INFORMATION SECURITY GOALS
- Admincontrol ensures the confidentiality, privacy and integrity of our clients' data.
- The Admincontrol services must be available to authorized users in accordance with the customers' SLAs.
- The continuity of Admincontrol AS and our services must be ensured for maximum possible predictability.
- Admincontrol works actively to minimize risks and potential damage by preventing security incidents and reducing their potential impact.
- Admincontrol must comply with relevant customer requirements, laws and regulations for information security.
INFORMATION SECURITY STRATEGY
To achieve our security goals, we will work systematically on information security throughout the organization, including the development, operation, testing and support functions. This is achieved through clearly defined security management, and the implementation of an ISO 27001 certified Information Security Management System (ISMS).
The key elements of our security strategy include:
- Security education and awareness program for employees
- Using established security standards and frameworks
- Building trust and security through transparency
- Engaging 3rd party security experts for auditing and security testing
ISO 27001:2013 certification
ISO 27001 is the most internationally recognised and accepted standard for information security.
The ISO 27001 standard provides a solid foundation for building an Information Security Management System (ISMS), defining how an organisation should manage and govern information security, including industry best practices for applicable security controls.
The standard itself is a very comprehensive framework that includes a set of security controls to be implemented. As a full-service provider, where Admincontrol develops and operates the entire service offering, we have implemented the full set of controls from the framework.
Maintaining data privacy and integrity is a top priority for us, since we hold both sensitive and personal data for our clients. An Information Security Management System (ISMS) is an effective way to manage information security, reduce the risk of an information security breach, and provide a solid base for achieving compliance with relevant data protection and privacy regulations such as the GDPR, while at the same time meeting the needs and requirements of our clients to protect their information.
The certification covers the entire service offering including our business process and our SaaS platform. All our sub-contractors are also ISO 27001:2013 certified.
Authentication is done by entering the username and password. The password is not initially sent to the user, but is entered by the user and transmitted in encrypted form during the registration process. The user will receive an encrypted authentication cookie at logon. On subsequent requests, the client passes the secured authentication cookie with the request.
Two factor authentication
The system issues a one-time password to the user's mobile (SMS two-factor) each time the user logs on. The user has to enter the one-time password to complete the login process.
As an alternative to SMS two-factor, we have implemented support for Buypass Code. This is a similar solution, but based on a smartphone app and internet communication instead of SMS.
The portal can be configured to use SMS two-factor for user registration. This means that the Administrator will have to register the user's mobile number when inviting a new user. This function will prevent misuse of user invitations if they go astray.
For our Nordic clients we offer secure eID methods in Norway, Sweden, Denmark and Finland based on national eID solutions such as BankID, mobile BankID, Swedish BankID, and NemID.
User rights are role-based and provide access to folders. Users in an organization may have different rights, depending on their user role. All the information is linked to folders.
In addition, the user will be a member of a system role. The system role defines the user's permission level. There are five different system roles: Readers, ReadAndPrint, Users, ContentAdmin and Administrator.
Encryption in transit
All communication between clients/iPads and the server is TLS encrypted, using an Extended Validation SSL Server Certificate (https).
Encryption at rest
Documents are encrypted at rest using strong AES 256 encryption. The encryption key is unique to each customer, and stored in an encrypted key server.
Screening and background checks
Admincontrol has procedures for screening all new employees before employment is offered within the company. Screening includes a background check on the employee’s previous employment, and on public information about the employee being involved in incidents that are incompatible with employment at Admincontrol.
Our systems operating team with the highest access privileges are checked for criminal background and are required to hold a police certificate. This team has system admin access to all our systems, and can theoretically access all the information that is stored on our servers. Records can be provided for insider listing.
All Admincontrol’s employees have signed our “Statement Regarding Crimes”, which confirms that he/she has never been convicted of any felony in any country of the world, nor been convicted of any misdemeanour that may have any relevancy to his/her role and duties within Admincontrol.
