PROTECTION & SECURITY
COMPLIANCE

ibCom mydigitalstructure is a highly secure, enterprise-grade, fully hosted platform. It runs on Amazon Web Services, a world-class infrastructure provider. ibCom's information security compliance depends in part on the inherent compliance encapsulated within Amazon Web Services.

Before reading about ibCom's information security compliance, we recommend reading:

View our ISO27001 & 27017 certifications

INFRASTRUCTURE COMPLIANCE

AWS is compliant with the following standards: HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, ISO27017, ISO27018, FedRAMP(SM), DIACAP and FISMA, ITAR, FIPS 140-2, CSA, MPAA.

It covers the following areas of compliance:

  • Supplier employees
  • Access management
  • External media
  • Environmental security
  • Network security

Find out more

IBCOM PLATFORM COMPLIANCE

The next layer in proving compliance is the application platform compliance, covering:

  • Authentication
  • Authorisation
  • Data validation - in terms of typing and general rules.
  • Error handling
  • Session management
  • Logging
  • Auditing
  • Encryption

We are constantly evaluating the ibCom platform service against industry best standards.

Deployment and maintenance are covered by 3rd party providers who build their apps on top of the ibCom platform.

ibCom employee access: The ibCom platform is run by "machines" within the AWS service, with very little human access; only a few long-term, highly qualified employees have access.

Being employed by ibCom does not inherently give an employee access.

If an employee who has not yet been employed by ibCom for one (1) year requires operational access, then they must have at least one year's experience with an equivalent, well-proven provider similar to ibCom.

All employees are bound by confidentiality / non-disclosure agreements.

Security: ibCom mydigitalstructure is a fixed application platform developed over the last thirteen-plus (13+) years and is now at a point in its lifecycle where it does not change. All application changes occur by 3rd parties in the isolated "user mode" operating on top of the platform.
Disaster recovery: ibCom runs a real-time duplicate service in "warm mode" in Singapore.

The warm service is constantly being tested for "ready-to-run" status.

more about regions

In-transit Security: 2048/256 SSL, with DH cipher for perfect forward secrecy.
Authentication: 2nd-factor authentication is available. Single sign-on is a function of the "user mode" application layer and is thus handled by the app provider.

more about authentication

Authorisation: All of the 700+ platform methods can be functionally controlled for:
  • Read
  • Write
  • Delete

Data-based restrictions are also available.

more about access control

Reporting: ibCom offers a number of ways of reporting issues, including a reward for reporting.

Any issue that is applicable to more than one user (tenant) will be reported to all users (tenants) of the platform.

Rectification: ibCom will fix any reported issue within 24 hours (maximum).
Certification: ibCom is constantly updating its ISO/IEC 27001 Statement of Applicability, in relation to ibCom's plan-do-check-act framework in conjunction with measuring and evaluating. We are currently in the process of being independently certified (as at JUN2015).
Data Cleansing: Within both the multi-tenanted and "isolated" modes, all data is clearly segmented and can be cleansed by the owner of the data as and when they wish, using the standard platform API methods (functions).
Data Continuity: Within both the multi-tenanted and "isolated" modes, all data can be backed up by the owner of the data as and when they wish, using the standard platform API methods (functions).
Data geographical location: The ibCom platform is hosted at the AWS Sydney location.

more about regions

Data Access: Data can only be accessed by users to whom the owner of the data has granted access.

The owner of the data can remove access for users at any time they wish, using standard platform API methods (functions).

Data Backup: Data is constantly being backed up and restored.
Data Encryption: Space-based at-rest data encryption is available with an "Isolated Data Space".
Logging: All logging is in the context of a tenant space and the specific user that initiated the action.
Operating Systems: All operating systems are constantly updated with critical security fixes.
Penetration Testing: Systems are constantly being tested for vulnerabilities using an OWASP-based framework. If a user wishes to conduct their own penetration testing, they need to contact ibCom to make arrangements.
Capacity Management: ibCom uses a number of standard AWS functions to dynamically scale to meet demand.
ibCom's ISO/IEC 27001 Statement of Applicability

EU GDPR COMPLIANCE

The EU General Data Protection Regulation (GDPR) supersedes all member states’ data protection laws. The new Regulation expands the rights of natural persons, giving individuals more control over how their information is collected and processed, while putting pressure on organisations that process EU residents’ personal data to tighten their data protection processes.

In a broad sense, ibCom at its core is about keeping data private, and complies with all personal data privacy requirements as per control 18.1.4 of the ISO 27001/17 standard.

More about GDPR...

AWS compliance

AWS Processing Data Addendum

REVIEWS
Control 5.1.2

The reviews are triggered by either a predefined schedule or ad-hoc business/system change management scenarios (change management types include: employee, team, business process, systems, technology, enhancements, upgrades, partnerships, vendor agreements).

The information security review, audit and policy adjustment process covers: initiation of review/audit, audit checklist, audit and policy review, management approval, implementation, policy modification, redistribution, communication and training as required.

Policy Reference...

REVIEW SCHEDULE

Policy Documentation: Annual (October)
ISMS Audit (Internal): Annual (Feb)
Risk Assessment: Annual (October)
Access Audit: 6 monthly (minimum)
Application Security: On change
Penetration Testing: Constant (zenmap)

DOCUMENTS STRUCTURE

ISMS Policy Reference:

  • Information security policy
  • ISMS policy reference
  • Operations manual
  • Internal training matrix
  • Risk assessment reports/analysis/treatment (control)
  • Internal audit report
  • ISO/IEC 27001/17 Statement of Applicability
  • Management Minutes (including the decision to commit to ISO 27001/17,
  • Evidence register
  • Asset register
