Simacan employs an ISO 27001/2013 certified Information Security Management System (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure, and it includes people, processes and IT systems by applying a risk management process. The governing principle behind the ISMS is that Simacan has designs, implements and maintains a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
Simacan Information Security Policy
Information should always be protected and Simacan has many critical information assets which are crucial in conducting business, maintaining clients’ trust, and keeping the future of the company strong. This policy outlines Simacan’s commitments to its employees, its clients, and its suppliers, on how all business-critical information assets will be handled by Simacan.
Every Simacan employee, every client, every supplier, must be aware of the significance of the information being handled, and ensure that proper controls are applied to prevent unauthorized disclosure, loss or lack of accessibility to the information.
The Simacan Information Security Policy is a part of the overall security and privacy effort carried out by Simacan. Simacan relies upon employees, clients, and suppliers to properly develop, maintain, and operate its systems, networks, and processes which keep sensitive information safe and properly used. Penalties for violating these policies may include disciplinary actions up to termination of employment, or termination of the business relationship with Simacan.
- [11-04-2016] version 2.1, Section 2.2: the information security objectives were rewritten to better fit the services offered by Simacan.
- [29-01-2016] version 1.3, First published version.
- [19-01-2016] version 1.2, (Unpublished) working version.
- [12-07-2015] version 1.1, (Unpublished) first version.
(Last update: December 2016)
At Simacan we deploy countermeasures against Risks by developing and implementing four different types of controls. These include technical controls, administrative controls, legal controls, and managerial controls. The proper use of controls makes existing vulnerabilities harder to exploit. Technical and legal controls aim to ensure information security in the short-to-medium period, while administrative and managerial controls aim to ensure information security in the medium-to-long period.
Simacan places strict information security controls over its clients’ data, its suppliers’ data, and its own data. Simacan is committed to ensuring that client data is not seen by anyone (or anything) who should not have access. Simacan employees have access to the information systems in which client data is processed and stored. For example, in order to diagnose a production problem, Simacan employees may need to access data owned by the client. Simacan employees are prohibited from using these permissions to view client data unless it is necessary to do so. We have technical controls in place to ensure that any access to client data is monitored and logged. Simacan employees are bound to our Information Security Policy and Simacan treats these issues as matters of the highest importance.
Simacan employees are required to read Simacan’s Information Security Policy. The Policy covers the security, availability, and confidentiality of the Simacan ISMS. Also, Simacan Employees are required to sign an ISMS Acknowledgement as an addendum to their employment contract.
The environment that hosts all of Simacan Cloud information systems is Amazon Web Services (AWS). AWS is compliant with multiple certifications for its data centers, including ISO/IEC 27001, 27017, and SOC reports (1, 2, and 3). For more information about the certification and compliance of AWS, please visit the AWS Security website and the AWS Compliance website.
The following security-related audits and certifications are applicable to the Simacan ISMS:
- ISO/IEC 27001: Simacan has successfully undergone the phase 2 of the ISO/IEC 27001 audit.
Auditing Security Checklist: Simacan runs yearly an internal audit of its cloud infrastructures against the auditing security checklist published by Amazon Web Services.
Simacan implements in its ISMS several security controls to protect its clients’ data, its suppliers’ data, and its own data.
Monitoring and Logging
Simacan monitors and logs 24/7/365 every aspect of what happens in its Cloud information systems. These technical security controls allow the Simacan employees to timely prevent possible security incidents and effectively assist the client in case of service deterioration or disruption.
Company-Wide Two-Factor Authentication Policy
Simacan employees are required to set up two-factor authentication on all the accounts where client data is processed or stored.
Single Sign On
The environment hosting Simacan’s Single Sign On is Stormpath. Stormpath’s services are compliant with multiple certifications, including SOC2 and EU-US Privacy Shield. For more information about the certification and compliance of Stormpath, please visit the Stormpath website and the Stormpath Compliance website.
Data retention is agreed in the Data Processor Agreement with the client.
Deletion of Customer Data
Timeframes and modality for the deletion of customer data is agreed in the Data Processor Agreement with the client.
Return of Customer Data
Timeframes and modality for the return of customer data is agreed in the Data Processor Agreement with the client.
Simacan implements the latest recommended SSL encryption security controls for all traffic in transit through its information systems.
Simacan monitors the changing cryptographic landscape closely and works promptly to upgrade its ISMS to respond to new cryptographic weaknesses as they are discovered and implements best practices as they evolve.
Simacan understands that its clients rely on Simacan Control Tower in their primary business functions. Simacan is committed to making Simacan Control Tower a highly-available product the clients can count on. The Simacan Cloud infrastructure runs on fault-tolerant systems, whether the failure invests individual servers or entire data centers. All Simacan clients who have a SLA contract in place benefit of the 24/7/365 service of the Simacan Support Team. The Support Team is available to quickly resolve all production problems.
To ensure availability, clients’ data is stored redundantly at multiple locations within the European Union at AWS data centers. Simacan has well-tested backup and restoration procedures, which allow recovery even from major disasters. Clients’ data and our source code are automatically backed up. Simacan has 24/7 monitoring and logging controls in place alerting Simacan employees in case of failures of the backup systems.
In addition to sophisticated system monitoring and logging, Simacan has implemented two-factor authentication for all server access across its production environment. Also, all of Simacan’s office networking infrastructure is configured according to industry best practices.
Incident Management & Response
In the event of a security breach, Simacan promptly notifies the client. Simacan has incident management policies and procedures in place to handle such an event.
External Security Audits
Simacan has contracts with respected external security firms who perform regular audits of the Simacan ISMS to verify that the implemented security practices are sound, and to monitor for new vulnerabilities. Simacan runs penetration tests either upon clients’ request, or upon Simacan’s own request.
Product Security Practices
New features, functionalities, and design changes go through an information security review process. In addition, all Simacan source code is extensively tested, and manually peer-reviewed prior to being deployed to production. Simacan employees work closely with one another to resolve any additional security concerns that may arise during development.
In July 2015 Simacan entered a trajectory to certify its own ISMS against the ISO/IEC 27001:2013 standard. ISO/IEC 27001:2013 is a risk-based information security standard which helps organizations to keep information assets secure. Certification to ISO/IEC 27001:2013 is possible but not obligatory. Simacan chose to implement the standard in order to benefit from the best practice it contains and to reassure its clients of the quality of the processes behind the Simacan SaaS products.
Questions about Information Security?
Contact us on firstname.lastname@example.org
From time to time it is necessary to notify our clients, suppliers, and business partners about relevant security-related events. In the security bulletins below we only publish notifications relevant to events related to the Simacan ISMS. Information about incidents is available on the Simacan status page.
- [2016-04-28] published version 2.1 of the Information Security Policy.
- [2016-03-29/31] an internal audit was performed on the Simacan ISMS.
- [2016-03-22/23] Simacan employees received an Awareness & Training session about the Simacan ISMS.
- [2016-03-01] Simacan ISMS has been initiated.