Security Policy (EN) v1.3

Similar documents
Education Network Security

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Course Outline (version 2)

Security+ SY0-501 Study Guide Table of Contents

CERTIFIED SECURE COMPUTER USER COURSE OUTLINE

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Exam : Title : Security Solutions for Systems Engineers(SSSE) Version : Demo

Awareness Technologies Systems Security. PHONE: (888)

CS 356 Operating System Security. Fall 2013

Information Security Data Classification Procedure

Projectplace: A Secure Project Collaboration Solution

The Eight Components of a Strong Cyber Security Defense System

Future-ready security for small and mid-size enterprises

IBM Security Network Protection Solutions

Security for the Cloud Era

Seqrite Endpoint Security

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Information Technology Enhancing Productivity and Securing Against Cyber Attacks

The Common Controls Framework BY ADOBE

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

A1 Information Security Supplier / Provider Requirements

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Checklist: Credit Union Information Security and Privacy Policies

NetDefend Firewall UTM Services

ISO27001 Preparing your business with Snare

Angelo Gentili Head of Business Development, EMEA Region, PartnerNET

General Data Protection Regulation

Security Architecture

MEMORY AND BEHAVIORAL PROTECTION ENDPOINT SECURITY NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

Getting ready for GDPR

Juniper Vendor Security Requirements

Security Principles for Stratos. Part no. 667/UE/31701/004

Securing Information Systems

Oracle Data Cloud ( ODC ) Inbound Security Policies

Use Cases. E-Commerce. Enterprise

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Easy Activation Effortless web-based administration that can be activated in as little as one business day - no integration or migration necessary.

Google Cloud Platform: Customer Responsibility Matrix. December 2018

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Security Policies and Procedures Principles and Practices

Trust Services Principles and Criteria

ADIENT VENDOR SECURITY STANDARD

ALTITUDE DOESN T MAKE YOU SAFE. Satcom Direct s Comprehensive Cyber Security Portfolio for Business Aviation

Security Assessment Checklist

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

AT&T Endpoint Security

Protecting your data. EY s approach to data privacy and information security

Protection Service with Continuity

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

Service Level Agreement (SLA) for Customer by Cybersmart Pty Ltd (Cloud Hosting Agreement)

ANATOMY OF AN ATTACK!

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Protect your business in today s fast-changing security and risk environment.

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Cisco Security. Advanced Malware Protection. Guillermo González Security Systems Engineer Octubre 2017

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

SECURITY PRACTICES OVERVIEW

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Hardening the Education. with NGFW. Narongveth Yutithammanurak Business Development Manager 23 Feb 2012

HIPAA Security and Privacy Policies & Procedures

Symantec Protection Suite Add-On for Hosted Security

Guidelines for Data Protection Document Information

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

HikCentral V.1.1.x for Windows Hardening Guide

CompTIA JK CompTIA Academic/E2C Security+ Certification. Download Full Version :

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Security Overview. Technical Whitepaper. Secure by design. End to end security. N-tier Application Architecture. Data encryption. User authentication

A Security Admin's Survival Guide to the GDPR.

HikCentral V1.3 for Windows Hardening Guide

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

WORKSHARE SECURITY OVERVIEW

A Review Paper on Network Security Attacks and Defences

Synchronized Security

Information Security at the IEA DPC. IEA General Assembly October 10 12, 2011 Malahide, Ireland

MESSAGING SECURITY GATEWAY. Solution overview

Information Security Management Criteria for Our Business Partners

EU GDPR & ISO Integrated Documentation Toolkit integrated-documentation-toolkit

Carbon Black PCI Compliance Mapping Checklist

Security Statement Revision Date: 23 April 2009

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Xerox Audio Documents App

Outwit Cyber Criminals with Comprehensive Malware and Exploit Protection.

PREPARE & PREVENT. The SD Comprehensive Cybersecurity Portfolio for Business Aviation

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

UTM Firewall Registration & Activation Manual DFL-260/ 860. Ver 1.00 Network Security Solution

Cloud Security Standards Supplier Survey. Version 1

Locking down a Hitachi ID Suite server

CompTIA Security+ (Exam SY0-401) Course 01 Security Fundamentals

Transcription:

Security Policy (EN) v1.3

Author: Erik Klein Langenhorst Date: Sept 21, 2017 Classificatie: 2 Intended for stakeholders only Security Policy (EN) v1.5 Pagina 1 van 9

Version History Version Date Name Changes 1.0 07-20-2017 Erik Klein Langenhorst Translation of v1.2 of the Dutch Security Protocol 1.1 07-25-2017 Erik Klein Langenhorst Completed translation. Minor corrections. 1.2 09-11-2017 Erik Klein Langenhorst Changes and additions after ICT Recht Review 1.3 09-14-2017 Erik Klein Langenhorst New layout, minor changes after Review Emiel Harbers 1.4 09-21-2017 Erik Klein Langenhorst Minor corrections after errors found while translating to Dutch 1.5 02-19-2018 Erik Klein Langenhorst Have clarified our endpoint protection measures and added asterisks for our standard measures. Security Policy (EN) v1.5 Pagina 2 van 9

