Difference between revisions of "Security - Start Here"

From All n One's bxp software Wixi

Revision comparison, (Standards and Laws) to (SOX 404 and SAS-70):

Heading changed from
=== SOX 404 and SAS-70 ===
to
=== SOX 404 / SAS-70 and ISAE3402 ===

Paragraph added after "All n One has not sought an SAS-70 to date but can deliver where a Patron requires.":
All n One has begun investigating the possibilities of implementing a process to produce ISAE 3402 reports. This is a current venture for All n One.

Unchanged categories: [[Category:Topic:Security]] [[Category:Topic:Start Here]]

Revision as of 10:43, 13 June 2016

1 Overview

Security is an enormous aspect of bxp software (bxp) and an enormous field with many questions and often very detailed answers. This area of our Wixi is designed to help you navigate to the answers we feel best address your questions. The areas, lists and answers have been compiled from numerous security surveys, questionnaires and audits we have received since 2005.


The first challenge that we have as an organisation is how much information to release to the public domain whilst still being seen to be helpful / co-operative. To this end, if operationally sensitive information is required, it can be released to you under Non-Disclosure Agreement, but is not available in this Wixi or its supporting documents.


2 Contracts

All n One Limited [hereafter referred to as All n One] is the company that supplies the software as a service solution called bxp software [hereafter referred to as bxp].


2.1 Where do we start?

The first part of any interaction with a client is to put in place a Non-Disclosure Agreement (NDA). The company looking to rent the solution [hereafter referred to as the bxp Client] can use the All n One NDA or ask All n One to review and discuss an NDA of their own.


The NDA means that both parties can be privy to sensitive operational details, secure in the knowledge that they will not be shared.


2.2 How long do I sign up for?

The contracts begin with a three month commitment followed by a monthly rolling contract where the bxp Client is required to provide notice only one month in advance. For some clients this period is too short and the rolling notice can be extended to any amount of time upon contractual agreement.


The reason for this is to provide bxp Clients with the security of knowing that they can take their data at any time and walk away without being tied into a lengthy supplier contract.


2.3 Key Stakeholders

For the purposes of terminology there are a number of key stakeholders involved in the contract process at a minimum.


A Patron in the All n One lexicon is a potential or existing client who is asking All n One to change operational processes / procedures to suit their operational requirements. Patrons enter separate supply agreements in order to cost, manage and ensure the operational change requests. This allows potential and existing clients to adapt to changing law and customer requirements.


From the bxp Client


  • The primary bxp Client: This is the person who signs the contract and authorises payment
  • The primary bxp System Champion: This is the primary operational contact for the bxp Client
  • The primary bxp Human Resources Champion: This is the primary HR contact for the bxp Client
  • The primary bxp Security Champion: This is the primary security contact for the bxp Client


From All n One


  • The Sales Relationship Manager (SRM): This is the primary sales person who helps a bxp Client get up and running and manages all aspects of the relationship up to the point of sale.
  • The Business Development Account Manager (BDAM): When the contract is signed the BDAM takes over to ensure delivery of the contract and manage relationship interactions.
  • The All n One Support Infrastructure: This is the entire infrastructure of the company and how interactions are managed.


2.4 How do I get help?

Please review Understanding_bxp_Support


2.5 What is in the contract?

In summary, the contract outlines the provision of service, the terms and conditions of support, the price and a number of terms and conditions regarding the use of the system. A copy of your contract is available from your System Champion. To view a draft contract please contact your SRM or email us at sales@allnone.ie to obtain a copy.


2.6 Functionality Vs. Content

Within bxp there is a very clear distinction between functionality and content. Functionality is a software function that is able to manipulate content. Content is raw data. The users, customers and any other data that is entered into the system will always remain the property of the bxp Client. The functionality to manipulate and interact with that data is the intellectual property of All n One.


One area that is often called into question is custom JavaScript developed for a client. If the code is in a standard bxp library available to all clients then it remains the property of All n One. If the code is loaded into a form or custom uploaded library within a bxp Client instance then it is considered content and belongs to the bxp Client.


  • All functionality belongs to All n One
  • All content belongs to the bxp client


For further reading : Function_Vs._Content


2.7 Encryption

Data is encrypted at every point; even data at rest is encrypted. See Bxp_-_End_to_End_encryption_and_High_Availability


bxp encourages clients to use TLS 1.2. See Security_-_TLS_Status

3 System Review tools

bxp has a number of mechanisms to allow a client to manage their security needs.


