company_application_and_data_security
Differences
company_application_and_data_security [2018/08/17 09:19] – lucy | company_application_and_data_security [2019/07/03 20:53] – lucy | ||
Line 10: | Line 10: | ||
| Is there a comprehensive, | | Is there a comprehensive, | ||
| Is a risk management process implemented dealing with the periodical identification, | | Is a risk management process implemented dealing with the periodical identification, | ||
- | | Is a periodic assessment conducted of how well the security policies and procedures are respected within the company? | partialy | + | | Is a periodic assessment conducted of how well the security policies and procedures are respected within the company? | partially |
==== Allocation of information security responsibilities ==== | ==== Allocation of information security responsibilities ==== | ||
Line 34: | Line 34: | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Is physical access to buildings that house critical IT facilities restricted to authorized individuals? | + | | Is physical access to buildings that house critical IT facilities restricted to authorized individuals? |
==== Policy for DC and IT System access ==== | ==== Policy for DC and IT System access ==== | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Are policies and procedures implemented to specify proper use of and access to IT systems and network components. | yes | Access to Routers / Network components is only possible through a separate VPN network. Authentication on Firewalls / Routers is only possible through SSH-Key. All Logs are stored on an separate logging device, all configuration changes are monitored, saved and alerted. Physical Access is only possible for certified network admins. | | + | | Are policies and procedures implemented to specify proper use of and access to IT systems and network components. | yes | Access to Routers / Network components is only possible through a separate VPN network. Authentication on Firewalls / Routers is only possible through SSH-Key. All Logs are stored on a separate logging device, all configuration changes are monitored, saved and alerted. Physical Access is only possible for certified network admins. | |
==== Secure disposal or re-use of IT equipment ==== | ==== Secure disposal or re-use of IT equipment ==== | ||
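Review bot: the first question in the "Policy for DC and IT System access" table ends with a period where every other question on the page ends with a question mark ("...access to IT systems and network components."); change it to a question mark in the same edit that corrects "an separate" to "a separate".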
Line 57: | Line 57: | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
| Is staff made aware of the key elements of information security and why it is needed (i.e. segregation of duties, need to know)? | yes | All staff that has any relation to the software code and our infrastructure (software engineers, QA engineers, support engineers, system admins, etc) pass internal information security courses. | | | Is staff made aware of the key elements of information security and why it is needed (i.e. segregation of duties, need to know)? | yes | All staff that has any relation to the software code and our infrastructure (software engineers, QA engineers, support engineers, system admins, etc) pass internal information security courses. | | ||
- | | Are service administrators properly educated on their responsibilities with regard to security? | yes | All employees are getting internal lesson on cyber security | + | | Are service administrators properly educated on their responsibilities with regard to security? | yes | All employees are getting |
===== Identity and Access Management ===== | ===== Identity and Access Management ===== | ||
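Review bot: the revised comment cell for "Are service administrators properly educated on their responsibilities with regard to security?" now stops mid-sentence at "All employees are getting", whereas the previous revision read "All employees are getting internal lesson on cyber security"; restore the rest of the sentence (for example "All employees receive internal lessons on cyber security") so the answer still states what the training consists of.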
Line 69: | Line 69: | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Is the access to the service and data restricted to authorized individuals and based on an established access control policy? | yes | Physical access is protected with fingerprint in addition to an rfid key card and the keys of the rack. " | + | | Is the access to the service and data restricted to authorized individuals and based on an established access control policy? | yes | Physical access is protected with a fingerprint in addition to an RFID key card and the keys of the rack. " |
- | | Do access control arrangements restrict access to only approved system capabilities? | + | | Do access control arrangements restrict access to only approved system capabilities? |
==== Data access ==== | ==== Data access ==== | ||
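Review bot: the comment cell for the physical access question keeps a stray closing quotation mark after "the keys of the rack." on both sides of the diff with no opening quote; drop it. For the "Do access control arrangements restrict access to only approved system capabilities?" row no response or comment is visible on either side, so that question reads as unanswered.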
Line 85: | Line 85: | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Will the allocation of passwords be controlled through a formal password policy process? | partialy | + | | Will the allocation of passwords be controlled through a formal password policy process? | partially |
==== User registration & management ==== | ==== User registration & management ==== | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Is there a formal user registration and de-registration procedure in place for granting and revoking access to all systems and services and to tenants data? | yes | An engineer may obtain | + | | Is there a formal user registration and de-registration procedure in place for granting and revoking access to all systems and services and to tenants data? | yes | An engineer may obtain access to a single tenants data only in case there is a need for maintenance, |
- | | Is a user management process in place (creation, revocation, provisioning and termination of rights, etc.)? | yes | After contract termination the LUCY Server Instance is safely reset. This is a built in and secure feature in LUCY Server. https:// | + | | Is a user management process in place (creation, revocation, provisioning, and termination of rights, etc.)? | yes | After contract termination the LUCY Server Instance is safely reset. This is a built-in and secure feature in LUCY Server. https:// |
==== Session time-out ==== | ==== Session time-out ==== | ||
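Review bot: the response to the user management question only documents the termination case ("After contract termination the LUCY Server Instance is safely reset"), while the question also asks about creation, provisioning and revocation of rights; add a sentence on how accounts are created and how rights are revoked while the contract is still running. In both rows "tenants data" should read "tenants' data".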
Line 103: | Line 103: | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Do you have an easily | + | | Do you have an easy way for externals to report security vulnerabilities in your systems? | yes | Write a mail to support@lucysecurity.com or dpo@lucysecurity.com . Every employee needs to react as stated in the GDPR code of contact | |
==== Information about inappropriate access ==== | ==== Information about inappropriate access ==== | ||
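Review bot: "GDPR code of contact" in the rewritten comment cell looks like a typo for "code of conduct"; fix it in the same edit that replaced "easily" with "easy way".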
Line 130: | Line 130: | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Is a operating system hardening performed for all systems involved? | yes | OS is protected by internal firewall (iptables), SSH access keys are randomly generated, removed USB/ | + | | Is an operating system hardening performed for all systems involved? | yes | OS is protected by internal firewall (iptables), SSH access keys are randomly generated, removed USB/ |
==== Application Server hardening ==== | ==== Application Server hardening ==== | ||
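Review bot: inserting "an" before "operating system hardening" makes the question ungrammatical, since "hardening" is used as an uncountable noun here; the previous "Is a operating system hardening" was wrong for the same reason, and the correct form is "Is operating system hardening performed for all systems involved?".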
Line 161: | Line 161: | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Is tenets data held on data storage media (including magnetic tapes, disks, printed results, and stationery) protected against corruption, loss or disclosure? | yes | Tenants data is entirely stored on a disk on the server, and the only measure against data loss we perform _by default_ is a local daily database backup, which can help to prevent minor data loss. As an additional measure, we can set up RAID0 or RAID5 array, which can add an additional layer of protection against data loss or corruption. There is no access to other storage media from the server. The information in DB is encrypted using AES-256 (so it's stored int he encrypted form) and the key is built into the application, | + | | Is tenets data held on data storage media (including magnetic tapes, disks, printed results, and stationery) protected against corruption, loss or disclosure? | yes | Tenants data is entirely stored on a disk on the server, and the only measure against data loss we perform _by default_ is a local daily database backup, which can help to prevent minor data loss. As an additional measure, we can set up RAID0 or RAID5 array, which can add an additional layer of protection against data loss or corruption. There is no access to other storage media from the server. The information in DB is encrypted using AES-256 (so it's stored int he encrypted form) and the key is built into the application, |
==== Malware/ Defacement ==== | ==== Malware/ Defacement ==== | ||
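Review bot: the comment cell states that a RAID0 array "can add an additional layer of protection against data loss or corruption", but RAID0 stripes data across disks with no redundancy, so a single disk failure loses the whole array; only redundant levels such as RAID1 or RAID5 belong in that sentence. The same cell says the AES-256 key "is built into the application", so it should also document how that key is protected and whether it can be rotated, because the database encryption is only as strong as the protection of that key. Two typos survive the revision on both sides: "tenets data" should be "tenants' data" and "int he" should be "in the".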
Line 176: | Line 176: | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Do you encrypt tenant data in storage and server side? | yes | Data is encrypted using AES-256. The application server gets data over HTTP/ | + | | Do you encrypt tenant data in storage and server side? | yes | Data is encrypted using AES-256. The application server gets data over HTTP/ |
==== Network encryption ==== | ==== Network encryption ==== | ||
Line 193: | Line 193: | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Do you provide secure software development training to your engineers, that teaches them about common threats and counter measures | + | | Do you provide secure software development training to your engineers, that teaches them about common threats and countermeasures |
==== Use of productive Data for test purpose ==== | ==== Use of productive Data for test purpose ==== | ||
Line 203: | Line 203: | ||
^ Questions ^ Response ^ Comments ^ | ^ Questions ^ Response ^ Comments ^ | ||
- | | Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data? | yes | Build in validations in the application | | + | | Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data? | yes | Built-in validations in the application | |
===== Business Continuity Management ===== | ===== Business Continuity Management ===== | ||
Line 230: | Line 230: | ||
==== GDPR Agreement ==== | ==== GDPR Agreement ==== | ||
- | Please download our GDPR agreement here | + | Please download our GDPR agreement |
+ | |||
+ | |||
+ | ==== Auftragsdatenverarbeitungsvertrag (German) ==== | ||
+ | |||
+ | Please download our Auftragsdatenverarbeitungsvertrag {{ :: | ||
company_application_and_data_security.txt · Last modified: 2021/09/01 15:11 by lucy