What are SAFER solutions?

SAFER solutions are applications that help chemical plants and refineries monitor ongoing safety operations, model potential or actual chemical incidents, and mitigate the impacts of accidental chemical releases in and around their facilities. SAFER’s world-class solutions are designed to enhance hazard analysis and risk reduction strategies at chemical process facilities. Our products offer integrated real-time monitoring of facility gas and weather sensors coupled with patented modeling algorithms and collaboration tools that help improve industrial hygiene, plant safety, air monitoring, environmental, and chemical process safety programs.

What does SAFER mean by “real-time”?

SAFER Systems prides itself on being able to put the customer in control. SAFER collects, aggregates, and stores data from gas detectors and weather sensors as it’s happening. SAFER solutions provide alarm and email notifications to users when alarm thresholds are reached. SAFER’s patented algorithms and dispersion models provide real-time impact assessment based on the real-time inputs. That means if (and when) a chemical incident happens, SAFER puts its customers in the driver’s seat.

Why SAFER?

Because protecting our customers and their communities has been our mission from the day we started. Since then, SAFER Systems has supported the safety goals of companies and governments alike; our unique expertise and patented solutions are second to none. Additionally, over the years SAFER has established strategic partnerships with vendors and key players in the industry, which allows SAFER to offer a single point of contact for the training, hardware, and software needs of our customers.

Can SAFER solutions be used in risk reduction for all stages of design and operation?

SAFER solutions like SAFER One and SAFER TRACE offer an unparalleled set of features for risk mitigation at all stages of design and operation. SAFER solutions allow you to visualize the progress of a chemical incident from the initial release to far-field dispersion modeling, including easily identifying key locations that are in harm’s way.

Do SAFER solutions offer a comprehensive hazard analysis tool from the initial release to far-field dispersion?

SAFER solutions include a robust library of modeling algorithms, including:

  • Puddle and Pool
  • Tank and Pipe
  • Stack and Jet
  • Dispersion
  • Particulate Dispersion and Deposition
  • Multi-Component Evaporation
  • Fire and Explosion
  • Building Infiltration & Exfiltration
  • Combustion Analysis Model™ (CAM)
  • Source Area Locator™ (SAL)
  • Advanced Back Calculation™ (ABC)

Does SAFER offer customer solutions?

Every solution that SAFER Systems provides is customized to the unique needs of our customers and their plants. All of our facility monitoring and emergency modeling solutions come with an initial site survey and project scope proposal. Because SAFER Systems® integrates with a variety of sensor technologies and manufacturers, we always recommend the best custom monitoring solution for your facility. With government and private clients in over 35 countries, SAFER Systems® has unique experience deploying in varying conditions, facilities and climates all over the world.

Which industries do SAFER solutions support?

SAFER solutions can be used for process hazard analysis and process safety management in the following industries:

  • Refinery & Downstream
  • Upstream Oil & Gas
  • Transportation and Logistics
  • Petrochemicals
  • Specialty Chemicals
  • Alkalies and Chlorine
  • Agriculture and Cropsciences
  • Hazmat/CBRNe/Military Response
  • Energy & Power
  • Compliance/Risk/Governance/Consulting
  • Government/Regulatory Agency
  • Pharmaceuticals
  • Misc. Chemical Manufacturing/Process

How many companies use SAFER software?

SAFER products are used by hundreds of global customers with thousands of individual users.

What is the vetting process for new hires?

Federal and state background checks are conducted, and references are contacted for all employees.  A random drug testing program is in place for all SAFER Systems field service engineers.

Is there a process for prompt handling of user accounts and system access following employment termination?

HR and the involved department manager provide proper notification to IT, such that accounts can be immediately deactivated upon termination of a staff member’s employment.

Is there an ongoing security awareness and training program for all employees?

Yes, security awareness training is provided to all new hires.  An annual refresher training program is in place, along with a sign-off requirement to validate that all staff completes this program.