The two primary security tools that are provided by All n One are:


bxp has the ability to integrate with a number of Security Event Management solutions. See Bxp_and_Security_Event_Management_solutions


For a list of the most directly used security reports see Reporting_-_Security_Reports


bxp has an extensive set of Audit Logs for security review purposes. See Bxp_-_Audit_Logs


There are a number of articles relating to the security capabilities of the system and their associated reports.


4 Standards and Laws

  • All n One Limited is an Irish company with operations residing completely in Ireland and under Irish Law.
  • All n One Limited is registered with the Data Protection Commissioner of Ireland [1]
  • All n One Limited as an Irish company is also subject to European Law
  • The All n One sales operation is delivered globally.
  • The All n One support operation is operated from Ballymount, Dublin exclusively
  • The bxp firewalls, switches and data servers are hosted on All n One dedicated equipment in Sungard in Parkwest, Dublin.
  • The bxp web servers and load balancers are hosted in secured virtualised environment in Sungard in Parkwest, Dublin.
  • With contract provisions, a secondary mirroring site can be provided in Sungard's secondary site in Clonshaugh, Dublin.
  • All client owned content is kept with the Parkwest infrastructure.
  • All n One's nearest Garda Station is Tallaght Garda Station, Belgard Walk, Tallaght, Dublin 24, Ireland on +353 1 666 6000
  • The Garda Bureau of Fraud Investigation (GBFI) also includes the Computer Crime Investigation Unit http://www.garda.ie/Controller.aspx?Page=29 on +353 1 6663776


For the above reasons, and for reasons of physical security, operational support and intellectual property protection, bxp cannot be installed on client equipment or in client premises and can only ever be accessed securely through the Internet. bxp does however support references to local client data. For example, in eLearning or message-to-staff scenarios, bxp can present URLs or links such as \\OurLocalServer\Important\Info\file123.docx; bxp can then be used by the organisation, but the link will only work when the data is available locally to the machine. Further examples are used in Quality Assurance when the phone / call recordings are stored locally and only the reference is loaded into bxp. This way large volumes of call data do not need to be transferred into bxp.


4.1 Data Protection and Data Retention

For more information on this area please see Data_Protection_and_Data_Retention


4.2 ISO 27001

Currently All n One does not have ISO 27001 accreditation. All n One are currently implementing the standard. All n One are seeking accreditation with a view to it being in place by the end of Q1 2015. http://en.wikipedia.org/w/index.php?title=ISO27001


For obvious security reasons our ISMS is not a matter of public record; however, our ongoing operational processes and procedures deliver our Plan-Do-Check-Act cycles.


4.3 ISO 9001

All n One is not currently ISO 9001 accredited. Though the majority (estimated 70% as of October 2014) of our processes and procedures are documented, All n One would require a Patron before seeking accreditation.

http://en.wikipedia.org/wiki/ISO_9000#Contents_of_ISO_9001


4.4 PCI DSS

Currently All n One does not have PCI DSS compliance accreditation. All n One operates the implementation of all of the Control Objectives, but is not accredited. All n One are working towards accreditation but require a bxp Client to patron its implementation, as we do not currently have any bxp Client with this requirement.


http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

Control Objectives

  • Build and Maintain a Secure Network
    • 1. Install and maintain a firewall configuration to protect cardholder data
    • 2. Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
    • 3. Protect stored cardholder data
    • 4. Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
    • 5. Use and regularly update anti-virus software on all systems commonly affected by malware
    • 6. Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
    • 7. Restrict access to cardholder data by business need-to-know
    • 8. Assign a unique ID to each person with computer access
    • 9. Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
    • 10. Track and monitor all access to network resources and cardholder data
    • 11. Regularly test security systems and processes
  • Maintain an Information Security Policy
    • 12. Maintain a policy that addresses information security


4.5 ENISA

The objective of ENISA is to improve network and information security in the European Union. The agency has to contribute to the development of a culture of network and information security for the benefit of the citizens, consumers, enterprises and public sector organisations of the European Union, and consequently will contribute to the smooth functioning of the EU Internal Market.


ENISA assists the Commission, the Member States and, consequently, the business community in meeting the requirements of network and information security, including present and future EU legislation. ENISA ultimately strives to serve as a centre of expertise for both Member States and EU Institutions to seek advice on matters related to network and information security.


http://en.wikipedia.org/wiki/European_Network_and_Information_Security_Agency


As part of its work, ENISA has developed the Cloud Computing Information Assurance Framework:

http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance-framework


bxp is delivered against this assurance framework with secure details available to clients through your BDAM.


