
SmartSimple Security, Privacy & Architecture (GDPR)
Release Date: 23 May 2018

1. Architecture and Data Segregation

The service can be run in a multi-tenant, single-tenant, or enterprise (on-premise) hosting environment.

SmartSimple has developed a logical abstraction layer that separates client-maintained data and system configuration from the underlying core system functionality. This layer is one of the key components of the platform and has been the subject of our research and development activities since the start of the company.

System security and access models meet the needs of different user groups. This approach provides an appropriate interface for each stakeholder group, such as applicants, staff reviewers, non-staff reviewers, board members, administrators and others. Attribute- and role-based security and permissions are a cornerstone of SmartSimple's security design. Attribute Based Access Control (ABAC), in combination with standard Role Based Access Control (RBAC), dictates everything from portal access to application access to the ability to view and modify the contents of a field. These controls extend past the user's role and take in the context of the request (location within the corporate network, time of day, rank/classification, material to be accessed, and other attributes), evaluated at the field level.

Hosting regions by customer location:

  Customer location   Hosting region(s)
  Australia           Amazon Web Services (AWS) Asia Pacific – Sydney, Australia
  Canada              Amazon Web Services (AWS) Canada (Central) – Montreal, Canada
                      iWeb Canada – Montreal, Canada
  EU                  Amazon Web Services (AWS) EU (Ireland)
                      Amazon Web Services (AWS) EU (Frankfurt)
  United Kingdom      Amazon Web Services (AWS) Europe (London Region)
  United States       Amazon Web Services (AWS) US East (N. Virginia)
                      Amazon Web Services (AWS) US West (Oregon)
  US Federal          Amazon Web Services (AWS) GovCloud (US)

2. Subprocessor List

  Entity name                         Entity type                                            Entity country
  Computer Services, Inc. (CSI Web)   Watchlist services related to terrorist and criminal   United States
                                      organizations and individuals
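Section 1 describes field-level permissions that combine RBAC with request attributes (network location, time of day, classification). The following is an added illustration of that decision model and is not SmartSimple's code: the role names, the 10.0.0.0/8 corporate network range, the office-hours window, the classification ladder, and the sample rules and users are all assumptions made for this example.

```python
# Added example (not SmartSimple code): a field-level ABAC + RBAC decision
# function of the kind section 1 describes. Role names, the corporate network
# range, office hours and the classification ladder are assumptions for
# illustration, not SmartSimple's configuration.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

CORPORATE_NETWORK = ip_network("10.0.0.0/8")           # assumption
OFFICE_HOURS = (time(8, 0), time(18, 0))                # assumption, local time
CLASSIFICATION_RANK = {"public": 0, "internal": 1,     # assumption
                       "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Subject:
    """The requesting user plus the request attributes the policy consults."""
    user_id: str
    roles: frozenset          # RBAC input
    clearance: str            # highest classification the user may see
    source_ip: str            # where the request came from
    local_time: time          # when it was made


@dataclass(frozen=True)
class FieldRule:
    """Per-field policy: which roles may read/write it, and under what context."""
    name: str
    classification: str
    read_roles: frozenset
    write_roles: frozenset
    corporate_network_only: bool = False
    office_hours_only: bool = False


def decide(rule, subject, action):
    """Return (allowed, reason). Default deny; RBAC is checked first, then the
    attribute constraints, and the reason names the first failing check."""
    if action not in ("read", "write"):
        return False, "unknown action"
    permitted_roles = rule.read_roles if action == "read" else rule.write_roles
    if not (subject.roles & permitted_roles):
        return False, f"role not permitted to {action} {rule.name}"
    if CLASSIFICATION_RANK[subject.clearance] < CLASSIFICATION_RANK[rule.classification]:
        return False, "clearance below field classification"
    if rule.corporate_network_only and ip_address(subject.source_ip) not in CORPORATE_NETWORK:
        return False, "outside corporate network"
    start, end = OFFICE_HOURS
    if rule.office_hours_only and not (start <= subject.local_time < end):
        return False, "outside office hours"
    return True, "allowed"


def visible_fields(rules, subject):
    """Names of the fields this subject may read, in rule order."""
    return [r.name for r in rules if decide(r, subject, "read")[0]]


# Constructed sample policy for a grant application record.
RULES = [
    FieldRule("budget", "internal",
              read_roles=frozenset({"applicant", "staff_reviewer", "board"}),
              write_roles=frozenset({"applicant"})),
    FieldRule("reviewer_score", "confidential",
              read_roles=frozenset({"staff_reviewer", "board"}),
              write_roles=frozenset({"staff_reviewer"}),
              corporate_network_only=True),
    FieldRule("board_notes", "restricted",
              read_roles=frozenset({"board"}),
              write_roles=frozenset({"board"}),
              corporate_network_only=True, office_hours_only=True),
]

# Constructed sample subjects (IPs from documentation ranges).
APPLICANT = Subject("u1", frozenset({"applicant"}), "internal", "198.51.100.4", time(10, 0))
REVIEWER_ONSITE = Subject("u2", frozenset({"staff_reviewer"}), "confidential", "10.20.30.40", time(14, 0))
REVIEWER_REMOTE = Subject("u3", frozenset({"staff_reviewer"}), "confidential", "203.0.113.7", time(14, 0))
BOARD_AFTER_HOURS = Subject("u4", frozenset({"board"}), "restricted", "10.1.1.1", time(22, 0))

if __name__ == "__main__":
    for subj in (APPLICANT, REVIEWER_ONSITE, REVIEWER_REMOTE, BOARD_AFTER_HOURS):
        print(subj.user_id, "can read:", visible_fields(RULES, subj))
    print(decide(RULES[1], REVIEWER_REMOTE, "write"))
```

The point to notice is that the same reviewer account gets different answers depending on request attributes: on the corporate network the reviewer can write the score field, from an external address the write is refused, and the score field drops out of the readable set entirely. Deny is the default, and every refusal carries a reason so the decision can be logged and audited rather than silently hiding a field.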

3. Audits and Certifications

SmartSimple has engaged in several security and privacy-related audits and certifications which provide the framework in which your data is handled.

- Service Organization Control (SOC) reports: SmartSimple Software engages in a yearly third-party evaluation by our auditors, Deloitte, which produces SOC 1 and SOC 2 compliance reports. These reports are available upon request under a Non-Disclosure Agreement (NDA).
- Federal Information Security Management Act (FISMA) compliance: SmartSimple is compliant with the comprehensive framework created to protect government information, operations and assets against natural and man-made threats.
- Federal Information Processing Standard (FIPS 140-2) compliance: SmartSimple is compliant with the computer security standard against which cryptographic modules are validated.
- GSA IT Schedule 70 contract holder: SmartSimple is an approved United States General Services Administration (GSA) Advantage Schedule 70 supplier.
- AWS GovCloud: SmartSimple is an Amazon AWS Partner and is authorized to host in the AWS GovCloud (US) region. GovCloud's isolated AWS region allows government agencies and customers to move sensitive workloads to the cloud.
- GOV.UK: SmartSimple is an authorized supplier to the United Kingdom, through the GOV.UK website managed by the Government Digital Service.

4. Code of Conduct

As of April 2018, SmartSimple is pursuing certification under the EU Cloud Code of Conduct, a code of conduct drafted by the Cloud Select Industry Group (C-SIG). The Cloud Select Industry Group was convened by the European Commission.

5. Security Controls

SmartSimple provides a number of platform-level configurable security, privacy, and data retention controls that allow clients to set up and then manage their solution in a manner that is non-prescriptive. For additional security details visit our public Wiki.

6. Security Policies and Procedures

SmartSimple identifies potential threats that would impair system security, availability, processing integrity, and confidentiality commitments and requirements; analyzes the significance of the risks associated with the identified threats; and determines mitigation strategies for those risks (including controls and other mitigation strategies).

- SmartSimple uses a configuration management database and related process to capture key system components and technical and installation-specific implementation details, and to support ongoing asset and service management commitments and requirements.
- SmartSimple has defined a formal risk management process that specifies risk tolerances and the process for evaluating risks based on identified threats and the specified tolerances.
- During the risk assessment and management process, risk management office personnel identify changes to business objectives, commitments and requirements, internal operations, and external factors that threaten the achievement of business objectives, and update the potential threats to system objectives.
- Identified risks are rated using a risk evaluation process, and the ratings are reviewed by management.

- The Security Committee evaluates the effectiveness of controls and mitigation strategies in meeting identified risks and recommends changes based on its evaluation.
- The Security Committee's recommendations are reviewed and approved by senior management.

Regarding the identification of potential threats, SmartSimple addresses the following security risks:

- Risk: Malicious code added by developer
  Mitigation: Source code security testing; both automated and manual testing is performed.
- Risk: Insecure code added by developer
  Mitigation: Source code security testing; both automated and manual testing is performed.
- Risk: Vulnerability in existing code
  Mitigation: Source code security testing; both automated and manual testing is performed. Penetration testing is performed by a third-party security firm at least once a year.
- Risk: Vulnerability discovered in existing operating components
  Mitigation: Servers are scanned weekly for new vulnerabilities. Penetration testing is performed by a third-party security firm at least once a year. SmartSimple is a member of the Financial Services Information Sharing and Analysis Center (FS-ISAC) and as such receives the earliest available warning of potential vulnerabilities. Trend Micro Deep Security is used to monitor servers.
- Risk: Vulnerability discovered in existing client configuration
  Mitigation: Client-specific penetration testing.
- Risk: Logical breach of hosting security
  Mitigation: The response is based on the extent of the breach.
- Risk: Physical breach of hosting facility security
  Mitigation: See Disaster Recovery plans; system error logs.

Penetration testing is performed by a third-party security firm at least once a year. Internal and external network scanning is performed monthly, with reports received weekly. Results are integrated into security enhancements to the platform as part of the regularly scheduled upgrade cycle.

Your organization may require our platform to be reviewed and approved for use either by internal staff or a third party. To assist in this process, SmartSimple can provide, under a Non-Disclosure Agreement, the following documents:

- SOC 2 Report: an externally prepared independent service audit report prepared annually by Deloitte. It outlines our organization's compliance with the Trust Services Principles and Criteria as defined by the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants, Inc. (AICPA) and Chartered Professional Accountants of Canada (CPA Canada). SmartSimple uses this framework to manage security, availability, processing integrity, confidentiality, and privacy.
- SmartSimple Software Operational Policies: defines the policies enforced at SmartSimple to ensure day-to-day compliance with the Trust Framework.
- Third Party Penetration Test: describes the results of a third-party security assessment that is carried out annually. The assessment provides details as to the security of the system based on industry standards.

7. Intrusion Detection

SmartSimple employs tools that monitor network traffic for intrusions. Intrusion protection includes both an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS).

Software firewalls are employed to restrict network traffic to the servers. Only specified ports are opened to the public. Secure Shell (SSH) is restricted by source IP address, allowing connections only from the SmartSimple office or from backup/non-production servers. All other ports are restricted and Internet Control Message Protocol (ICMP) is disabled.

8. Security Logs

SmartSimple maintains the following logs:

- User login and logout, including IP address.
- Change value logging (old and new values, date/time, and the user performing the change). Security logs can be enabled on a field-by-field basis throughout the system.
- All record deletion events are logged and the deleted records archived.
- A Reader Log can be enabled to track all users that view and/or edit a record.

9. Incident Management

In the event that the monitoring tools and scheduled procedures (in each of the hardware, software and data security sections) identify an incident, SmartSimple will immediately assess the situation and determine the nature of the incident. All appropriate parties will be contacted within 24 hours (the client will always be notified of security breaches), and collectively these parties, under the direction of SmartSimple, will determine a resolution.

10. Physical Security

SmartSimple has partnered with Amazon Web Services (AWS) for our production data centers. Amazon's control points are all inherited by SmartSimple clients:

- secure design (site selection, redundancy, availability, capacity planning);
- business continuity and disaster recovery (BCP, pandemic response);
- physical access (employee data center access, third-party data center access, AWS GovCloud data center access);
- monitoring and logging (data center access review, data center access logs, data center access monitoring);
- surveillance and detection (CCTV, data center entry points, intrusion detection);
- device management (asset management, media destruction);
- operational support systems (power, climate and temperature, fire detection and suppression, leakage detection);
- infrastructure maintenance (equipment maintenance, environment management);
- governance and risk.

11. Reliability and Backup

All SmartSimple systems are backed up on a nightly basis at a separate but equally secure data center from where production data is hosted.

A hot backup server is used to save and mount the daily backups every night (the backup and mounting frequency can be determined by a client if they choose dedicated hosting). Acting as a hot backup, this server is always online and available. Physically, the server can either be hosted by the client or run on Amazon's EC2 cloud offering. Each daily incremental backup is archived to a separate location. Incremental backups are generally archived for a period of three (3) months and then removed.

12. Disaster Recovery

SmartSimple has a comprehensive disaster recovery and business continuity plan based on SOC control points. In the event that a SmartSimple server becomes unreachable, the hot backup server may be used in a read-only fashion by users wishing to view information entered into the system up to the previous date.

After triaging the situation there are two possible routes of action. If the production server data is intact and is recoverable within a predetermined amount of time, users continue to use the hot backup server in a read-only fashion until the production server is restored online. If the production server data is unrecoverable, or the server is not recoverable within a predetermined amount of time, the hot backup server is promoted to production server. A new server is then procured and a maintenance window scheduled to promote the new server as the production server and demote the existing server back to the hot backup.

13. Viruses

The system can accept all file types (documents, spreadsheets, PDF files, PowerPoint presentations, jpg, png, gif, mp3, mp4, mpg, mov, qt, wav, zip) except for exe and binary files. All files are scanned for viruses once uploaded to the system.

14. Data Encryption

All data is encrypted in motion (using Transport Layer Security, TLS) and at rest. Encrypted disk storage uses AES with a 256-bit key. Passwords are not stored in recoverable form: they are stored in the database as SHA-256 hashes that are salted and stretched.

15. Return of Customer Data

SmartSimple also provides data export functionality from your system to National Archives Electronic Records Archives (ERA) standards. The significance of this functionality is that it provides self-serve access to exported data in a format that can be used beyond the confines of the SmartSimple application and platform.

16. Deletion of Customer Data

(a) Upon termination of an account, the Client's right to use such account and the Service immediately ceases.

(b) SmartSimple shall return to the Client all of its Participant Data, subject to a fee for the time required to do so determined at the then current billing rates, in an agreed format such as CD-ROM or on a USB key or USB hard disk supplied by the Client, within thirty (30) days, and shall retain the Data for ninety (90) days thereafter ("Retention Period").

(c) Within a reasonable time after the return of such Participant Data to the Client and the expiry of the Retention Period, SmartSimple shall deliver to the Client a certificate signed by a senior officer of SmartSimple stating that all of the Participant Data has been permanently deleted/purged from the database. As archive data is retained for the archive cycle (currently six (6) months), all residual copies of the data will be deleted at the end of that cycle.
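Section 13 says uploads of any type are accepted except exe and binary files. The check a practitioner would want behind such a rule is content-based, because an executable renamed to .pdf still carries its executable header, and because zip (and Office documents, which are zips) can carry executables inside. The following is an added example of that screening and is not SmartSimple's upload code: the blocked-extension list, the magic-byte table, the member cap and the sample payloads are all constructed here.

```python
# Added example (not SmartSimple code): screening uploads by content rather
# than by file extension alone, for the policy in section 13. The blocked
# extension list, the magic-byte table and the sample payloads are constructed
# for illustration; they are not SmartSimple's configuration.
import io
import zipfile

# Leading bytes of common native executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O (32-bit, big-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O (64-bit, big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O (32-bit, little-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O (64-bit, little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary / Java class",
}
BLOCKED_EXTENSIONS = {"exe", "dll", "com", "scr", "msi",      # assumption
                      "bat", "cmd", "ps1", "sh", "jar"}
MAX_ARCHIVE_MEMBERS = 10_000   # assumption: bound the work a hostile zip can cause


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def executable_kind(head):
    """Describe the executable format if the leading bytes match one, else None."""
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def _screen_archive(data):
    """Inspect zip members (docx/xlsx/pptx are zips too) for executables."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if len(infos) > MAX_ARCHIVE_MEMBERS:
                return False, "archive has too many members"
            for info in infos:
                if info.is_dir():
                    continue
                if _extension(info.filename) in BLOCKED_EXTENSIONS:
                    return False, f"archive member {info.filename!r} has a blocked extension"
                with zf.open(info) as member:      # RuntimeError if member is encrypted
                    kind = executable_kind(member.read(8))
                if kind:
                    return False, f"archive member {info.filename!r} is {kind}"
    except (zipfile.BadZipFile, zipfile.LargeZipFile, OSError, EOFError, RuntimeError) as exc:
        return False, f"unreadable archive: {exc.__class__.__name__}"
    return True, "accepted"


def screen_upload(filename, data):
    """Return (accepted, reason). Order: extension deny-list, then content
    sniffing (an .exe renamed to .pdf still starts with MZ), then zip members."""
    ext = _extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return False, f"blocked extension .{ext}"
    kind = executable_kind(data[:8])
    if kind:
        return False, f"content is {kind} despite name {filename!r}"
    if data.startswith(b"PK\x03\x04"):
        return _screen_archive(data)
    return True, "accepted"


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used to construct sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample payloads (not real files): a PE-shaped header and a PDF header.
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
PDF_SAMPLE = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<<>>\nendobj\n"

if __name__ == "__main__":
    print(screen_upload("report.pdf", PDF_SAMPLE))
    print(screen_upload("report.pdf", PE_SAMPLE))
    print(screen_upload("bundle.zip", make_zip({"notes.txt": PE_SAMPLE})))
```

This is a gate in front of the antivirus scan the page describes, not a replacement for it: the magic-byte table only names a file's container format, and an unreadable or encrypted archive is rejected rather than passed through unscanned.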
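Section 14 states that passwords are stored as salted and stretched SHA-256 hashes. The following added example shows what that means concretely using PBKDF2-HMAC-SHA256 from the Python standard library; it is illustrative and not SmartSimple's implementation. The iteration count, the record format and the unsalted function shown for contrast are this example's choices, not SmartSimple's parameters.

```python
# Added example (not SmartSimple code): what "salted and stretched SHA-256"
# password storage looks like in practice, using PBKDF2-HMAC-SHA256 from the
# standard library. The iteration count, record format and the unsalted
# function shown for contrast are this example's choices, not SmartSimple's.
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # assumption; a current OWASP floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32
SCHEME = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash.
    A fresh random salt per user means equal passwords give different records,
    and the iteration count is the "stretching" that slows offline guessing."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return f"{SCHEME}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time.
    Any malformed or foreign-scheme record verifies as False."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        if scheme != SCHEME:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored work factor is below current policy, so the
    record should be recomputed at the next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


def unsalted_sha256(password: str) -> str:
    """The weak pattern, for contrast: one fast hash and no salt, so identical
    passwords collide across users and precomputed tables apply directly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample record with a fixed salt and a low count so it is reproducible.
SAMPLE_RECORD = hash_password("correct horse", iterations=1000, salt=b"\x01" * 16)

if __name__ == "__main__":
    print(SAMPLE_RECORD)
    print(verify_password("correct horse", SAMPLE_RECORD), needs_rehash(SAMPLE_RECORD))
    print(unsalted_sha256("password"))
```

Two points the page's one sentence does not make explicit: the record must carry its own salt and iteration count so the work factor can be raised later without a reset campaign (hence needs_rehash), and the comparison must be constant-time. A plain SHA-256 of the password, as unsalted_sha256 shows, is neither salted nor stretched even though it uses the same hash function.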