Contents Version History... 2 Contents... 3 Purpose and Background... 4 Revision Frequency... 4 Nature of Data Processing... 4 Risks... 4 Unauthorized access... 4 Damage or Destruction... 4 Unavailability... 5 Measures... 6 Encryption of digital files containing personal data*... 6 Logical access control, using a password and a one-time access token*... 6 Technical measures for network security... 6 Antivirus software*... 7 Spam Filtering*... 7 Backups*... 8 VPN*... 8 DDoS Protection... 8 Secure connections*... 8 Server Hardening... 8 Secured internal network*... 8 Endpoint protection*... 8 Organisational measures for access restrictions*... 8 Physical access control*... 9 Random audits... 9 Exclusions... 9 Security Policy (EN) v1.5 Pagina 3 van 9

Purpose and Background This security protocol is part of the Agreement that the Customer ( Data Controller ) has entered into with Harbers ICT ( Data Processor ) and is meant to provide insight into the technical and organizational measures that Harbers ICT has implemented as a Data Processor. This security protocol applies to all services Harbers ICT Delivers from its data centres. The most recent version of this document can always be requested by e-mail at support@harbersict.nl. This document may also be used as a reference for Harbers ICT customers that have not entered into a Data Processing Agreement with Harbers ICT. Under the GDPR the Data Controller is responsible for determining whether the technical and organisatorial measures are sufficient for the type of data that is processed by the Data Processor. Are you reading this in your role as a Data Controller and do you have any questions after reading this document? Harbers ICT is ready to answer your questions. Revision Frequency This document will be revised on a yearly basis. It will also be revised when important changes to the Harbers ICT Security Policy have been made. Harbers ICT reserves the right to revise its Security Policy one-sidedly, but only if it doesn t negatively impact the level of security. Nature of Data Processing Within the context of the Data Processing Agreement Harbers ICT can perform different types of data processing, such as: Hosting of websites or web applications, cloud storage of (personal) data and the hosting of applications in online workspaces. Harbers ICT will only provide the IT infrastructure in which the Data Controller can store the data. The Data Controller determines the means and purposes for the processing. Risks Within the context of Data Processing, the Data Controller is at risk of unauthorized data processing such as damage of data, unauthorized access, changes of the data. If it cannot be reasonably ruled out that a breach of the security measures has led to one of these unauthorized actions, according to EU law this has to be considered a data leak. These risks are described below. Unauthorized access An unauthorized person gaining unauthorized access to the data, e.g. by circumventing security measures or procedures. Damage or Destruction The Responsible Party s data is damaged or destroyed. The cause may, for example, be a virus or malware but it can also be human error. Security Policy (EN) v1.5 Pagina 4 van 9

Unavailability In case of unavailability the data is still present but the Responsible Party is unable to access the data as a consequence of (infrastructural) problems on the Data Processor s side. Security Policy (EN) v1.5 Pagina 5 van 9

Measures Harbers ICT shall use reasonable efforts to ensure an adequate level of security of the data it processes to prevent abuse and unauthorized use as described in the Data Processing Agreement. Harbers ICT can take the following measures to mitigate the aforementioned risks. The actual measures taken are described in the Agreement or SLA. All standard measures are marked with an Asterisk*. We always take these measures, regardless of the Services you re purchasing. Encryption of digital files containing personal data* If there is a need to store digital files containing personal data on external media or to (digitally) transfer those files we will ensure that the files and connection are encrypted. We shall use a minimum of the following Encryption standards. Key exchange: Diffie Hellman key exchange with minimum 2048 bits Message Integrity: HMAC-SHA2 Message Hash: SHA2 256 bits Assymetric encryption: RSA 2048 bits Symmetric-key algorithm: AES 128 bits Password Hashing: PBKDF2, Scrypt, Bcrypt. Logical access control, using a password and a one-time access token* Harbers ICT online workspaces are equipped with an access control mechanism that requires the use of a password and a 2-factor authentication token. A 2-factor authentication token is a personal identification number that can be generated using an app on your cell phone or a token generation device. Other services are only secured with a password. This applies to e.g. the webmail service. Technical measures for network security Depending on the services you have subscribed to, we will use the following technical measures to secure your services. Network Partitioning and Isolation o Our network design incorporates VLAN configuration to partition our servers into distinctive segments. Every Customer receives their own VLAN unless otherwise specified. Check Point Next Generation Threat Prevention, consisting of: o Next Generation Firewall* o Application Control The Application Control Software Blade controls access to over 5,200 applications and 240,000 social network widgets with the industry s largest application coverage. It creates granular security policies based on users or groups to identify, block or limit usage of web applications and widgets like instant messaging, social networking, video streaming, VoIP, games and more. o Anti-Bot Security Policy (EN) v1.5 Pagina 6 van 9