4.6 OWASP

The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The OWASP Foundation is a 501(c)(3) charitable organization that supports and manages OWASP projects and infrastructure. It is also a registered non profit in Europe since June 2011. http://en.wikipedia.org/wiki/OWASP


https://www.owasp.org/index.php/Main_Page


One of the projects delivered by OWASP is the Top 10 Project. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project


bxp is tested against the Top 10 on a monthly basis.


4.7 W3C XHTML Compliance

The whole of bxp uses XHTML 1.0 as the document standard. For this reason, we validate against the W3C XHTML 1.0 standard.


For further information on this standard http://en.wikipedia.org/wiki/World_Wide_Web_Consortium


The W3C validator checks the markup validity of Web documents in HTML, XHTML, SMIL, MathML, etc. http://validator.w3.org/


4.8 WAI Accessibility Compliance

"The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect." (Tim Berners-Lee, W3C Director and inventor of the World Wide Web)


All n One emulates these ideals by including the guidelines in all aspects of the design, development and implementation of bxp. http://www.w3.org/standards/webdesign/accessibility


4.9 TIA-942

The Telecommunications Industry Association (TIA) publishes TIA-942, the Telecommunications Infrastructure Standard for Data Centers. http://en.wikipedia.org/wiki/Data_center


Details of the standard are available from https://global.ihs.com/doc_detail.cfm?&rid=TIA&input_doc_number=TIA-942&item_s_key=00414811&item_key_date=860905&input_doc_number=TIA-942&input_doc_title=#abstract


There are four tiers of Data Centre within the standard:

  • Tier 1 – basic data center - no redundancy
  • Tier 2 – redundant components - Single distribution path with redundant components
  • Tier 3 – concurrently maintainable - Multiple distribution paths with only one active
  • Tier 4 – fault tolerant - Multiple active distribution paths


Although not certified to any tier of this standard, Sungard delivers to Tier 4. For more information please review bxp_software_in_Sungard

4.10 COBIT

http://en.wikipedia.org/wiki/COBIT


Control Objectives for Information and Related Technology (COBIT) is a framework created by ISACA for information technology (IT) management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.


All n One's Infrastructure department is currently working towards its COBIT accreditation.


4.11 ITIL

http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library


ITIL (formerly known as the Information Technology Infrastructure Library) is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. In its current form (known as ITIL 2011 edition), ITIL is published as a series of five core volumes, each of which covers a different ITSM lifecycle stage. Although ITIL underpins ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, the two frameworks do have some differences.


All n One's Infrastructure department is currently working towards its ITIL accreditation.


4.12 G Cloud

The UK Government G-Cloud is an initiative to ease the procurement, by public-sector bodies in departments of the United Kingdom Government, of commodity information technology services that use cloud computing.


All n One is G Cloud compliant.


4.13 HR policies

http://www.peninsulagrouplimited.com/ie/


All n One works with Peninsula on the creation of HR policies within the business.


Proof of Peninsula Business Services involvement within All n One can be found at http://www.bxpsoftware.com/wixi/index.php?title=HR_Policies

5 Physical Infrastructure

For more information on the bxp infrastructure see The_bxp_Infrastructure


For more information on the physical hosting of bxp see bxp_software_in_Sungard


For more information on bxp capacity and load management see Bxp_Infrastructure_Capacity


For more information on bxp continuity of service see Bxp_and_Business_Continuity

6 Logical Infrastructure

For more information on the logical structure of the bxp system see Bxp_-_Logical_Structure

7 Operational Procedures

For more information about backups and backup procedures please see Bxp_Backups


All n One are not responsible for the content in a bxp Client system. It is important for the bxp Security Champion to be aware of their operational requirements, especially around the areas of Data Protection and Retention. For this reason All n One have prepared guidelines and support documents to assist a System Champion in this area. See Data_Protection_and_Data_Retention


It is important for a bxp Client's System Champion to be aware of all the security options and configurations available. These are introduced in the training document CC-2-1 Security and Custom Interface configuration, available from Contact_Centre_Training


For more information on how All n One perform bxp testing and security testing see Bxp_Security_and_Testing


All n One manage all client data from a single centralised location: 48 / 49 Western Parkway Business Park, Lower Ballymount Road, Dublin 12, D12 DK49. This site operates a number of security processes and procedures to ensure operational security. See Bxp_-_Ballymount_Security

8 Human Resource Procedures

All members of staff are interviewed and reviewed at directorial level. Numerous HR processes are applied in their interviews. The Data Protection Act of Ireland is closely watched and applied to all our HR practices. http://www.dataprotection.ie/docs/Data-Protection-in-the-Workplace/1239.htm


Monthly reminders and daily operational procedures provide constant reinforcement of Data Protection requirements.


