AchieveMore's Security Policy

Política de Segurança AchieveMore english final version (1)

Published on: Mar 4, 2016
Source: www.slideshare.net


Transcripts - Política de Segurança AchieveMore english final version (1)

  • 1. AchieveMore's Security Policy

Objective

ACHIEVEMORE fully acknowledges that the confidentiality, integrity and availability of our clients' data are vital for their business operations and for our own success. Therefore, we established a set of practices and adopted measures to continuously monitor and improve our applications, systems and processes to meet the increasing requirements and challenges regarding security.

Security Measures for Human Resources

ACHIEVEMORE is responsible for the guidance, training and commitment of its collaborators to the security and confidentiality of the information of its clients. To that end, the following measures are adopted:

• Signing of the Non-Disclosure Agreement (Termo de Confidencialidade): applicable to all of ACHIEVEMORE's collaborators, the non-disclosure agreement seals the legal commitment of collaborators to the confidentiality and security of all information handled by ACHIEVEMORE, directly and indirectly;
• Level-Based Access Policy: access to ACHIEVEMORE's data and application centers is restricted and controlled. Only authorized and trained collaborators can access, configure and manage our data and application hosting resources.

Compliance

ACHIEVEMORE has a Privacy Policy whose objective is to establish a commitment to the privacy and security of the personal information of its client users. By using ACHIEVEMORE's application and services, users agree to the conditions presented in this policy. The complete Policy is available in the document AchieveMore Privacy Policy.

ACHIEVEMORE is committed to adopting the necessary measures to remove and prohibit the use of any material that infringes intellectual property rights. If you hold intellectual property rights and believe that any content or material available in our solution violates them, contact ACHIEVEMORE through our channel suporte@achievemore.com.br and tell us about it. ACHIEVEMORE commits itself to analyzing your request and taking all necessary measures. ACHIEVEMORE does not offer monetary rewards for notifications of intellectual property infringement.

Hosting Security

ACHIEVEMORE's servers are hosted on Amazon Elastic Compute Cloud (Amazon EC2) in the São Paulo datacenters. All servers are replicated in the two regions, thus ensuring the high availability of the environment.

AchieveMore Brazil Al. Campinas, 977 – cj. 25 - São Paulo – SP Phone: (11) 2367-6776
  • 2. Detailed information of data centers can be found in the following addresses:

http://aws.amazon.com/about-aws/
http://aws.amazon.com/choosing-a-cloud-platform/
http://aws.amazon.com/about-aws/globalinfrastructure/

Operations Security

Security in the deployment of service:

Functional Specification: at the parameterization stage of ACHIEVEMORE's service, all processes and content related to the information flow, databases and calculation reports are specified by ACHIEVEMORE and validated by the client prior to its completion.

Homologation to Go-Live: after the setup of the specified parameters, the product undergoes an approval process by the client in order to validate the parameterized content.

Maintenance/updating security:

Product updates/maintenance: all product updates and maintenance occur through a continuous integration process, an automated testing routine that detects integration errors or conflicts before the changes are added to the product. Updates are then applied to all clients without interruption in the supply of the service.

Updates/maintenance in client parameters: the updating of parameters, calculations and/or business rules of all clients undergoes the same security processes used for the deployment of services, including the mapping of functional specifications of the requested changes and an approval process (homologation) before going live.

Incident Management

Backups: ACHIEVEMORE has a process that automatically backs up all servers' configuration, applications, clients' files and databases every hour. This backup is encrypted and sent to a secure repository, and can only be restored through a security process performed by key collaborators from ACHIEVEMORE, duly instructed and authorized for its execution.

Contingency: ACHIEVEMORE's production environment features active-active and active-passive replication of all services (application servers, relational and non-relational databases and file receiving servers) in two distinct zones. In case of an incident at the physical installations where the data centers and the product application are located, the replication is immediately triggered and the service is restored.
  • 3. Security during Traffic of Information:

The connection to the ACHIEVEMORE environment is made through a RapidSSL WildCard, using global step-up certificates by Geotrust, ensuring all users a secure connection to our services.

To monitor the ports used for data input and output, ACHIEVEMORE uses perimeter firewalls and cutting-edge routers, which block unused protocols.

Security Monitoring

In order to ensure the security of our application, ACHIEVEMORE systematically performs batteries of tests that cover different aspects of protection against attacks on the application, blocking them before they reach the origin servers and screening all incoming traffic (http and https) using controls at the network and application layers. The security parameters adopted are aligned with the OWASP guidelines (Open Web Application Security Project). These tests are held every three (3) months and prevent:

• Attacks by malicious scripts on the users' browser;
• Unauthorized access through hidden data handled improperly;
• Inadequate access to restricted areas;
• Disclosure of sensitive information by unexpected use (handling of errors);
• Inadequate encryption of sensitive data;
• Data traffic through insecure channels;
• Procedures to bypass authentication processes;
• Failures in requirement specification.

At any time, the client's contact point can request the latest report on security monitoring performed by ACHIEVEMORE through the channel suporte@achievemore.com.br.

Audit Processes

ACHIEVEMORE datacenters have SSAE16 certification (SOC 1 / SOC 2 / SOC 3), which replaces and outperforms the previous SAS 70 certification. SSAE16 ensures international audit standards in data security.

ACHIEVEMORE undergoes quarterly auditing routines aimed at validating all its internal quality and security processes. The full report of such audits can be requested by the client's contact point whenever desired through the email: suporte@achievemore.com.br.
