Fourth Issue November 2017
Overview and Definitions:
MoreVision's governing principles regarding ExcelWraps services are described with regard to our security policy, development & testing policy, client data policy, client end user policy, fair server usage policy and backup policy. Compliance to these policies ensures MoreVision achieves the Service Level Agreement promised to our clients. Procedures for termination of the service are also described.
MoreVision - MoreVision Limited is the software developer and provider of ExcelWraps consultancy services.
Server Provider - ISO27001 accredited server provider contracted by MoreVision.
ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
Client - MoreVision customers using an ExcelWraps website.
Business Clients work on a shared server configured by MoreVision (multi-tenant hosted).
Corporate Clients work on a dedicated server which can be configured to specific client requirements (single tenant hosted). Corporate clients have server inheritance rights and escrow software provision triggered in the event of MoreVision insolvency. They are also allowed direct contact and support from the Server Provider.
Client Administrators - Client staff responsible for management of the ExcelWraps subdomain.
Web application vulnerabilities account for the largest portion of attack vectors outside of malware. It is crucial that any web application be assessed for vulnerabilities and any vulnerabilities by remedied prior to production deployment. The purpose of this policy is to define web application security assessments within MoreVision ExcelWraps. Web application assessments are performed to identify potential or realised weaknesses as a result of inadvertent mis-configuration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of MoreVision's ExcelWraps services as well as satisfy compliance with any relevant policies in place. This policy covers all web application security assessments requested by any individual, group or department for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies in use at MoreVision ExcelWraps. All web application security assessments will be performed by the development team employed or contracted by MoreVision. All findings are considered confidential and are to be distributed to persons on a “need to know” basis.
MoreVision development policies are designed to not diminish security or any other aspect of the Service Level Agreement offered by the Server Provider.
Development Standards and Application Testing:
Scrum is an iterative and incremental agile software development framework for managing product development. MoreVision adhere to SCRUM development methodology using Microsoft 'Team Foundation Server' and Microsoft 'Visual Studio'. Microsoft 'Web Deploy' direct from Microsoft 'Team Foundation Server' streamline the deployment of Web applications to Microsoft IIS Web servers operated by the Server Provider. Initially new code is installed on the 'Test' server for testing purposes. When the new code makes it through testing it becomes a candidate for release and is installed on the 'Staged' server. Unit Tests and Selenium scripts are used to automate the testing process. Only after performing satisfactorily on the 'staged' server can it be published to the 'live' server.
Penetration Testing Policy:
Web applications on the 'staged' server are subject to security assessments prior to a 'live' server software update. Typically this occurs every month but as a minimum it must be completed every year. All security issues that are discovered during assessments must be mitigated based upon the following risk levels. The Risk Levels are based on the OWASP Risk Rating Methodology. Remediation validation testing will be required to validate fix and/or mitigation strategies for any discovered issues of Medium risk level or greater.
a) High – Any high risk issue must be fixed immediately or other mitigation strategies must be put in place to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the live environment.
b) Medium – Medium risk issues should be reviewed to determine what is required to mitigate and scheduled accordingly. Applications with medium risk issues may be taken off-line or denied release into the live environment based on the number of issues and if multiple issues increase the risk to an unacceptable level. Issues should be fixed in a patch/point release unless other mitigation strategies will limit exposure.
c) Low – Issue should be reviewed to determine what is required to correct the issue and scheduled accordingly.
The following security assessment levels shall be established by the development team that will be performing the assessments.
a) Full – A full assessment is comprised of tests for all known web application vulnerabilities using both automated and manual tools based on the OWASP Testing Guide.
b) Quick – A quick assessment will consist of a (typically) automated scan of an application for the OWASP Top Ten web application security risks at a minimum.
c) Targeted – A targeted assessment is performed to verify vulnerability remediation changes or new application functionality.
