
Security

In today's world, the requirement to focus on building secure solutions and infrastructure has become an important part of the value that businesses deliver to customers and resellers. This document describes the security measures ZyLAB* and its partners have implemented to mitigate the risks of unauthorized access to systems and data.

Partnering with the best of breed

ZyLAB delivers a SaaS solution through its partner data center provided by Interoute and through Microsoft Azure.

About Microsoft Azure

Microsoft Azure is a collection of integrated cloud services to build, deploy and manage applications through Microsoft's global network of data centres. For Microsoft Azure security, Microsoft maintains and updates its security information through its corporate website: https://www.microsoft.com/en-us/trustcenter/security/azure-security.

About Interoute

Interoute is the owner and operator of Europe's largest cloud services platform and an international telecommunications service provider. The datacenters are located in multiple European cities (Amsterdam, Berlin, Geneva, Paris, Madrid, Milan and London).

Compliant with the ISO/IEC 27001, ISO 20000, PCI DSS and ISAE 3402/SSAE 16 certifications.
3-tier.
Redundancy: power, network, hardware, internet and storage.

Virtual Servers / Storage

Built on Interoute's self-owned MPLS-based fibre network. This allows them to implement a trusted and efficient MPLS VPN security model to protect our customers' data. The physical storage is RAID-configured to provide fault tolerance in the event of drive failure. The RAID configuration also natively spreads data across multiple spindles to maximize performance.

* See the last page of this document to read more about the legal entities delivering our SaaS services.

Interoute employees do not have direct access to the systems and information. As ZyLAB's service provider they maintain the continuity of the hardware and infrastructure on which the ZyLAB systems are hosted. The procedures for accessing the premises of Interoute are:

Customers granted physical access to Interoute's data centres must comply with site access procedures, codes of conduct and operations processes.
All customers' use of Interoute services, facilities and operations must comply with the stated contractual obligation to adhere to the Acceptable Use Policy, as identified in the applicable contract conditions and service schedules.
The exchange of information and data between Interoute and customers will be controlled by contracted confidentiality clauses or non-disclosure agreements, and in compliance with Interoute policies and operations procedures.
Physical site access will be controlled through the Interoute Corporate Physical Security Policy, codes of conduct, and associated operations procedures.
Interoute's ISO 27001 security management system, service security controls, security policies and operations procedures will protect the confidentiality, integrity and availability of Interoute and customer data and assets.
Logical and physical access management controls, inclusive of user and password management, authorization permissions, and termination and compliance of access permissions, will be controlled and audited on a regular basis.
Security incident management processes to report, log, respond to and resolve security incidents that impact Interoute operations, services and technology platforms will be maintained and reviewed.

For Interoute security, Interoute maintains and updates its security information through its corporate website: http://www.interoute.nl/products-and-services/security.

Operational measures

Roles and Responsibilities

Security administration of ediscovery is managed by ZyLAB Operations (ZyLAB). Customer data is stored on a selected partner data center; employees of the partner data center do not have file (logical) access to the data sets.

Platform Management

Server storage is managed by the partner data center; the solution is managed by ZyLAB Operations. The solution can only be accessed through a secured and managed VPN connection.

Pre-employment screening

All Operations employees require a certificate of conduct, in which the Dutch State Secretary for Security and Justice declares that the applicant did not commit any criminal offences that are relevant to the performance of his or her duties. Where applicable, an AIVD screening (conducted by the General Intelligence and Security Service of the Netherlands) may be provided.

Data in Transit

ESI on data carrier

ZyLAB will receive ESI on an encrypted data carrier (USB or hard drive; the customer is responsible for data encryption) and will confirm receipt to the customer with a Data Receipt report (Chain of Custody). The received data will be copied to an encrypted VHDX and then uploaded to the processing environment by SFTP or FTPES. The data carrier will be logged and then stored securely in a physical vault.

Physical paper files

In the event that paper file digitization/scanning services are performed by ZyLAB, the digital results will be stored directly on its platform through secure SFTP/FTPES upload.

ESI upload

If the customer wishes to upload ESI directly to the processing environment, ZyLAB will create SFTP/FTPES credentials and send the FTP information by email and the password by SMS.

User Access Control

User Management

ZyLAB will provide the user accounts based on the delivered project requirements. The administration of the users is maintained by ZyLAB in cooperation with the customer's responsible project contact. The username is sent by email and the password by SMS.

Password regime

ZyLAB's password policy is applicable: a password requires at least 8 characters and needs 3 of the following 4 character classes: number, symbol, uppercase and lowercase.

Use of secure SSL and applied key length

Users log on via the SSL-protected portal with 2048-bit encryption.

Two factor authentication

After the user logs on with their credentials, the user will receive a one-time password through SMS. After verification, the user is granted access to the Legal Review Platform.

Time out session

To protect against unauthorized access, the web access session will automatically time out after a period of inactivity.

IP Filtering

Upon request, ZyLAB may activate IP filtering.

Authorization on (system) files and system utilities

Users do not have direct access to the data. Depending on the user role and security, users will be able to review documents through the ZyLAB Legal Review web interface. The access permission is read-only on the data and read/write on the TAGS (metadata).
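The password regime above (at least 8 characters, 3 of the 4 classes number, symbol, uppercase, lowercase) is concrete enough to be checked mechanically. The checker below is an added example written for this page, not ZyLAB's own code; the page does not define what counts as a "symbol", so this example treats any non-space character outside the other three classes as one, and the sample candidates are constructed, not real credentials.

```python
# Added example (not ZyLAB's own code): checker for the stated password
# regime, i.e. at least 8 characters and at least 3 of the 4 classes
# number / symbol / uppercase / lowercase. Assumption of this example: any
# non-space character that is not a digit, uppercase or lowercase letter
# counts as a "symbol", since the page does not define the term.
MIN_LENGTH = 8
REQUIRED_CLASSES = 3
ALL_CLASSES = ("number", "symbol", "uppercase", "lowercase")


def character_classes(password: str) -> set:
    """Return the set of character classes present in `password`."""
    present = set()
    for ch in password:
        if ch.isdigit():
            present.add("number")
        elif ch.isupper():
            present.add("uppercase")
        elif ch.islower():
            present.add("lowercase")
        elif not ch.isspace():
            present.add("symbol")
    return present


def check_password(password: str) -> tuple:
    """Evaluate `password` against the policy.

    Returns (compliant, reasons); `reasons` lists every rule that failed,
    so a user can be told what to fix rather than just "rejected".
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("fewer than %d characters" % MIN_LENGTH)
    present = character_classes(password)
    if len(present) < REQUIRED_CLASSES:
        missing = ", ".join(c for c in ALL_CLASSES if c not in present)
        reasons.append("only %d of %d character classes present (missing: %s)"
                       % (len(present), len(ALL_CLASSES), missing))
    return (not reasons, reasons)


def audit_candidates(candidates) -> dict:
    """Apply the policy to several candidates; returns {candidate: compliant}."""
    return {pw: check_password(pw)[0] for pw in candidates}


if __name__ == "__main__":
    # Constructed sample candidates for illustration only.
    samples = ["Passw0rd", "password", "Pa$s1", "abcdefgh!", "Tr0ub4dor&3"]
    for pw, ok in audit_candidates(samples).items():
        verdict = "accepted" if ok else "rejected: " + "; ".join(check_password(pw)[1])
        print("%-12s %s" % (pw, verdict))
```

Running the block shows that "Passw0rd" passes (8 characters, three classes) while "Pa$s1" fails on length alone despite containing all four classes, which is the case a naive "count the classes" check gets wrong.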

Change Management Procedures

Change management and maintenance

ZyLAB administrators perform changes to the cloud infrastructure, operating software and product software to maintain the operational stability, availability, security and performance of the ediscovery environment. ZyLAB follows formal change management procedures to provide the necessary review, testing, and approval of changes prior to roll-out in the production environment. Change management procedures include management of regular and ongoing application upgrades, updates and coordinated customer-specific changes where required, and system and service maintenance. ZyLAB tries to avoid service interruption where possible. Where an anticipated change will require the application service to be unavailable during the change maintenance period, ZyLAB will work to provide prior notice of the anticipated impact.

Application upgrades and updates

Patches and updates are tested and implemented by ZyLAB. Security patches are to be incorporated within one month after the publication date.

Legal Review

Legal Review Platform

Typically, each project will be hosted in a separate review platform. A dedicated virtual review server will be reserved for the project. All processes for storage of data, processing of data and reviewing of data will run within a dedicated project environment. Customers have their own Active Directory (AD) group. Using separated processing/review platforms, ZyLAB is able to provide the most secure setup and the best performance during review.

Data encryption

The data is not encrypted on the storage disks. If required, ZyLAB can encrypt the data at OS level, but this can have an impact on backups and on the performance of the document review.

PEN test

The latest PEN test, performed by Digital Investigation B.V. (Hilversum, The Netherlands), was successfully passed in October 2015.

Project termination

Upon project completion, a written approval is required to start the data removal. After approval all project data (source and processed) will be removed from the systems. In parallel, removal from the backup media is planned. This removal includes the delay until the data has expired from the daily/weekly/monthly backup media. After this cycle all data is definitively removed.

Availability

Platform availability

By default, the solution is not mirrored (this can be offered upon request). In case of a disaster, the solution may be recovered from system backups and snapshots. In case of a malfunction, ZyLAB will immediately commence efforts to recover the solution, 7x24x365.

Hours of operation

The solution is designed to be available 24 hours a day, 7 days a week and 365 days a year, except during system maintenance periods and technology upgrades.

Disaster recovery plan

Storage: snapshots are taken every 4 hours, and these snapshots are kept for 2 days. One daily snapshot is retained for a week. A further snapshot is taken weekly and kept for a month. By default, the snapshots reside within the same data center. It is also possible to hold the snapshots in another data center.

SQL: differential backups are taken every hour and are kept until the daily full backup has been made. Every day a full backup is made and the last 5 backups are kept.

Recovery Time Objective (RTO): how fast can the business process resume?
SQL: 1 hour.
Legal Review server: 2 hours.
Storage: this depends on the volume size of the disk. On average it will be 50 GB per hour of recovery time.

Recovery Point Objective (RPO): how many hours of data loss are expected?
Storage: 4 hours.
SQL: 1 hour.

Monitoring

ZyLAB has a standard set of events that are logged and monitored. Examples of such events are:
CPU, memory, disk storage and connectivity.
Processes or services.
Creating or deleting a virtual server.
Tagging, downloading or deleting a document in Legal Review.
Provisioning users.
Accessing the Review environment.

Antivirus

ZyLAB does not use antivirus software. The reason is that antivirus software puts identified documents in quarantine. This means that these documents would not be accessible by the customer and could potentially generate an error. Understanding these limitations, antivirus software can be used at the discretion of the customer.

Access control to premises and facilities

Datacenter Security

Administration of the solution is managed by ZyLAB. Although the customers' data are stored on a partner data center, the employees of the data center do not have access to the data sets. They can perform backup and restore of a virtual hard disk but never have access to the files within the virtual hard disk.

About ZyLAB

ZyLAB SaaS services are provided through the following entities:

ZyLAB Headquarters United States
Servicing the North America region
ZyLAB DCS USA LLC
7918 Jones Branch Drive
McLean, VA 22102
United States of America

ZyLAB Headquarters EMEA & APAC
Servicing the Europe, Middle East, Africa and Asia Pacific regions
ZyLAB ediscovery & Compliance Services (DCS) BV
Hoogoorddreef 9
1101 BA Amsterdam, the Netherlands

The "Afrika" building is a secured and locked location; no unauthorized entrance is permitted. Reception personnel are present on the ground floor, controlling the locked entrance for visitors during office hours (Monday to Friday, 07:00 - 18:00 hrs). On workdays after 18:00 hrs and during the weekend or Bank Holidays, security personnel are present covering the Atlas Arena premises. The ZyLAB office is a locked and secured location within the "Afrika" building. Reception personnel are present during office hours. The ZyLAB ediscovery & Compliance Services (DCS) BV office is located in a restricted area within the premises of the Amsterdam headquarters, protected by electronic keys, automatic locks and an alarm system.
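The storage part of the disaster recovery plan above (4-hourly snapshots kept 2 days, one daily snapshot kept a week, one weekly snapshot kept a month, restore at about 50 GB per hour) can be replayed to see exactly which snapshots are held at a given moment and what a failure would cost in data and time. The model below is an added example written for this page, not ZyLAB's own tooling, and covers the storage tier only, not the SQL backup chain. Its assumptions, which the page does not state, are that "a month" means 30 days, that the daily snapshot is the one taken at 00:00, and that the weekly snapshot is the Monday 00:00 one; the failure scenario is constructed.

```python
from datetime import datetime, timedelta

# Added example (not ZyLAB's own tooling): model of the snapshot retention
# and recovery objectives stated in the disaster recovery plan.
# Assumptions of this example, not of the page: "a month" is 30 days, the
# daily snapshot is the 00:00 one, the weekly snapshot is Monday 00:00.
SNAPSHOT_INTERVAL = timedelta(hours=4)
RETENTION = {
    "4-hourly": timedelta(days=2),   # every snapshot is kept for 2 days
    "daily": timedelta(days=7),      # one snapshot per day is kept for a week
    "weekly": timedelta(days=30),    # one snapshot per week is kept for a month
}
RESTORE_RATE_GB_PER_HOUR = 50        # storage recovery rate given for the RTO


def tier_of(taken: datetime) -> str:
    """Longest-lived retention tier a snapshot taken at `taken` belongs to."""
    if taken.hour == 0 and taken.minute == 0:
        return "weekly" if taken.weekday() == 0 else "daily"
    return "4-hourly"


def is_retained(taken: datetime, now: datetime) -> bool:
    """True if the snapshot taken at `taken` is still held at `now`."""
    age = now - taken
    return timedelta(0) <= age <= RETENTION[tier_of(taken)]


def retained_snapshots(now_iso: str, history_days: int = 45) -> list:
    """Replay the 4-hourly schedule over the past `history_days` and return,
    oldest first, the snapshots the policy still holds at `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    # Start on a midnight so the replayed schedule contains the 00:00 snapshots.
    t = (now - timedelta(days=history_days)).replace(
        hour=0, minute=0, second=0, microsecond=0)
    kept = []
    while t <= now:
        if is_retained(t, now):
            kept.append(t)
        t += SNAPSHOT_INTERVAL
    return kept


def recovery_estimate(failure_iso: str, volume_gb: float) -> dict:
    """For a storage failure at `failure_iso` on a `volume_gb` GB volume,
    report the snapshot that would be restored, the data lost since it
    (the realised RPO) and the restore duration at the stated rate (RTO)."""
    failure = datetime.fromisoformat(failure_iso)
    latest = max(retained_snapshots(failure_iso))
    return {
        "recovery_point": latest.isoformat(timespec="minutes"),
        "data_loss_hours": (failure - latest).total_seconds() / 3600,
        "restore_hours": volume_gb / RESTORE_RATE_GB_PER_HOUR,
    }


if __name__ == "__main__":
    # Constructed scenario: failure on a Wednesday morning, 500 GB volume.
    for snap in retained_snapshots("2017-12-20T10:30"):
        print(snap.isoformat(timespec="minutes"), tier_of(snap))
    print(recovery_estimate("2017-12-20T10:30", 500))
```

For the constructed failure time the policy holds 20 snapshots (10 four-hourly, 6 daily, 4 weekly), the newest being the 08:00 one, so the realised data loss is 2.5 hours, within the stated 4-hour RPO, and a 500 GB volume restores in about 10 hours, which is the figure to compare against any contractual RTO rather than the per-server values.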