Anonymous, bureaucrat, administrator
7,528
edits
Changes
no edit summary
''Consumer data transiting networks should be adequately protected against tampering and eavesdropping via a combination of network protection and encryption.''
''Consumer data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.''
''Separation should exist between different consumers of the service to prevent one malicious or compromised consumer from affecting the service or data of another.''
''The service provider should have a security governance framework that coordinates and directs their overall approach to the management of the service and information within it.''
''The service provider should have processes and procedures in place to ensure the operational security of the service.''
''Service provider staff should be subject to personnel security screening and security education for their role.''
All colleagues are screened though our HR interview process. All n One strives to provide its colleagues with the safest most enjoyable environment and all HR processes are compliant with the data protection act of Ireland. All colleagues are trained in their field of expertise and are also required to complete a data protection course annually to mitigate against any accidental data loss or data exposure. For more information on our HR and operational processes view - [[Security_-_Start_Here#Human_Resource_Procedures]]
== Secure development ==
''Services should be designed and developed to identify and mitigate threats to their security.''
For all key bxp operations only All n One staff and SunGard are included. Our software is hosted in a 3rd party data center, provided by SunGard. All other partners are not involved directly in operation or provision of data service. Our other partners include Continuum, NB1 Consult Limited and Sheehan & Associates Accountantsfor other roles such as sales and marketing.. Additional information can be found here - [[All_n_One_Partners_and_Suppliers]]
Clients of the service are told to nominate a security champion for our SaaS Service. This member of staff will be able to use enhanced security features to manage their instance of bxp software (All n One's software). With this the client should be able to manage authentication and separation of access control within the interface. The system champion will also be able to run reports on the actions of users on their instance of bxp through the audit trail functionality.[[User_Profiling_-_Start_Here]] . bxp software also provides a means for data protection automation which can be viewed from the following link - [[Data_Protection_and_Data_Retention]] We also provide a live security notice board and information resource for our clients to refer to in real time. [[Bxp_Client_Dashboard_Report]]
All n One utilises the latest in TLS technology to provide our clients with the most secure login possible. By utilizing Google's password strength meter API we also have the ability to reject passwords not considered to be "Best" by Google's standards. We also provide the ability to lock down login attempts to only be successful from a particular IP of range of IP's. In order for All n One to manage our hosted servers we have created a secure encrypted VPN connection with SunGard AS. The office in which the operations team work on bxp software development is also fully secured with the latest intevo security system from Kantech which was installed by ADT. - [[Bxp_-_Ballymount_Security]] There are a significant number of security configurations possible which are detailed here in our security matrix of options. [[CC-2-1_Security_and_Custom_Interface_configuration#Matrix]]
All n One complete vulnerability tests on all aspects of the service provided. This is done in order to find vulnerabilities that can then be mitigated against to provide a more secure service. We also provide an API for the software (BEAPIbxp api) which allows third party systems to interact directly with bxp software. The BEAPI bxp api will not grant access by default. It requires EXPLICIT IP address declaration to grant any form of access or engage in any communication. [[Bxp_API]]
''The methods used by the service provider’s administrators to manage the operational service should be designed to mitigate any risk of exploitation that could undermine the security of the service.''
At All n One we review log files from the service and offer a full audit trail service to our clients for their instances. [[Bxp_-_Audit_Logs]]
''Consumers have certain responsibilities when using a cloud service in order for it to remain as secure as possible and for their data to be adequately protected.''
We provide a set of guidelines to promote the secure using of our service to these users. The following link has the guidelines for bxp usage - [[You_and_your_bxp]]