As per Irish Law, vetting is only permitted on staff who work with children and / or vulnerable adults. Consequently, police vetting is not possible. As part of the HR and recruitment policies, reference checks are performed as standard.


All All n One staff are held to the same high standards of operation regardless of role.


For more information on our team see Meet_the_Team


At no point is development outsourced, in order to maintain the highest possible levels of security and integrity of the framework. Outsourcing of design, marketing and accounts is done through our partners but this never includes code development of the framework. All_n_One_Partners_and_Suppliers

9 UK FAQs

  • Have you or any company in your Group ever had an ICO audit, enforcement notice, signed any undertaking with the ICO or been fined for a breach of Data Protection or Privacy & Electronic Communications Regulations?


All n One and bxp have never been subject to any investigation, nationally or internationally.


All n One has not sought an ICO audit to date but can deliver where a Patron requires.


10 US FAQs

10.1 HIPAA and HITECH

bxp software has not been applied to HITECH requirements but can deliver where a Patron requires.


10.1.1 HIPAA

http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act


One of the goals of the Health Insurance Portability and Accountability Act (HIPAA), signed into US law in 1996, was to ease the ability for workers to continue their healthcare insurance coverage when moving from one provider to another, for example, when moving between jobs. To help ensure uninterrupted coverage for patients under HIPAA regulations, healthcare organizations needed the ability to share medical records efficiently and reliably.


To facilitate the efficient transfer of records, the bill set forth standardized terminology and Electronic Data Interchange (EDI) code sets. This standardization further pushed the migration of paper-based records to electronic medical records. But the ease of transferring patient information electronically also increased the risk of private data being inadvertently exposed to unauthorized parties. To address this, legislators developed security mandates to address privacy issues within HIPAA covered entities.


There are three parts of the HIPAA privacy regulations and compliance policy that IT professionals should be focused on:

  • HIPAA EDI Rule (162.1000) - HIPAA establishes standards for health information technology and the use of electronic code sets. The standardization of healthcare terminology was required to eliminate confusion among providers and insurers.
  • HIPAA Security Rule (164.306) - HIPAA establishes safeguards to protect the confidentiality, integrity, and availability of the electronic protected health information (ePHI) that covered entities create, receive, maintain, and transmit.
  • HIPAA Privacy Rule (164.502) - HIPAA requires healthcare organizations to protect protected health information (PHI) and defines the allowable uses and disclosures of PHI in contrast to "de-identified" health information.


10.1.2 HITECH

http://en.wikipedia.org/wiki/Health_Information_Technology_for_Economic_and_Clinical_Health_Act


HITECH (Health Information Technology for Economic and Clinical Health)


In 2009, as part of an effort to stimulate the U.S. economy, $787 million was allocated with the American Recovery and Reinvestment Act (ARRA), which included legislation to broaden the scope of HIPAA, while also giving investigators direct monetary incentives for levying fines. The HIPAA-specific aspects of the ARRA are found in the Health Information Technology for Economic and Clinical Health (HITECH) Act.


The three major areas of change brought about by HITECH regulations are:


1. Reach

  • Before: Covered Entities: healthcare organizations
  • Now with HITECH regulations: Covered Entities: expanded to business associates

2. Notification

  • Before: Loose notification requirements
  • Now with HITECH regulations: Strict notification requirements – 60 days requirement + public notice on website (and notifying HHS)

3. Economics

  • Before: 2003-2008 – 31,000 cases reported, no one fined; in 2009, CVS fined $2.25 M
  • Now with HITECH regulations: Fines up to $1.5 M / year; regulators at HHS now benefit directly from fines levied (significant uptick in fines)


10.2 SOX 404 / SAS-70 and ISAE3402

This is a US-based financial auditing control. http://sas70.com/sas70_SOX404.html


All n One has not sought an SAS-70 to date but can deliver where a Patron requires.

All n One has begun investigating the possibilities of implementing a process to produce ISAE 3402 reports. This is a current venture for All n One.