IT Security

Updated 2018-12-10T19:57:58+00:00

Introduction

At CGA Technology we know that your IT security is paramount, and we commit to providing a completely safe and secure environment for your data. We work hard to ensure we not only meet regulated standards but exceed them wherever possible.

We do this through a thorough backup and redundancy process and by being the only party that comes into contact with your data: no third parties have access to our code or data.

Where possible we automate processes, trigger notifications and manually review data so that data breaches, virus threats and any other risks are mitigated at the source.

See below for more information. If you have any queries, please contact support@cgatechnology.com

1. GDPR Overview:

Protection of personal data is an integral part of the EU Charter of Fundamental Rights. Article 8 states that,

“Personal data should be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”

The GDPR builds on this with the right to erasure, commonly known as the right to be forgotten.

The GDPR determines how firms must process and protect the personal data of individuals in the European Union, and how they must notify those individuals about it. This covers every aspect of collecting, storing, transferring and using that data.

An important note is, as we saw in the definition above, “personal data” as defined by GDPR is broad, and potentially includes identifiers such as email address and even an IP address!

The GDPR strengthens enforcement of the rules and raises the fines associated with non-compliance or breaches. Firms must comply with greatly increased obligations for how they handle and protect data.

2. Expanding the Rights of Individuals

The GDPR expands the rights of individuals in the European Union by giving them the right to request copies of any personal information about them that a firm stores. In addition, individuals in the EU have the right to have their personal information removed. This is commonly known as the “right to be forgotten.”

For firms in the MSP and Hosting business, this means it’s critical to keep accurate records and backups/archives of all end-user personal data for any user located in the EU. It also means these firms must be able to quickly identify users’ personal data, provide accurate records of the data, and if necessary delete the data.

3. Increasing Compliance Obligations

In addition to the expanded rights of individuals, the GDPR also mandates that firms have policies and procedures in place to ensure the security of that data. Further, firms must conduct data protection impact assessments (DPIAs) to validate that security and privacy are being maintained.

The regulations also require firms to be able to provide detailed records on any data activities associated with the EU users.

For Hosting and MSP firms, this places an unavoidable burden on them to create policies and processes that ensure data security and integrity. Technical safeguards such as encryption, endpoint security and pseudonymisation need to be implemented.

GDPR also places additional burdens on ensuring that vendors of these firms are also compliant.

4. Required Notification of Data Breach and Security

Under the GDPR, firms must report some types of data breach to the data protection authorities (without undue delay and, where feasible, within 72 hours of becoming aware of the breach). In some circumstances, firms must also report these data breaches to the users affected by the breach.

Firms must also comply with more stringent security requirements to help enforce tighter controls over access and use of personal data.

The burden on firms, including Hosting firms and MSPs is clear:

  • They must know when the breach occurred
  • They must be able to identify exactly what information may have been accessed, edited or deleted
  • They must take appropriate and quick action to notify data protection authorities and in some cases the affected individuals

5. Requirements for Profiling and Monitoring Behavior

For firms that profile or engage in monitoring behavior of EU users, there are added requirements for how that profiling and monitoring is to occur. How much this impacts each firm is subject to how much monitoring or profiling occurs.

Making it more difficult for firms is the fact that these types of profiling and monitoring activities can change over time.

For Hosting and MSP firms, any activity associated with profiling or monitoring behavior of EU users will require compliance with these new requirements. Being able to assess the types of profiling and monitoring that may already be happening, or may start happening at some later point in time will be an important element of any firm dealing with user data.

6. Appointment of a Data Privacy Officer May Be Required

Under the GDPR, some organisations are obliged to appoint a data protection officer (DPO), in particular where a firm performs large-scale systematic monitoring of individuals (for example, online behaviour tracking).

However, we believe that appointing a DPO is best practice even if your firm is not obligated to appoint one.

The €20 Million (or more) Fine

How serious are these new regulations?

Try €20 Million or more serious!

The teeth of these regulations are the penalties, which can be the greater of €20 million or four percent of a company’s annual global turnover. That is not EU turnover, that is global turnover!

This amount will vary depending on how bad the breach and resulting damages are. Still, it’s a large enough number that anyone managing a firm, especially firms with tight margins like Hosting companies or MSPs should be paying attention.

Not in the EU? You Still Need to Pay Attention

Even if your firm is not located in the EU, these regulations may still apply to you.

If you have users who live in the EU and whose personal information is held in your systems, then you will need to comply. The GDPR applies to firms inside or outside the EU as long as they are storing or tracking personal data of EU individuals.

And in addition to addressing their own GDPR compliance, Web Hosters and MSPs should support their customers in the same endeavor.

Audit Logs

Audit logs are available wherever data is added, edited or deleted. Authentication events and password changes are logged against the individual user in question.

Password Policy

Password configuration settings, reset intervals and session timeout periods can be controlled by a system administrator to enforce company policy. Mobile access is subject to the same system permission settings.

Configurable by the Administrator:

  • Number of Characters in the Password
  • Number of Upper Case Letters
  • Number of Numeric Characters
  • Number of Special Characters
  • Session Timeout
  • Password Reset Interval
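As an added example (illustrative Python, not CGA's or Flex's own code), the following shows how a policy with the administrator-configurable parameters listed above can be enforced server-side: the composition checks, the reset interval, and a denylist check that composition rules alone do not provide. The class and function names, the default values and the small common-password denylist are assumptions for illustration.

```python
"""Enforce an administrator-configured password policy (added example, not Flex code).

The parameters mirror the configurable items listed on the page: minimum
length, minimum counts of upper-case, numeric and special characters, and the
password reset interval. The denylist is a constructed sample; a real
deployment would use a breached-password feed instead."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List
import string

SPECIAL_CHARS = set(string.punctuation)

# Constructed sample denylist (assumption); a real deployment would use a large breached-password set.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "qwerty123", "letmein"}


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12           # Number of Characters in the Password
    min_upper: int = 1             # Number of Upper Case Letters
    min_digits: int = 1            # Number of Numeric Characters
    min_special: int = 1           # Number of Special Characters
    reset_interval_days: int = 90  # Password Reset Interval


def check_password(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    failures: List[str] = []
    if len(password) < policy.min_length:
        failures.append(f"at least {policy.min_length} characters required")
    if sum(c.isupper() for c in password) < policy.min_upper:
        failures.append(f"at least {policy.min_upper} upper-case letter(s) required")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        failures.append(f"at least {policy.min_digits} numeric character(s) required")
    if sum(c in SPECIAL_CHARS for c in password) < policy.min_special:
        failures.append(f"at least {policy.min_special} special character(s) required")
    # Composition rules alone do not stop predictable choices such as "Welcome1",
    # so the candidate is also compared (case-insensitively) against a denylist.
    if password.strip().lower() in COMMON_PASSWORDS:
        failures.append("password is on the common-password denylist")
    return failures


def password_expired(last_changed: datetime, now: datetime, policy: PasswordPolicy) -> bool:
    """True once the reset interval has elapsed and the user must choose a new password."""
    return now - last_changed >= timedelta(days=policy.reset_interval_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Tr0ub4dor&3xample", "Password1!", "Welcome1"):
        print(candidate, check_password(candidate, policy) or "OK")
```

The validator returns every violation rather than the first one, so the user sees all of the rules they missed in a single round trip; the reset check is kept separate because it is evaluated at login, not at password change.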

Active Monitoring Measures

The Flex Platform and Mobile Apps have a built-in monitoring and reporting structure, ensuring that any errors that do occur are reported directly to CGA engineers. These mechanisms allow CGA to start debugging and fixing issues in real time, minimising any disruption to the client.

These error reports contain no personal information relating to the client, no client data or information is included with the communication.

External Data Interactions

There are multiple ways to extract data from the Flex system and to communicate with users and third parties outside the Platform, each designed to present information in a way that is useful relative to the system:

Channel                     Trigger     Description
Communications and alerts   Automatic   Event-driven notifications. Details can be customised. Can be sent as email, SMS, system notification or internal mail. Can be made inactive.
Static reporting            Automatic   Combined reports generated at timed intervals, containing multiple reporting variables and drilldowns. Sent as emails to associated profiles and groups. Broken down by system, %Project% type and individual %Project%.
Analytics                   Manual      Graphical representation of predetermined data with variable date fields. Delve into the data by applying restrictions. On-demand reporting.
Exports                     Manual      Print work-screen details as PDF and Excel reports.
Documents                   -           Generate PDFs of data input via the web-based system or the mobile applications.
Dashboards                  Automatic   High-level graphical data view. Customisable to the client's requirements; gives a live view of activities in the organisation.

Scalability and Stress Testing

The only restriction on scaling is hardware, and as CGA over-specifies hardware by default, clients are free to scale the system as required. CGA has background processes in place to monitor server status and will schedule system upgrades or hardware extensions as required. If server downtime is required, these upgrades are arranged with the client in advance.

Testing, Update and Release

Our testing team works continuously to make sure no system is released with known bugs in place. While we accept that no system is bug free, we endeavour to minimise the impact any bug may have on the operation of Flex.

Upgrades and Release are generally done at quarterly intervals, normally the first weekend of each new quarter. There may be times when CGA need to do releases outside this time schedule and will notify you in advance of these instances.

Security Audits & Upkeep

Internal security audits are conducted regularly to evaluate authenticated and unauthenticated access to data, authentication methods, external access and API access.

Strict coding guidelines are in place to ensure that modern best practice is followed from the foundations of the code base upward.

CGA is in the process of adopting and implementing the ISO 27001 standard for Information Security Management Systems and will update this policy with the details once the process has completed.

6 Steps and processes to help comply with GDPR:

1.  Reason

Is your CCTV system justified?

If you are placing cameras around the perimeter of your site to detect intruders, this should be easy to justify. If you have installed a camera to monitor employees, it is not so straightforward, as this is seen as an invasion of privacy. If you can show that the cameras are there for health and safety reasons, citing incidents in the past, that may be acceptable.

What images will be captured and why?

When you are capturing images somewhere a person would expect privacy, you must justify the need. For example, in rest areas or on a public walkway, you must be able to demonstrate a clear history of security incidents before such cameras can be allowed.

You need to carry out a risk assessment itemising each camera, the intended viewing area, and the reason for the camera.

2.  Inform

You must inform people of CCTV presence

The purpose for which the data is being collected should be clear. This is especially important if the purpose is not obvious. If it is for employee monitoring or health and safety, this needs to be highlighted to the persons being captured by the cameras. A sign (or signs) highlighting CCTV use, with a contact number for anyone wishing to follow up, is sufficient.

A notification can also be created through system alerts on the device to state that images are being captured.

3.  Retain

A Data Controller needs to justify reasons for storing and retaining data.

Retention is generally about 30 days. If you feel you need to retain CCTV data for longer, then your risk assessment should state how long and why. A modern CCTV system will allow you to set retention limits per camera.

4.  Permit

Access Requests for personal data

GDPR states

‘Any person whose image is recorded on a CCTV system has a right to seek and be supplied with a copy of their own personal data from the footage.’

So, anyone who is captured by your CCTV cameras has the right to request that footage, as it is seen as personal data. They must follow a procedure, but are perfectly within their rights. If any other individuals are visible in the footage, a footage redaction service needs to be provided, i.e. blurring out the faces of the other individuals.

5.  Assist

Supply of CCTV images to the Gardaí

The Gardaí may request footage from you and you may supply it, but always ensure it is followed up by a written request on Garda headed paper. The Gardaí will often just want to view the footage on the premises of the Data Controller or Processor; this action does not raise any data protection concern.

6.  Ensure

Responsibilities of security companies

Security companies act as Data Processors under GDPR. ‘Clients of the security company should have a contract in place which details what the security company may do with the data; what security standards should be in place and what verification procedures may apply.’

Ensure that any subcontractors working on your behalf, e.g. Security companies or CCTV Engineers, follow this procedure. You will be open to data breaches if a third party can distribute, or remove, personal data in the form of CCTV images without following the above procedures.

7.  Conclusion:

Taking the above into consideration, many companies need to look at their security arrangements and ensure there are no likely breaches of the regulations. An innocent oversight could result in a hefty penalty for your business. It is no longer acceptable to ‘not understand’ or ‘not be aware of’ the laws associated with CCTV systems. While it is quick and easy to purchase and install your own passive CCTV system, without the input of professional security service providers you may leave yourself open to prosecution and fines.

General cookie introduction

Cookies are small text files that can be used by websites to make a user’s experience more efficient.

The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission.

This site uses different types of cookies. No cookies are placed by third party services on our pages.

CGA Technology does not use cookies to capture user information beyond the local session information that assists in the use of the system, and is therefore not in breach of any privacy or GDPR-related regulation.

Does Flex use cookies: Yes

CGA uses the following cookies to assist in the ease of use of the online Flex system.

The data is used within a single session to ensure security and visual fluidity while navigating through the flex system.

#  Name           Type     Expiry   Function
1  ModMenu        Primary  Session  Holds your place in the module menu so that when the page reloads or you navigate away, the left-hand menu still displays the expanded module tabs.
2  PHPSESSID      Primary  Session  A security feature that keeps track of the unique session token and checks it whenever data is loaded, so that unauthorised external access is detected. If an invalid token is referenced in a session, the user is notified and ejected from the system, and a log is kept of each instance.
3  Screen_height  Primary  Session  Saves the height of the screen so that changes in the “working area” of the online system remain fluid.
4  Screen_width   Primary  Session  Saves the width of the screen so that changes in the “working area” of the online system remain fluid.
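As an added example (illustrative Python, not the PHP that Flex runs and not CGA's code), the following shows the server-side half of what the PHPSESSID entry above describes: a session store that issues unpredictable tokens, looks them up by hash so a leaked session table cannot be replayed, ends idle sessions after a timeout, rotates the token to defeat session fixation, and writes an audit entry whenever an invalid token is presented. The in-memory store, the 15-minute timeout and the audit-entry format are assumptions.

```python
"""Server-side session-token validation (added example, not Flex code).

Illustrates the behaviour described for the PHPSESSID cookie: each request's
token is checked against the server's session table, an idle session is ended
after a configurable timeout, and every invalid token is logged. The in-memory
store, the timeout value and the audit format are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed; would come from the administrator's session-timeout setting


@dataclass
class Session:
    user: str
    last_seen: datetime


def _key(token: str) -> str:
    """Index sessions by a hash of the token so a leaked table does not yield usable cookies."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        # (timestamp, user or None, event) tuples stand in for the audit log.
        self.audit: List[Tuple[datetime, Optional[str], str]] = []

    def create(self, user: str, now: datetime) -> str:
        """Issue a fresh 256-bit random token after successful authentication."""
        token = secrets.token_urlsafe(32)
        self._sessions[_key(token)] = Session(user=user, last_seen=now)
        self.audit.append((now, user, "session created"))
        return token

    def rotate(self, token: str, now: datetime) -> Optional[str]:
        """Replace the token (e.g. at login or privilege change) to defeat session fixation."""
        sess = self._sessions.pop(_key(token), None)
        if sess is None:
            return None
        return self.create(sess.user, now)

    def validate(self, token: str, now: datetime, remote_addr: str) -> Optional[str]:
        """Return the session's user, or None (after logging) if the token is invalid or expired."""
        sess = self._sessions.get(_key(token))
        if sess is None:
            # The "invalid token" case from the cookie table: log it with the source address.
            self.audit.append((now, None, f"invalid session token presented from {remote_addr}"))
            return None
        if now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[_key(token)]
            self.audit.append((now, sess.user, "session expired (idle timeout)"))
            return None
        sess.last_seen = now
        return sess.user


if __name__ == "__main__":
    store = SessionStore()
    t0 = datetime(2018, 12, 10, 19, 0, 0)
    tok = store.create("alice", t0)
    print(store.validate(tok, t0 + timedelta(minutes=5), "203.0.113.7"))   # alice
    print(store.validate("forged", t0 + timedelta(minutes=5), "203.0.113.7"))  # None
    for entry in store.audit:
        print(entry)
```

Rejecting the caller on the first invalid token, rather than letting the request proceed anonymously, is what makes the audit entry meaningful: the log records who was ejected and from where.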

1. Server Configuration

Each client can get a full physical (non-virtual) server located in the EU to ensure compliance with EU data protection law (Directive 95/46/EC, since replaced by the GDPR).

There is no third-party access to the server: CGA controls the server and Hetzner (approved hardware partner) controls the hardware.

2. Server Location

CGA Technology is partnered with Hetzner, an award-winning server hosting provider, where we host our servers.

All production systems are housed in DC19 at the Data Centre Park in Falkenstein, Germany, in dedicated cages and racks.

Backup systems are housed in Nuremberg (Sigmund Strass), Germany.

Where explicit rules are required by the Client, alternative hosting options can be discussed, including internally hosted systems. Additional charges may be applicable to alternative hosting options.

3. Data Centre Physical Security

A video-monitored, high-security perimeter surrounds the entire data centre park. Entry is only possible via electronic access control terminals with a transponder key or admission card. All movements are recorded and documented. Ultra-modern surveillance cameras provide 24/7 monitoring of all access routes, entrances, security door interlocking systems and server rooms.

4. Data Centre Redundancy

Uninterruptible power supply (UPS) is ensured with a 15-minute backup battery capacity and emergency diesel-generated power. All UPS systems have a redundant design.

Direct free cooling allows for the environmentally friendly cooling of hardware. Climate control is effected via a raised floor system with a modern fire detection system directly connected to the fire alarm centre of the local fire department.

The Flex platform is a software-as-a-service platform delivered through a web application and connected mobile applications.

To access and use Flex, each user will need a web browser (Microsoft Internet Explorer 8+, Mozilla Firefox 2+, Apple Safari 3+ or Google Chrome) with JavaScript enabled.

A variety of coding languages are used throughout the system, each with its own specific function, including:

  • PHP
  • HTML
  • JavaScript
  • jQuery
  • Python
  • CSS
  • Swift

Data storage is by way of an SQL database. The database version depends on client requirements; MySQL is the default database for the Flex Platform.

The current Flex system (4.6) contains 116 business modules and an extensive encrypted API infrastructure. As a modular platform, modules are activated according to the licence agreement. Additional modules can be added at any stage to suit the client's rollout plan, business goals and current agenda.

Flex APIs allow integration with third-party systems and mobile applications. Standard connections such as single sign-on with Active Directory are available; custom integrations with your existing platforms may incur a cost.

One of the key components of a Flex system is its ability to adapt to any work environment. 90% of our processes can be configured to suit business requirements via the admin panel; configuration and administration are carried out through our supported mechanisms. Code or database structure changes made by the client are not supported. Customisations, if required, are carried out on behalf of the client by CGA as part of the quarterly release cycle.

Data is backed up three times daily to a remote backup server and once daily to offsite locations with the same security standards as all servers. The Flex operation does not depend on any particular piece of hardware.

The disaster recovery (DR) policy for a Flex system is to drop the failed hardware and move the data to a new server, minimising client downtime; a “hot swap” server is always maintained as a precaution.

CGA has a remote action centre that manages all hardware and raises alerts in the case of an emergency or abnormal behaviour.

Data Access

CGA takes a multi-tier approach to data security. On tier one, client systems are isolated, with each client having an independent server.

Within each server, the Enterprise Access Control architecture controls and limits access to data so that an authenticated user gets only the minimum access required to carry out their duties.

Data Encryption

Data classified as Strictly Confidential goes through a secondary encryption process using AES-256. CGA's and the client's definitions of Strictly Confidential may differ, so additional data can be added to the Strictly Confidential classification to meet the client's requirements. Note, however, that additional encryption can affect the performance of the Flex system, so the additional encryption is limited to the minimum data necessary to protect the client, their users, employees, customers and so on.

API Security

All APIs into and out of the Flex platform are secured using unique AES-256 encryption.

Viruses

To prevent Flex being used as a distribution medium for viruses, all media uploaded to the system is scanned and scrubbed to ensure that no malware or malicious content is uploaded by the client's users. Where a user's upload receives a positive result from our security screening process, CGA will contact the client contact with details of the security incident.
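As an added example of the pre-checks that surround the kind of screening described above (illustrative Python, not CGA's scanner; a real pipeline would also hand the file to an antivirus engine), the following checks an upload against an extension allowlist, verifies that the file's leading magic bytes agree with the declared type, rejects oversize files and the EICAR antivirus test signature, and produces the hash and findings that an incident report to the client contact would carry. The allowlist, size limit, function names and sample files are assumptions.

```python
"""Screening of user uploads before storage (added example, not Flex code).

Checks: extension allowlist, magic-byte/extension agreement, maximum size and
the EICAR antivirus test signature. A real pipeline would additionally submit
the file to an antivirus engine; this shows the checks around that step.
The allowlist and size limit are assumed values."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # assumed limit

# Leading bytes expected for each permitted extension (assumed allowlist).
MAGIC: Dict[str, Tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Standard EICAR test string: harmless, but every scanner must flag it, so it doubles as a self-test.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class ScanResult:
    filename: str
    sha256: str
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def scan_upload(filename: str, data: bytes) -> ScanResult:
    """Screen one upload; every failed check is recorded so the incident report is complete."""
    reasons: List[str] = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        reasons.append(f"extension '{ext}' is not permitted")
    elif not data.startswith(MAGIC[ext]):
        # A renamed executable or script does not carry the declared type's header.
        reasons.append(f"content does not match declared type .{ext}")
    if len(data) > MAX_UPLOAD_BYTES:
        reasons.append("file exceeds maximum upload size")
    if EICAR in data:
        reasons.append("EICAR test signature detected")
    digest = hashlib.sha256(data).hexdigest()
    return ScanResult(filename, digest, accepted=not reasons, reasons=reasons)


def incident_report(result: ScanResult, uploader: str) -> Dict[str, object]:
    """Details passed to the client contact when screening returns a positive result."""
    return {
        "uploader": uploader,
        "filename": result.filename,
        "sha256": result.sha256,
        "findings": list(result.reasons),
    }


if __name__ == "__main__":
    # Constructed sample files, not real uploads.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    exe = b"MZ\x90\x00" + b"\x00" * 32
    for name, blob in (("photo.png", png), ("photo.png", exe), ("report.pdf", b"%PDF-1.4\n" + EICAR)):
        res = scan_upload(name, blob)
        print(name, "accepted" if res.accepted else incident_report(res, "user@example.invalid"))
```

The magic-byte check is the one that catches the common trick of renaming an executable to an image extension; the SHA-256 in the report lets the client cross-check the file against their own antivirus or threat-intelligence sources.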

Service Level Agreement

CGA shall provide Support and Maintenance Services in accordance with the terms of this Exhibit, which terms may be amended from time to time by CGA.

Supported Browser & Device Versions

To access and use Flex, each user will need a web browser (Microsoft Internet Explorer 8+, Mozilla Firefox 2+, Apple Safari 3+ or Google Chrome) with JavaScript enabled.

Android and iOS devices are supported:

  • Android 4.3 or Greater (API 19) / iOS 9+
  • NFC Enabled Device
  • Rear-facing Camera for Audits/ Inspections & Maintenance

Items Covered by Support and Maintenance Services.

Support and Maintenance shall include:

  • Online and phone support for all technical issues relating to the use of the Software (including errors or problems with the Software, issues during setup and assistance understanding specific features);
  • All available Upgrades as they become available for general release.

Items Not Covered by Support and Maintenance Services.

CGA is not obligated to provide Support and Maintenance for errors or problems caused by the following (each, an “Excluded Cause”):

  • third-party components not provided by CGA
  • use of the Software other than in a recommended environment described in the Documentation;
  • continued use of a Version Release or Patch Release version of the Software for which Support and Maintenance Services are no longer provided in accordance with 7.3.

Client Obligations.

  • Client agrees to provide CGA with all information and materials requested by CGA for use in replicating, diagnosing and correcting an error or other problem with the Software reported by Client. Client acknowledges that CGA’s ability to provide satisfactory Support and Maintenance Services is dependent on CGA having the information necessary to replicate the reported problem with the Software. In reporting an error to CGA, Client will send a complete and accurate error report (an “Error Report”) that includes
    • Client name and on-site technical contact information;
    • a reasonably detailed description of the error, together with any supporting information that Client’s engineers believe will assist CGA in its diagnostic process;
    • any error message(s) or other message(s) generated by the system in association with the error;
    • a test case or instructions necessary to demonstrate the error;
  • Client acknowledges that Updates provided by CGA (applicable only to mobile applications) may be necessary for the proper operation of the Software and therefore agrees to promptly install all Updates made available by CGA to ensure that Client’s version of the Software remains supported.