes to the BKDconnect system. Once these have been implemented and appear stable, they are moved to the Quality Assurance instance, where they are thoroughly tested and reviewed. Once all testing has been performed and the new code/changes have passed, they are uploaded into the production instance during a maintenance cycle. This ensures that unstable or malicious code doesn't go into production. This is a standard best practice of SDLC.

2.3.2 Redundant Systems

BKD utilizes redundant best-in-class systems and network devices to provide BKDconnect. This includes redundant Internet connections, routers, firewalls and servers. BKD has made a conscious effort to remove all single points of failure from BKDconnect.

2.3.3 Load Balancers

BKD utilizes enterprise class load balancers to ensure that high volumes of traffic do not limit service or reduce functionality.

2.3.4 Backups

BKDconnect resides on redundant servers at a secure underground facility in Springfield, Missouri. Utilizing BKD's enterprise backup solution, all BKDconnect servers and databases are backed up. Incremental backups are performed nightly and full backups are performed weekly. These backups are rotated offsite to a secure location.

3 Security Operations

While not necessarily specific to BKDconnect, many security controls within BKD contribute to the overall security of the BKDconnect system.

3.1 Physical Security

BKD utilizes a best-in-class data center to house their systems. This facility provides protection from all but the most severe natural disasters. The facility is staffed 24x7 and provides physical access restrictions through a dead man room, electronic access controls and remote monitoring via cameras. Additionally, it provides the environmental controls necessary for a continuous computing environment (redundant power, HVAC, fire suppression, etc.).

3.2 Personnel and Processes

BKD not only utilizes best-in-class systems, but also enterprise class personnel. With over 50 dedicated trained IT personnel, BKD ensures stable and secure system operations through the use of best practice processes such as change control, patch management, SDLC, etc.

3.3 Additional Security Controls

Dedicated IT Security: BKD has a dedicated IT security team responsible for overseeing and ensuring the confidentiality, integrity and availability of BKD's systems and data.

Information Security Program: BKD has a formalized and robust Information Security Program that consists of formalized policies and procedures, incident response, and IT continuity and recovery plans.

Penetration Testing: BKD performs routine vulnerability assessments against internal and external systems. Additionally, BKD has penetration testing performed annually.

Application Testing: BKDconnect has undergone an independent application test by an industry recognized application testing company.

Intrusion Detection: BKD utilizes enterprise class IDS with 24x7 monitoring and alerting services.

SIEM: BKD has implemented a Security Information and Event Management solution for BKDconnect. This includes in-depth log reviews every 24 hours.

Anti-Virus: BKD uses enterprise class anti-virus at both the operating system and application level to protect against malicious software.