Security - Start Here
1 Overview
Security is an enormous aspect of bxp software (bxp) and an enormous field, with many questions and often very detailed answers. This area of our Wixi is designed to help you navigate to the answers we feel best address your questions. The areas, lists and answers have been compiled from the numerous security surveys, questionnaires and audits we have received since 2005.
The first challenge we have as an organisation is deciding how much information to release into the public domain whilst still being seen to be helpful and co-operative. To this end, if operationally sensitive information is required, it can be released to you under a Non-Disclosure Agreement, but it is not available in this Wixi or its supporting documents.
2 Contracts
All n One Limited [hereafter referred to as All n One] is the company that supplies the software-as-a-service solution called bxp software [hereafter referred to as bxp].
2.1 Where do we start?
The first part of any interaction with a client is to put in place a Non-Disclosure Agreement (NDA). The company looking to rent the solution [hereafter referred to as the bxp Client] can use the All n One NDA or ask All n One to review and discuss an NDA of their own.
The NDA means that both parties can be privy to sensitive operational security details, secure in the knowledge that they will not be shared.
2.2 How long do I sign up for?
The contracts begin with a three-month commitment followed by a monthly rolling contract, where the bxp Client is required to give only one month's notice. For some clients this period is too short, and the rolling notice period can be extended to any length of time upon contractual agreement.
The reason for this is to give bxp Clients the security of knowing that they can take their data at any time and walk away without being tied into a lengthy supplier contract.
2.3 Key Stakeholders
For the purposes of terminology, the following key stakeholders are, at a minimum, involved in the contract process.
From the bxp Client
- The primary bxp Client: the person who signs the contract and authorises payment
- The primary bxp System Champion: the primary operational contact for the bxp Client
- The primary bxp Human Resources Champion: the primary HR contact for the bxp Client
- The primary bxp Security Champion: the primary security contact for the bxp Client
From All n One
- The Sales Relationship Manager (SRM): the primary sales person who helps a bxp Client get up and running and manages all aspects of the relationship up to the point of sale
- The Business Development Account Manager (BDAM): when the contract is signed, the BDAM takes over to ensure delivery of the contract and to manage relationship interactions
- The All n One Support Infrastructure: the entire infrastructure of the company and how interactions are managed
2.4 How do I get help?
Please review Supporting_Business_Express
2.5 What is in the contract?
In summary, the contract outlines the provision of service, the terms and conditions of support, the price and a number of terms and conditions regarding the use of the system. A copy of your contract is available from your System Champion. To view a draft contract please contact your SRM or email us at sales@allnone.ie to obtain a copy.
2.6 Functionality Vs. Content
Within bxp there is a very clear distinction between functionality and content. Functionality is a software function that is able to manipulate content. Content is raw data. The user, customer and any other data entered into the system always remains the property of the bxp Client. The functionality to manipulate and interact with that data is the intellectual property of All n One.
One area that is sometimes called into question is custom JavaScript developed for a client. If the code is in a standard bxp library available to all clients, it remains the property of All n One. If the code is loaded into a form or a custom uploaded library within a bxp Client instance, it is considered content and belongs to the bxp Client.
- All functionality belongs to All n One
- All content belongs to the bxp client
For further reading : Function_Vs._Content
3 Standards and Laws
- All n One Limited is an Irish company with operations residing completely in Ireland and under Irish Law.
- All n One Limited is registered with the Data Protection Commissioner of Ireland [1]
- All n One Limited as an Irish company is also subject to European Law
- The All n One sales operation is delivered globally.
- The All n One support operation is operated exclusively from Ballymount, Dublin.
- The bxp firewalls, switches and data servers are hosted on All n One dedicated equipment in Sungard in Parkwest, Dublin.
- The bxp web servers and load balancers are hosted in a secured virtualised environment in Sungard in Parkwest, Dublin.
- With contract provisions, a secondary mirroring site can be provided in Sungard's secondary site in Clonsaugh, Dublin.
- All client owned content is kept with the Parkwest infrastructure.
For the above reasons, and for reasons of physical security, operational support and intellectual property protection, bxp cannot be installed on client equipment or in client premises and can only ever be accessed securely over the Internet. bxp does, however, support references to local client data. For example, in eLearning or message-to-staff scenarios, bxp can present URLs or links such as \\OurLocalServer\Important\Info\file123.docx; bxp can then be used by the organisation, but the link will only resolve when the data is available locally to the user's machine. A further example is Quality Assurance, where phone/call recordings are stored locally and only the reference is loaded into bxp. This way, large volumes of call data do not need to be transferred into bxp.
3.1 Data Protection and Data Retention
For more information on this area please see Data_Protection_and_Data_Retention
3.2 ISO 27001
Currently All n One does not hold ISO 27001 accreditation. All n One are implementing the standard and seeking accreditation, with a view to it being in place by the end of Q1 2015. http://en.wikipedia.org/w/index.php?title=ISO27001
3.3 PCI DSS
Currently All n One does not hold PCI DSS compliance accreditation. All n One implements all of the Control Objectives but is not accredited. All n One are working towards accreditation but require a bxp Client to patron its implementation, as we do not currently have any bxp Client with this requirement.
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
Control Objectives
- Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
- Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
3.4 ENISA
The objective of ENISA is to improve network and information security in the European Union. The agency has to contribute to the development of a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, and consequently will contribute to the smooth functioning of the EU Internal Market.
ENISA assists the Commission, the Member States and, consequently, the business community in meeting the requirements of network and information security, including present and future EU legislation. ENISA ultimately strives to serve as a centre of expertise for both Member States and EU Institutions to seek advice on matters related to network and information security.
http://en.wikipedia.org/wiki/European_Network_and_Information_Security_Agency
As part of ENISA's work they have developed
bxp is delivered against this assurance framework, with the secure details available to clients through your BDAM.
