Netsurit Technical and Organizational Measures
1.1 Introduction
This page describes technical and organizational security measures and controls implemented by Netsurit to protect the data customers entrust to us as part of the Netsurit service.
Within this, the following definitions apply:
“Customer” means any subscriber to Netsurit services.
“Netsurit Service” means the Technical and Advisory Services provided by Netsurit to our Customers.
“Confidential Data” means any information provided, submitted or stored by the Customer that is processed by Netsurit as part of our service delivery and includes Personal Data.
“Personal Data” means any information relating to an identified or identifiable legal and natural person.
“Personnel” means Netsurit employees and authorized individual contractors/vendors.
“Strong Encryption” means the use of industry standard encryption measures.
This document is a high-level overview of Netsurit’s technical and organizational measures. Netsurit may change these measures from time to time to adapt to the evolving security landscape and where required will notify customers of these changes.
1.2 Organization of Information Security
Objective:
To outline Netsurit’s information security structure.
Measures:
- Netsurit is committed to deploying trained/certified security Personnel responsible for information security.
- The information security function reports directly to a Netsurit senior leadership team member, independent of operational management.
- Netsurit has a comprehensive set of information security policies, approved by senior management and disseminated to all Personnel.
- Netsurit security policies are reviewed at least annually and updated when needed.
- All Netsurit Personnel have signed legally reviewed confidentiality agreements that apply during and post-engagement.
- Failure of personnel to follow information security policies can be treated as a disciplinary matter and lead to sanctions, including dismissal.
- All Netsurit Personnel are given training in information security, and complete two information security tests on a bi-annual basis.
- Netsurit is committed to continual improvement of its security.
1.3 Information Security Management System
Objective:
Netsurit has established an ISMS (information security management system) to evaluate risks to the security of Confidential Data, to manage the assessment and treatment of these risks and to continually improve its information security.
Measures:
- Netsurit has deployed an ISMS (Information Security Management System) that serves as the foundation of our information security practices.
1.4 Physical Access
Objective:
To protect the physical assets that contain Confidential Data.
Measures:
- Netsurit operates from several industry certified third-party production data centres with a defined and protected physical perimeter, strong physical controls including access control mechanisms, controlled delivery and loading areas, surveillance, and security guards.
- Only authorized Personnel have access to the data centre premises housing Confidential Data and access is controlled through a security registration process requiring a government issued photo ID.
- Power and telecommunications cabling carrying Confidential Data or supporting information services at the production data centres are protected from interception, interference and damage.
- The production data centres and their equipment are physically protected against natural disasters, unauthorized entry, malicious attacks, and accidents.
- Equipment at the production data centre is protected from power failures and other disruptions caused by failures in supporting utilities and is appropriately maintained.
- When Confidential Data is copied electronically by Netsurit outside the production data centre, appropriate physical security is maintained, and the data is encrypted at all times.
1.5 System Access
Objective:
To ensure systems containing Confidential Data are used only by approved, authenticated users.
Measures:
- Access to Netsurit systems is granted only to Netsurit Personnel and access is strictly limited as required for those persons to fulfil their function.
- All users access Netsurit systems with a unique identifier (UID).
- Netsurit has established a password policy that prohibits the sharing of passwords and requires passwords to be changed on a regular basis and default passwords to be altered.
- A second factor of authentication is required for access to online systems containing Confidential Data.
- Remote access to systems containing Confidential Data is only possible through a secure VPN tunnel and requires a second factor of authentication.
- Netsurit has a thorough process to deactivate users and their access when Personnel leave the company or a function, and to review and update access rights when Personnel change roles within the company.
- All access or attempted access to systems is logged and monitored. System and security logs are retained for a period of at least 6 months.
- Any WiFi networks used by Netsurit in processing of Confidential Data will have Strong Encryption enabled and require user authentication.
1.6 Data Access
Objective:
To ensure Personnel entitled to use systems gain secure access only to the Confidential Data that they are authorized to access.
Measures:
- Netsurit restricts Personnel access to files and programs on a “need to know” basis, and performs regular reviews of user accounts and access rights on systems that store Confidential Data.
- Netsurit ensures that appropriate personnel receive alerts and notifications from system software vendors and other sources of security advisories and installs system software patches regularly.
- Netsurit uses up-to-date anti-virus software on all appropriate computers and servers.
- Netsurit uses well-configured firewalls, including host-based firewalls, to protect access to the network, computers and servers.
- Netsurit conducts regular vulnerability scanning to identify and resolve weaknesses in the network, servers, workstations and applications.
