Simacan ISMS
Information Security Management System is a “product” developed by Simacan for internal use. An ISMS is a systematic approach to managing sensitive company information so that it remains secure; it includes people, processes and IT systems, and applies a risk management process. The governing principle behind the ISMS is that Simacan designs, implements and maintains a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
In the Plan phase Simacan designs the ISMS, assesses information security risks and selects appropriate controls to mitigate those risks.
In the Do phase Simacan implements and operates the controls.
In the Check phase Simacan reviews and evaluates the performance (efficiency and effectiveness) of its own ISMS.
In the Act phase Simacan makes the necessary changes to constantly keep the ISMS at peak performance.
(Last update: December 2016)
At Simacan we deploy countermeasures against risks by developing and implementing four different types of controls. These include technical controls (e.g. encrypted protocols for transferring data, infrastructural redundancies, auto-scaling cloud infrastructures, etc.), administrative controls (e.g. clearly outlined internal policies and procedures and a short line of communication with the clients in case of incidents), legal controls (e.g. transparent and clear contractual agreements, NDAs, etc.), and managerial controls (e.g. awareness and training programs for employees and clients, policies for the re-direction of organizational resources in case of security incidents, specialization courses for employees, etc.). The proper use of controls makes existing vulnerabilities harder to exploit. Technical and legal controls aim to ensure information security in the short-to-medium term, while administrative and managerial controls aim to ensure information security in the medium-to-long term.
Simacan places strict information security controls over its clients’ data, its suppliers’ data, and its own data. Simacan is committed to ensuring that client data is not seen by anyone (or anything) who should not have access. Simacan employees have access to the information systems in which client data is processed and stored. For example, in order to diagnose a production problem, Simacan employees may need to access data owned by the client. Simacan employees are prohibited from using these permissions to view client data unless it is necessary to do so. We have technical controls in place to ensure that any access to client data is monitored and logged. Simacan employees are bound to our Information Security Policy and Simacan treats these issues as matters of the highest importance.
Simacan employees are required to read Simacan’s Information Security Policy. The Policy covers the security, availability, and confidentiality of the Simacan ISMS. Also, Simacan employees are required to sign an ISMS Acknowledgement as an addendum to their employment contract.
The environment that hosts all Simacan Cloud information systems is Amazon Web Services (AWS). AWS holds multiple certifications for its data centers, including ISO/IEC 27001, ISO/IEC 27017, and SOC reports (1, 2, and 3). For more information about the certification and compliance of AWS, please visit the AWS Security website and the AWS Compliance website.
The following security-related audits and certifications are applicable to the Simacan ISMS:
- ISO/IEC 27001: Simacan is not yet ISO/IEC 27001 certified. However, Simacan has successfully undergone phase 1 of the ISO/IEC 27001 audit; phase 2, the certification audit, is planned for December 2016.
- AWS Auditing Security Checklist: Simacan runs a yearly internal audit of its cloud infrastructures against the auditing security checklist published by Amazon Web Services.
Simacan implements in its ISMS several security controls to protect its clients’ data, its suppliers’ data, and its own data.
Monitoring and Logging
Simacan monitors and logs 24/7/365 every aspect of what happens in its Cloud information systems. These technical security controls allow Simacan employees to prevent possible security incidents in a timely manner and to effectively assist the client in case of service deterioration or disruption.
Company-Wide Two-Factor Authentication Policy
Simacan employees are required to set up two-factor authentication on all the accounts where client data is processed or stored.
Single Sign On
The environment hosting Simacan’s Single Sign On is Stormpath. Stormpath’s services are compliant with multiple certifications, including SOC2 and EU-US Privacy Shield. For more information about the certification and compliance of Stormpath, please visit the Stormpath website and the Stormpath Compliance website.
Data Retention
Data retention is agreed in the Data Processor Agreement with the client.
Deletion of Customer Data
Timeframes and modality for the deletion of customer data are agreed in the Data Processor Agreement with the client.
Return of Customer Data
Timeframes and modality for the return of customer data are agreed in the Data Processor Agreement with the client.
Simacan implements the latest recommended SSL encryption security controls for all traffic in transit through its information systems.
Simacan monitors the changing cryptographic landscape closely and works promptly to upgrade its ISMS to respond to new cryptographic weaknesses as they are discovered and implements best practices as they evolve.
Simacan understands that its clients rely on Simacan Control Tower in their primary business functions. Simacan is committed to making Simacan Control Tower a highly available product the clients can count on. The Simacan Cloud infrastructure runs on fault-tolerant systems, whether the failure affects individual servers or entire data centers. All Simacan clients who have an SLA contract in place benefit from the 24/7/365 service of the Simacan Support Team. The Support Team is available to quickly resolve all production problems.
To ensure availability, clients’ data is stored redundantly at multiple locations within the European Union at AWS data centers. Simacan has well-tested backup and restoration procedures, which allow recovery even from major disasters. Clients’ data and our source code are automatically backed up. Simacan has 24/7 monitoring and logging controls in place alerting Simacan employees in case of failures of the backup systems.
In addition to sophisticated system monitoring and logging, Simacan has implemented two-factor authentication for all server access across its production environment. Also, all of Simacan’s office networking infrastructure is configured according to industry best practices.
Incident Management & Response
In the event of a security breach, Simacan promptly notifies the client. Simacan has incident management policies and procedures in place to handle such an event.
External Security Audits
Simacan has contracts with respected external security firms that perform regular audits of the Simacan ISMS to verify that the implemented security practices are sound, and to monitor for new vulnerabilities. Simacan runs penetration tests either upon clients’ request or upon Simacan’s own request.
Product Security Practices
New features, functionalities, and design changes go through an information security review process. In addition, all Simacan source code is extensively tested, and manually peer-reviewed prior to being deployed to production. Simacan employees work closely with one another to resolve any additional security concerns that may arise during development.
In July 2015 Simacan began the process of certifying its own ISMS against the ISO/IEC 27001:2013 standard. ISO/IEC 27001:2013 is a risk-based information security standard which helps organizations keep information assets secure. Certification to ISO/IEC 27001:2013 is possible but not obligatory. Simacan chose to implement the standard in order to benefit from the best practices it contains and to reassure its clients of the quality of the processes behind the Simacan SaaS products.