Technical and Security Measures – Fusio – FAQ

Data protection & security measures

Do you have a dedicated security team?

Yes. Ludovic Raymond (ludovic.raymond@asklocala.com) acts as CISO, and Ludovic L’Hoir (ludovic.lhoir@asklocala.com) is Head of IT Operations and Security.

Has your organization formally appointed a focal point for security coordination (for example, a Chief Information Security Officer (CISO))?

Yes. Ask Locala has a dedicated security team composed of Ludovic Raymond (ludovic.raymond@asklocala.com), acting as CISO, and Ludovic L’Hoir (ludovic.lhoir@asklocala.com), Head of IT Operations and Security.

What is your security strategy? Describe any security procedures in place to keep all information processed in a secure way. In particular describe the physical, logical or organizational, administrative and technical aspects.

Ask Locala takes all reasonable measures to protect the security of personal data during transmission. We also take reasonable measures to safeguard personal data and to protect against unauthorized access, alteration, disclosure or destruction of such information through our data collection, storage and security practices. We have defined an Information Systems Security policy. It covers in particular:
  • Governance and risk management
  • Measures of physical security of offices and environments by zone (badge, camera, alarm, air conditioning, fire solution, redundant power source)
  • Measures of logical security of the environments (password policy, VPN, firewall)
  • Access management (boarding, journals)
  • Protection of workstations (encryption, antivirus, limited rights, confidentiality filters)
  • Security of data transfers
  • Protection of data by encryption
  • Business Continuity Plan
  • Securing of relations with partners
On request we can provide the Technical and Organizational Security Measures document.

Has the organization implemented an IT Governance or Cybersecurity framework such as ITIL, COBIT, NIST or ISO?

The organization has implemented IT governance and has integrated some COBIT and ITIL best practices.

Are your employees required to sign a non-disclosure agreement or comply with a code of conduct that includes rules regarding information system security, communications and data confidentiality?

Yes. Employees sign the Ask Locala Code of Conduct and IT charter.

Have your employees received formal training on information system security and/or data confidentiality?

Yes. All Ask Locala employees are regularly trained on information system security, data protection and confidentiality, and preventive and responsive security measures. The training plan is prepared jointly by the Compliance and Security teams and approved by the Data Protection Officer. Compliance onboarding training is delivered to all new Ask Locala employees.

Is a background check required for all employees accessing and handling the organization’s data?

Yes, references and academic certificates are requested.

Has the data center you use been the subject of a SOC 2 Type II assessment?

Yes. Amazon Web Services has undergone a SOC 2 Type II assessment (https://aws.amazon.com/fr/compliance/soc-faqs/). In addition, Ask Locala includes this assessment in its own Risk Assessment Process.

Is the company certified in ISO 27001 or in any other information security and/or business continuity certification?

Ask Locala has put together dedicated resources to address data privacy and security compliance matters, but has not obtained a certification.

Has a policy of BYOD (Bring Your Own Device) been implemented?

No.

Are the temporary files deleted?

Yes.

Have you subscribed to a cyber security insurance coverage?

We have not subscribed to a dedicated cyber security insurance; however, our business is covered for civil liability and the operation of information systems.

Is antivirus software installed on data processing servers and on workstations that access servers / systems involved in providing your solution?

Yes.

Are system and security patches applied to workstations on a routine basis?

Patch management is manual. We receive security patch notifications from the vendors. Workstation user rights are limited. OS security patches are applied as released by the vendors. OS upgrades and software installations are tested, validated and deployed by the Ask Locala IT service. A Chrome browser security policy is defined and deployed.

Are system and security patches applied to servers on a routine basis?

Server configurations are centralized in configuration and deployment tools.

What controls are in place to segment and protect each customer on your multi-tenant platform?

The solution is going to be hosted at a location owned by a third party, and the contracts with that party incorporate information security requirements: a Vendor Qualification Process, specific clauses and a DPA.

Data encryption

Is the data stored encrypted? (all storage devices and media, including backups)

All data accesses are limited, controlled and reviewed, but for data processing performance the data is not encrypted.

How do you protect your encryption keys?

Ask Locala uses the data bag principle to protect encryption keys.

Do you have a Workstation Disk Encryption Policy? If yes, please explain how you provide accountability of the encryption state of a workstation.

Workstation hard drives are encrypted: Windows BitLocker (AES-CBC 128), macOS FileVault (AES 128), Linux LUKS or eCryptfs (AES 128). Data on the platform is encrypted with AES 128.

Are connections between servers and back-office systems encrypted (e.g., using Secure Sockets Layer (SSL), Transport Layer Security (TLS) or IPsec)?

TLS 1.2 with DigiCert SSL certificates (SHA-256 with RSA signature, 2048-bit RSA key).

Does your solution store passwords in plaintext, or does it use hashes to identify users?

As required by the Ask Locala Password Policy, the Platform stores passwords hashed with bcrypt (https://en.wikipedia.org/wiki/Bcrypt). bcrypt is a password hashing function based on the Blowfish cipher. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search even as computing power increases.

Data transfer

If your servers or the third parties you share information with are located outside the EEA, do you have the appropriate measures in place to allow for safe transfer of data?

The Platform is hosted by Amazon Web Services, which complies with the principles of the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. This framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes. More information about the EU-U.S. Privacy Shield is available on the official European Commission site.

Please describe the security measures implemented to protect information while in transit with other organizations.

The information is encrypted during transit. Connections between servers and back-office systems are encrypted with DigiCert SSL certificates (SHA-256 with RSA signature, 2048-bit RSA key) over TLS 1.2. Data transfers follow the Secured Personal Data Transfer Process: over HTTPS, or via a link secured with an encrypted password sent separately. Data is transferred to third parties for audience provision, measurement and tracking as defined in the campaign brief, and the vendors are disclosed to the client in the IO or data processing schedule. Some of our partners may have their data centers outside the EU. Our partners are asked to sign our Business Code of Conduct, which includes a section on their privacy and security measures and on how data transfers are secured, including outside the EU.

Are data transmissions encrypted? (secure transmission)

Ask Locala uses SSL (HTTPS, SFTP) or other data encryption solutions for data transmissions.

In the event that communications are protected, please specify if there is a communication filter (firewall, IP filter), if the content of the communications is encrypted and if the encryption methods are kept up to date.

There are communication protection mechanisms in the organization. E-mail systems are protected by technical security controls (Google G Suite / Gmail): they are placed behind a firewall with a relay server in the DMZ, and antivirus software and an anti-spam filter are in use. External network connections are monitored by the IPS/IDS in place on our primary network. The platform is hosted on the AWS cloud platform, which provides additional security hardening. We plan in 2020 to strengthen security management by implementing AWS WAF. Employees are required to use a VPN when accessing the organization’s systems from all remote locations.

Are there information security policies which dictate the relationship with suppliers and define information security requirements for mitigating the risks associated with supplier access to organization assets?

Yes. We have put in place a Vendor Assessment Policy that defines Ask Locala’s minimum requirements for managing the risks associated with data access, sharing, storage and processing while working with vendors and partners.

Data storage

Please indicate the location of the storage systems (cloud, physical servers).

Cloud: USA, Ireland, France, Singapore

Is secret data encrypted when copied to a removable media?

Secret, confidential, restricted or internal corporate data may be stored only on corporate removable media, kept in a safe and secure locked cabinet, and with data encryption.

Physical access control

Please specify if there is a physical access control system and access log to the DC (Data Center).

AWS measures apply (the data centers are operated by AWS).

Are security measures implemented to protect servers and workstations? Please describe the security measures implemented to protect both laptops and workstations.

Servers: physical access control is ensured by our hosting provider AWS (for our US, EU and SG production sites). Workstations: access limitations and controls with badge access control, plus Ask Locala’s Password Policy.

Does the installation of applications on computers require administrator privileges?

Yes.

Logical access control

Please specify if there is a list of individual users, whether their functions are differentiated, whether access is blocked after a period of non-use, and whether there is an inventory of administrators. If an inventory of administrators exists, please confirm/specify whether those administrators/privileged users have two accounts, a personal account and a role account.

Individual user accounts are set by default and functions are differentiated. Ask Locala’s password policy requires the system to apply a sanction after multiple connection attempts: the account is frozen after 6 failed connection attempts (the policy minimum). The user then has to contact an administrator to reset the password and reactivate the account, and this is followed where applicable. This measure is currently being deployed on all services where applicable. Administrators use individual accounts.

Are authentication mechanisms implemented? How do you ensure authentication and what is your procedure to cut off such access when people who had access to the Personal Data leave your company?

According to Ask Locala’s password policy, a login and a strong password are required. 2FA is recommended and is currently being deployed. Access is revoked by IT based on offboarding tickets created by HR and on mandatory monthly reviews.

Specifically describe your password policy (complexity, rotation, accepted failed attempts…).

The Password Policy specifies:
  • Complexity: at least 8 characters, use of upper- and lower-case letters, at least one digit and one special character, and prohibition of words from a blacklist.
  • Rotation: a required change every 90 days.
  • Failed attempts: the account is frozen after 6 failed connection attempts.
  • Storage: a non-reversible (one-way hashing) method is used to store the password in the database.

How do you verify password strength?

The password criteria are configured in the system and checked when the password is entered.

Are hashing methods used for storing passwords?

As required by the Ask Locala Password Policy, the Platform stores passwords hashed with bcrypt (https://en.wikipedia.org/wiki/Bcrypt). bcrypt is a password hashing function based on the Blowfish cipher. Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search even as computing power increases.
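The two bcrypt properties the answers above describe (a per-password salt and a work factor that can be raised over time) are shown here in an added example that is not Ask Locala's code: bcrypt itself is not in Python's standard library, so `hashlib.scrypt` stands in as the adaptive hash, and the record format, cost constants and `login()` upgrade flow are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

# Added example, not Ask Locala's code. The FAQ says the platform stores
# passwords with bcrypt; bcrypt is not in Python's standard library, so this
# example uses hashlib.scrypt as a stand-in adaptive hash. It demonstrates the
# property the FAQ describes: each record carries its own salt and work factor,
# so the cost can be raised later and older hashes upgraded at the next login.

CURRENT_LOG2_N = 14   # work factor the policy currently requires (n = 2**14)
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password: str, log2_n: int = CURRENT_LOG2_N) -> str:
    """Return 'scrypt$<log2_n>$<salt_b64>$<hash_b64>' using a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** log2_n, r=8, p=1, dklen=KEY_LEN)
    return "scrypt$%d$%s$%s" % (log2_n, base64.b64encode(salt).decode(),
                                base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and cost embedded in the record; constant-time compare."""
    try:
        scheme, log2_n, salt_b64, hash_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=2 ** int(log2_n), r=8, p=1, dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, policy_log2_n: int = CURRENT_LOG2_N) -> bool:
    """True when the record was produced with a lower work factor than policy now demands."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "scrypt" or int(parts[1]) < policy_log2_n


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password; on success return the record to persist, upgraded to
    the current work factor if the stored one is weaker (the 'adaptive' step)."""
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, stored
```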

Are accounts locked or frozen at failed login attempts?

Ask Locala’s policy requires the system to apply a sanction after multiple connection attempts: the account is frozen after 6 failed connection attempts (the policy minimum). The user then has to contact an administrator to reset the password and reactivate the account, and this is followed where applicable. This measure is currently being deployed on all services where applicable.
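The password policy answers above (8-character complexity rules with a blacklist, 90-day rotation, freeze after 6 failed attempts, administrator-only reactivation) are encoded below in an added example that is not Ask Locala's code; the blacklist words, the `Account` class and the scenario in `demo()` are constructed for illustration, and hashing is left to a separate verifier whose yes/no result `record_login()` receives.

```python
import re
from datetime import datetime, timedelta

# Added example, not Ask Locala's code: the password rules the FAQ states
# (8+ chars with upper/lower case, a digit and a special char, a blacklist,
# a change every 90 days, account frozen after 6 failed attempts until an
# administrator resets it). Hashing is out of scope; record_login() receives
# the verifier's yes/no. The blacklist and the scenario in demo() are constructed.

MIN_LENGTH = 8
ROTATION = timedelta(days=90)
MAX_FAILED_ATTEMPTS = 6
BLACKLIST = {"password", "asklocala", "fusio", "qwerty", "123456"}  # constructed

def check_complexity(password: str) -> list:
    """Return the rules a candidate violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        problems.append("needs upper and lower case")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character")
    if any(word in password.lower() for word in BLACKLIST):
        problems.append("contains a blacklisted word")
    return problems

class Account:
    """Lockout and rotation state for one user; hash verification happens elsewhere."""
    def __init__(self, password_changed_at: datetime):
        self.password_changed_at = password_changed_at
        self.failed_attempts = 0
        self.frozen = False

    def record_login(self, password_verified: bool, now: datetime) -> str:
        """Outcome of one attempt: 'ok', 'denied', 'frozen' or 'expired'."""
        if self.frozen:
            return "frozen"  # a correct password does not unfreeze; an administrator must
        if not password_verified:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.frozen = True
                return "frozen"
            return "denied"
        self.failed_attempts = 0
        if now - self.password_changed_at >= ROTATION:
            return "expired"  # authenticated, but a password change is forced first
        return "ok"

    def admin_reset(self, new_password: str, now: datetime) -> bool:
        """Administrator reset: reactivates the account only with a compliant new password."""
        if check_complexity(new_password):
            return False
        self.failed_attempts, self.frozen, self.password_changed_at = 0, False, now
        return True

def demo() -> list:
    """Constructed scenario: 6 wrong passwords, a correct one while frozen, a rejected and an accepted reset."""
    now, acct = datetime(2020, 6, 1), Account(datetime(2020, 5, 1))
    out = [acct.record_login(False, now) for _ in range(6)]
    out += [acct.record_login(True, now), acct.admin_reset("password1", now),
            acct.admin_reset("Correct-H0rse", now), acct.record_login(True, now)]
    return out
```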

If automatic log-out / idle timeouts are configured, please indicate the time before log-out.

The user is automatically signed out after 14 days of not using any of the Fusio applications or not opening the fusio.asklocala.com page while being signed in.

Access log. Please indicate if the access of users and administrators is registered, what information is collected, if such a registry is reviewed and for how long it is preserved.

Connections to the FUSIO application are made centrally (SSO) and each connection is logged. The logs contain the following information: client public IP, user agent, user_id, token update, action performed, time, last connection date and the list of auth tokens used with the associated user_id. These logs are retained for up to 13 months.
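The question above also asks whether the registry is reviewed; the following added example (not Ask Locala's code) shows one such review pass over records carrying the fields listed in the answer. The 13-month retention is from the answer; the JSON layout, the two review rules (one auth token seen under two user_ids, one user seen from several public IPs within an hour) and the log lines themselves are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not Ask Locala's code: a review pass over access-log records
# carrying the fields the FAQ lists (client public IP, user agent, user_id,
# auth token, action, time). The 13-month retention comes from the FAQ; the two
# review rules, the JSON layout and the log lines (RFC 5737 addresses) are constructed.

RETENTION_MONTHS = 13
IP_SPREAD_WINDOW = timedelta(hours=1)
IP_SPREAD_THRESHOLD = 3  # distinct client IPs for one user inside the window

SAMPLE_LOG = """
{"time": "2019-01-02T09:00:00", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0", "user_id": "u42", "token": "tokA", "action": "login"}
{"time": "2020-03-01T10:00:00", "ip": "203.0.113.10", "user_agent": "Mozilla/5.0", "user_id": "u42", "token": "tokB", "action": "login"}
{"time": "2020-03-01T10:20:00", "ip": "198.51.100.7", "user_agent": "Mozilla/5.0", "user_id": "u42", "token": "tokB", "action": "view_campaign"}
{"time": "2020-03-01T10:40:00", "ip": "192.0.2.55", "user_agent": "curl/7.64", "user_id": "u42", "token": "tokB", "action": "export_report"}
{"time": "2020-03-01T11:00:00", "ip": "192.0.2.55", "user_agent": "curl/7.64", "user_id": "u99", "token": "tokB", "action": "view_campaign"}
{"time": "2020-03-02T08:00:00", "ip": "203.0.113.20", "user_agent": "Mozilla/5.0", "user_id": "u7", "token": "tokC", "action": "login"}
"""

def parse_log(text: str) -> list:
    """One JSON object per line; returns records sorted by time."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    for rec in records:
        rec["time"] = datetime.fromisoformat(rec["time"])
    return sorted(records, key=lambda r: r["time"])

def retention_cutoff(now: datetime) -> datetime:
    """Oldest instant still inside the retention window (calendar months back from now)."""
    month = now.month - RETENTION_MONTHS
    year = now.year + (month - 1) // 12
    return now.replace(year=year, month=(month - 1) % 12 + 1, day=min(now.day, 28))

def tokens_shared_by_users(records: list) -> dict:
    """An auth token is bound to one user_id; the same token under two ids is a red flag."""
    users = defaultdict(set)
    for r in records:
        users[r["token"]].add(r["user_id"])
    return {tok: sorted(ids) for tok, ids in users.items() if len(ids) > 1}

def users_with_ip_spread(records: list) -> list:
    """user_ids seen from >= IP_SPREAD_THRESHOLD distinct IPs within one sliding window."""
    by_user = defaultdict(list)
    for r in records:  # records are time-sorted, so each per-user list is too
        by_user[r["user_id"]].append(r)
    flagged = []
    for user, recs in by_user.items():
        for i, first in enumerate(recs):
            window = [r for r in recs[i:] if r["time"] - first["time"] <= IP_SPREAD_WINDOW]
            if len({r["ip"] for r in window}) >= IP_SPREAD_THRESHOLD:
                flagged.append(user)
                break
    return sorted(flagged)

def review_sample(now: datetime = datetime(2020, 4, 1)) -> dict:
    """Apply retention, then run both review rules over the constructed log."""
    cutoff = retention_cutoff(now)
    records = [r for r in parse_log(SAMPLE_LOG) if r["time"] >= cutoff]
    return {"kept": len(records), "shared_tokens": tokens_shared_by_users(records),
            "ip_spread_users": users_with_ip_spread(records)}
```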

Are third party penetration tests performed on your network and against your solution?

No.

Is there formal control of access to System Administrator privileges?

Access is restricted by IPsec and requires connecting through a bastion host with a personal key.

Is there a documented standard/procedure for security event logging which covers generation, storage, protection and retention of security-related events (e.g., user login attempts, service creation, deletion of user accounts) and event attributes associated with each event (e.g., date, time, UserID, filename and IP address)?

No. A documented procedure covering security event logging is not available, although security event logging is managed. We plan in 2020 to define a general security event logging policy.

Back-Ups

Is there a back-up policy in place? If back-ups exist, please indicate whether they are performed, where they are stored, whether restore trials are carried out and whether their storage is encrypted.

There are backups of specific systems, and Infrastructure as Code (Terraform + Chef + AMI) for everything else. Backups and restores are performed daily for specific systems; restores are performed monthly for the most used systems (instance bootstraps and AMI builds, for example). The last full rebuild (100% of the system) was in 2017, and the last major rebuild in November 2019. Backups are stored offsite for restricted content only, in the US / EU (Dublin, Paris, Marseille) on multiple hosting providers (AWS / Colt / OVH). Backups are not encrypted, but data transfer is encrypted and access is limited to specific sources, VPNs and secured access.

Are computer systems (servers) backed up according to a regular schedule?

There are backups of specific systems, and Infrastructure as Code (Terraform + Chef + AMI) for everything else.

Is restoration of backups tested regularly?

No. Backups are performed continuously, but backup restoration tests are not performed yet. We plan in 2020 to implement an additional solution to cover this requirement.

Does the organization store backups offsite?

For restricted content only: storage in the US / EU (Dublin, Paris, Marseille) on multiple hosting providers (AWS / Colt / OVH).

Does the organization encrypt its backups?

Backups are not encrypted, but data transfer is encrypted and access is limited to specific sources, VPNs and secured access.

Business continuity

Please indicate if there are systems of redundancy and recovery (clusters, RAID…) and if there is a written procedure for acting against possible disasters and regulating business continuity.

The business continuity and disaster recovery plans include measures concerning office space and resources (network equipment configured in pairs for offices with advanced technical rooms, relocation of activity to a backup site, use of cloud services, full backup of local data at least every 24 hours to a site different from the main storage site) and production services (network equipment configured at least in pairs). Inter-site redundancy: autonomy of front-end sites and reallocation of traffic. All production environment equipment has redundant power, air conditioning and fire protection; data is backed up completely, hot and automatically at least every 24 hours to a site different from the main storage site; code history management and source code backup are held in a dedicated system.

Is there a Business Continuity Management (BCM) clause or an official SLA which includes BCM requirements (BCP, BRTO, RPO)?

Yanco benefits from its DSP SLA.

Does the organization have a “Hot” recovery site?

No.

Network security and Vulnerability Management

Is there a vulnerability management process in the organization? Please indicate if a vulnerability management process exists to ensure that all vulnerabilities in systems, servers, storage, communication equipment, are identified and remedied.

For production, operating system updates, security patches and application environments are controlled centrally. We plan in 2020 to formalize a Risk and Vulnerability Assessment Policy.

Are anti-DDoS mechanisms in place at infrastructure and application level?

No. The platform is hosted on the AWS cloud platform, which provides additional security hardening. In addition, a circuit breaker is implemented to reduce risks. We plan in 2020 to strengthen security management by implementing AWS WAF.

Is regular network vulnerability scanning performed?

Yes.

Are Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) used by your organization?

Yes. IPS/IDS are in place on our primary network. The platform is hosted on the AWS cloud platform, which provides additional security hardening. We plan in 2020 to strengthen security management by implementing AWS WAF.

Are employees required to use a VPN when accessing the organization’s systems from all remote locations?

Yes.

How is wireless access protected in your organization?

Authentication mechanism for the main wireless networks: WPA2-PSK (AES) with a 32-character key; WPS disabled. A dedicated and isolated public wireless network, reserved for visitors, uses WPA2-PSK (AES) authentication; WPS disabled.

Change Process

Does the organization have a formal change control process for IT changes?

The Change Management Process is defined and in place. Manual code reviews and QA validations are performed before release into production, and the assessments are logged in Jira issues. We plan in 2020 to reinforce our checks and assessments in our CI with the implementation of the SonarQube tool (https://www.sonarqube.org/).

Production environment

Are there different environments for the pre-production, production and post-production (testing) phases?

Testing, development and production systems are hosted in separate environments.

Are the same security measures in place in production environment as in the development environment?

The security measures in the production environment hosted by AWS are stricter than in the development environment. The development environment is segregated, and developers only have the access they need. Obfuscated production data may be used in the development environment. Version control is enforced through the use of specific tools. Nevertheless, all internal measures are implemented for the development environment, and the vendor has been reviewed and validated for its security measures.

In the development environment, is anonymized or mock data used?

Anonymised and mock data.

Do software developers receive periodic secure coding training?

We follow industry trends and participate in conferences and trade events whenever relevant. In addition, all Ask Locala employees are regularly trained on information system security, data protection and confidentiality, and preventive and responsive security measures.

Audit

Are the systems in the organization audited? Please indicate if system audits are periodically performed (pen testing, ethical hacking…) and the frequency.

We were audited and accredited by the MRC in 2015, 2016 and 2017. We plan to perform internal audits and intrusion tests.

Have you been audited by an independent security auditor?

As part of our MRC accreditation, Ask Locala was audited annually by EY. The certification was renewed in 2016, 2017 and 2018.

Are you able to carry out a security check of your IT system upon the client’s request?

We are able to do so, subject to prior discussion and agreement on the scope and planning (subject to availability of the teams).

Are you able to assist the Client in case of an Audit of the Client by its Clients?

We are able to do so, subject to prior discussion and agreement on the scope and planning (subject to availability of the teams).

Information Management

There is a formal asset management program which includes an inventory of all mission critical assets and all assets potentially accessible by any Third Party.

The inventory of all personal data processing, together with information on transfers to third parties, is held in our formal records of personal data processing. In addition, we have created an Information Security Management Policy which describes asset categories based on data criticality and storage and sharing rules.

Is there a formal information classification?

We have created an Information Security Management Policy which describes asset categories based on data criticality and storage and sharing rules.
