Information security policy

1. Introduction

Primoforum is a tool for guiding groups during work conferences in a classroom setting, such as brainstorming, training, co-creation, evaluation, consultation, multi-stakeholder and test/panel sessions. Primoforum can be used to extract knowledge or ideas from a group, to build consensus or to set a new course with the group's support: fast, structured and with an active role for everyone. A group can consist of eight to eighty participants, who take part individually or in teams.

Primoforum is an online web application (a cloud solution), meaning you do not have to install anything. You use Primoforum through your browser and the Internet. In a Primoforum session during which sensitive information is exchanged, you want to be sure that the information is shared only between the participants and the facilitator of the session. As a Primoforum user, you want to be guaranteed that all session information is secure and not accessible to others.

Information security is a very important topic for us. It is not only an important theme in the development of Primoforum, but also for the organisation itself, including when we select our partners. In this document we explain how the information that passes through Primoforum is protected and how we organise access to our customer-related data.

For specific questions about information security, you are always free to contact us. Send an email to info@primoforum.com or call us at +31 20 261 34 60.

2. Primoforum web application

Primoforum is a web application, accessible to anyone who creates an online account or subscribes. A Primoforum user has complete control over his/her data. Within Primoforum, we distinguish session-related data (questions and answers from a session) and customer/account-related data (contact details, payment data, etc.).

2.1 Primoforum session data

A (paying) Primoforum user has access to his/her own session data. Session data consists of questions, voting rounds and input from the participants.

All traffic to and from the Primoforum web application servers takes place over secured connections using the Transport Layer Security (TLS) protocol. TLS is the standard protocol for encrypting communication between computers over the Internet: it protects the confidentiality and integrity of the data in transit and lets you verify the identity of the party you are communicating with.

During a one-time registration process, the user creates and enters his/her own password. Nobody other than the user has access to this password: neither employees of the Forum1 organisation nor developers can access Primoforum users' passwords in any way whatsoever.

Participants join a session through a unique code that the Primoforum application generates when the session is started. This code is specific to that session. When the session is stopped, all participants are automatically logged out and the session code becomes invalid; from that moment on, participants no longer have access to the session or its data.

All session data is stored on KPN Internedservices servers in the Netherlands (see section 3.8). Logging into these servers is only possible over encrypted connections and from a limited number of IP addresses.

2.2 Customer account data

All financial customer data is stored outside Primoforum, in Chargify (https://www.chargify.com/). Chargify uses the payment provider Braintree.

Payment for the use of Primoforum is subscription-based, i.e. a system of recurring payments. A recurring payments system (also called a recurring billing system) is an online system in which periodic payments are received and processed. Since 2009, Chargify has been fully committed to developing a reliable billing system and has proven itself a reliable partner in this area. With Chargify/Braintree we can process payment transactions by credit card and PayPal in a reliable and secure manner.

There are many different standards for the security of IT systems and architectures. For credit card data, the storage of payment data and the processing of payments, the Payment Card Industry Data Security Standard (PCI DSS) is the most important one. This standard is used all over the world to protect the data used during credit card validation.

Chargify is audited annually to comply with the highest level of PCI compliance and is PCI DSS Level 1 compliant. Its certificate is public and available from the Chargify website at https://www.chargify.com/images/Chargify-2017-PCI-Certificate.pdf and more information about security within Chargify is available at https://www.chargify.com/security/.

3. Our organisation

Coöperatie Forum1 U.A. applies a strict security policy, which is documented and applies to all members, employees, contractors and collaboration partners of the Coöperatie Forum1 U.A. organisation.

3.1 Passwords

Various applications are used in daily operations. Access to business applications is subject to a strict password policy. Passwords within Forum1 are stored in only two ways: (1) in LastPass or a similar external password manager, so that Forum1 benefits fully from the secure environment of that tool, or (2) on Forum1 members'/employees' laptops, and only if these laptops have anti-virus software and an encrypted hard drive. In addition, passwords may only be stored in the tool intended for that purpose, and never in an Excel file or other 'flat' files. The password protocol is laid down in a separate document.

3.2 Files

All Forum1 documents are stored in a shared Dropbox folder. The main rule is that this folder may only be synced to computers that meet the workstation requirements (see section 3.1). This also applies to documents located outside the shared Dropbox folder. Two-factor authentication is used for Dropbox.

