Technical & Organisational Measures
Shireburn is conscious of its obligations to its Clients to ensure the security, confidentiality and availability of its own infrastructure and of the infrastructure provided by its Sub-contractors and Sub-Processors. In addition to hosting either internally or with reputable Sub-Processors, Shireburn designs its software with security features in mind and ensures that the hosting environment is correctly configured to maintain that security.
This page provides an overview of the Technical and Organisational Measures in effect to ensure a level of security appropriate to the risk of processing Personal Data. The measures vary depending on the nature of the service provided, namely the Shireburn SaaS Software, the Shireburn On-Premises Software and other services; each of these situations is outlined below.
1. General Technical and Organisational Measures at Shireburn
Shireburn implements a stringent set of measures to ensure the security and availability of its systems, both to run its own operations and to support the use of its software and services by its Clients. These general measures are:
- Granular User and Group level access control on all servers, virtual machines and systems
- Physical access control to our offices at the SkyParks Business Centre including individual Smartcard access control, burglar alarm and recorded CCTV facilities at office entrance.
- Locked access to server rooms.
- Off-site encrypted data backup for disaster recovery
- Clustered server environment with SAN storage
- Unified Threat Management (UTM) appliance for threat management and access control, including firewall, anti-malware, and mail and web content filtering
2. Measures Applicable when using Shireburn On-Premises Software
Since by definition the Shireburn On-Premises Software is installed on the Client’s own network and infrastructure, or in a 3rd party hosted environment that the Client has subcontracted to a party other than Shireburn or one of its Subcontractors, the security of that environment and the Technical and Organisational Measures protecting the Personal Data are the responsibility of the Client or of their Subcontractor.
3. Measures Applicable when using Shireburn SaaS Software
In addition to the Technical and Organisational Measures applicable in general at Shireburn, the following measures apply to the Shireburn Indigo software:
Data Safety & Security in Shireburn Indigo
a) Data storage – All Indigo data is stored electronically in an Azure SQL Database hosted on the Microsoft Azure platform in the Netherlands and replicated to a secondary server in Ireland. Storage files such as attachments are kept in an Azure File Storage account in the Netherlands and geo-replicated to Ireland.
b) Data access and backup – Azure SQL Database replication keeps your data available in the event of a system failure. We also retain point-in-time restore backups of the environment covering the last thirty-five (35) days.
c) Data Collection & Transmission:
- The application is hosted on the Azure App Service platform; there is no remote desktop access to the underlying machines
- All data sent to Indigo is encrypted in transit. Our API and application endpoints are served over TLS (HTTPS) only and score an “A” rating on SSL Labs’ tests
- All recommended HTTP security headers are implemented to mitigate clickjacking and cross-site scripting (XSS) attacks, with an “A” rating on securityheaders.io
- Tinfoil Security is used for continuous vulnerability scanning
- Transport Layer Security (TLS) protects data in transit on connections to the SQL Database.
- Database firewall – Only the IP addresses of the App Service and of Shireburn are whitelisted (and only authorised Shireburn personnel who require such access to perform their job are given it).
- We also use Transparent Data Encryption, which protects data at rest by encrypting the database, its associated backups and transaction log files at the physical storage layer. This encryption is transparent to the application and uses hardware acceleration to improve performance.
d) Auditing & Threat Detection
- We use Auditing for Azure SQL Database to track database events and write them to an audit log. Auditing lets us understand ongoing database activity and analyse and investigate historical activity to identify potential threats, suspected abuse and security violations.
- We also use Azure SQL Database Threat Detection to detect anomalous database activity indicating potential security threats to the database. Threat Detection helps meet the data breach notification requirement of the GDPR.
a) Indigo Users
- Fully customisable Password Complexity Policy – minimum length, minimum uppercase, minimum lowercase, minimum digits, minimum symbols, disallowed words
- Password Reuse Policy – a user cannot reuse any of their last N passwords
- Password Expiry Policy – passwords expire after a configurable number of days
- Force user(s) to change their own password – the system will prompt the user to change their password at the next login
- Locking of user accounts
- User record filters for Employees – filters can be set on any field of the employee record to restrict which records a user can see
- Two-factor authentication using an SMS text message or email – either by personal choice or enforced by company policy
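The list above describes the password policy as a set of configurable rules. The following is an added example, not Shireburn Indigo code, showing how such a policy is typically enforced: complexity rules and disallowed words are checked on the candidate, reuse of the last N passwords is detected by comparing against a salted hash history (never stored plaintext), expiry and forced change are evaluated at login, and repeated failed logins lock the account. The class and function names, the default values and the scrypt parameters are this example's own assumptions.

```python
"""Password policy enforcement of the kind listed above.

Added example, not Shireburn Indigo code. The rules mirror the page's list
(minimum length, upper/lower/digit/symbol counts, disallowed words, no reuse
of the last N passwords, expiry after a number of days, forced change at next
login, account locking); names and default values are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    disallowed_words: tuple[str, ...] = ("password", "indigo", "shireburn")
    history_size: int = 5       # cannot reuse any of the last N passwords
    max_age_days: int = 90      # password expires after this many days
    lockout_threshold: int = 5  # consecutive failures before the account locks


def complexity_errors(policy: PasswordPolicy, password: str) -> list[str]:
    """Return every rule the candidate violates (empty list means compliant)."""
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "digits": sum(c.isdigit() for c in password),
        "symbols": sum(c in string.punctuation for c in password),
    }
    required = {
        "uppercase": policy.min_upper, "lowercase": policy.min_lower,
        "digits": policy.min_digits, "symbols": policy.min_symbols,
    }
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    for kind, minimum in required.items():
        if counts[kind] < minimum:
            errors.append(f"fewer than {minimum} {kind}")
    lowered = password.lower()
    for word in policy.disallowed_words:
        if word.lower() in lowered:  # case-insensitive substring match
            errors.append(f"contains disallowed word '{word}'")
    return errors


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted scrypt hash; only hashes, never plaintext, go into the history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


@dataclass
class UserCredential:
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # oldest first
    set_on: date = field(default_factory=date.today)
    force_change: bool = False
    failed_attempts: int = 0
    locked: bool = False

    def was_used_recently(self, policy: PasswordPolicy, candidate: str) -> bool:
        # Re-hash the candidate with each stored salt; constant-time compare.
        for salt, digest in self.history[-policy.history_size:]:
            if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
                return True
        return False

    def set_password(self, policy: PasswordPolicy, new_password: str,
                     today: date | None = None) -> list[str]:
        """Apply all rules; returns the violations, or [] and stores the hash."""
        errors = complexity_errors(policy, new_password)
        if self.was_used_recently(policy, new_password):
            errors.append(f"matches one of the last {policy.history_size} passwords")
        if errors:
            return errors
        self.history.append(hash_password(new_password))
        self.set_on = today or date.today()
        self.force_change = False
        return []

    def must_change(self, policy: PasswordPolicy, today: date | None = None) -> bool:
        """True when an admin forced a change or the password has expired."""
        today = today or date.today()
        return self.force_change or today - self.set_on >= timedelta(days=policy.max_age_days)

    def verify(self, policy: PasswordPolicy, attempt: str) -> bool:
        """Check a login attempt; lock the account after too many failures."""
        if self.locked or not self.history:
            return False
        salt, digest = self.history[-1]
        ok = hmac.compare_digest(hash_password(attempt, salt)[1], digest)
        if ok:
            self.failed_attempts = 0
        else:
            self.failed_attempts += 1
            if self.failed_attempts >= policy.lockout_threshold:
                self.locked = True
        return ok
```

Because the history holds only salted hashes, a reuse check costs one scrypt computation per remembered password, which is why the history window (N) is kept small; a locked account stays locked until an administrator clears the flag, and an expired password still verifies but `must_change` tells the login flow to force a change before granting access.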
b) Roles & Permissions
- All functions and screens are tied to a role, a permission, or both
- Permissions are organised in groups and allocated to a user
- Every successful and unsuccessful login to the system is audited
- Every URL visited in the system is audited
- Every record in the system maintains the created on, created by, modified on and modified by fields
- Sensitive information, such as Employee records and Payroll Calculations, is audited when changed or deleted.
- Whitelisting / blacklisting of IP addresses for a specific tenant
Shireburn periodically commissions independent 3rd party specialist companies to undertake penetration testing of its Shireburn Indigo environment.
These Penetration Tests consist of reviewing practices, software and settings, and of attempting to circumvent the security provisions in the infrastructure and the application software. The findings are reported to Shireburn Software, which remediates any issues as appropriate before a re-test is undertaken.