CLOUD SECURITY ALLIANCE STAR (SECURITY, TRUST AND ASSURANCE REGISTRY) SUBMISSION FOR THE HYLAND CLOUD

August 2017

About the Cloud Security Alliance

The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the use of cloud computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.

The CSA launched the Security, Trust & Assurance Registry (STAR) initiative at the end of [year omitted in source]. The CSA STAR is the first step in improving transparency and assurance in the cloud. It is a publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.

Hyland places the highest emphasis on delivering secure, reliable cloud solutions and is delighted to be working with the CSA to deliver a transparent mechanism such as STAR to assist customers in their cloud-related decision-making process.
Introduction to the Hyland Cloud

When it comes to cloud deployments, experience matters. With experience comes more functionality, an established history of demonstrated service levels, proven security and a large, active customer community. The Hyland Cloud delivers that experience.

In 2004, Hyland's enterprise content management (ECM) offering, OnBase, was the first mainstream online ECM solution to be deployed in the cloud. Hyland continues to pioneer innovative cloud solutions today. When deployed in the Hyland Cloud, the exact same ECM software is used for 700+ hosted OnBase customers as is used for Hyland's on-premises OnBase deployments. The solution is offered via our world-class hosting environments, located in several locations around the globe.

The Hyland Cloud provides a full technical infrastructure and software platform that allows organizations to harness the power of OnBase without purchasing or managing hardware and software on-premises. The Hyland Cloud provides:

- Full ECM in the cloud with OnBase
- Stringent compliance with ISO 27001:2013, SOC 1, 2 and 3 as well as Privacy Shield standards
- Physical and network security with multiple network layers separated by multiple firewalls
- Burstable bandwidth for maximum upload and download speed
- Three-copy replication management spread across multiple physical locations
- Disaster recovery processes and business continuity commitments
- Software performance optimization including load-balanced application and web servers
- Environment operating system purchase, maintenance and licensing
- Solution availability, optimization and assurance needed to support the OnBase application
- Database software purchase, maintenance and licensing needed to support the OnBase application
- Centralized server management and upgrades

Functionality

When you deploy a cloud-based ECM solution, you don't want to sacrifice functionality. However, many other cloud-based ECM solutions provide less functionality than their on-premises equivalents. Other solutions do not have the flexibility, nor are they advanced enough, to provide a fully featured ECM suite.
This is not the case with OnBase in the Hyland Cloud. Users enjoy full functionality of ECM, capture, business process management, enterprise file sync and share, mobility, integration and case management. It's so seamless that many users don't even realize they are working on systems and data stored in the cloud.

Software

Since 2004, Hyland has offered users the ability to use the OnBase application as a service in the Hyland Cloud. With our hosted offering, customers choose the features and functionality they want, then the OnBase experts create that solution and provide access to it in the cloud. Your OnBase solution is available when and where you need it. In addition, our SLAs provide clear and concise details of available remedies should availability be compromised at any point.

The Hyland Cloud features one of the most powerful server and networking infrastructure topologies in the market. OnBase experts maintain the infrastructure and deploy and upgrade your solution, freeing up your IT resources for other strategic initiatives. Plus, you can change and grow your cloud solution when and how you need to.

Data Center Infrastructure

Worldwide Data Centers

Hyland provides you with complete details of where all copies of your data and systems are stored and operated through a completely transparent data location policy. Customers have a designated primary location in one of Hyland's worldwide data centers, typically the data center physically closest to them (but accommodated to their preferences if necessary). We have data centers across the U.S., as well as in London, England; Amsterdam, the Netherlands; Queretaro, Mexico; Sydney and Melbourne, Australia; and Auckland and Wellington, New Zealand.
Network Infrastructure and Connectivity

The Hyland Cloud maintains access to the global IP backbone via dual-access routers connected to multiple backbone nodes. Back-end connectivity and network service facilities include asynchronous transfer mode (ATM), frame relay and circuit switching. These capabilities provide high-speed internet access with burstable WAN bandwidth as part of the service classes, ensuring your content is uploaded to the system and put to use as quickly as possible.

Private, Managed, Multi-Instance Cloud

The Hyland Cloud provides an environment that delivers high-availability and high-performance ECM in the cloud. Each organization deployed to the Hyland Cloud receives its own instance of the OnBase software. Each solution includes dedicated resources for each customer and their data. In addition, Hyland fully manages critical daily maintenance functions of all infrastructure, hardware and software associated with the environment. This all comes together to create a unique, secure and resilient ECM-in-the-cloud solution.

Environmental Controls

All data centers are equipped with standard computer room environmental systems, including:

- Computer room air conditioning (CRAC) units
- Environmental monitoring system
- Fire detection units
- Fire suppression units
- Water detection system
- Raised floor
- Emergency power off (EPO) switches or equivalent procedures

These controls ensure that the hardware infrastructure running your OnBase solution remains in optimum condition at all times, minimizing the potential for downtime due to equipment failure or environmental incidents.

Compliance

The Hyland Cloud serves more than 700 lifetime customers worldwide, many of whom depend on the solution to meet a number of stringent regulatory demands including HIPAA, GLBA, SOX, SEC 17a-4 and international data sovereignty requirements. The success of the Hyland Cloud is driven by customer trust. Customers entrust the handling of their vital business information and processes to the Hyland Cloud every day. In return, Hyland backs this trust with product certifications and audits undertaken on associated data centers and processes. The Hyland Cloud meets the following certifications and audits:

ISO 27001

ISO 27001 is a globally recognized information security standard that tests an organization's information security risks, taking account of threats, vulnerabilities and impacts. It is considered a coherent and comprehensive suite of information security controls. ISO 27001 certification has been achieved for Hyland's cloud operations in New South Wales, Australia. Expanding this certification scope across Hyland's global footprint is a component of Hyland's compliance roadmap.

SOC 1, 2 & 3

SOC standards are among the most stringent standards of security measurement for an operations center or data center. All Hyland Cloud data centers boast SOC 1, SOC 2 and/or SOC 3 certification. Additionally, Hyland's Cloud Services undertakes SOC 2 and SOC 3 audits annually, and performs quarterly internal audits and ongoing penetration and vulnerability tests.
Security

Physical and Network Security

All Hyland Cloud data centers are staffed by security personnel and covered by surveillance cameras. Hyland limits physical access to pre-authorized staff and visitors, who are provided with access via multifactor authentication that limits them to authorized areas only. Hardware is physically separated from any other hosting provided in the data center and is physically secured using separate cages and locking cabinets. Man traps, air locks, multiple access doors and other security measures prevent unauthorized access. Biometric controls and other cutting-edge technologies are utilized. Access to hardware is via multi-factor authentication.

Network infrastructure components and services such as routing, switching and bandwidth are monitored 24/7. Certified engineers are available to resolve any issues as per the customer's chosen service class. Automated network intrusion monitoring procedures operate 24/7.

Transport Security

Communication between OnBase clients and the Hyland Cloud is encrypted using TLS 1.2 or higher with up to AES-256-bit ciphers, and SSH2. This ensures that content and operations are secure from interference or interception en route.

Power

Hyland provides redundant uninterruptible power supplies (UPS) with multiple modules synchronized to work in unison or independently. Each data center also has multiple, redundant generators to provide alternative power should the electricity fail. The switchover from commercial power to generator power is managed and covered by the UPS system to ensure that there is no loss of power to Hyland Cloud servers.

Application Security

Hyland Cloud users automatically receive access to new version upgrades when they are available. However, no upgrade is performed without customer knowledge, nor are upgrades forced. End users elect when they prefer to upgrade to a more recent version. Upgrades can be performed in such a way that users experience limited downtime. Customers can also request test environments to perform appropriate testing on new versions (or any other aspect of the solution).
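The transport-security statement above (TLS 1.2 or higher, up to AES-256) is a policy a client or an auditor can enforce and verify. The following is an added example, not Hyland's code: it builds a client-side TLS context that refuses anything weaker, and a small checker that classifies negotiated protocol/cipher pairs (as reported by Python's `ssl` module) against that policy. The handshake records at the bottom are constructed sample data, and `probe()` is a hypothetical helper for a live check.

```python
"""Transport-security policy check: TLS 1.2 or higher with AES-256 suites.

Added example (not Hyland's code). The thresholds encode the statement in
the text: TLS 1.2 or higher and AES-256 cipher suites. The handshake records
at the bottom are constructed sample data, not real captures.
"""
import socket
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2
# Protocol strings as returned by ssl.SSLSocket.version(); anything absent
# (SSLv3, unknown) is treated as failing the policy.
_TLS_RANK = {"TLSv1": 10, "TLSv1.1": 11, "TLSv1.2": 12, "TLSv1.3": 13}


def make_client_context() -> ssl.SSLContext:
    """Client-side context that refuses anything older than TLS 1.2 and,
    for TLS 1.2, offers only forward-secret AES-256 suites. TLS 1.3 suites
    are selected separately by OpenSSL and include TLS_AES_256_GCM_SHA384."""
    ctx = ssl.create_default_context()      # certificate + hostname checks on
    ctx.minimum_version = MIN_TLS
    ctx.set_ciphers("ECDHE+AES256:!aNULL:!MD5")
    return ctx


def meets_transport_policy(version: str, cipher: str) -> tuple[bool, str]:
    """Judge a negotiated (protocol, cipher suite) pair.

    `version` is what ssl.SSLSocket.version() returns; `cipher` is the suite
    name from ssl.SSLSocket.cipher()[0], e.g. 'ECDHE-RSA-AES256-GCM-SHA384'
    (TLS 1.2) or 'TLS_AES_256_GCM_SHA384' (TLS 1.3). Returns (ok, reason)."""
    rank = _TLS_RANK.get(version, 0)
    if rank < _TLS_RANK["TLSv1.2"]:
        return False, f"protocol {version!r} is below TLS 1.2"
    # Normalise both naming styles ('AES256' vs 'AES_256') before matching.
    if "AES256" not in cipher.upper().replace("_", ""):
        return False, f"cipher {cipher!r} is not an AES-256 suite"
    return True, "ok"


def audit_handshakes(records: list[dict]) -> list[dict]:
    """Return the records (host, version, cipher) that violate the policy,
    each annotated with the reason, so the list can feed an alert."""
    failures = []
    for rec in records:
        ok, reason = meets_transport_policy(rec["version"], rec["cipher"])
        if not ok:
            failures.append({**rec, "reason": reason})
    return failures


def probe(host: str, port: int = 443) -> tuple[str, str]:
    """Hypothetical live check: connect with the hardened context and report
    what was negotiated. Raises ssl.SSLError if the server cannot meet it."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed sample: what a handshake log from several endpoints might hold.
SAMPLE_HANDSHAKES = [
    {"host": "a.example", "version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384"},
    {"host": "b.example", "version": "TLSv1.2", "cipher": "ECDHE-RSA-AES256-GCM-SHA384"},
    {"host": "c.example", "version": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256"},
    {"host": "d.example", "version": "TLSv1.1", "cipher": "ECDHE-RSA-AES256-SHA"},
]

if __name__ == "__main__":
    for f in audit_handshakes(SAMPLE_HANDSHAKES):
        print(f"{f['host']}: {f['reason']}")
```

Run as a script it lists the two sample endpoints that fall short (an AES-128 suite on TLS 1.2, and a TLS 1.1 session). The context enforces the floor at connection time; the checker is for reviewing what was actually negotiated after the fact, which is the evidence an auditor asks for.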
Hyland Global Cloud Services Staff Selection

Hyland carefully selects and screens staff managing the Hyland Cloud against numerous government and criminal checks. Hyland provides Cloud Services staff with detailed, customized and ongoing training, and they are rigorously audited and certified every year.

Business Continuity

Availability and Disaster Recovery

The Hyland Cloud service classes allow you to select exactly how your service is managed and measured in terms of both availability and recovery time. Availability defines what percentage of time the service is online (i.e., accessible by users). Downtime will have a negative effect on any organization, but the impact of that downtime will vary based on the type of organization and the content managed within the system.

OnBase in the Hyland Cloud is delivered with a choice of four service classes: Silver, Gold, Platinum and Double Platinum. Pricing for these service classes is combined with the hosting fee, ensuring a clear and simple monthly cost. Availability commitments are as high as 99.9%.

Any hosting service needs to be both reliable and resilient. However, there is a risk of failure with any system, and the speed and comprehensiveness of recovery from any unexpected failure is a key aspect of a cloud solution. The Hyland Cloud delivers two important elements to support business continuity:

Recovery Point Objective: If the system unexpectedly goes down without warning, a certain amount of data may be lost between the point of failure and the last backup. The recovery point objective is the amount of time that elapses during which data cannot be recovered, and is defined by the service class selected by the customer.

Recovery Time Objective: When a system experiences downtime, the relevant technical team requires a period of time not only to restart the systems, but also to identify and fix any lingering issues with the infrastructure, software or otherwise. The recovery time objective represents the time required to restore the Hyland Cloud services, and is defined by the service class selected by the customer.
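The two definitions above can be turned into a post-incident check: measure the data-loss window and the restoration time for an actual outage and compare them with the committed objectives. The following is an added example, not Hyland's code; the replication timestamps and the RPO/RTO commitments in it are constructed placeholders, since the per-service-class values are not given in this document.

```python
"""Worked RPO/RTO check for an outage, as an added example (not Hyland's
code). RPO is measured as the window between the last completed replication
point and the failure; RTO as the time from failure until service is
restored. Commitments and timestamps below are constructed placeholders.
"""
from datetime import datetime, timedelta
from typing import Optional


def achieved_rpo(checkpoints: list[datetime], failed_at: datetime) -> Optional[timedelta]:
    """Data-loss window: from the last replication point that completed
    strictly before the failure up to the failure. A checkpoint that was
    still in flight when the system went down does not count. Returns None
    when no usable checkpoint exists (nothing since the start is recoverable)."""
    completed = [c for c in checkpoints if c < failed_at]
    if not completed:
        return None
    return failed_at - max(completed)


def achieved_rto(failed_at: datetime, restored_at: datetime) -> timedelta:
    """Time to restore service, measured from the failure itself, not from
    when the recovery team started working."""
    if restored_at < failed_at:
        raise ValueError("service cannot be restored before it failed")
    return restored_at - failed_at


def evaluate_outage(checkpoints: list[datetime], failed_at: datetime,
                    restored_at: datetime, rpo_commitment: timedelta,
                    rto_commitment: timedelta) -> dict:
    """Compare what happened against the committed objectives. An undefined
    RPO (no completed checkpoint) is always a miss."""
    rpo = achieved_rpo(checkpoints, failed_at)
    rto = achieved_rto(failed_at, restored_at)
    return {
        "rpo": rpo,
        "rpo_met": rpo is not None and rpo <= rpo_commitment,
        "rto": rto,
        "rto_met": rto <= rto_commitment,
    }


# Constructed scenario: replication every 15 minutes from 10:00, failure at
# 10:37 (the 10:45 point never completes), service back at 12:05.
SAMPLE_CHECKPOINTS = [datetime(2017, 8, 1, 10, 0) + timedelta(minutes=15 * i)
                      for i in range(4)]
SAMPLE_FAILURE = datetime(2017, 8, 1, 10, 37)
SAMPLE_RESTORED = datetime(2017, 8, 1, 12, 5)
# Hypothetical commitments; the real per-class values are not in this document.
HYPOTHETICAL_RPO = timedelta(hours=1)
HYPOTHETICAL_RTO = timedelta(hours=4)

if __name__ == "__main__":
    result = evaluate_outage(SAMPLE_CHECKPOINTS, SAMPLE_FAILURE, SAMPLE_RESTORED,
                             HYPOTHETICAL_RPO, HYPOTHETICAL_RTO)
    print(f"RPO achieved {result['rpo']} (met: {result['rpo_met']}), "
          f"RTO achieved {result['rto']} (met: {result['rto_met']})")
```

In the constructed scenario the last completed replication point is 10:30, so 7 minutes of data are exposed and service is back after 1 hour 28 minutes; both sit inside the placeholder commitments. The point of excluding in-flight checkpoints is that a replication that had not finished when the failure hit cannot be relied on for recovery.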
Hyland Cloud Response to the CSA Cloud Controls Matrix

Contents

Chapter 1: Application & Interface Security...11
Chapter 2: Audit Assurance & Compliance...12
Chapter 3: Business Continuity Management & Operational Resilience...14
Chapter 4: Change Control & Configuration Management...19
Chapter 5: Data Security & Information Lifecycle Management...22
Chapter 6: Datacenter Security...24
Chapter 7: Encryption & Key Management...27
Chapter 8: Governance and Risk Management...29
Chapter 9: Human Resources...33
Chapter 10: Identity & Access Management...36
Chapter 11: Infrastructure & Virtualization Security...42
Chapter 12: Interoperability & Portability...46
Chapter 13: Mobile Security...48
Chapter 14: Security Incident Management, E-Discovery & Cloud Forensics...52
Chapter 15: Supply Chain Management, Transparency and Accountability...54
Chapter 16: Threat and Vulnerability Management...58
Chapter 1: Application & Interface Security

Each control below is listed as Control ID and name, followed by the CSA Control Specification and the Hyland Response.

Control AIS-01: Application Security
Control Specification: Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
Hyland Response: Applications and code not developed by Hyland Software, Inc. are reviewed and tested by Hyland's Global Cloud Services (GCS) department before being deployed in the Hyland Cloud Platform. Testing of applications developed by Hyland Software, Inc. is completed by the Hyland Development Team on the corporate network in accordance with industry best practices for security.

Control AIS-02: Customer Access Requirements
Control Specification: Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.
Hyland Response: Customer administrators control user access, user permissions, and data retention with respect to their Hosted Solutions.

Control AIS-03: Data Integrity
Control Specification: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.
Hyland Response: Customer maintains ownership of all customer data uploaded to their Hosted Solution through the full lifecycle period. Hyland employee access to customer data is restricted to authorized users and requires valid business justification.
Chapter 2: Audit Assurance & Compliance

Control AAC-01: Audit Planning
Control Specification: Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.
Hyland Response: GCS maintains an internal audit program that focuses on developing, implementing, maintaining, and reassessing security controls to support risk mitigation strategies. The areas of focus include, but are not limited to, policy and procedure, logical and physical access, and business continuity. Quarterly internal audit results are compiled by the Governance, Risk and Compliance team and sent to the Associate Vice President of Hyland Global Cloud Services.

Control AAC-02: Independent Audits
Control Specification: Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.
Hyland Response: Audit program and testing plans are developed based on industry best practices and standards, including ISO 27001, AICPA Trust Services Criteria, NIST and FFIEC. Auditing plans are established annually and approved by the Associate Vice President of Global Cloud Services. Auditing plans include selected controls, testing frequency, and scope. The Hyland Cloud Platform is SOC 2 and SOC 3 audited on an annual basis. These reports are provided to customers with confidentiality agreements in place. Hyland Global Cloud Services maintains an internal audit program that conducts reviews of the Hyland Cloud Platform on at least a quarterly basis. Risk assessments are conducted on an annual basis. Customers have the ability to conduct reviews of the Hyland Cloud Platform at their sole expense and within defined and mutually agreed upon parameters.

Control AAC-03: Information System Regulatory Mapping
Control Specification: Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected.
Hyland Response: Audit program and testing plans are developed based on industry best practices and standards, including ISO 27001, AICPA Trust Services Criteria, NIST and FFIEC. Auditing plans are established annually and approved by the Associate Vice President of Global Cloud Services. Auditing plans include selected controls, testing frequency, and scope. The GCS GRC Team monitors regulatory changes within the relevant jurisdictions. When applicable, modifications are made to the ISMS and the Internal Audit Program to ensure continued compliance with all applicable legislative and regulatory requirements.

Chapter 3: Business Continuity Management & Operational Resilience

Control BCR-01: Business Continuity Planning
Control Specification: A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following:
- Defined purpose and scope, aligned with relevant dependencies
- Accessible to and understood by those who will use them
- Owned by a named person(s) who is responsible for their review, update, and approval
- Defined lines of communication, roles, and responsibilities
- Detailed recovery procedures, manual work-around, and reference information
- Method for plan invocation
Hyland Response: Hyland Global Cloud Services maintains a documented policy that outlines the disaster recovery procedures. Disaster Recovery (DR) tests that include failover tests are performed at least annually against the Hyland Cloud platform. Hyland Global Cloud Services maintains a near real-time data replication process to back up customer data stored within the Hyland Cloud Platform production environment. The data replication process and data backup objectives are reviewed on at least an annual basis as part of the internal system review process by the Associate Vice President of Hyland Global Cloud Services. Access to modify the backup configuration is limited to authorized individuals.

Control BCR-02: Business Continuity Testing
Control Specification: Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.
Hyland Response: GCS maintains a documented policy that outlines the disaster recovery procedures. Disaster Recovery (DR) tests that include failover tests are performed at least annually against the Hyland Cloud platform. GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable. GCS maintains a Customer Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedure for customers to report security and/or availability issues. The Customer Process Manual is updated and published annually by GCS directly to registered customers.

Control BCR-03: Datacenter Utilities / Environmental Conditions
Control Specification: Datacenter utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
Hyland Response: The Hyland Cloud platform is housed within ISO certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates each data center's compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement.

Control BCR-04: Documentation
Control Specification: Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
- Configuring, installing, and operating the information system
- Effectively using the system's security features
Hyland Response: Customers may access the Hyland Cloud Portal, which provides information regarding proper usage of their solution. Customers are provided access to documentation describing the applicable security features available within their Hosted Solution and specifically how to ensure increased security in the Hyland Cloud Platform. GCS maintains architecture diagrams of the Hyland Cloud Platform depicting the hosting environment and network. Customers may request specific diagrams of their solutions. An Employee Process Manual is established to describe the system descriptions and boundaries, obligations of users as well as system commitments, system standards and procedures, and the procedure for submitting feedback, complaints, and issues related to system availability and/or security, and is distributed to Hyland employees.

Control BCR-05: Environmental Risks
Control Specification: Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.
Hyland Response: The Hyland Cloud platform is housed within ISO certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates each data center's compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement.

Control BCR-06: Equipment Location
Control Specification: To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.
Hyland Response: The Hyland Cloud platform is housed within ISO certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates each data center's compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement. Hyland Cloud data centers are not located in areas with a high probability of environmental risks. All backup sites are located at least 200 miles from the production data center.

Control BCR-07: Equipment Maintenance
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.
Hyland Response: GCS monitors system capacity and resource usage to support the capacity objectives as determined by the GCS system owners. On at least an annual basis, future system capacity projections are planned to limit disruptions to the Hyland Cloud platform and to prepare for future growth trends.

Control BCR-08: Equipment Power Failures
Control Specification: Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.
Hyland Response: The Hyland Cloud platform is housed within ISO certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). GCS validates each data center's compliance certifications and applicable audit reports annually. Additional documentation may be provided upon completion of a Non-Disclosure Agreement.

Control BCR-09: Impact Analysis
Control Specification: There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
- Identify critical products and services
- Identify all dependencies, including processes, applications, business partners, and third party service providers
- Understand threats to critical products and services
- Determine impacts resulting from planned or unplanned disruptions and how these vary over time
- Establish the maximum tolerable period for disruption
- Establish priorities for recovery
- Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
- Estimate the resources required for resumption
Hyland Response: The Hyland Cloud environment is N+1 redundant, providing automatic failover of the components that comprise the Hyland Cloud platform. The data is also replicated to a second copy in the primary data center and a tertiary copy in a secondary data center. System maintenance, classified as either planned or unplanned, which could affect the security and/or availability of the Hyland Cloud is communicated to affected customers per documented procedures outlined in the Customer Process Manual. GCS maintains documented incident reporting procedures. Incident reports are recorded and tracked to completion within Hyland's document management system. Customer notification is provided when applicable. Hyland Cloud Platform customers may request a service availability report containing a list of service level availability (SLA) incidents that have been reported by the customer. The report will reflect each incident's confirmation or rejection by Hyland.

Control BCR-10: Policy
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery, and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.
Hyland Response: GCS maintains a documented policy that outlines the disaster recovery procedures. Disaster Recovery (DR) tests that include failover tests are performed at least annually against the Hyland Cloud platform. GCS maintains an Employee Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedures for employees to report security and/or availability issues. The Employee Process Manual is released to the GCS department using Hyland's document management system. GCS employees are required to acknowledge and accept the latest version of the process manual by electronic acknowledgement using Hyland's document management system.

Control BCR-11: Retention Policy
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.
Hyland Response: Customer maintains ownership of all customer data uploaded to their Hosted Solution through the full lifecycle period. Customer administrators control user access, user permissions, and data retention with respect to their Hosted Solutions. GCS maintains a real-time data replication process to back up customer data stored within the Hyland Cloud Platform production environment. The data replication process and data backup objectives are reviewed on at least an annual basis as part of the internal system review process by the AVP of GCS. Access to modify the backup configuration is limited to authorized individuals. Hyland has documented policies and procedures which detail the retention period for its critical assets.

Chapter 4: Change Control & Configuration Management

Control CCC-01: New Development / Acquisition
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network, and systems components, or any corporate, operations and/or datacenter facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.
Hyland Response: The GCS Leadership Team is responsible for reviewing and approving new system acquisitions and significant modifications to systems and related components. GCS maintains documented change management procedures and records all change requests in Hyland's document management system. Change requests must be approved by an authorized employee and tested before changes can be implemented. System changes made in the case of an emergency and/or that are noncompliant with policy are recorded as exceptions and are subject to rollback procedures if approval is not granted. Logical access to system configuration, super user functionality, master passwords, powerful utilities and security devices (including firewall configurations) is restricted to authorized individual GCS employees based on specific roles that are established and maintained based on job responsibilities.

Control CCC-02: Outsourced Development
Control Specification: External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).
Hyland Response: External parties are not used in administration of the Hyland Cloud Platform.

Control CCC-03: Quality Testing
Control Specification: Organization shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services.
Hyland Response: GCS defines the roles which are authorized to install software, hardware and other network devices within the Access Control policy. Access to these predefined roles is restricted using Active Directory user group policy settings. The GCS Leadership Team is responsible for reviewing and approving new system acquisitions and significant modifications to systems and related components.

Control CCC-04: Unauthorized Software Installations
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
Hyland Response: Changes to the Hyland Cloud platform can only be made by authorized individuals based on their assigned roles as documented in GCS policies. Changes to an end user's Hosted Solution are restricted to authorized individuals based on assigned roles. The GCS Leadership Team is responsible for reviewing and approving new system acquisitions and significant modifications to systems and related components. The Hyland Cloud Platform is built on virtualization technology and accessed through the use of virtual desktops. This prevents unauthorized installation of software. Privileged accounts are restricted to authorized users.

Control CCC-05: Production Changes
Control Specification: Policies and procedures shall be established for managing the risks associated with applying changes to:
- Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
- Infrastructure network and systems components.
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.
Hyland Response: GCS maintains a Customer Process Manual which describes the Hyland Cloud platform, its boundaries, the obligations/commitments of each party as it concerns security and availability, customer notification of related incidents, and also the procedure for customers to report security and/or availability issues. The Customer Process Manual is updated and released annually by GCS directly to registered customers. GCS maintains documented change management procedures and records all change requests in Hyland's document management system. Change requests must be approved by an authorized employee and tested before changes can be implemented. System changes made in the case of an emergency or that are noncompliant with policy are recorded as exceptions and are subject to rollback procedures if approval is not granted. Changes made to a customer solution must have written documentation from the customer requesting the change. These changes are reviewed quarterly through the Internal Audit Program. All changes undergo a risk assessment and, when applicable, are subject to documented rollback procedures.
Chapter 5: Data Security & Information Lifecycle Management

Control Group: Data Security & Information Lifecycle Management
Control ID: DSI-01 (Classification)
Control Specification: Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
Hyland Response: GCS documents and maintains descriptions of the information used within the Hyland Cloud platform which includes customer data and system data classifications. These classifications are reviewed as part of the annual policy review process by the Associate Vice President of GCS.

Control Group: Data Security & Information Lifecycle Management
Control ID: DSI-02 (Data Inventory / Flows)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if customer data is used as part of the services.
Hyland Response: The Hyland Cloud uses firewalls to prevent unauthorized network access. Firewall standards are documented in the Operations Security Policy to only allow network access to specific protocols that are required to support end users' solutions. Architectural components (e.g. networks, servers, co-location data centers) are logically separated between (1) any customer, including GCS, and (2) Hyland, to prevent unauthorized access by internal or external users. Customer Hosted Solutions exist in a private virtualized environment secured by firewall configurations.

Control Group: Data Security & Information Lifecycle Management
Control ID: DSI-03 (Ecommerce Transactions)
Control Specification: Data related to electronic commerce (ecommerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.
Hyland Response: GCS utilizes secure transport encryption methods, such as SSL, for securing user authentication and session data when accessing the Hyland Cloud platform remotely. Connections to the Hyland platform are encrypted using HTTPS, PCOIPS, or the Blast secure protocol. Access to encryption configuration is limited to authorized individuals.

Control Group: Data Security & Information Lifecycle Management
Control ID: DSI-04 (Handling / Labeling / Security Policy)
Control Specification: Policies and procedures shall be established for the labeling, handling, and security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
Hyland Response: GCS documents and maintains descriptions of the information used within the Hyland Cloud platform which includes customer data and system data classifications. These classifications are reviewed as part of the annual policy review process by the Associate Vice President of GCS.

Control Group: Data Security & Information Lifecycle Management
Control ID: DSI-05 (Non-Production Data)
Control Specification: Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.
Hyland Response: GCS documents and maintains descriptions of all assets, including hardware, software, and data, used, held, and/or managed within the Hyland Cloud Platform, which includes customer data and system data classification. These classifications are reviewed as part of the annual policy review process by the AVP of GCS. Customer production and non-production environments are logically separated. GCS does not input customer data into the non-production environment. These environments are separated using a domain authentication source (Active Directory).

Control Group: Data Security & Information Lifecycle Management
Control ID: DSI-06 (Ownership / Stewardship)
Control Specification: All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated.
Hyland Response: The customer maintains ownership of all customer data uploaded to their Hosted Solution through the full lifecycle period. GCS access to customer data is restricted to authorized users and requires valid business justification. Customer administrators control user access, user permissions, and data retention with respect to their Hosted Solutions.

Control Group: Data Security & Information Lifecycle Management
Control ID: DSI-07 (Secure Disposal)
Control Specification: Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
Hyland Response: When a storage device has reached the end of its useful life, Global Cloud Services procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. GCS uses the techniques recommended by the National Institute of Standards and Technology (NIST) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures, the device will be virtually shredded or physically destroyed in accordance with industry-standard practices. Devices used in the administration of the customer's Hosted Solution that have been decommissioned will be subjected to these or equally effective standards.

Chapter 6: Datacenter Security

Control Group: Datacenter Security
Control ID: DCS-01 (Asset Management)
Control Specification: Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.
Hyland Response: An inventory of assets is established and maintained. Asset inventory lists document identifiable information for each asset listed, including vendor, version number, system owner and geographical location.

Control Group: Datacenter Security
Control ID: DCS-02 (Controlled Access Points)
Control Specification: Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.
Hyland Response: The Hyland Cloud platform is housed within ISO certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). Customer data is secured behind physical barriers to prevent unauthorized access. Only authorized personnel have access to the data centers; all others require special authorization from Hyland and data center staff and require an escort.

Control Group: Datacenter Security
Control ID: DCS-03 (Equipment Identification)
Control Specification: Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.
Hyland Response: The Hyland Cloud platform is housed within ISO certified and SOC 1 and SOC 3 audited data centers (or reasonable equivalent). Customer data is secured behind physical barriers to prevent unauthorized access. Only authorized personnel have access to the data centers; all others require special authorization from Hyland and data center staff and require an escort.

Control Group: Datacenter Security
Control ID: DCS-04 (Off-Site Authorization)
Control Specification: Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.
Hyland Response: Customer data will not be removed from the GCS data centers without explicit written authorization from the customer. Relocation or transfer of hardware or software within the data center follows the GCS Change Procedures.

Control Group: Datacenter Security
Control ID: DCS-05 (Off-Site Equipment)
Control Specification: Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization's premises. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full overwrite of the drive to ensure that the erased drive is released to inventory for reuse and deployment, or securely stored until it can be destroyed.
Hyland Response: When a storage device has reached the end of its useful life, Global Cloud Services procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. Hyland Global Cloud Services uses the techniques recommended by the National Institute of Standards and Technology (NIST) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures, the device will be virtually shredded or physically destroyed in accordance with industry-standard practices. Devices used in the administration of the customer's hosted solution that have been decommissioned will be subjected to these or equally effective standards. Attestation letters to that effect can be provided to the Customer upon request.

Control Group: Datacenter Security
Control ID: DCS-06 (Policy)
Control Specification: Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.
Hyland Response: Access to the data centers is restricted to the pre-defined roles documented in the Access Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted. Only authorized personnel, with a justified business need, are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.

Control Group: Datacenter Security
Control ID: DCS-07 (Secure Area Authorization)
Control Specification: Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.
Hyland Response: Access to the data centers is restricted to the pre-defined roles documented in the Access Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted. Only authorized personnel, with a justified business need, are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.

Control Group: Datacenter Security
Control ID: DCS-08 (Unauthorized Persons Entry)
Control Specification: Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss.
Hyland Response: Access to the data centers is restricted to the pre-defined roles documented in the Access Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted. Only authorized personnel, with a justified business need, are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.

Control Group: Datacenter Security
Control ID: DCS-09 (User Access)
Control Specification: Physical access to information assets and functions by users and support personnel shall be restricted.
Hyland Response: Access to the data centers is restricted to the pre-defined roles documented in the Access Policy. User access requests are subject to the change management procedures. Visitors to the data center must be escorted. Only authorized personnel, with a justified business need, are permitted inside the secure data centers unescorted. All other personnel must be escorted at all times, after demonstrating a valid business need and obtaining approval.
Chapter 7: Encryption & Key Management

Control Group: Encryption & Key Management
Control ID: EKM-01 (Entitlement)
Control Specification: Keys must have identifiable owners (binding keys to identities) and there shall be key management policies.
Hyland Response: GCS maintains a Cryptography Policy for cryptographic controls. Responsibility for effectively managing encryption keys is divided between the customer and Hyland. Knowledge of keys is split within Hyland.

Control Group: Encryption & Key Management
Control ID: EKM-02 (Key Generation)
Control Specification: Policies and procedures shall be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility over implementation of the control.
Hyland Response: GCS maintains a Cryptography Policy for cryptographic controls. Responsibility for effectively managing encryption keys is divided between the customer and Hyland. Knowledge of keys is split within Hyland. Encryption technologies, such as SFTP and SSL/TLS, are employed for data in transit. Customers are responsible for data that is outside the boundaries of our environment. Customers are made aware of their responsibilities for use of encryption technologies through the Customer Process Manual and specific guides related to encryption technologies they have purchased.

Control Group: Encryption & Key Management
Control ID: EKM-03 (Sensitive Data Protection)
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations), data in use (memory), and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
Hyland Response: GCS maintains a Cryptography Policy for cryptographic controls. Responsibility for effectively managing encryption keys is divided between the customer and Hyland. Knowledge of keys is split within Hyland. Encryption technologies, such as SFTP and SSL/TLS, are employed for data in transit. Customers are responsible for data that is outside the boundaries of our environment. Customers are made aware of their responsibilities for use of encryption technologies through the Customer Process Manual and specific guides related to encryption technologies they have purchased.

Control Group: Encryption & Key Management
Control ID: EKM-04 (Storage and Access)
Control Specification: Platform and data-appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e., at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties.
Hyland Response: GCS utilizes secure transport encryption methods, such as SSL, for securing user authentication and session data when accessing the Hyland Cloud platform remotely. Connections to the Hyland platform are encrypted using HTTPS, PCOIPS, or the Blast secure protocol. Access to encryption configuration is limited to authorized individuals.
More informationISO27001 Preparing your business with Snare
WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationCTS performs nightly backups of the Church360 production databases and retains these backups for one month.
Church360 is a cloud-based application software suite from Concordia Technology Solutions (CTS) that is used by churches of all sizes to manage their membership data, website, and financial information.
More informationInterCall Virtual Environments and Webcasting
InterCall Virtual Environments and Webcasting Security, High Availability and Scalability Overview 1. Security 1.1. Policy and Procedures The InterCall VE ( Virtual Environments ) and Webcast Event IT
More informationAUTHORITY FOR ELECTRICITY REGULATION
SULTANATE OF OMAN AUTHORITY FOR ELECTRICITY REGULATION SCADA AND DCS CYBER SECURITY STANDARD FIRST EDITION AUGUST 2015 i Contents 1. Introduction... 1 2. Definitions... 1 3. Baseline Mandatory Requirements...
More informationENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE
ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE INTRODUCTION In line with commercial industry standards, the data center used by EndNote employs a dedicated security team to protect our
More informationNORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers
Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.
More informationHIPAA Compliance Checklist
HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.
More informationNetwork Security Policy
Network Security Policy Date: January 2016 Policy Title Network Security Policy Policy Number: POL 030 Version 3.0 Policy Sponsor Policy Owner Committee Director of Business Support Head of ICU / ICT Business
More informationSECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry
SECURITY ON AWS By Max Ellsberry AWS Security Standards The IT infrastructure that AWS provides has been designed and managed in alignment with the best practices and meets a variety of standards. Below
More informationOracle Data Cloud ( ODC ) Inbound Security Policies
Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards...
More informationIT CONTINUITY, BACKUP AND RECOVERY POLICY
IT CONTINUITY, BACKUP AND RECOVERY POLICY IT CONTINUITY, BACKUP AND RECOVERY POLICY Effective Date May 20, 2016 Cross- Reference 1. Emergency Response and Policy Holder Director, Information Business Resumption
More informationKeys to a more secure data environment
Keys to a more secure data environment A holistic approach to data infrastructure security The current fraud and regulatory landscape makes it clear that every firm needs a comprehensive strategy for protecting
More informationRADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE
ADIAN6 SECUITY, PIVACY, AND ACHITECTUE Last Updated: May 6, 2016 Salesforce s Corporate Trust Commitment Salesforce is committed to achieving and maintaining the trust of our customers. Integral to this
More informationAltius IT Policy Collection
Altius IT Policy Collection Complete set of cyber and network security policies Over 100 Policies, Plans, and Forms Fully customizable - fully customizable IT security policies in Microsoft Word No software
More informationSECURITY PRACTICES OVERVIEW
SECURITY PRACTICES OVERVIEW 2018 Helcim Inc. Copyright 2006-2018 Helcim Inc. All Rights Reserved. The Helcim name and logo are trademarks of Helcim Inc. P a g e 1 Our Security at a Glance About Helcim
More information2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.
Diageo Third Party Hosting Standard 1. Purpose This document is for technical staff involved in the provision of externally hosted solutions for Diageo. This document defines the requirements that third
More informationIBM Case Manager on Cloud
Service Description IBM Case Manager on Cloud This Service Description describes the Cloud Service IBM provides to Client. Client means and includes the company, its authorized users or recipients of the
More informationGeneral Data Protection Regulation
General Data Protection Regulation Workshare Ltd ( Workshare ) is a service provider with customers in many countries and takes the protection of customers data very seriously. In order to provide an enhanced
More informationTECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES
TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES Contents Introduction... 3 The Technical and Organizational Data Security Measures... 3 Access Control of Processing Areas (Physical)... 3 Access Control
More informationSecurity Note. BlackBerry Corporate Infrastructure
Security Note BlackBerry Corporate Infrastructure Published: 2017-03-02 SWD-20170302091637541 Contents Introduction... 5 History... 6 BlackBerry policies...7 Security organizations... 8 Cyber Security
More informationInformation Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC
Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_
More informationEXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
EXCERPT NIST Special Publication 800-171 R1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Excerpt Listing All: Security Requirement Families & Controls Security
More informationCSA Consensus Assessments Initiative Questionnaire. May 2017
CSA s Initiative Questionnaire May 2017 2017, Amazon Web Services, Inc. or its affiliates. All rights reserved. Notices This document is provided for informational purposes only. It represents AWS s current
More informationSECURITY STRATEGY & POLICIES. Understanding How Swift Digital Protects Your Data
SECURITY STRATEGY & POLICIES Understanding How Swift Digital Protects Your Data Table of Contents Introduction 1 Security Infrastructure 2 Security Strategy and Policies 2 Operational Security 3 Threat
More informationProtecting your data. EY s approach to data privacy and information security
Protecting your data EY s approach to data privacy and information security Digital networks are a key enabler in the globalization of business. They dramatically enhance our ability to communicate, share
More informationAUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE
AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE Table of Contents Dedicated Geo-Redundant Data Center Infrastructure 02 SSAE 16 / SAS 70 and SOC2 Audits 03 Logical Access Security 03 Dedicated
More informationCanada Life Cyber Security Statement 2018
Canada Life Cyber Security Statement 2018 Governance Canada Life has implemented an Information Security framework which supports standards designed to establish a system of internal controls and accountability
More informationITG. Information Security Management System Manual
ITG Information Security Management System Manual This manual describes the ITG Information Security Management system and must be followed closely in order to ensure compliance with the ISO 27001:2005
More informationSecurity Specification
Security Specification Security Specification Table of contents 1. Overview 2. Zero-knowledge cryptosystem a. The master password b. Secure user authentication c. Host-proof hosting d. Two-factor authentication
More informationASD CERTIFICATION REPORT
ASD CERTIFICATION REPORT Amazon Web Services Elastic Compute Cloud (EC2), Virtual Private Cloud (VPC), Elastic Block Store (EBS) and Simple Storage Service (S3) Certification Decision ASD certifies Amazon
More informationVersion 1/2018. GDPR Processor Security Controls
Version 1/2018 GDPR Processor Security Controls Guidance Purpose of this document This document describes the information security controls that are in place by an organisation acting as a processor in
More informationBUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW
BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW EXECUTIVE SUMMARY CenturyLink is committed to ensuring business resiliency and survivability during an incident or business disruption. Our Corporate Business
More informationBLACKLINE PLATFORM INTEGRITY
BLACKLINE PLATFORM INTEGRITY Security, Availability, and Disaster Recovery Your Trusted Partner for Financial Corporate Performance Management BlackLine is a leading provider of cloud software that automates
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationWhat you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered
What you need to know about cloud backup: your guide to cost, security, and flexibility. 8 common questions answered Over the last decade, cloud backup, recovery and restore (BURR) options have emerged
More informationOnline Services Security v2.1
Online Services Security v2.1 Contents 1 Introduction... 2 2... 2 2.1... 2 2.2... 2 2.3... 3 3... 4 3.1... 4 3.2... 5 3.3... 6 4... 7 4.1... 7 4.2... 7 4.3... 7 4.4... 7 4.5... 8 4.6... 8 1 Introduction
More informationCloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017
Cloud Operations for Oracle Cloud Machine ORACLE WHITE PAPER MARCH 2017 Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and
More informationCOMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY OVERVIEW On February 2013, President Barack Obama issued an Executive Order
More informationVendor Security Questionnaire
Business Associate Vendor Name Vendor URL Vendor Contact Address Vendor Contact Email Address Vendor Contact Phone Number What type of Service do You Provide Covenant Health? How is Protected Health Information
More informationSOC 3 for Security and Availability
SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2015 through September 30, 2016 Independent SOC 3 Report for the Security and Availability Trust
More informationHosted Testing and Grading
Hosted Testing and Grading Technical White Paper July 2010 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or
More informationIntroduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview
IBM Watson on the IBM Cloud Security Overview Introduction IBM Watson on the IBM Cloud helps to transform businesses, enhancing competitive advantage and disrupting industries by unlocking the potential
More information