UK Government Cloud Security Principles

From All n One's bxp software Wiki

Revision as of 12:17, 26 May 2015 by Philip Lacey (talk | contribs)

1 Introduction

At All n One we strive to provide our clients with as secure a system as possible. This document describes All n One's compliance with the UK Government Cloud Security Principles.
See: UK Government Cloud Principles


2 Sections

2.1 1. Data in transit protection

Consumer data transiting networks should be adequately protected against tampering and eavesdropping via a combination of network protection and encryption.

All n One utilises SunGard's hosting environment in Parkwest Business Park, Dublin. In this environment SunGard use Cisco 5510 firewalls for network protection and CentOS virtual load balancers that negotiate TLS, so we can offer TLS 1.2 to users running current browsing software and older TLS versions for legacy software (IE6 etc.). We also carry out vulnerability tests to ensure All n One's cloud security.


2.2 2. Asset protection and resilience

Consumer data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

The client data we store is held on our database servers in SunGard's secure Parkwest facility. SunGard's facility entry processes and procedures include a sign-in/sign-out policy, so unauthorised individuals are not permitted access to our servers. A visit to SunGard can only be authorised by two members of our staff. Storing our data in this secure facility allows us to mitigate against tampering, loss, damage or seizure. We also use BitLocker encryption (256-bit key) on our database servers so that client data is encrypted at rest. We are also fully compliant with the Irish Data Protection Act, and client data is deleted once it is older than our back-up retention scope.
See: Data Protection and Data Retention


2.3 3. Separation between consumers

Separation should exist between different consumers of the service to prevent one malicious or compromised consumer from affecting the service or data of another.

All instances of the service are segregated by client, so one client's instance of the software cannot access any data from another client's system. As the system is a SaaS solution, consumers of the same system must log in using separate usernames and passwords. All user events are stored in log files, so all colleague activity can be reviewed.


2.4 4. Governance framework

The service provider should have a security governance framework that coordinates and directs their overall approach to the management of the service and information within it.

All n One is 80% compliant with ISO 27001 and COBIT 5, and currently requires an external audit for validation. Our hosting infrastructure is ISO 27001 compliant, which shows that SunGard AS Ireland has developed and implemented a best-in-class information security management system (ISMS) for itself and its customers.
See: bxp software in Sungard


2.5 5. Operational security

The service provider should have processes and procedures in place to ensure the operational security of the service.

All n One is 80% compliant with ISO 27001 and COBIT 5, and currently requires an external audit for validation. Company policies and procedures are stored on a secure internal network. All n One also provides the public with a company wiki that gives information on the service. Our hosting infrastructure is ISO 27001 compliant, which shows that SunGard AS Ireland has developed and implemented a best-in-class information security management system (ISMS) for itself and its customers.
See: Introduction to bxp security


2.6 6. Personnel security

Service provider staff should be subject to personnel security screening and security education for their role.

All colleagues are screened through our HR interview process. All n One strives to provide its colleagues with the safest and most enjoyable environment. All colleagues are trained in their field of expertise and are also required to complete a data protection course annually to mitigate against any accidental data loss or data exposure.


2.7 7. Secure development

Services should be designed and developed to identify and mitigate threats to their security.

All n One completes vulnerability scans on our service and network in order to find issues to mitigate against. This gives us the high level of security expected by industry standards.
See: bxp security and testing


2.8 8. Supply chain security

The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to implement.

Our software is hosted in a third-party data centre provided by SunGard. Additional information is available on the linked page.
See: bxp software in Sungard


2.9 9. Secure consumer management

Consumers should be provided with the tools required to help them securely manage their service.

Clients of the service are asked to nominate a security champion for our SaaS service. This member of staff can use enhanced security features to manage their instance of bxp software (All n One's software). With this, the client can manage authentication and separation of access control within the interface.
See: bxp system access management


2.10 10. Identity and authentication

Access to all service interfaces (for consumers and providers) should be constrained to authenticated and authorised individuals.

All n One uses the latest TLS technology to provide our clients with the most secure login possible. By using Google's password strength meter API we can also reject passwords that are not rated "Best" by Google's standards. We also provide the ability to restrict login attempts so that they only succeed from a particular IP address or range of IP addresses. To manage our hosted servers, All n One can create a secure, encrypted VPN connection to SunGard AS.


2.11 11. External interface protection

All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks through them.

All n One completes vulnerability tests on all aspects of the service provided. This is done in order to find vulnerabilities that can then be mitigated against, providing a more secure service.
See: bxp security and testing


2.12 12. Secure service administration

The methods used by the service provider's administrators to manage the operational service should be designed to mitigate any risk of exploitation that could undermine the security of the service.

At All n One we review log files from the service and offer a full audit trail service to our clients. In our hosting environment SunGard mitigate against any DDoS or networking attacks through


2.13 13. Audit information provision to consumers

Consumers should be provided with the audit records they need to monitor access to their service and the data held within it.

All n One provides clients with a full audit trail of actions completed on their instance of the service.
See: bxp audit logs


2.14 14. Secure use of the service by the consumer

Consumers have certain responsibilities when using a cloud service in order for this use to remain secure, and for their data to be adequately protected.

All n One provides training on bxp software to any client who signs up to the service. In this training All n One shows the client how to use the system and how to control the security aspects of the service for their users. The client can also turn on controls over what a particular user can access, so that sensitive data can be hidden from a standard colleague.