Does your company have a corporate security policy?

Yes. SAFER Systems’ corporate security policy is overseen by our President and formal training is provided annually to all employees.

Does your company have a dedicated security team?

Yes. Our security team is responsible for oversight, management, and communication of our security program.

Is there a formal procedure for reporting suspected security violations?

Yes. SAFER has internal and external escalation procedures for security violations.

How and when will you notify me about any scheduled maintenance? How can I contact you to get more information about unscheduled or extended downtime?

The SAFER support team will notify all users and admins via email of upcoming scheduled maintenance. If you experience accessibility issues, please contact our technical support team by phone after hours at USA/Canada: 800-621-7237, or Global: 805-383-9711, then press #2, or via email at techsupport@safersystem.com.

Does SAFER Systems have a documented disaster recovery plan to be used in the event of a service outage?

Yes.

Will SAFER Systems bring SAFER One systems down for maintenance?

SAFER One is implemented in such a way as to virtually eliminate downtime. The services should be accessible and reachable during new deployments due to the use of A/B environments and other mechanisms that allow for live-cut over with no externally visible downtime.

Does SAFER Systems have a business continuity plan for SAFER One?

Yes, SAFER Systems has a business continuity plan for SAFER One. Additionally, AWS offers a business continuity program and SAFER One is designed to run out of multiple regions and multiple availability zones, or data centers. The design, architecture, and implementation of SAFER One utilizes data redundancy replication, and multi-region/availability zone deployment architectures. For more information, please refer to the Using AWS for Disaster Recovery white paper.

 

References:

  1. Using Amazon Web Services for Disaster Recovery, October 2014

Does SAFER Systems have a documented disaster recovery plan to be used in the event of a service outage?

Yes. The plan is reviewed on an annual basis.

Is an annual security audit/penetration test conducted and will the customer have access to that data? Is it performed internally or outsourced? When was the last test? What were the results?

Yes.  Customers may request access to the most recently available audit report by contacting their Regional Business Manager.

Can SAFER Systems staff see customer data?

Yes. A select group of SAFER Admins can be granted verbal or written consent from the customer to access their data to provide technical support. If a SAFER Admin accesses a customer’s information, at any time, said customer will receive an automated email notifying them that their data has been accessed.

Who is responsible for customer user account management?

An initial set of customer user accounts is created by the provisioning team based on guidance from the customer. After delivery and training, user account management is then handed off to the customer’s organization administrator(s).

Is single sign-on supported?

SAFER One™ offers Microsoft® Azure Active Directory SSO with support for SAML 2.0 Authentication Protocol.

Is two-factor authentication available?

SAFER One supports Federated Single Sign-On (SSO) using identity providers supporting the SAML 2.0 standard.

For organizations that implement SSO, it’s then possible to utilize features offered by the chosen identity provider (i.e. Azure AD) to implement additional security precautions such as TFA.

Note: For organizations that opt to implement SSO, all users within the organization (at all provisioned sites) must log in using SSO.

What is the password policy?

  • A username (email) and password are required for authentication.
  • The web browser session expires after 30 minutes of inactivity (after you close the browser).
  • User passwords are stored, encrypted, and salted.
  • Passwords must be at least 8 characters long and include at least one uppercase, lowercase, and numeric character.
  • After 6 failed attempts to log in with an incorrect password, the account will be locked for 3 minutes.
  • Users can reset passwords at any time if the account is not disabled. Proof of email access and existing credentials are required for a password reset.
  • Users are reminded to reset their passwords every 90 days.
    • Administrators can make 90-day password resets mandatory.
  • Administrators can disable/enable other user accounts with equal or lower roles.
  • Users receive email notifications when unusual activity is suspected (i.e. successful login from a new IP address, account temporarily locked due to 6 failed logins).

Does SAFER Systems utilize separate development, test, and production environments?

Yes.

Can SAFER Systems provide assurance that customer data is never utilized within non-production environments?