The current approved web application security assessment tools is OWASP ZAP. Other tools and/or techniques may be used depending upon what is found in the default assessment and the need to determine validity and risk are subject to the discretion of the Development team. Client's may request a summary of the penetration test results. In the event of any security breaches being identified by either MoreVision or their Server Provider the Client administrators will be alerted by email.
MoreVision adheres to the Data Protection Act 1998 (c 29); a United Kingdom Act of Parliament designed to protect personal data stored on computers.
Client data is never allowed on local development environment and all client data is retained on the Server Providers ISO 27001 compliant infrastructure and procedures. The only exception to this is that developers work with data from the ExcelWraps main site (ExcelWraps.com) and the ExcelWraps Trial site (Trial.ExcelWraps.com).
If a bug cannot be reproduced in the development environment then it may be necessary to copy live data to the development environment. In the first instance individual Wrap data should be exported as a single XML wrap data package which is much smaller than a full SQL database thus the threat of a security breach is low. A developer must export the data via the site dashboard to work on the bug. A second developer is required to test that the bug is resolved. After resolution of the bug the data must be permanently removed from any development machine and a separate task to remove Client data will be raised in the Scrum environment.
Should the 'Special Circumstances' procedure not be adequate in reproducing and resolving the bug then the full SQL database may be require to exactly replicate the live site. In these circumstances the full SQL database is in the local development and the threat of a security breach is high. In mitigation the data must be held there for as short a time as possible with the full knowledge of the Client. To proceed permission must be given by the client's representative via a digital signature. The developer may then copy the live SQL database using secure RDP to his local machine. The developer will provide a digital signature to indicate when this has been done. The issue can then be investigated and resolved. The developer must digitally sign when all client data has been permanently deleted from his development machine. A second developer must digitally sign to verify that this has been done. The clients representative will finally sign to acknowledge that the extraordinary event has been closed.
All data is owned by the Client. Data from an individual Wrap can be downloaded in an XML format by Client administrators. MoreVision can also assist to provide the full SQL data under the consultancy services provision. Client administrators have access to the website dashboard, user management controls, content controls and data export controls. All content available to Client users is controlled by Client administrators. Client users have access to the data via the front end of the ExcelWraps website. MoreVision development team and the Server Provider have access to your data on the cloud servers. When accessed by the Server Provider you have the reassurance of their ISO 27001 accreditation. MoreVision can also access your data held on the ISO 27001 accredited Server but they will never take it off (unless the exceptional circumstances procedure is triggered). MoreVision will never show your site to anyone outside the Client organisation unless special permission is obtained from the client. UK law will apply regarding any disputes regarding data.
ExcelWraps user charge assumes that an average user requires 2GB of file storage (i.e. a 50 user system is contained within 100GB). Typically Wrap data storage is extremely compact and this limit is unlikely to be exceeded. However some Client's may require larger file storage capabilities and in these circumstances MoreVision will provide additional space for an additional monthly cost.
Backup taken daily and retained for 7 days. Backups include both SQL data and site content. Backups are not held in the same site as the server. The backup encryption is AES-256. Corporate Clients can customise their backup options.
A 15 minute lockout will be applied to any user after 4 failed login attempts. In addition Client administrators may configure site password policies to strengthen site passwords:
Force password change every N days (typically N = 60)
At least 1 upper case letter.
At least 1 lowercase letter.
At least 1 number.
At least 1 special character.
All Wrap Data and MyWraps report will be delivered to end users via HTTPS TLS 1.2. Any other content can be configured to be delivered in this way by Client administrators.
Clients can witness any aspect of our working procedures. It will be demonstrated to them by MoreVision Staff under the consultancy service provision.
Any exception to the policy must be approved by the MoreVision Development team in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. Web application assessments are a requirement of the change control process. All application releases must pass through the change control process. Any web applications that do not adhere to this policy may be taken offline until such time that a formal assessment can be performed at the discretion of the MoreVision Development team.
