From All n One's bxp software Wixi

Security - Start Here

12,441 bytes added, 16:29, 11 February 2021
no edit summary
For the purposes of terminology there are a number of key stakeholders involved in the contract process at a minimum.
 
 
A Patron in the All n One lexicon is a potential or existing client who is seeking All n One to change operational processes / procedures to suit their operational requirements. Patrons enter separate supply agreements in order to cost, manage and ensure the operational change requests. This allows potential and existing clients to adapt to changing law and customer requirements.
* The Sales Relationship Manager (SRM) : This is the primary sales person who helps a bxp client get up and running and manages all aspects of the relationship up to the point of sale.
* The Business Development Account Manager (BDAM) : When the contract is signed the BDAM takes over to ensure delivery of the contract and manage relationship interactions
* The All n One Support Infrastructure : This is the entire infrastructure of the company and how interactions are managed
=== How do I get help? ===
Please review [[Understanding_bxp_Support]]
An area of ownership called into question can be custom JavaScript developed for a client. If the code is in a standard bxp library available to all clients then it remains the property of All n One. If the code is loaded into a form or custom uploaded library within a bxp Client instance then it is considered content and belongs to the bxp Client.
For further reading : [[Function_Vs._Content]]
== Standards and Laws ==
=== Encryption ===
 
At no point is data held unencrypted. Even data at rest is encrypted. [[Bxp_-_End_to_End_encryption_and_High_Availability]]
 
 
bxp encourages clients to use TLS 1.2 [[Security_-_TLS_Status]]
 
== System Review tools ==
 
 
bxp has a number of mechanisms to allow a client to manage their security needs.
 
 
The two primary security tools that are provided from All n One are:
 
* The live bxp Client Dashboard Report - [[Bxp_Client_Dashboard_Report]]
* The periodic manually created bxp Client Security Report - [[bxp_-_Client_Security_Report]]
 
 
bxp has the ability to integrate with a number of Security Event Management Solutions [[Bxp_and_Security_Event_Management_solutions]]
 
 
For a list of the most directly used security reports [[Reporting_-_Security_Reports]]
 
 
bxp has an extensive amount of Audit Logs for security review purposes: [[Bxp_-_Audit_Logs]]
 
 
There are a number of articles relating to the security capabilities of the system and their associated reports [[Category:Module_Specific:System_Access_Management]]
 
 
 
==Standards and Laws==
* All n One Limited is an Irish company with operations residing completely in Ireland and under Irish Law.
* All n One Limited is registered with the Data Protection Commissioner of Ireland[https://www.dataprotection.ie/viewdoc.asp?fn=/documents/register/display.asp?ID=8759%2FA]
* All n One Limited as an Irish company is also subject to European Law
* The All n One support operation is operated from Ballymount, Dublin exclusively
* The bxp firewalls, switches and data servers are hosted on All n One dedicated equipment in the AWS EU Ireland Region (EU-WEST-1).
* The bxp web servers and load balancers are hosted in a secured virtualised environment in AWS, Dublin.
* bxp's off site data redundancy infrastructure is based in Paris, France and will take over the bxp operation in the event of AWS Ireland failure.
* All n One's nearest Garda Station is Tallaght Garda Station, Belgard Walk, Tallaght, Dublin 24, Ireland on +353 1 666 6000
* The Garda Bureau of Fraud Investigation (GBFI) also includes the Computer Crime Investigation Unit http://www.garda.ie/Controller.aspx?Page=29 on +353 1 6663776
* With contract provisions, a secondary mirroring site can be provided in Sungard's secondary site in Clonsaugh, Dublin.
* All client owned content is kept with the Parkwest infrastructure.
For the above reasons and the reasons of physical security, operational support and intellectual property protection, bxp '''cannot''' be installed on client equipment or in client premises and can only ever be accessed securely through the Internet. bxp does however support references to local client data. For example, in eLearning or message-to-staff scenarios, bxp can present URLs or links such as \\OurLocalServer\Important\Info\file123.docx, which means that bxp can be used by the organisation but the link will only work when the data is available locally to the machine. Further examples are used in Quality Assurance when the phone / call recordings are stored locally and the reference is loaded into bxp. This way large volumes of call data do not need to be transferred into bxp.
=== Data Protection and Data Retention ===
For more information on this area please see [[Data_Protection_and_Data_Retention]]
=== ISO 27001 ===
All n One themselves do not have ISO 27001 accreditation. All n One are currently implementing the standard operationally throughout the business. All n One are seeking accreditation with a view to it being in place asap. http://en.wikipedia.org/w/index.php?title=ISO27001