Yes.

Are the systems servicing customers segregated from other network zones logically and physically? (Separate firewalled areas for Internet DMZ, production databases, back office, and software development areas).

Yes.

How does SAFER Systems encrypt SAFER One™ customer data?

SAFER One uses the TLS 1.2 protocol to establish a secure connection between the client and the server application. Data transmitted across the connection is encrypted using AES-128-GCM with ECDHE-RSA as the key exchange mechanism. Keys are created by and stored by SAFER Systems. AWS Key Management Service (KMS) is used to manage data encryption keys.

Is SAFER One™ customer data encrypted at rest?

Yes. SAFER encrypts the Amazon RDS and EFS instances and snapshots at rest by enabling encryption in our Amazon RDS and EFS DB production instance(s). Data that is encrypted at rest includes the underlying storage for a DB instance, its automated backups, read replicas, snapshots, and logs.

We use the industry standard AES-256 encryption algorithm, which is facilitated using native functionality within the AWS RDS service.

How long is customer data retained?

All customer data is retained in perpetuity, unless other terms have been arranged in the SaaS Agreement between customer and SAFER Systems.

Can I get an export of my data and assurance of data deletion upon contract termination?

All data is retained in perpetuity, unless other terms are arranged in the SaaS Agreement between customer and SAFER Systems. Please reference your SaaS Agreement with SAFER Systems to determine the arrangements made for data export and deletion.

Where is SAFER One hosted?

SAFER One is hosted on Amazon Web Services (AWS), including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (RDS), and Amazon Elastic File System (Amazon EFS), in the United States and EU. AWS offers a reliable platform for software services used by thousands of businesses worldwide. AWS provides services in accordance with security best practices and undergoes industry-recognized certifications and audits (aws.amazon.com/security/).  This means that SAFER One members benefit from Amazon’s ongoing commitment to security practices for stored assets.

Where does customer data reside?

Customer data is primarily stored in Amazon RDS instances with some additional data stored on Amazon EFS. SAFER Systems designates the physical region in which individual customers’ data and servers will be located. Data replication for Amazon RDS and EFS objects (i.e. directory, file, and link) is redundantly stored across multiple Availability Zones. SAFER Systems operates SAFER One out of two regions: United States, and EU.

Example: By default, SAFER One customers in the EU will have their cloud data stored in the AWS data center in the EU, and that data will not be transferred to data centers outside the EU.

Who controls the SAFER One data centers?

Amazon Web Services controls the physical components and data centers that host the SAFER One digital infrastructure. To help customers better understand what controls AWS has in place and how effectively they are operating, AWS publishes a Service Organization Controls 1 (SOC 1), Type 2 report with controls defined around Amazon EC2, Amazon RDS, Amazon EFS, and Virtual Private Cloud (VPC), as well as detailed physical security and environmental controls. These controls are defined at a high level of specificity that should meet most customer needs.

Are AWS data center tours by customers allowed by Amazon?

No. Due to the fact that AWS data centers host data for multiple customers, AWS does not allow data center tours by customers, as this exposes a wide range of customers to physical access by a third party. To meet this customer need, an independent and competent auditor validates the presence and operation of controls as part of a SOC 1, Type 2 report. This broadly accepted third-party validation provides customers with an independent perspective of the effectiveness of controls in place. SAFER Systems has signed a non-disclosure agreement with AWS and can obtain a copy of the SOC 1 Type 2 report (aws.amazon.com/security/). Independent reviews of data center physical security are also a part of the AWS ISO 27001 audit, the PCI assessment, and the ITAR audit process.

Are third parties allowed to access AWS data centers?

AWS strictly controls access to data centers, even for internal employees. Third parties are not provided access to AWS data centers except when explicitly approved by the appropriate AWS datacenter manager per AWS’ access policy. See Amazon’s SOC 1, Type 2 report for specific controls related to physical access, data center access authorization, and other related controls.