All our employees have signed our “Statement Regarding Confidentiality And IPR”. All information contained in virtual data rooms and board portals hosted by Admincontrol, and the mere fact that Admincontrol hosts such virtual data rooms or board portals for specific clients, is considered as confidential information.
The production environment is secured to prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities, to prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.
Physical entry controls
Secure areas are protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Storage media and servers
Admincontrol will only use dedicated servers and storage for total control of how data is processed and stored. On disposal of our production system storage media, we guarantee that all information is erased by degaussing. Admincontrol uses a certified provider for data storage media deletion.
Intrusion Prevention System
Admincontrol is able to detect and stop intrusion attempts, DDoS attacks and unwanted network activity at an early stage, 24/7/365.
Metadata is stored in a relational database. The documents and files are encrypted and stored in their original format. A file checksum is stored along with the file for integrity check purposes.
Backup is performed on the following levels:
- Full daily backup, which is transmitted to secondary data centre
- Weekly incremental backup, which is transmitted to secondary data centre
- Transaction log backup is transmitted every hour to secondary data centre
All the data is stored in our geo-redundant datacentres. All the hardware and infrastructure within each datacentre are also redundant and configured for high availability in all aspects. In addition, we make use of redundant connectivity, using Hot Standby Router Protocol.
Admincontrol will ensure redundancy in all critical components. Nonetheless, we have documented procedures in place for ensuring information security continuity and service continuity in case of unwanted incidents and disasters. The procedures are maintained and tested periodically to ensure that they work effectively at all times.
INFORMATION SECURITY GOVERNANCE
Admincontrol performs an internal risk assessment on a regular basis, in order to identify new risks and to reduce existing risks. Based on the result of the risk analysis, a risk treatment plan is defined. This process forms the basis for the selection and prioritization of security controls. Admincontrol will ensure that all risks are understood and taken into account by the management.
Admincontrol has documented incident management procedures, in order to restore normal condition, identify the cause of the incident and prevent recurrence of the problem. All information security incidents are recorded in an incident register.
Vendors and sub-contractors
Vendors and sub-contractors are also subject to our information security policy. Admincontrol supervises and follows up on the subcontractor’s information security. When applicable, the vendor contracts contain detailed security requirements, and Admincontrol follows up on security requirements on a regular basis.
Segregation of duties
Conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modifications, or misuse of the organization’s assets. There is a clear definition of roles in place, including management, sales, support, test, development and operation.
Security training and awareness program
All employees are trained in information security, and Admincontrol conducts regular measures to maintain a high security focus throughout the organization. The training is customized to the individual’s role and function.
Admincontrol’s web-based services shall not contain any security vulnerabilities as defined in the OWASP top 10 list. Security testing performed by 3rd party security consultants is carried out on a regular basis to assure the security level, and potential findings from a test are documented and corrected as soon as possible.
Admincontrol conducts an annual information security audit. This audit is performed by Deloitte, using the International Standard on Assurance Engagements, ISAE 3000 Type II. This standard is similar to the US auditing standards, SAS 70 and SSAE 16. The audit objectives are based on the ISO 27001/2 control framework and the current control objectives defined in the Admincontrol Security controls document / Statement of applicability (SOA). The documentation is available to our clients upon request.
Admincontrol complies with the following Norwegian laws and regulations concerning IT security for banks and finance institutions, and the regulations for protection of personal data. The Data Protection requirements are similar within the EU/EEA:
- EU General Data Protection Regulation (EU GDPR)
- Regulation on use of information and communication technology (ICT)
(Norwegian: «IKT Forskriften, bank og finans»)
- Norwegian Personal Data Act with Regulation
(Norwegian: «Personvernloven med Forskrift»)
Information Security Policy
Our information security policy is approved by the management. All managers are responsible for implementing our information security policy and ensuring staff compliance in their respective departments. Compliance with the information security policy is mandatory.