Cyber Preparedness & Why It's Important

In this day and age of continual technological advancement, it has become vital to ensure that we are taking all necessary steps to protect our data and our clients' data from the ever-increasing number of threats to online security and safety.

The process of ensuring that we have developed, tested, and validated our capability to protect against, prevent, mitigate, respond to, and recover from a significant cyber incident is commonly known as Cyber Preparedness.

A major threat to online security is having to rely on, and continually move data between, third-party products outwith your organisation.

Using Potentiality to manage all your Events, Mailings, Payments, Database **and Payment Gateway**, rather than running multiple separate systems, not only saves your school time and money; it also removes unproductive inefficiencies and the complexity of different pieces of software trying to sync and communicate with one another, and, most importantly, the opportunity for hackers to intercept your data while it is transmitted between systems.

All Potentiality databases and sites are hosted on the Amazon AWS cloud. In relation to data security there are 3 issues of key relevance: physical security, cyber security and data ownership.

Physical security:

This is best addressed by Amazon themselves. The best way to consider this is to compare the security at the Amazon data centre to the security at any school. Clearly the physical security at Amazon far exceeds that of any school. The AWS Cloud Security article also deals with some of the Amazon related cyber security issues. As a managed service, Amazon EC2 is protected by the AWS global network security procedures that are described in the Amazon Web Services: Overview of Security Processes whitepaper.

Server software: Potentiality has a policy of updating servers with the latest patches for all installed software. In some instances a major patch will be installed on our staging server first to ensure there are no negative impacts for our clients; this decision is made on a patch-by-patch basis depending on the significance of the patch and the implications of any security flaws that have been resolved. In general all patches will be installed within a week of release.

Cyber security:

Potentiality utilises 4 layers of security to help protect the data.

  • Firstly, the Amazon EC2 firewall. We only have 2 ports visible through this firewall, HTTP and SSL, which are required to run our services (by default these are ports 80 and 443 respectively).
  • The second layer is the Windows Server 2016 Firewall, IIS web server with all the latest security patches, and the recently released inbuilt Windows 2016 Defender Service.
  • The third layer is our custom code sitting under the IIS asp.net pages. Even if a hacker were able to penetrate the IIS system, they’d then have to penetrate our custom built code which is compiled off site and unrelated to any publicly available software.
  • The final layer is the fact that the data is held on a completely different server instance, only accessible by an Amazon Virtual Private Cloud, not visible to the internet and accessed securely over an encrypted connection with limited command access. The separated database has completely separate usernames and data tables per client to ensure no cross client data access. We run periodic online penetration tests using a third party supplier to double check all of this.
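The first and final layers above amount to a checkable rule: the web tier exposes only ports 80 and 443 to the internet, and the database instance is reachable only from the web tier inside the VPC. The following audit script is an added example, not Potentiality's own code; the group ids, the SQL Server port 1433 and the sample rules are constructed assumptions.

```python
"""Audit security groups against the layered model described above: the web tier
exposes only HTTP/HTTPS (80/443) to the internet and the database tier accepts
traffic only from the web tier's group, never from a CIDR range. Input follows the
shape of `aws ec2 describe-security-groups` JSON; the group ids, the SQL Server
port 1433 and the sample rules are constructed assumptions, not Potentiality's."""

WEB_PORTS = {80, 443}
ANY_IPV4 = "0.0.0.0/0"

def rule(port, cidr=None, group=None):
    """Build one TCP ingress rule in the describe-security-groups shape (constructed)."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": group}] if group else []}

# Constructed sample: compliant web tier; DB tier reachable only from sg-web.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web",
     "IpPermissions": [rule(80, cidr=ANY_IPV4), rule(443, cidr=ANY_IPV4)]},
    {"GroupId": "sg-db", "IpPermissions": [rule(1433, group="sg-web")]},
]

def ports_of(r):
    """Expand a rule's port range; protocol -1 (all traffic) returns None."""
    if r.get("IpProtocol") == "-1" or r.get("FromPort") is None:
        return None
    return set(range(r["FromPort"], r["ToPort"] + 1))

def audit(groups, web_id="sg-web", db_id="sg-db"):
    """Return a list of findings; an empty list means both tiers match the model."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []
    for r in by_id[web_id]["IpPermissions"]:
        if any(ip["CidrIp"] == ANY_IPV4 for ip in r.get("IpRanges", [])):
            ports = ports_of(r)
            if ports is None or ports - WEB_PORTS:
                extra = "all ports" if ports is None else sorted(ports - WEB_PORTS)
                findings.append(f"{web_id}: internet-reachable beyond 80/443: {extra}")
    for r in by_id[db_id]["IpPermissions"]:
        for ip in r.get("IpRanges", []):
            findings.append(f"{db_id}: CIDR ingress {ip['CidrIp']} (web tier only expected)")
        for pair in r.get("UserIdGroupPairs", []):
            if pair["GroupId"] != web_id:
                findings.append(f"{db_id}: ingress from unexpected group {pair['GroupId']}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_GROUPS) or "both tiers match the layered model")
```

Running it against real output of `aws ec2 describe-security-groups` (the `SecurityGroups` list) turns the two layers into a repeatable drift check rather than a one-off penetration-test finding.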

Data protection:

This is dealt with within our Service Agreement. Essentially, all Potentiality clients own their data and Potentiality gains permission to use it for the purposes of the site and for administration such as backups. The transactional nature of the database means that backups are ongoing and we can restore to any point in time within a 2-week window; beyond that we keep 1 backup per month. The administrators of the site always have full access to the data through the database export facility.

  • Users can log in securely via SSO to update their profiles and track their online payments.
  • Users can store their CC details securely or approve direct bank transfers, allowing for single-click payments.
  • Exports are flagged with the Synergetic ID (and any other tags you choose to add) to allow for synchronising with finance systems.
  • Two-factor authentication for administrators.

NOTE: We are able to install our system onto a remote client server; however, this would incur additional costs and would remove inherent benefits such as our ongoing monitoring for security and uptime guarantees, as well as our ongoing upgrades.

Data encryption in transmission:

All Potentiality sites use the https protocol to secure all webpages that carry or transfer personal data and/or payment data.