For obvious security reasons our ISMS is not a matter of public record; however our ongoing operational processes and procedures deliver our Plan Do Check Act cycles.
=== ISO 9001 ===
All n One is not currently ISO9001 accredited. Though the majority (estimated 70% as of October 2014) of our processes and procedures are documented, All n One would require a Patron before seeking accreditation.
http://en.wikipedia.org/wiki/ISO_9000#Contents_of_ISO_9001
=== PCI DSS ===
Currently All n One does not have PCI DSS compliance accreditation. All n One operates the implementation of all of the Control Objectives, but is not accredited. All n One are working towards accreditation but require a bxp client to patron its implementation as we do not have any bxp client with this requirement currently.
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
Control Objectives
* '''Build and Maintain a Secure Network'''
** 1. Install and maintain a firewall configuration to protect cardholder data
** 2. Do not use vendor-supplied defaults for system passwords and other security parameters
* '''Protect Cardholder Data'''
** 3. Protect stored cardholder data
** 4. Encrypt transmission of cardholder data across open, public networks
* '''Maintain a Vulnerability Management Program'''
** 5. Use and regularly update anti-virus software on all systems commonly affected by malware
** 6. Develop and maintain secure systems and applications
* '''Implement Strong Access Control Measures'''
** 7. Restrict access to cardholder data by business need-to-know
** 8. Assign a unique ID to each person with computer access
** 9. Restrict physical access to cardholder data
* '''Regularly Monitor and Test Networks'''
** 10. Track and monitor all access to network resources and cardholder data
** 11. Regularly test security systems and processes
* '''Maintain an Information Security Policy'''
** 12. Maintain a policy that addresses information security