Who is responsible for patching?

SAFER Systems is responsible for patching our own guest operating systems (OS), software and applications running in AWS.  AWS is responsible for patching systems supporting the delivery of AWS services, such as the hypervisor and networking services. This is done as required per AWS policy and in accordance with ISO 27001, NIST, and PCI requirements.

Are privileged actions monitored and controlled?

Controls in place limit access to systems and data, and access to systems or data is restricted and monitored. In addition, customer data and server instances are logically isolated from other customers by default. Privileged user access control for AWS infrastructure is reviewed by an independent auditor during the AWS SOC 1, ISO 27001, PCI, ITAR, and FISMA audits.

Does the cloud provider address the threat of inappropriate insider access to customer data and applications?

AWS provides specific SOC 1 controls, covered in the SOC 1, Type 2 report. In addition, SAFER Systems conducts periodic risk assessments on how insider access is controlled and monitored.

How does SAFER One isolate customer data?

All data stored by SAFER Systems, whether on Relational Database Service (RDS) or Elastic File System (EFS), on behalf of customers has strong tenant isolation security and control capabilities. SAFER One Storage utilizes Amazon RDS and EFS, which provide additional advanced data access controls.

Is customer segregation implemented securely?

The AWS environment is a virtual, multi-tenant environment. AWS has implemented security management processes, PCI controls, and other security controls designed to isolate each customer from other customers. AWS systems are designed to prevent customers from accessing physical hosts or instances not assigned to them by filtering through the virtualization software.

Has AWS addressed known hypervisor vulnerabilities?

Amazon EC2 currently utilizes a highly customized version of the Xen hypervisor. The AWS Xen hypervisor security is regularly evaluated by independent auditors during assessments and audits. See the AWS Security Whitepaper for more information on the Xen hypervisor and instance isolation.

Do the provided services support encryption?

SAFER One encrypts data in transit with TLS 1.2.

What are the cloud provider’s rights over customer data?

SAFER One customers retain control and ownership of their data.

Individual SaaS Agreements will dictate additional terms and conditions regarding customer data. Please review the SAFER Systems SaaS Agreement for more information.

Does AWS publish its physical and environmental controls?

Yes. Physical and environmental controls are specifically outlined in the SOC 1, Type 2 report. Additionally, AWS supports ISO 27001 and FISMA certification, which require best practice physical and environmental controls.

Can customers secure and manage access to SAFER One from clients such as PCs and mobile devices?

Yes. SAFER One allows customers to manage client access to their own requirements.

Does AWS allow customers to secure their virtual servers?

Yes. SAFER Systems has implemented its own security architecture on top of AWS based on industry best practices including SANS Top 20 Controls for Internet Security, Consensus Audit Guidelines, NIST guidelines, and Internet standards.

Does AWS include identity and access management (IAM) capabilities?

AWS has a suite of identity and access management offerings, allowing SAFER Systems to manage user identities, assign security credentials, organize users in groups, and manage user permissions in a centralized way. This applies to internal access to the AWS environment; AWS IAM is not utilized for customer user account management.

How does AWS protect against Distributed Denial of Service (DDoS) attacks?

The AWS network provides significant protection against traditional network security issues. See the Overview of AWS Security Practices Whitepaper for more information on this topic, including a discussion of DDoS.

Does AWS specify data durability?

SAFER One stores data in Amazon RDS and EFS, which provide a durable storage infrastructure. Every file system object (i.e. directory, file, and link) is redundantly stored across multiple Availability Zones. In addition, a file system can be accessed concurrently from all Availability Zones in the region where it is located, which allows SAFER One to replicate from one AZ to other AZs in the region in order to ensure the highest level of application availability. Mount targets themselves are designed to be highly available.

 

References:
  1. Overview of AWS Security Practices Whitepaper, March 2013
  2. AWS Risk and Compliance Whitepaper, January 2013