Server Provider's 24/7/365 Staffing and Monitoring:
The Server Provider runs multiple, redundant monitoring systems. These ensure that the Server Provider always knows when there are potential performance issues and helps them to quickly put them right. Qualified engineers staff their data centres 24 hours a day, 7 days a week, 365 days a year so they can always act rapidly to resolve problems. What’s more, their network is intelligent and self-healing so any failure is immediately and seamlessly routed around, usually without the need for human intervention.
Server Provider's Security:
The Server Provider is certified to the internationally recognised data security standard ISO 27001. This is an independently audited certification and ensures security runs through everything they do. Their data centres were constructed with security in mind; they are equipped with the latest in access control and intruder protection systems. They also have several levels of building security restricted by electronic key access, with CCTV recording systems constantly monitoring all internal and external areas of their buildings. Server Provider Data Centres feature: Multiple connections to the Internet, Advanced Fire Suppression, 24/7 Monitoring and Security Network Operations Centre, Multiple Uninterruptible Power Supplies and Backup Generators.
Server Provider's 100% Network Availability Guarantee:
The Server Provider can guarantee 100% availability of network resources at all times. The Server Provider have extensive measures in place to ensure infrastructure resilience, overall speed, performance and reliability, and provide strong defences against the latest generation of attacks. The Server Provider also has a policy of continuous improvement to hardware and infrastructure and invest significant amounts to ensure they deliver a superior hosting service. The Server Provider is a member of RIPE, which gives them control over our IPs and therefore high flexibility. They run their own Autonomous Network to ensure that performance is always optimised for their servers.
Server Provider's Financially Backed Guarantee:
The 100% Network Uptime Guarantee is a financially backed agreement with the Server Provider. So, in the unlikely event that the network is unavailable they will compensate you financially or add credit to your account. MoreVision will act on behalf of their Clients in pursuing such a claim with the Server Provider. When MoreVision or the Server Provider need to perform scheduled maintenance, we will give you as much notice as is possible and, apart from during maintenance slots, we guarantee that our network infrastructure will be available 100% of the time. Please note unavailability due to maintenance is rare and we usually carry it out without any interruption to our services. If we think there is a chance that the maintenance will cause a period of downtime, we will keep this to an absolute minimum (usually just a few minutes) and schedule, where possible the work at weekends in the early hours of the morning.
Corporate Client Support from Server Provider:
Corporate Clients can contact our Server Provider who provide 24/7/365 support services. Their UK support team work within their data centres and are fully trained to operate at second and third level. What this means is that no issue is too big or small and you won’t find yourself speaking to a first level support person that is just following a script and insisting that you answer unnecessary questions. You can contact them anytime using the phone, email or contact us via live chat for help (we also have a dedicated support website).
Business Client Support from MoreVision:
Business Clients cannot contact our Server Provider directly so the support element of the SLA cannot be extended to them. For Business Clients MoreVision offer support services during UK office hours.
MoreVision are covered by Professional Indemnity insurance with a £5,000,000 limit per claim, Employer's Liability cover with a limit of £10,000,000 per claim. A separate Cyber and Data Risk policy pays the costs of restoring data and equipment in the event of an attack on our servers.
Clients should give 30 days notice of termination. In this time they are free to take all their data and the site will be closed. At the month end after the notice period the site will be suspended. The website, all its data and any backups will be permanently deleted from the server after a further 30 days.
Server Provider's Exit:
There are many ISO 27001 compliant Server Provider companies in operation. MoreVision reserve the right to change the Server Provider at any time.
In the event of MoreVision insolvency the Service Provider will contact the Corporate Client's representative directly and allow them to inherit the Corporate Server. Corporate servers hold the full source code and MoreVision grants a source code license to the Corporate Client for the purposes of maintaining their service (not for resale).
First issue March 2017.
Second issue June 2017 - Scope broadened beyond security to include all MoreVision policies. Addition of fair usage after a client expressed a request to upload large quantities of video data.
Third issue August 2017 - Addition of Insurance Policies.
Fourth issue August 2017 - Addition of Data Protection and minor alteration to Insurance Policies.