ZyLAB delivers a SaaS solution through its partner data center provided by Interoute and through Microsoft Azure.

Transcription

1 Security In today s world, the requirement to focus on building secure solutions and infrastructure has become an important part of the value that businesses deliver to customers and resellers. This document describes the security measures ZyLAB* and its partners have implemented to mitigate risks of unauthorized access to systems and data. Partnering with the best of breed ZyLAB delivers a SaaS solution through its partner data center provided by Interoute and through Microsoft Azure. About Microsoft Azure Microsoft Azure is a collection of integrated cloud services to build, deploy and manage applications through Microsofts global network of data centres. For Microsoft Azure security, Microsoft maintains and updates its security information through its corporate website: About Interoute Interoute is the owner and operator of Europe's largest cloud services platform and an international telecommunications service provider. The datacenters are located in multiple European cities (Amsterdam, Berlin, Geneva, Paris, Madrid, Milan and London). Compliant with the ISO/IEC 27001, ISO 20000, PCI DSS and ISAE 3402/SSAE 16 certifications. 3-TIER. Redundancy: power, network, hardware, internet and storage. Virtual Servers/ Storage Built on Interoute's self-owned MPLS-based fibre network. This allows them to implement a trusted and efficient MPLS VPN security model to protect our customer's data. The physical storage is RAID-configured to provide fault tolerance in the event of drive failure. The RAID configuration also natively spreads data across multiple spindles to maximize performance. * see last page of documents to read more about the legal entities delivering our SaaS Services

2 Interoute employees do not have direct access to the Systems and Information. As ZyLAB s Service provider they maintain the continuity of the hardware and infrastructure on which the ZyLAB systems are hosted. The procedures for accessing the premises of Interoute are: Customers granted physical access to Interoute s Data Centre s must comply with site access procedures, codes of conduct and operations processes. All customers use of Interoute services, facilities and operations must comply with stated contractual obligation to adhere to Acceptable Use Policy, as identified in applicable contract conditions and service schedules. The exchange of information and data between Interoute and customers will be controlled by contracted confidentiality clauses or non-disclosure agreements, and in compliance to Interoute policies and operations procedures. Physical site access will be controlled through Interoute Corporate Physical Security Policy, codes of conduct, and associated operations procedures. Interoute s ISO security management system, service security controls, security policies and operations procedures will protect Confidentiality, Integrity and Availability of Interoute and customer data and assets. Logical and physical access management controls, inclusive of user and password management, authorization permissions, termination and compliance of access permissions will be controlled and audited on a regular basis. Security Incident Management processes to report, log, respond and resolve to security incidents and impact Interoute operations, services and technology platforms will be maintained and reviewed. For Interoute security, Interoute maintains and updates its security information through its corporate website: Operational measures Roles and Responsibilities Security Administration of ediscovery is being managed by ZyLAB Operations (ZyLAB). Customer data is stored on a selected partner data center, employees of the partner data center do not have file (logical) access to the data sets. Platform Management Server storage is managed by partner data center, the solution is managed by ZyLAB Operations. The solution can only be accessed through a secured and managed VPN-connection. Pre-employment screening All Operations employees require a certificate of conduct, which the Dutch State Secretary for Security and Justice declares that the applicant did not commit any criminal offences that are relevant to the performance of his or her duties. Were applicable, an AIVD screening (conducted by the General Intelligence and Security Service of the Netherlands), may be provided.

3 Data in Transit ESI on data carrier ZyLAB will receive ESI on an encrypted data carrier (USB or Hard drive; customer will be responsible for data encryption) and will confirm the customer with a Data Receipt report (Chain of Custody). The received data will be copied to an encrypted VHDX and then uploaded to the processing environment by SFTP or FTPES. The data carrier will be logged and then stored securely in a physical vault. Physical paper files In the event that paper file digitization/scanning services are performed by ZyLAB, the digital results will be stored directly on its platform through secure SFTP / FTPES upload. ESI upload If the customer wishes to upload ESI directly to the processing environment, ZyLAB will create SFTP/FTPES credentials and send the FTP information by and the password by SMS. User Access Control User Management ZyLAB will provide the Users Account based on the delivered project requirements. The administration of the users is maintained by ZyLAB in cooperation with customer s responsible project contact. The username is send by and the password by sms. Password regime ZyLABs password policy is applicable: The setting of the password requires at least 8 characters and need 3 of 4 of the following: number, symbol, uppercase and lowercase. Use of secure SSL and applied key length Users logon via the SSL-protected portal, 2048-bit encryption. Two factor authentication After the user logs on with its credentials, the user will receive a Onetime Password through SMS. After verification, the user is granted access to the Legal Review Platform. Time out session To protect against unauthorized access, the web access session will automatically time out after a period of inactivity. IP Filtering Upon request, ZyLAB may activate IP filtering. Authorization on (system) files and system utilities Users do not have direct access control to the data. Depending on the user role and security, the users will be able to review documents through the ZyLAB Legal Review web interface. The access permission is read-only on the data and read/write on the TAGS (metadata).