=== ENISA ===
The objective of ENISA is to improve network and information security in the European Union. The agency has to contribute to the development of a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, and consequently will contribute to the smooth functioning of the EU Internal Market.
As part of ENISA's work they have developed the Cloud Computing Information Assurance Framework: http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance-framework
=== OWASP ===
The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure. It is also a registered non-profit in Europe since June 2011. http://en.wikipedia.org/wiki/OWASP https://www.owasp.org/index.php/Main_Page
One of the projects delivered by OWASP is the Top 10 Project. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
bxp is tested against the Top 10 on a monthly basis.
=== W3C XHTML Compliance ===
The whole of bxp uses XHTML 1.0 as the document standard. For this reason, we validate against the W3C XHTML 1.0 standard.
For further information on this standard http://en.wikipedia.org/wiki/World_Wide_Web_Consortium
This validator checks the markup validity of Web documents in HTML, XHTML, SMIL, MathML, etc. http://validator.w3.org/
=== WAI Accessibility Compliance ===
''The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect.'' Tim Berners-Lee, W3C Director and inventor of the World Wide Web
All n One emulate these ideals by including the guidelines in all aspects of our design, development and implementation of bxp. http://www.w3.org/standards/webdesign/accessibility
=== TIA-942 ===
The Telecommunications Industry Association (TIA) publishes TIA-942, the Telecommunications Infrastructure Standard for Data Centers http://en.wikipedia.org/wiki/Data_center
Details of the standard are available from https://global.ihs.com/doc_detail.cfm?&rid=TIA&input_doc_number=TIA-942&item_s_key=00414811&item_key_date=860905&input_doc_number=TIA-942&input_doc_title=#abstract
There are four tiers of Data Centre within the standard:
* Tier 1 – basic data center - no redundancy
* Tier 2 – redundant components - single distribution path with redundant components
* Tier 3 – concurrently maintainable - multiple distribution paths with only one active
* Tier 4 – fault tolerant - multiple active distribution paths
Although not certified to any tier of this standard, AWS can deliver this service.
=== COBIT ===
http://en.wikipedia.org/wiki/COBIT
''Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.''
All n One's Infrastructure department is currently working towards its COBIT accreditation.
=== ITIL ===
http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library
''ITIL (formerly known as the Information Technology Infrastructure Library) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITIL 2011 edition), ITIL is published as a series of five core volumes, each of which covers a different ITSM lifecycle stage. Although ITIL underpins ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, the two frameworks do have some differences.''
All n One's Infrastructure department is currently working towards its ITIL accreditation.
=== G Cloud ===
The UK Government G-Cloud is an initiative targeted at easing procurement by public-sector bodies in departments of the United Kingdom Government of commodity information technology services that use cloud computing.
All n One is G Cloud Compliant.
=== HR policies ===
[http://www.peninsulagrouplimited.com/ie/ http://www.peninsulagrouplimited.com/ie/]
All n One work with Peninsula on the creation of HR policies within the business.
Proof of Peninsula Business Services involvement within All n One can be found at [http://www.bxpsoftware.com/wixi/index.php?title=HR_Policies http://www.bxpsoftware.com/wixi/index.php?title=HR_Policies]
== Physical Infrastructure ==
For more information on the bxp infrastructure [[The_bxp_Infrastructure]]
 
 
For more information on the physical hosting of bxp [[Bxp_software_in_AWS_Cloud_Services]]
 
 
For more information on bxp capacity and load management [[Bxp_Infrastructure_Capacity]]
 
 
For more information on bxp continuity of service [[Bxp_and_Business_Continuity]]
== Logical Infrastructure ==
For more information on the logic of the bxp system [[Bxp_-_Logical_Structure]]
== Operational Procedures ==
 
 
For more information about backups and backup procedures please see [[Bxp_Backups]]
 
 
All n One are not responsible for the content in a bxp Client system. It is important for the bxp Security Champion to be aware of their operational requirements especially around the areas of Data Protection and Retention. For this reason All n One have prepared guidelines and support documents to assist a System Champion in this area [[Data_Protection_and_Data_Retention]]
 
 
It is important for a bxp Client's system champion to be aware of all the security options and configurations available. These are introduced in the training document CC-2-1 Security and Custom Interface configuration available from [[Contact_Centre_Training]]
 
 
For more information on how All n One perform bxp testing and security testing [[Bxp_Security_and_Testing]]
 
 
All n One manage all client data from a single centralised location. 48 / 49 Western Parkway Business Park, Lower Ballymount Road, Dublin 12, D12 DK49. This site operates a number of security processes and procedures to ensure operational security. [[Bxp_-_Ballymount_Security]]
 
== Human Resource Procedures ==
 
 
All members of staff are interviewed and reviewed at directorial level. Numerous HR processes are applied in their interviews. The Data Protection Act of Ireland is closely watched and applied to all our HR practices. http://www.dataprotection.ie/docs/Data-Protection-in-the-Workplace/1239.htm
 
 
Monthly reminders and daily operational procedures provide constant reinforcement of Data Protection requirements.
 
 
As per Irish Law, vetting is only permitted on staff who work with children and / or vulnerable adults. To this end, police vetting is not possible. As part of the HR and recruitment policies reference checks are performed as standard.
 
 
Every member of All n One staff is subject to the same high standards of operation regardless of role.
 
