Purpose of this document
This document outlines the steps we take to keep your information secure and to ensure that our services provide you with ease of access while maintaining a high level of security.
Here are some of the steps we take to minimise the risk of your information falling into the hands of unauthorised parties.
- Secure logins
- Protection of our external web servers
- Protection of our data servers
- Strong Password policies
- Account lockout policies
- Virus and spy-ware protection
- Restricted access to server ports
- Use of non-standard ports
- Regular Backups and data protection
- Regular updates applied to our servers
- Restricted personnel access to our servers
- Review of our security levels
Secure Logins: To ensure the highest level of protection for user passwords and login information, we offer all our clients a secure (https) login to their application site. This ensures that your login and password information is sent over the https (secure) protocol, which minimises the risk of a breach.
Protection of our external web servers: We have two kinds of external servers: web servers, which provide https (web) services in the form of application sites, and Terminal Services servers, which provide access to our application sites via the Remote Desktop (RDP) protocol.
To secure these servers against intrusion, all external servers are protected by firewalls and other hardware and software protection mechanisms. These firewalls act as a filter through which all connections are routed.
Protection of our data (internal) servers: Our data servers hold all the information arising from your use of the application sites (web servers). These data servers are protected from external access because they do not have an external IP address and are therefore not directly accessible. The only way to reach them is through our Terminal Servers and Web Servers.
Strong Password Policies: We have a strong password policy that provides further protection from unauthorised use. Passwords for access to our external and internal servers must be a mixture of letters, numbers and special characters (such as @, #, % etc.) and must be a minimum of 12 (twelve) characters long. We also expire these passwords on a regular basis so that they are changed regularly. These policies can be overridden by your own organisation’s policies in the use of TEAMS; in that case it is up to you to ensure that passwords are not compromised.
Account Lock-out Policies: We have an account lockout policy: upon 3 (three) unauthorised attempts, our servers automatically lock the account and stop all access from that user account. This ensures that if someone were to discover an account name and try to guess the password, the account is locked out after only a limited number of attempts and the administrator is notified of the attempted breach. This can be overridden by your organisation, in which case repeated attempts could be made without the account being locked out.
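As an added example (not RTO Software’s own code), the lockout rule above replayed over constructed login-log lines: the account is locked after the third failed attempt and an administrator alert is produced. The log format and the `lockout_enabled` override flag are assumptions made for this example.

```python
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # failed attempts before lockout, as stated in the policy
# Assumed log format (constructed for this example, not RTO Software's):
# "<ISO timestamp> LOGIN <OK|FAIL> user=<account> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a guessing run against "jsmith", plus one normal user.
SAMPLE_LOG = [
    "2024-01-08T09:00:01 LOGIN FAIL user=jsmith src=203.0.113.7",
    "2024-01-08T09:00:03 LOGIN FAIL user=jsmith src=203.0.113.7",
    "2024-01-08T09:00:05 LOGIN FAIL user=jsmith src=203.0.113.7",
    "2024-01-08T09:00:07 LOGIN OK user=jsmith src=203.0.113.7",
    "2024-01-08T09:01:00 LOGIN FAIL user=amy src=198.51.100.2",
    "2024-01-08T09:01:04 LOGIN OK user=amy src=198.51.100.2",
]


def process_log(lines, lockout_enabled=True):
    """Replay login events; return (locked_accounts, admin_alerts).

    lockout_enabled=False models an organisation that has overridden the
    policy: failures are still reported but no account is locked, so the
    fourth attempt above would succeed instead of being refused.
    """
    failures = defaultdict(int)
    locked = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login event
        ts, result, user, src = m["ts"], m["result"], m["user"], m["src"]
        if user in locked:
            # Any attempt against a locked account is itself worth reporting.
            alerts.append(f"{ts} attempt on locked account {user} from {src}")
            continue
        if result == "OK":
            failures[user] = 0  # a successful login resets the counter
            continue
        failures[user] += 1
        if failures[user] >= LOCKOUT_THRESHOLD:
            alerts.append(f"{ts} {user}: {failures[user]} failed logins from {src}")
            if lockout_enabled:
                locked.add(user)
    return locked, alerts
```

Running `process_log(SAMPLE_LOG)` locks `jsmith` at the third failure and reports the later attempt against the locked account; with `lockout_enabled=False` the same log yields a report but no lockout, which is the exposure the override creates.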
Virus and Spy-ware Protection: All our servers have a suitable antivirus installed with the latest updates. They are regularly updated through automated updates, which ensures that they are protected from virus threats. We also have spyware detection software installed on our external servers so that spyware threats are minimised as well.
Restricted Access to Server Ports: Except for HTTP, FTP, RDP, SMTP and other absolutely necessary protocols (as required from time to time), all external access ports on our servers are closed. This ensures that only the services that are required and absolutely necessary for the operation of the server are available and open. This minimises the threat from hackers who use port scanning and similar tools to try to breach server security.
Regular Backups and Data Protection: Our entire set of databases is backed up on a regular and frequent basis. By undertaking regular end-of-day backups we ensure that any disruption or information loss is minimal in the event of our servers being unavailable or affected by a failure. We also undertake secure off-site backups on a regular basis. Please refer to our Data Backup Policy for complete details of our backup processes.
Regular updates applied to our servers: Our servers are regularly updated with the latest critical and security updates and patches. This includes one-off updates, security packs, service packs and any other updates made available by Microsoft and the other software providers we use. This ensures that we always have the latest protection and safety features as soon as they are released.
Restricted Personnel access to our servers: At any given time only 3 (three) personnel have access to our data servers: 2 (two) are technical employees of our firm and 1 (one) is from our data centre provider (for performing off-site backups). All of the above personnel are bound by a code of conduct and confidentiality agreements. We have direct agreements in place with our employees and a co-location agreement with our data centre provider that governs their use of these servers. By restricting the number of personnel with access to our data servers and by ensuring that binding agreements are in place, we help ensure the safety of your data from unauthorised access.
Review of our Security Levels: We hold an internal security review meeting between technical and management staff every three to six months. This meeting specifically addresses any concerns and any upcoming developments or issues that we need to be aware of. We also discuss our current policies and update and revise them as necessary to keep our standards up to date. Any breaches or attempted breaches are also discussed as part of this review and audit meeting.
We maintain a range of security and data backup policies to minimise the risk of a breach of client security and data integrity.
Here are the steps we take in the unlikely event of a security breach. This should be read in conjunction with the Data Security Policy and the Software Licence Agreement (if applicable), which are mentioned within this statement.
- What is a security breach?
- What types of security breaches are there?
- What are the various levels of security breaches?
- How can you protect yourself from a security breach?
- What happens in the event of a security breach?
- What are your obligations?
- What are our obligations?
- What is the extent of our liability?
- Review of this policy
What is a security breach?
A security breach is quite simply someone or something (such as a virus) gaining unauthorised access to restricted information (such as application or user data, web pages or other information). A breach may be detected or undetected, and other factors such as the type of breach, the period over which it occurred and the likelihood of it reoccurring are also important considerations.
What types of security breaches are there?
A security breach primarily comes from one of the following 3 (three) sources:
- External breach of security or intrusion – A third party or a third-party agent (such as a virus) not linked to either RTO Software or your organisation has broken through the security measures in place and gained unauthorised access to our servers. This may include the external web and Terminal Services servers or the internal database servers.
- Breach by RTO Software employee or affiliate – An employee or affiliate working for or on behalf of RTO Software gains unauthorised access to a server that they were not authorised to use.
- Breach by your organisation’s employees or affiliates – An employee or affiliate working for or on behalf of your organisation gains unauthorised access to data or a website that they were not authorised to use.
What are the various levels of security breaches?
Security breaches fall primarily into the following levels:
- Low risk – These are breaches that occurred but in which no user or application data was exposed. The period of the breach may also be so brief that it is physically impossible for any secure and private information to have been transmitted to the intruder. Such breaches constitute minimal risk to the data and the integrity of the information held. They are not considered a serious threat and do not affect the data held on the servers.
- Medium risk – These are breaches that occur once only, where some data was transmitted and some information was captured by the intruder. This may include user-specific information or information pertaining to specific sections of the data held. Such breaches constitute a serious risk.
- High risk – These are breaches carried out over repeated attempts (possibly over a number of days) with sustained data access. This may include data, reports and other cumulative information being captured by the intruder, up to the complete information store being downloaded or otherwise compromised. Such breaches constitute an extreme threat and are considered a high-level risk.
How can you protect yourself from a security breach?
Security breaches by hackers, third parties, viruses or spyware constitute only a very small percentage of all the breaches that have occurred. While they are the ones the media focuses on, in most cases they have no material effect on operations and do not compromise the integrity of the data.
The highest form of risk comes from your own employees and contractors. RTO Software ensures that our employees and contractors are bound by confidentiality obligations, and we also have other measures in place, such as strong password policies (refer to our Data Security Policy), to minimise the risk from our employees and contractors.
We recommend that you take the following security measures:
- Ensure that all employees that have access to your confidential data are obligated to sign a confidentiality agreement.
- Make it a rule within the organisation that access passwords are not shared and are kept secure. All passwords should be a minimum of 8 (eight) characters in length and a mix of letters, numbers and special characters. All passwords should also expire on a regular basis (at a minimum every six weeks, if not sooner).
- As soon as an employee leaves or resigns, all their access accounts should be disabled and their passwords changed. If they have worked closely with other employees, it is recommended that those employees’ access passwords also be changed, in case a password was shared between them.
- Any breaches that happen within your organisation should be recorded and kept on file to build up information that can be used in a review.
- Hold a security meeting on a regular basis between management and staff to highlight any issues that may result in or cause a breach of security or confidentiality. Any staff concerns should be noted on file, and any suspicious behaviour should be brought to the attention of management.
What happens in the event of a security breach?
In the unlikely event of a security breach, the following steps are taken, depending on the type of breach and its likelihood of reoccurrence.
If the breach was a low-risk event with a minimal chance of reoccurring, it is noted and recorded in RTO Software’s internal security logs. Steps are taken to rectify the cause of the breach and any updates or changes are applied immediately.
In the event of a medium- or high-risk breach, you are notified immediately. If necessary, the affected services and applications are taken offline and steps are taken to remedy the breach. Once those steps have been completed successfully and the possibility of a reoccurrence is minimal, the services and application sites are reinstated. A security breach meeting is requested between yourself and us to discuss the ramifications of the breach and any further action that may be necessary.
In the event of a breach originating from your side (such as a disgruntled employee gaining access and printing off information), upon notification by you we take steps to prevent that breach from recurring, and a security breach meeting is requested with your organisation to prevent such breaches in the future.
What are your obligations?
Your obligations are to ensure that all measures are taken so that your staff members and affiliates have suitable access to the applications provided to you by us. Appropriate security permissions, strong passwords, confidentiality agreements and other such measures deemed reasonable and responsible must be implemented within your organisation.
You are under obligation to inform us of a breach as soon as possible to allow us to remedy it.
You are further obligated to act on our written recommendations in response to a security threat, a breach or an attempted breach.
Failing to act on our recommendations, or failing to exercise due diligence to ensure that your data is kept safe and available only to appropriate personnel based on security permissions, may render the obligations of RTO Software null and void, and you will be deemed liable for any further breaches.
What are our obligations?
We are obligated to inform you immediately of any medium- or high-risk security breach. Any low-level breaches are recorded in our internal security logs and are made available to any client upon request.
We are obligated to take any and all steps necessary to remedy a breach at the earliest possible time and to take the steps necessary to minimise the risk of a similar breach occurring in the future.
We are obligated to inform you of any suspicious activity occurring on your application websites such as greatly increased traffic, failed logins and any other suspicious activity that we can track and report on.
What is the extent of our liability?
Our liability is limited to:
- Notifying you immediately (upon detection) of any medium to high risk breach,
- Remedying the breach and taking all steps necessary, at our cost, to do so (unless the breach was caused by your employee / agent, in which case charges may be applicable),
- Taking steps to reduce the possibility of such a breach occurring in the future,
- In the event that you are not satisfied with any of the above, stopping the use of the application and its related websites and returning your data and all related information to you, to allow you to use a different application or business process from another provider/party.
Under no circumstances does RTO Software undertake any financial liability resulting from a breach, be it in the form of a loss (real or perceived), business disruption or any other costs associated with the security breach.
Review of this policy:
We review this policy from time to time as deemed fit or upon request from our clients. Any changes made to this policy are notified to all clients, and this policy is made available upon request to any third-party auditors or security auditors as required.