o o o o o The Anti-Bot Software Blade detects bot-infected machines, prevents bot damages by blocking bot cyber-criminal s Command and Control center communications, and is continually updated from ThreatCloud Antivirus The Antivirus Software Blade stops incoming malicious files at the gateway before the user is affected with real-time virus signatures and anomalybased protections from ThreatCloud Identify over 4.5 million malware signatures and 300,000 malicious websites with a constantly-updated worldwide network of sensors that provide ongoing malware intelligence. Identity Awareness The Identity Awareness Software Blade provides granular visibility of users, groups and machines, enabling unmatched application and access control through the creation of accurate, identity-based policies. Anti-Spam and Email security* The Check Point Anti-Spam & Email Security Software Blade provides comprehensive protection for our messaging infrastructure. A multidimensional approach protects our email infrastructure, provides highly accurate anti-spam coverage and defends organizations from a wide variety of virus and malware threats delivered within email. Intrusion Prevention System IPS provides a complete Intrusion Prevention System security solution, providing comprehensive network protection against malicious and unwanted network traffic, including: Malware attacks Dos and DDoS attacks Application and server vulnerabilities Insider threats Unwanted URL Filtering The URL Filtering Software Blade controls access to millions of web sites by category, users, groups and machines with cloud-based technology that is constantly updated with new websites to support employee productivity and security policies. Antivirus software* We install state of the art antivirus software on our own servers as well as on customer servers/vps es. Spam Filtering* To secure our e-mail platform we use a Barracuda Email Security Gateway. This is an email security gateway that manages and filters all inbound and outbound email traffic to protect your organization from email-borne threats and data leaks. Security Policy (EN) v1.5 Pagina 7 van 9

Backups* We use specialised backup software to back up your data. We host our own backup infrastructure in a second Equinix data centre (location Zwolle). We have a private connection between these data centers. Retention times vary per product and are specified in your service agreement or SLA. We offer granular restore options to be able to restore separate files, e-mail items, AD items or an entire VPS. VPN* We use a multi-layered network setup with a separate management network. We use Check Point Endpoint Remote Access VPN software to securely connect to our management network. DDoS Protection Distributed Denial of Service attacks are increasingly common and can cause network outages in unprotected infrastructures. We offer Equinix AntiDDoS defense as an optional service against DDoS attacks. For more information see: http://www.equinix.nl/services/managed-services/securityperformance/anti-ddos/ Secure connections* All connections to our sites, portals and support desk are secured using TLS. We also offer the possibility to set up TLS connections to the websites we host for our customers (at an extra charge). Where this is possible we only use Strong Ciphersuites and protocols. Server Hardening Where applicable we follow guidelines set up by the Center for Internet Security for server hardening for Microsoft Windows Server. For more information visit https://www.cisecurity.org/cisbenchmarks/. Secured internal network* Organisational and physical measures also apply to our internal network. Our employees cannot access the internal server space without permission. Our internal network has been secured using firewalls, virus scanning and spam filtering. Endpoint protection* Of course, we have secured our office network using a Next-generation Firewall. All of our computers have a antivirus software and our mail is filtered by the Barracuda spam filtering that we also use for our customers. We use bitlocker encryption and our Mac computers use Filevault encryption. Organisational measures for access restrictions* Only employees who need access to perform their work have access to personal data. They have signed an NDA (Non-Disclosure Agreement) with a penalty clause. You can also sign a Non-Disclosure Agreement with Harbers ICT to contractually record that Harbers ICT will not use the possibility to access the data for other reasons than to perform necessary processing. We provide regular training to Employees to help them understand the value of protecting Customer and Colleague information and their role in keeping this data secure. We have procedures in place to ensure our employee s access rights are correctly altered or revoked in case of changes in or termination of employment. Security Policy (EN) v1.5 Pagina 8 van 9

Physical access control* The hosting services that Harbers ICT provides are delivered from a high security Equinix data center. Access to facilities and equipment is restricted to a limited number of employees, and only after an identity check. External suppliers are only allowed access under direct Employee supervision. The data center is under permanent video surveillance. Random audits Harbers ICT will randomly audit whether access restrictions are set up correctly and whether policies are being followed correctly. Furthermore, Harbers ICT is working on implementing a security policy based on ISO 27001 guidelines. Part of this implementation process is the performance of regular third party audits. Exclusions This document only applies to cloud- and hosting services that Harbers ICT offers. For on-site server and network administration Harbers ICT only plays an advisory role. Customers are responsible for the security of their network and data. For some of our services the conditions of a third party apply. In general this includes products that are hosted by third parties whereby Harbers ICT cannot influence security measures. This includes Office 365, where the Microsoft conditions apply. Security Policy (EN) v1.5 Pagina 9 van 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback