Changes

Security - Start Here

6,304 bytes added, 16:29, 11 February 2021
no edit summary
For the purposes of terminology, there are, at a minimum, a number of key stakeholders involved in the contract process.
 
 
A Patron, in the All n One lexicon, is a potential or existing client who is seeking All n One to change operational processes / procedures to suit their operational requirements. Patrons enter separate supply agreements in order to cost, manage and ensure the operational change requests. This allows potential and existing clients to adapt to changing law and customer requirements.
Please review [[Supporting_Business_ExpressUnderstanding_bxp_Support]]
For further reading : [[Function_Vs._Content]]
 
=== Encryption ===
 
 
At no point is data held or transmitted unencrypted. Even data at rest is encrypted. [[Bxp_-_End_to_End_encryption_and_High_Availability]]
 
 
bxp encourages clients to use TLS 1.2 [[Security_-_TLS_Status]]
 
== System Review tools ==
 
 
bxp has a number of mechanisms to allow a client to manage their security needs.

The two primary security tools provided by All n One are:
* The live bxp Client Dashboard Report - [[Bxp_Client_Dashboard_Report]]
* The periodic manually created bxp Client Security Report - [[bxp_-_Client_Security_Report]]
 
bxp has the ability to integrate with a number of Security Event Management Solutions [[Bxp_and_Security_Event_Management_solutions]]
 
 
For a list of the most directly used security reports [[Reporting_-_Security_Reports]]
 
 
bxp has an extensive amount of Audit Logs for security review purposes: [[Bxp_-_Audit_Logs]]
 
 
There are a number of articles relating to the security capabilities of the system and their associated reports [[Category:Module_Specific:System_Access_Management]]
 
 
 
==Standards and Laws==
* All n One Limited is an Irish company with operations residing completely in Ireland and under Irish Law.
* All n One Limited is registered with the Data Protection Commissioner of Ireland [https://www.dataprotection.ie/viewdoc.asp?fn=/documents/register/display.asp?ID=8759%2FA]
* The All n One support operation is operated from Ballymount, Dublin exclusively
* The bxp firewalls, switches and data servers are hosted on All n One dedicated equipment in the AWS EU Ireland Region (EU-WEST-1).
* The bxp web servers and load balancers are hosted in a secured virtualised environment in AWS, Dublin.
* bxp's secondary off site data redundancy infrastructure is based in Paris, France and will take over the bxp operation in the event of AWS Ireland failure.
* All n One's nearest Garda Station is Tallaght Garda Station, Belgard Walk, Tallaght, Dublin 24, Ireland on +353 1 666 6000
* The Garda Bureau of Fraud Investigation (GBFI) also includes the Computer Crime Investigation Unit http://www.garda.ie/Controller.aspx?Page=29 on +353 1 6663776
For the above reasons, and for reasons of physical security, operational support and intellectual property protection, bxp '''cannot''' be installed on client equipment or in client premises and can only ever be accessed securely through the Internet. bxp does however support references to local client data. For example, in eLearning or message-to-staff scenarios, bxp can present URLs or links such as \\OurLocalServer\Important\Info\file123.docx, which means that bxp can be used by the organisation but the link will only work when the data is available locally to the machine. Further examples are used in Quality Assurance when the phone / call recordings are stored locally and only the reference is loaded into bxp. This way large volumes of call data do not need to be transferred into bxp.
=== Data Protection and Data Retention ===
For more information on this area please see [[Data_Protection_and_Data_Retention]]
=== ISO 27001 ===
All n One themselves do not have ISO 27001 accreditation. All n One are currently implementing the standard operationally throughout the business. All n One are seeking accreditation with a view to it being in place as soon as possible. http://en.wikipedia.org/w/index.php?title=ISO27001
For obvious security reasons our ISMS is not a matter of public record, however our ongoing operational processes and procedures deliver our Plan Do Check Act cycles.
===ISO 9001===
All n One is not currently ISO 9001 accredited. Though the majority (estimated 70% as of October 2014) of our processes and procedures are documented, All n One would require a Patron before seeking accreditation.
http://en.wikipedia.org/wiki/ISO_9000#Contents_of_ISO_9001

===PCI DSS===
Currently All n One does not have PCI DSS compliance accreditation. All n One operates the implementation of all of the Control Objectives, but is not accredited. All n One are working towards accreditation but require a bxp client to patron its implementation, as we do not have any bxp client with this requirement currently.
Control Objectives
* '''Build and Maintain a Secure Network'''
** 1. Install and maintain a firewall configuration to protect cardholder data
** 2. Do not use vendor-supplied defaults for system passwords and other security parameters
* '''Protect Cardholder Data'''
** 3. Protect stored cardholder data
** 4. Encrypt transmission of cardholder data across open, public networks
* '''Maintain a Vulnerability Management Program'''
** 5. Use and regularly update anti-virus software on all systems commonly affected by malware
** 6. Develop and maintain secure systems and applications
* '''Implement Strong Access Control Measures'''
** 7. Restrict access to cardholder data by business need-to-know
** 8. Assign a unique ID to each person with computer access
** 9. Restrict physical access to cardholder data
* '''Regularly Monitor and Test Networks'''
** 10. Track and monitor all access to network resources and cardholder data
** 11. Regularly test security systems and processes
* '''Maintain an Information Security Policy'''
** 12. Maintain a policy that addresses information security

===ENISA===
The objective of ENISA is to improve network and information security in the European Union. The agency has to contribute to the development of a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, and consequently will contribute to the smooth functioning of the EU Internal Market.
As part of ENISA's work they have developed the Cloud Computing Information Assurance Framework:
http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance-framework
=== OWASP ===
The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure. It has also been a registered non-profit in Europe since June 2011. http://en.wikipedia.org/wiki/OWASP
One of the projects delivered by OWASP is the Top 10 Project. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
=== W3C XHTML Compliance ===
The whole of bxp uses XHTML 1.0 as the document standard. For this reason, we validate against the W3C XHTML 1.0 standard.
=== WAI Accessibility Compliance ===
''The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect.'' Tim Berners-Lee, W3C Director and inventor of the World Wide Web
=== TIA-942 ===
The Telecommunications Industry Association (TIA) has published TIA-942, the Telecommunications Infrastructure Standard for Data Centers. http://en.wikipedia.org/wiki/Data_center
There are four tiers of Data Centre within the standard
 
* Tier 1 – basic data center - no redundancy
* Tier 2 – redundant components - Single distribution path with redundant components
Although not certified to any tier of this standard, AWS can deliver this service.

===COBIT===
http://en.wikipedia.org/wiki/COBIT

''Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.''

All n One's Infrastructure department is currently working towards its COBIT accreditation.

===ITIL===
http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library

''ITIL (formerly known as the Information Technology Infrastructure Library) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITIL 2011 edition), ITIL is published as a series of five core volumes, each of which covers a different ITSM lifecycle stage. Although ITIL underpins ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, the two frameworks do have some differences.''

All n One's Infrastructure department is currently working towards its ITIL accreditation.

===G Cloud===
The UK Government G-Cloud is an initiative targeted at easing procurement by public-sector bodies in departments of the United Kingdom Government of commodity information technology services that use cloud computing.

All n One is G Cloud Compliant.

===HR policies===
[http://www.peninsulagrouplimited.com/ie/ http://www.peninsulagrouplimited.com/ie/]

All n One work with Peninsula on the creation of HR policies within the business.
Proof of Peninsula Business Services involvement within All n One can be found at [http://www.bxpsoftware.com/wixi/index.php?title=HR_Policies http://www.bxpsoftware.com/wixi/index.php?title=HR_Policies]

== Physical Infrastructure ==
For more information on the bxp infrastructure [[The_bxp_Infrastructure]]

For more information on the physical hosting of bxp [[Bxp_software_in_AWS_Cloud_Services]]

For more information on bxp capacity and load management [[Bxp_Infrastructure_Capacity]]

For more information on bxp continuity of service [[Bxp_and_Business_Continuity]]

== Logical Infrastructure ==
For more information on the logic of the bxp system [[Bxp_-_Logical_Structure]]

== Operational Procedures ==
For more information about backups and backup procedures please see [[Bxp_Backups]]

All n One are not responsible for the content in a bxp Client system. It is important for the bxp Security Champion to be aware of their operational requirements, especially around the areas of Data Protection and Retention. For this reason All n One have prepared guidelines and support documents to assist a System Champion in this area [[Data_Protection_and_Data_Retention]]

It is important for a bxp Client's system champion to be aware of all the security options and configurations available. These are introduced in the training document CC-2-1 Security and Custom Interface configuration, available from [[Contact_Centre_Training]]

For more information on how All n One perform bxp testing and security testing [[Bxp_Security_and_Testing]]

All n One manage all client data from a single centralised location: 48 / 49 Western Parkway Business Park, Lower Ballymount Road, Dublin 12, D12 DK49. This site operates a number of security processes and procedures to ensure operational security. [[Bxp_-_Ballymount_Security]]

== Human Resource Procedures ==
All members of staff are interviewed and reviewed at directorial level. Numerous HR processes are applied in their interviews.

The Data Protection Act of Ireland is closely watched and applied to all our HR practices. http://www.dataprotection.ie/docs/Data-Protection-in-the-Workplace/1239.htm

Monthly reminders and daily operational procedures provide constant reinforcement of Data Protection requirements.

As per Irish Law, vetting is only permitted on staff who work with children and / or vulnerable adults. To this end, police vetting is not possible. As part of the HR and recruitment policies, reference checks are performed as standard.

All All n One staff are subjected to the same high standards of operation regardless of role.

For more information please review our team. [[Meet_the_Team]]

At no point is development outsourced, in order to maintain the highest possible levels of security and integrity of the framework. Outsourcing of design, marketing and accounts is done through our partners, but this never includes code development of the framework. [[All_n_One_Partners_and_Suppliers]]

== UK FAQs ==
* Have you or any company in your Group ever had an ICO audit, enforcement notice, signed any undertaking with the ICO or been fined for a breach of Data Protection or Privacy & Electronic Communications Regulations?

All n One and bxp have never been subject to any investigation, nationally or internationally.

All n One has not sought an ICO audit to date but can deliver where a Patron requires.

== US FAQs ==
=== HIPAA and HITECH ===
bxp software has not currently been applied to HITECH requirements, but All n One can deliver where a Patron requires.
==== HIPAA ====
 
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
 
One of the goals of the Health Insurance Portability and Accountability Act (HIPAA), signed into US law in 1996, was to make it easier for workers to continue their healthcare insurance coverage when moving from one provider to another, for example when moving between jobs. For HIPAA regulations to help ensure uninterrupted coverage for patients, healthcare organizations needed the ability to share medical records efficiently and reliably.
==== What is HITECH ====
http://en.wikipedia.org/wiki/Health_Information_Technology_for_Economic_and_Clinical_Health_Act

HITECH (Health Information Technology for Economic and Clinical Health)
=== SOX 404 / SAS-70 and ISAE3402 ===
This is a US based financial auditing control. http://sas70.com/sas70_SOX404.html

All n One has not sought an SAS-70 to date but can deliver where a Patron requires.

All n One has begun investigating the possibilities of implementing a process to produce ISAE 3402 reports. This is a current venture for All n One.

[[Category:Topic:Security]][[Category:Topic:Start Here]]