 
For more information on our team see [[Meet_the_Team]]
 
 
At no point is development outsourced, in order to maintain the highest possible levels of security and integrity of the framework. Outsourcing of design, marketing and accounts is done through our partners but this never includes code development of the framework. [[All_n_One_Partners_and_Suppliers]]
 
== UK FAQs ==
 
 
* Have you or any company in your Group ever had an ICO audit, enforcement notice, signed any undertaking with the ICO or been fined for a breach of Data Protection or Privacy & Electronic Communications Regulations?
 
 
All n One and bxp have never been subject to any investigation, nationally or internationally.
 
 
All n One has not sought an ICO audit to date but can deliver where a Patron requires.
 
 
 
== US FAQs ==
 
 
=== HIPAA and HITECH ===
 
bxp software has not been applied to HITECH requirements but can deliver where a Patron requires.
 
 
==== HIPAA ====
 
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
 
 
One of the goals of the Healthcare Information Portability and Accountability Act (HIPAA), signed into US law in 1996, was to ease the ability for workers to continue their healthcare insurance coverage when moving from one provider to another, for example, when moving between jobs. For HIPAA regulations to ensure uninterrupted coverage for patients, healthcare organizations needed the ability to share medical records efficiently and reliably.
 
 
To facilitate the efficient transfer of records, the bill set forth standardized terminology and Electronic Data Interchange (EDI) code sets. This standardization further pushed the migration of paper-based records to electronic medical records. But the ease of transferring patient information electronically also increased the risk of private data being inadvertently exposed to unauthorized parties. To address this, legislators developed security mandates to address privacy issues within HIPAA covered entities.
 
 
There are three parts of the HIPAA privacy regulations and compliance policy that IT professionals should be focused on:
 
* HIPAA EDI Rule (162.1000) - HIPAA establishes standards for health information technology and the use of electronic code sets. The standardization of healthcare terminology was required to eliminate confusion among providers and insurers.
 
* HIPAA Security Rule (164.306) - HIPAA establishes safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) that covered entities create, receive, maintain, and transmit.
 
* HIPAA Privacy Rule (164.502) - HIPAA requires healthcare organizations to protect protected health information (PHI) and defines the allowable uses and disclosures of PHI in contrast to "de-identified" health information.
 
 
==== HITECH ====
 
http://en.wikipedia.org/wiki/Health_Information_Technology_for_Economic_and_Clinical_Health_Act
 
 
HITECH (Healthcare Information Technology for Economic and Clinical Health)
 
 
In 2009, as part of an effort to stimulate the U.S. economy, $787 million was allocated with the American Recovery and Reinvestment Act (ARRA), which included legislation to broaden the scope of HIPAA, while also giving investigators direct, monetary incentives for levying fines. The HIPAA-specific aspects of the ARRA are found in the Health Information Technology for Economic and Clinical Health Act (HITECH).
 
 
The three major areas of change brought about by HITECH regulations are:
 
 
1. Reach
* Before: Covered Entities: healthcare organizations
* Now with HITECH regulations: Covered Entities: expanded to business associates
 
2. Notification
* Before: Loose notification requirements
* Now with HITECH regulations: Strict notification requirements – 60 days requirement + public notice on website (and notifying HHS)
 
3. Economics
* Before: 2003-2008 – 31,000 cases reported, no one fined; in 2009, CVS fined $2.25 M
* Now with HITECH regulations: Fines up to $1.5 M / year; regulators at HHS now benefit directly from fines levied (significant uptick in fines)
 
 
 
=== SOX 404 / SAS-70 and ISAE3402 ===
 
 
This is a US based financial auditing control. http://sas70.com/sas70_SOX404.html
 
 
All n One has not sought a SAS-70 to date but can deliver where a Patron requires.
 
All n One has begun investigating the possibilities of implementing a process to produce ISAE 3402 reports. This is a current venture for All n One.
 
 
[[Category:Topic:Security]]
[[Category:Topic:Start Here]]