3.3 Workstations / laptops

Forum1 members and employees exclusively use Apple computers. Every computer's hard drive must be encrypted, with a password that must be entered at every reboot. In addition, a computer or laptop must lock itself after it has not been used for more than 10 minutes; we enforce this, for example, with a screen saver that puts the computer into standby. Properly functioning antivirus software must always be installed and active. Antivirus and operating system updates must be installed as soon as possible, and no later than one week after release. Laptops may never be left unattended in unsecured rooms, and as soon as the person using a laptop leaves the room, the laptop must be locked in software (screen lock).

3.4 Telephone / mobile devices

If a phone is linked to an account used by Forum1 (e.g. via email apps), the phone must be protected with a password or PIN code.

3.5 Email security

The Google email accounts of Forum1 employees and members must always be secured with two-factor authentication. Any device from which email is accessed via POP3 or IMAP must always be protected with a password or PIN code.

3.6 Sales and marketing tools

To support sales and marketing we use the cloud application ZOHO CRM and the email marketing system MailChimp.


ZOHO CRM holds the contact details of all Primoforum users. ZOHO has its own information security policy; for details, see https://www.zoho.eu/security.html

MailChimp stores the names and addresses of people who have indicated via the website that they are interested in the Primoforum newsletter, and of those who have a Primoforum account. MailChimp's information security policy meets our stringent requirements. For details, see https://mailchimp.com/about/security/

3.7 Authorization matrix

The authorization matrix below shows who has access to which system.

3.8 Partners

Development partner

Our technical partner, which is involved in the (continued) development of Primoforum, has its own security policy, which was assessed against the requirements in this document before the collaboration started.

Hosting party

For storing session-related data and hosting the Primoforum application we use KPN Internedservices. KPN Internedservices holds a triple ISO certification (9001, 27001 and 20000), complies with the NEN 7510 standard, has an ISAE 3402 type II accreditation, and operates PCI DSS-compliant and ISO 14001-certified data centres.

ISO 27001 is a security standard that lays down the guidelines ('best practices') for information security. ISAE 3402 is an audit standard for reporting on outsourced processes.

For example, the government focuses on ISO 27001 because it is in line with the Government Baseline Information Security. Healthcare, on the other hand, focuses on NEN 7510, which is based on ISO 27001. In the financial world, ISAE 3402 is the standard.

Compliance with these standards gives us the assurance that processes within the organisation are properly secured and monitored, so that we do not have to worry about them.

See also https://www.internedservices.nl/over-isg/werkwijze/assurance/

4. Certification KPN Internedservices

ISO 20000 - Service management based on international best practices

Through a hosting SLA we have made clear agreements on service, availability, recovery, monitoring, and solution and response times.

ISO 9001:2008 - Delivery of high quality

ISO 9001 requires an organisation to strive continuously for improvement. KPN Internedservices does this by continually making its processes more effective and efficient.

Authorization matrix

                              | Primoforum Website | Primoforum Web application      | Server     | Chargify/Braintree | ZOHO CRM   | MailChimp
Management Primoforum         | Management         | Mgt. administration environment | -          | Management         | Management | Management
Primoforum employees          | Read               | Personal account                | -          | -                  | Use        | Use
Employees development partner | -                  | Personal account                | Use        | Management         | -          | -
Employees hosting party       | -                  | -                               | Management | -                  | -          | -
Users Primoforum              | Read               | Personal account                | -          | Own payment data   | -          | -
Non-customers                 | Read               | -                               | -          | -                  | -          | -


ISO/IEC 27001:2013 - Information securely managed

All data is professionally secured and managed, fully in accordance with the ISO/IEC 27001 standard. This standard covers a wide range of assets: from digital information, paper information and physical equipment such as computers and networks, to the knowledge held by individual employees.

NEN 7510:2011 - Information security in the healthcare sector

In the area of information security we also want extra assurance for the healthcare sector. We therefore consider it important that our hosting party holds a NEN 7510 certification.

PCI DSS - Information security for the payment card industry

Just like Chargify, KPN Internedservices is a registered PCI DSS Level 1 Service Provider.

ISAE 3402 - Certainty about internal processes and measures

The ISAE 3402 type II statement gives assurance about how internal processes work and about the management measures taken to ensure the quality of the service. With ISAE 3402, information is always provided uniformly to clients and to the external auditors who assess all management measures.

ISAE 3402 - Management of processes

The ISAE 3402 type II accreditation ensures that the processes outsourced to KPN Internedservices are properly managed, which is a legal requirement for financial service providers.

©2017 Coöperatie Forum1 U.A.