- Remote access and its subsequent operations on Customer networks are logged and monitored.
- Customer network credentials are saved in an encrypted repository and only authorised Personnel are provided access to the credentials.
- Personnel training covers access rights to and general guidelines on definition and use of Confidential Data.
- Secure baseline configurations are developed for systems that access and/or process Confidential Data, including software versions, security patch levels, managed anti-virus detection, encryption level, TPM requirements and security settings for audit.
- An automated audit process that documents system security events will be implemented for systems that process Confidential Data.
- Netsurit implements appropriate controls to safeguard against data leakage, enable remote wipe of mobile devices and to ensure that mobile devices comply with the security baseline configuration.
- Where Netsurit uses contractors to assist with processing of Confidential Data, an appropriate Operator/Processor agreement will be signed with the third party that clearly indicates the responsibilities of the third party to safeguard Confidential Data, including the Technical and Organizational Measures that the third party has to comply with.
1.7 Data Transmission/Storage/Destruction
Objective:
To ensure Confidential Data is not read, copied, altered or deleted by unauthorized parties during transfer/storage.
Measures:
- Access to the Netsurit Service portals is protected by the most current version of Transport Layer Security (TLS).
- Netsurit uses Strong Encryption in the transmission of Confidential Data outside the production data centres.
- Confidential Data stored outside the production data centre is protected by Strong Encryption, regardless of media type.
- Upon Customer’s request, Confidential Data will be promptly deleted.
- Netsurit equipment or disk media containing Confidential Data are not physically removed from the production data centre unless securely erased prior to such removal or being transferred securely for destruction at a third-party site.
1.8 Confidentiality and Integrity
Objective:
To ensure Confidential Data remains confidential throughout processing and remains intact, complete and current during processing activities.
Measures:
- Netsurit has a formal background check process and carries out background checks on all new Personnel in critical roles with access to Confidential Data.
- Netsurit trains its Personnel in application security practices and secure coding practices.
- Netsurit has a central, secured repository of product source code, which is accessible only to authorized Personnel.
- Netsurit has a formal application security program and employs a robust Secure Development Lifecycle (SDL).
- Security testing includes code review, penetration testing, and employing static code analysis tools on a periodic basis to identify flaws.
- All changes to software are via a controlled, approved release mechanism within a formal change control program.
- All encryption and other cryptographic functionality used within Netsurit uses industry standard encryption and cryptographic measures.
1.9 Availability
Objective:
To ensure Confidential Data is protected from accidental destruction or loss, and there is timely access, restoration or availability to Confidential Data in the event of an incident.
Measures:
- Each production data centre has multiple power supplies, on-site generators and battery back-up to safeguard power availability to the data centre.
- Each production data centre has multiple access points to the Internet to safeguard connectivity.
- Each production data centre is monitored 24x7x365 for power, network, environmental and technical issues.
- Netsurit has a business continuity plan in place that is regularly updated.
- Netsurit tests elements of its business continuity plan regularly and learns from the results of such tests.
- Netsurit makes a reasonable effort to create frequent, encrypted backup copies of Confidential Data, and these are stored in a location geographically separate from the data centre.
- Netsurit has a process in place to ensure that backup failures are flagged and dealt with.
- Netsurit performs restore tests of backups on at least a quarterly basis.
- Netsurit keeps an up-to-date register of Personnel and Customers who are authorised to request access to backup media and restore of data.
- Netsurit monitors server, service and resource availability via a network monitoring system.
1.10 Data Separation
Objective:
To ensure each Customer’s Data is processed separately.
Measures:
- Netsurit uses logical separation within its multi-tenant architecture to enforce data segregation between customers.
- Customers only have access to their own Confidential Data.
1.11 Incident Management
Objective:
In the event of any security incident involving Confidential Data, the effect of the incident is minimized, and the Customer is promptly informed.
Measures:
- Netsurit maintains an up-to-date incident response plan that includes responsibilities, how information security events are assessed and classified as incidents, and response plans and procedures.
- Netsurit regularly tests its incident response plan with “table-top” exercises and learns from tests and potential incidents to improve the plan.
- In the event of a security incident, Netsurit will notify Customers without undue delay after becoming aware of the security incident.
1.12 Audit
Objective:
To ensure Netsurit regularly tests, assesses and evaluates the effectiveness of the technical and organizational measures outlined above.
Measures:
- Netsurit conducts regular internal audits of its security practices.
- Netsurit ensures that Personnel are aware of and comply with the technical and organizational measures set forth in this document.
- Netsurit maintains a register of security incidents and unscheduled outages.