3.5 OWASP
The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure. It has also been a registered non-profit in Europe since June 2011. http://en.wikipedia.org/wiki/OWASP
https://www.owasp.org/index.php/Main_Page
One of the projects delivered by OWASP is the Top 10 Project. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
bxp is tested against the Top 10 on a monthly basis.
3.6 W3C XHTML Compliance
The whole of bxp uses XHTML 1.0 as the document standard. For this reason, we validate against the W3C XHTML 1.0 standard.
For further information on this standard http://en.wikipedia.org/wiki/World_Wide_Web_Consortium
This validator checks the markup validity of Web documents in HTML, XHTML, SMIL, MathML, etc. http://validator.w3.org/
3.7 WAI Accessibility Compliance
"The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect." (Tim Berners-Lee, W3C Director and inventor of the World Wide Web)
All n One emulate these ideals by including the guidelines in all aspects of the design, development and implementation of bxp. http://www.w3.org/standards/webdesign/accessibility
3.8 TIA-942
The Telecommunications Industry Association (TIA) publishes TIA-942, the Telecommunications Infrastructure Standard for Data Centers. http://en.wikipedia.org/wiki/Data_center
Details of the standard are available from
https://global.ihs.com/doc_detail.cfm?&rid=TIA&input_doc_number=TIA-942&item_s_key=00414811&item_key_date=860905&input_doc_number=TIA-942&input_doc_title=#abstract
There are four tiers of Data Centre within the standard
- Tier 1 – basic data center - no redundancy
- Tier 2 – redundant components - Single distribution path with redundant components
- Tier 3 – concurrently maintainable - Multiple distribution paths with only one active
- Tier 4 – fault tolerant - Multiple active distribution paths
Although not certified to any tier of this standard, Sungard deliver to Tier 4. For more information please review Business_Express_in_Sungard
3.9 HIPAA and HITECH
bxp software has not yet been applied to HITECH requirements, but can deliver against them where a Patron requires.
3.9.1 HIPAA
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
One of the goals of the Health Insurance Portability and Accountability Act (HIPAA), signed into US law in 1996, was to make it easier for workers to continue their healthcare insurance coverage when moving from one provider to another, for example when moving between jobs. For HIPAA regulations to ensure uninterrupted coverage for patients, healthcare organizations needed the ability to share medical records efficiently and reliably.
To facilitate the efficient transfer of records, the bill set forth standardized terminology and Electronic Data Interchange (EDI) code sets. This standardization further pushed the migration of paper-based records to electronic medical records. But the ease of transferring patient information electronically also increased the risk of private data being inadvertently exposed to unauthorized parties. To address this, legislators developed security mandates to address privacy issues within HIPAA covered entities.
There are three parts of the HIPAA privacy regulations and compliance policy that IT professionals should be focused on:
- HIPAA EDI Rule (162.1000) - HIPAA establishes standards for health information technology and the use of electronic code sets. The standardization of healthcare terminology was required to eliminate confusion among providers and insurers.
- HIPAA Security Rule (164.306) - HIPAA establishes safeguards to protect the confidentiality, integrity, and availability of the electronic protected health information (ePHI) that covered entities create, receive, maintain, and transmit.
- HIPAA Privacy Rule (164.502) - HIPAA requires healthcare organizations to protect protected health information (PHI) and defines the allowable uses and disclosures of PHI, in contrast to "de-identified" health information.
3.9.2 HITECH
http://en.wikipedia.org/wiki/Health_Information_Technology_for_Economic_and_Clinical_Health_Act
HITECH (Health Information Technology for Economic and Clinical Health)
In 2009, as part of an effort to stimulate the U.S. economy, $787 million was allocated under the American Recovery and Reinvestment Act (ARRA), which included legislation to broaden the scope of HIPAA while also giving investigators direct, monetary incentives for levying fines. The HIPAA-specific aspects of the ARRA are found in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The three major areas of change brought about by HITECH regulations are:
1. Reach
  - Before: Covered Entities: healthcare organizations
  - Now with HITECH regulations: Covered Entities: expanded to business associates
2. Notification
  - Before: Loose notification requirements
  - Now with HITECH regulations: Strict notification requirements – 60-day requirement + public notice on website (and notifying HHS)
3. Economics
  - Before: 2003-2008 – 31,000 cases reported, no one fined; in 2009, CVS fined $2.25 M
  - Now with HITECH regulations: Fines up to $1.5 M / year; regulators at HHS now benefit directly from fines levied (significant uptick in fines)
4 Physical Infrastructure
For more information on the bxp infrastructure, see The_bxp_Infrastructure
For more information on the physical hosting of bxp, see Business_Express_in_Sungard
For more information on bxp capacity and load management, see Business_Express_Infrastructure_Capacity
For more information on bxp continuity of service, see Business_Express_and_Business_Continuity
5 Logical Infrastructure
For more information on the logical structure of the bxp system, see Business_Express_-_Logical_Structure
6 Operational Procedures
For more information about backups and backup procedures please see Business_Express_Backups
All n One are not responsible for the content in a bxp Client system. It is important for the bxp Security Champion to be aware of their operational requirements, especially around Data Protection and Retention. For this reason All n One have prepared guidelines and support documents to assist a System Champion in this area; see Data_Protection_and_Data_Retention
It is important for a bxp Client's System Champion to be aware of all the security options and configurations available. These are introduced in the training document CC-2-1 Security and Custom Interface configuration, available from Contact_Centre_Training
For more information on how All n One perform bxp testing and security testing, see Business_Express_Security_and_Testing