4 Change Management Procedures Change management and maintenance ZyLAB administrators perform changes to cloud infrastructure, operating software and product software to maintain operational stability, availability, security and performance of the ediscovery environment. ZyLAB follows formal change management procedures to provide the necessary review, testing, and approval of changes prior to a roll out in the production environment. Change Management procedures include management of regular and ongoing application upgrades, updates and coordinated customer specific changes where required, and system and service maintenance. ZyLAB tries to avoid service interruption where possible. Where an anticipated change will require the application service to be unavailable during the change maintenance period, ZyLAB will work to provide prior notice of the anticipated impact. Application upgrades and updates Patches and updates are tested and implemented by ZyLAB. Security Patches are to be incorporated within one month after publication data. Legal Review Legal Review Platform Typically, each project will be hosted in a separate review platform. A dedicated virtual review server will be reserved for the Project. All processes for storage of data, processing of data and reviewing of data will run within a dedicated project environment. Customers have their own Active Directory (AD) group. Using separated processing /review platforms ZyLAB is able to provide the most secure setup and provide the best performance during review. Data encryption The data is not encrypted on the storage disks. If required, ZyLAB can encrypt the data on OS level but it can have an impact on backups and performance of the document review. PEN test Latest PEN test, which has been performed by Digital Investigation B.V. (Hilversum, The Netherlands), has been successfully passed in October Project termination Upon project completion, a written approval is required to start the data removal. After approval all project data (source and processed) will be removed from the systems. In parallel, a removal from the back up media is planned. This removal includes the delay of removal from daily/weekly/monthly back up media. After this cycle all data is removed definitive.

5 Availability Platform availability By default, the solution is not mirrored (this can be offered upon request). In case of a disaster, the solution may be recovered with system back-ups and snapshots. In case of a malfunction, ZyLAB will immediately commence efforts to recover the solution, 7x24x365. Hours of operation The solution is designed to be available 24 hours a day, 7 days a week and 365 days a year, except during system maintenance periods and technology upgrades. Disaster recovery plan Storage: Snapshots are taken every 4 hours, and these snapshots are kept for 2 days. One daily snap-shot is retained for a week. A further snapshot is taken weekly and kept for a month. By default, the snapshots will reside within the same data center. It is also possible to hold the snapshots in another data center. SQL: Differential backups are taken every hour and are kept until the daily full backup has been made. Every day a full backup will be made and the last 5 backups are kept. Recovery Time Objective (RTO); How fast can business process resume? SQL: 1 hour. Legal Review server: 2 hours. Storage: this depends of the volume size of the disk. On average it will be 50 GB per hour of recovering time. Recovery Point Objective (RPO); How many hours of data loss is expected? Storage: 4 hours. SQL: 1 hour. Monitoring ZyLAB has a standard set of events that are logged and monitored. Examples of such events are: CPU, Memory, disk storage and connectivity. Processes or services. Creating, deleting of a virtual server. Tagging, downloading, deleting of a document in Legal Review. Provisioning users. Accessing the Review environment. Antivirus ZyLAB does not use antivirus software. The reason is that antivirus software puts identified documents in quarantine. This means that these documents will not be accessible by the customer

6 and could potentially generate an error. Understanding the limitations, antivirus software can be used at the discretion of the customer. Access control to premises and facilities Datacenter Security Administration of the solution is managed by ZyLAB. Although the (customers) data are stored on a partner data center the employees of the data center do not have access to the data sets. They can perform backup and restore of virtual hard disk but never have access to the files within the virtual hard disk. About ZyLAB ZyLAB SaaS services are provided through the following entities: ZyLAB Headquarters United States Servicing the North America region ZyLAB DCS USA LLC 7918 Jones Branch Drive McLean, VA United States of America ZyLAB Headquarters EMEA & APAC Servicing the Europe, Middle East, Africa and Asia Pacific regions ZyLAB ediscovery & Compliance Services (DCS) BV Hoogoorddreef BA Amsterdam, the Netherlands The Afrika" building is a secured and locked location; no unauthorized entrance is permitted. Reception personnel is present at the ground floor, controlling locked entrance of visitors during office hours (Monday to Friday, 07:00 18:00 hrs). On workdays after 18:00 hrs and during the weekend or Bank Holidays, security personnel is present covering the Atlas Arena premises. The ZyLAB office is a locked and secured location within the Afrika" building. Reception personnel is present during office hours. The ZyLAB ediscovery & Compliance Services (DCS) BV office is located in a restricted area within the premises of the Amsterdam headquarters, protected by electronic keys, automatic locks and alarm system.