IT Security Policy
Our hosting providers are certified according to ISO 27001 or SAS 70 standards. They comply with the security rules and follow data protection policies according to EU Directive 95/46/EC. ARCHIBUS Hosting Services are based on ARCHIBUS, a TIFM (Total Infrastructure and Facilities Management) solution. Depending on the contracted applications or modules, all data loaded into the ARCHIBUS Hosting Services system relates to the customer’s infrastructure and to general customer data that identifies companies. Some examples are: company name, customer contact first name, customer contact last name, address, telephone, e-mail, etc. ARCHIBUS Hosting Services can also load general employee information.
PRIVACY POLICY
“Data Protection Directives” means the European Union Directive entitled “Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data” and the European Union Directive entitled “Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector”. For the purposes of this section, “personal data”, “special categories of data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority” shall have the same meaning as in the Data Protection Directives. “Data Protection Legislation” means any legislation in force from time to time which implements the Data Protection Directives and is applicable to the provision of the ARCHIBUS Hosting Services. ARCHIBUS Solution Centre Hosting Services does not collect any personal information and is fully GDPR compliant.
INFORMATION SECURITY
ARCHIBUS ASC Hosting Provider has implemented controls to provide network-based security measures to protect its enterprise network. A security policy is in place, and a security awareness program is designed to educate employees to protect the ASC network and systems. A variety of hardware- and software-based tools have been deployed, including firewalls, intrusion detection systems, routers, switches, real-time monitoring, and audit logging. Redundant and clustered industry-standard firewalls, switches and routers are implemented to provide a high level of availability and security for the network, applications and data. In clustered firewall/router implementations, if one system fails, data traffic is automatically routed to the standby firewall/router. Configuration standards for firewalls and routers are documented. The configuration of the firewall systems follows vendor recommendations and is based on the principle of least privilege, which allows only necessary and authorised access and denies all other services and protocols. The firewalls are strategically placed on the network to filter data packets according to predefined access rules. Administrative access to networking devices is limited to authorised IT personnel only.
The enterprise network is segmented and grouped into different virtual local area networks (VLANs) based on business functions and responsibilities. The VLANs are built by deploying industry-standard switches with proper configuration and administration. Network segmentation serves as an additional security measure to minimise the risks resulting from unauthorised network access.
A third-party company is engaged to perform quarterly vulnerability assessments of a portion of ASC’s publicly accessible IP addresses. IT personnel review the scanning reports to assess and remediate potential network and system vulnerabilities.
The ASC internal team performs annual penetration tests against the management environment, reviews the results, and remediates potential network and system vulnerabilities.
SECURITY INCIDENT RESPONSE
ARCHIBUS ASC Hosting Provider maintains a security incident response plan in order to organise resources to respond in an effective and efficient manner to an adverse event related to the safety and security of a computer resource under ASC management. An adverse event may be a malicious code attack, unauthorised access to managed networks or systems, unauthorised use of ASC services, a denial of service attack, or general misuse of systems.
An incident response team is in place with defined roles and responsibilities. The purpose of this team is to protect ASC’s and its customers’ information assets, provide a central organisation to handle incidents, comply with government and other regulations, prevent the use of ASC-managed systems in attacks against other systems, and minimise the potential for negative exposure. Major responsibilities of this team include:
- Limiting immediate incident impact to customers and business partners
- Recovering from the incident
- Determining how the incident occurred
- Determining how to avoid further exploitation of the same vulnerability
- Avoiding escalation and further incidents
- Assessing the impact and damage
- Determining the cause of the incident
- Compiling and organizing incident documentation
- Reviewing response to incidents
- Updating policies and the Security Incident Response Plan
Security incident occurrences are tracked and documentation is maintained. Actions and procedures are documented to guide the incident response team in the event of a security incident, and include:
- Taking control of the incident and invoking the security incident response plan
- Assigning an incident response coordinator, communication manager, and technical account manager and starting documentation of the incident report including personnel assignments
- Notifying the security manager on duty at the time of the incident
- Assessing the incident
- Reporting findings to the communications manager
- Communicating the incident to the incident response team, customer, and identified additional personnel including external agencies as appropriate, and maintaining communications throughout the life of the incident
- Containing the damage and minimizing immediate exposure
- Identifying the impact of the incident
- Remediating the vulnerabilities
- Collecting and protecting evidence
- Recovering the systems
- Preparing the incident analysis report for trending and analysis
- Preparing and presenting the incident summary as necessary to the customer
Once the documentation and recovery phases of the incident are complete, the team thoroughly reviews the process that was followed during the incident to determine what was successful and where mistakes were made. Based on the findings, policies and the plan are updated as appropriate.
Mass Information Systems Ltd manages these security policies in partnership with the ASC Hosting Solution Provider.

Luke Bolt
Managing Director
