Security from a customer's perspective. Halogen's approach to security




September 18, 2015

Security from a customer's perspective

Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving performance and building better business results. Despite those advantages, many companies have concerns about the safety and security of their data in an online system. At Halogen we take the responsibility for your data very seriously, and understand that you may have questions that need to be answered. Our goal is to provide you with security services and information in a consistent and timely manner, so you understand how your data is protected and are confident that it is safe and secure.

Halogen's approach to security

Halogen has designed and implemented a multi-tiered approach to security.

The first tier includes the security protections customers have come to expect of a leading cloud provider. These include:
- Firewalls
- Intrusion detection systems (IDS)
- Anti-Virus (AV)
- Encrypted storage and backups
- Multi-factor physical security
- Secure data centers

The second tier consists of an organizational commitment to sound practices around security and IT operations. Halogen has a dedicated team of security professionals whose primary responsibility is to provide separate, continuous oversight and review of IT operations at Halogen. Halogen's security organization practices separation of duties from our IT teams, and reports separately to Halogen's senior management. Halogen's security organization works with Halogen's operational IT and product development teams to ensure that our products and services are designed with security from a customer's perspective as a top priority. The security organization is also responsible for the monitoring of Halogen's TalentSpace operational activities as they relate to Halogen's service offerings.

The third tier in our approach centers on a commitment to independent assurance. We understand that our customers want to hear from independent third parties that the security measures we have taken not only make sense but are appropriate and working effectively. To assist our customers in meeting their compliance and security requirements, Halogen is committed to continuously investing resources to provide our customers with access to independent assessments and evaluations on the effectiveness of Halogen's security controls.

What do Halogen's security services look like?

Application Security

Halogen has integrated consideration for web application security into our software development practices. These practices include the following:
- Education and awareness training for developers, testers, and other team members responsible for the quality of our application code. Our training materials are aligned with the OWASP Top 10 web application risks and are presented within the specific context of our application.
- Halogen engages with an industry-recognized third party web application vulnerability testing company to continuously assess each application end point. Third party results are reviewed by Halogen's Security, Risk and Compliance department. Confirmed defects are prioritized and entered into Halogen's defect management system for remediation.

Data Center and Environmental Security

Halogen has contracted with best-in-class data center providers. Halogen's TalentSpace environment is co-located in two physical sites:
- Primary data center (Rogers): Toronto, Ontario, Canada
- Backup and recovery data center (Q9 Networks): Calgary, Alberta, Canada
The two sites are more than 2,600 km (1,600 miles) apart.

Access to hardware located in secure and dedicated cages requires pre-authorization from Halogen's TalentSpace operations management team. The multi-layer physical security system includes the requirement for management pre-authorization, and authorized individuals must provide government-issued photo ID to a manned security desk. Additionally, controlled man-traps and two-factor authentication (including biometrics) are required to gain access to the data center server room floor and Halogen's dedicated and secured cage. We perform on-site visits to each facility to validate the proper functioning of physical and logical access controls. We review the most recent assurance reports from our data center provider(s) on a continual basis.

Service levels have been contractually defined with data center providers for availability and quality of service. Service levels are continually monitored by a range of applications which report on availability, performance and quality of service. Both data center facilities include redundant environmental protections, including considerations for cooling, power, physical security, network connectivity and natural disasters.

Backups, Redundancy, and Recovery

At Halogen, we've implemented backup and recovery processes and procedures that enable us to respond effectively to customer requests and recover quickly in the event of an incident. Key information, including customer data and infrastructure information, is backed up on a regular basis. There are formal processes in place for the replication of all customer data to a backup and recovery data center. To support full recovery, the backup and recovery data center is equipped with the same computing capacity as our production data center. Halogen also has a documented disaster recovery plan, which leverages Halogen's proprietary technology and replicated customer data to restore service in the event of a disaster. Finally, Halogen's enterprise platform implements data retention to support investigation activities. We can also support customers' investigations should it be required.

Access Control

Halogen's approach is based on four main concepts:
- Separation of duties
- Least privilege
- Need-to-know
- Information classification

Halogen has implemented an authorization and review process so that access rights are aligned with these four concepts. Access control is defined through compliance with Halogen's Information Security Policy and Access Control Policy, which is documented through the use of formal access control lists and a RACI (Responsible, Accountable, Consulted, Informed) matrix. Management of access control includes management approval for access to the TalentSpace environment and regularly scheduled access reviews to ensure that access rights are accurate and up-to-date. Halogen's Access Control Policy defines the requirements for unique usernames and complex passwords. Access Control Standards are implemented and monitored through the use of a central authentication server which enforces the documented standards.

Network Security

Halogen's TalentSpace environment has a layered security architecture which includes:
- WAN and LAN perimeter firewalls with Intrusion Detection Systems (IDS)
- Host-based firewalls and IDS
- Traffic segregation enforced through the implementation of a specialized network topology

Logical access to the TalentSpace environment is monitored by a dedicated security team and complemented by on-going point-in-time audits performed by the TalentSpace operations group. Security monitoring includes a daily review of security logs and privileged account usage, and review and remediation of weekly security vulnerability scans, both internal and external.

Compliance with secure configuration standards is monitored, and compliance reports are reviewed and audited. Non-standard configurations are immediately reported, investigated and then remediated using the formal incident management process.

Operational Security

Halogen owns and manages all assets required to deliver our SaaS TalentSpace offering. All operational activities are carried out by full-time Halogen employees. Halogen has also implemented a control framework to help ensure consistency and integrity of the ongoing operations in the TalentSpace environment. Operational controls address requirements for the timely execution of activities and the ability to review operational effectiveness. These controls also help maintain proper segregation of duties and access. Operational controls in the TalentSpace environment include:
- Up-to-date documented processes and procedures
- Checklists to support the completion of daily, weekly and other time-based tasks
- Automated and scheduled tasks
- Continuous system, application, and task monitoring

Security and Service Delivery

Change management is a key operational control and Halogen has aligned with the ITIL v3 change management process. Changes must be appropriately documented, tested and validated before being presented to Halogen's Change Advisory Board for risk evaluation and approval prior to implementation. Halogen has implemented a service incident management process, also based on the ITIL v3 framework, to ensure that any failure in the production environment is addressed in a timely manner, based on the existing service level agreements. All changes related to customer-impacting incidents are treated as emergency changes in our change management process.

Data Encryption

Halogen's TalentSpace environment implements encryption at rest for all customer production data. This includes all data submitted by the customer or generated by Halogen TalentSpace, such as customer-entered data, system-generated forms, reports, backups and logs.

Security and Privacy Incident Response

Halogen has a security and privacy incident response process designed to address possible security events or incidents. The process includes the procedures for the response to potential incidents and includes a dedicated Security Incident Response Team (SIRT). The SIRT is responsible for managing the response and remediation of any confirmed security incident or privacy breach. This includes coordinating all investigative processes, communication to customers and third parties, as well as documenting impact assessments and post-incident improvements.

Third Party Evaluations

Halogen is committed to continuously investing resources to provide our customers with access to independent assessments and evaluations on the effectiveness of Halogen's security controls. These third party evaluations are available upon request and include the following:
- AICPA SOC 2 Type II
- Web Application Vulnerability report
- Vulnerability scanning results

Conclusion

At Halogen we believe a comprehensive approach to security is an ongoing commitment. We are focused on maintaining a level of security that allows our customers to focus on achieving their goals instead of having to worry about the security of their data. If you have any additional questions or concerns, we would be pleased to discuss them with you at your convenience.