Security Policy

Updated: 8 March 2018

This InfoSum Link Security Policy (the “Security Policy”) outlines the technical and procedural measures that InfoSum undertakes to protect Customer Data from unauthorized access or disclosure. This Security Policy is referenced in and made a part of the Terms of Service of InfoSum Link (“Terms of Service”). In the event of any conflict between the terms of the Terms of Service and this Security Policy, this Security Policy shall govern. Capitalized terms used but not defined in this Security Policy have the meanings set forth in the Terms of Service.

1.1 Customer Data Access and Management  

1.2. The Customer controls access to its Project via User IDs, passwords (with strong password enforcement) and optionally with 2-factor authentication tokens.

1.3. InfoSum Personnel may not access unencrypted Uploaded Data without the Customer’s consent. “InfoSum Personnel” means InfoSum employees and individual subcontractors.

1.4. InfoSum uses Uploaded Data only as necessary to provide Link and as set out in clause 4.1 of the Terms of Service.

1.5. Uploaded Data is stored only in a dedicated virtual server hosted on AWS, which is allocated exclusively to the Customer (a “Bunker”).

1.6. InfoSum shall create and maintain flow diagram(s) indicating how Uploaded Data flows through Link. InfoSum shall provide such flow diagram(s) upon Customer’s reasonable request.

1.7 Handling of Uploaded Data

1.8. All traffic within Link, including the initial transmission of Uploaded Data to the Bunker, is secured and encrypted by a TLS 1.2 secured HTTP session that utilises the Elliptic Curve Diffie-Hellman cipher suites (AES128-GCM-SHA256, AES256-GCM-SHA384 & CHACHA20-POLY1305-SHA256). Bunkers enforce HTTPS Strict Transport Security and support forward secrecy as well as secure renegotiation.

1.9. Uploaded Data is held in the Bunker initially in a raw state pending normalisation. Access to the Bunker is secured in accordance with section 1 above, with no other access available to the other InfoSum systems. The connection between the Customer’s browser and the Bunker is secured with HTTPS.

1.10. Upon completion of the normalisation process all Identifying Data within the Uploaded Data is hashed according to FIPS PUB 108-4 standards and the raw Identifying Data is deleted.  Direct access to the Bunker by the Customer is also disabled and the Uploaded Data may only be accessed by InfoSum’s data analysis systems.

1.11. The hashed Identifying Data remains in the Bunker. To provide Link, InfoSum’s data analysis systems transmit a probabilistic representation of a set of hashed Identifying Data and/or Non-Identifying Data to InfoSum’s cloud system and to the Bunkers of any third party within the relevant Project.

1.12. Where Bunkers for a specific Project are all hosted by InfoSum, then they are deployed into a dedicated, isolated subnet within a private VPC supernet. Layer 3 IP routing between Bunkers is prohibited; layer 3 reachability between the Bunker and the InfoSum cloud service is achieved with a VPC peering connection. All traffic entering or leaving a Bunker is subject to both dedicated and inherited AWS security groups to restrict what TCP traffic can enter or leave a Bunker.

1.13 InfoSum Service Infrastructure Access Management

1.14. Access to the systems and infrastructure that support the InfoSum Service is restricted to InfoSum Personnel who require such access as part of their job responsibilities.

1.15. Unique User IDs are assigned to InfoSum Personnel requiring access to the InfoSum servers that support Link.

1.16. Server password policy for Link in the production environment adheres to UK Government National Cyber Security Centre recommendations and industry best practices.

1.17. Access privileges of all InfoSum Personnel are monitored and adjusted accordingly as circumstances require.

1.18. User access privileges to the systems and infrastructure that support Link are reviewed quarterly.

1.19. Access attempts to the systems and infrastructure that support Link are logged and monitored.

1.20 Risk Management

1.21 InfoSum manages risk in accordance with industry best practices as detailed by the ISO27001 and SOC2 standards.

1.22. InfoSum conducts risk assessments of various kinds throughout the year, including self- and third-party assessments and tests, automated scans, and manual reviews.

1.23. Results of assessments, including formal reports as relevant, are reported to the Director of Security and reviewed by senior management together with recommendations for new or improved controls and threat mitigation strategies.

1.24. Changes to controls and threat mitigation strategies are evaluated and prioritized for implementation on a risk-adjusted basis.

1.25. Threats are monitored through various means, including threat intelligence services, vendor notifications, and trusted public sources.

1.26 Vulnerability Scanning and Penetration Testing

1.27. Vulnerability scans are automatically performed weekly on the systems that operate and manage the InfoSum Service. The vulnerability database is updated regularly.

1.28. Scans that detect vulnerabilities meeting InfoSum-defined risk criteria automatically trigger notifications to security personnel.

1.29. Potential impacts of vulnerabilities that trigger alerts are evaluated by staff.

1.30. Vulnerabilities that trigger alerts and have published exploits are reported to the Director of Security, who determines and supervises appropriate remediation action.

1.31. Security management monitors or subscribes to trusted sources of vulnerability reports and threat intelligence.

1.32. Penetration tests by an independent third-party expert shall be conducted at least annually.

1.33. Penetration tests performed by InfoSum Security are performed regularly throughout the year.

1.34. Remote Access & Wireless Network

1.35. All access to the InfoSum infrastructure requires authentication through a secure connection using approved methods such as VPNs and enforced with mutual certificate authentication and/or multi-factor authentication.

1.36. InfoSum maintains a strict policy of not storing Account Data or Uploaded Data (where access to InfoSum Personnel has been granted by the Customer) on local desktops, laptops, mobile devices, shared drives, removable media, as well as on public facing systems that do not fall under the administrative control or compliance monitoring processes of InfoSum.

1.37. Location of Data in Link

1.38. Uploaded Data is stored in AWS servers physically located in the UK.

1.39. System Event Logging

1.40. Monitoring tools and services are used to monitor systems including network, server events, and AWS API security events, availability events, resource utilization and internal service performance metrics.

1.41. InfoSum infrastructure security event logs are centralised in an industry-standard SIEM. Logs are stored for 12 months.

1.42. System Administration and Patch Management

1.43. InfoSum maintains system administration procedures for systems that access Uploaded Data that meet or exceed industry standards, including without limitation, system hardening, system and device patching (operating system and applications).

1.44. InfoSum Security reviews various vulnerability announcements weekly and assesses their impact on InfoSum based on InfoSum-defined risk criteria, including applicability and severity.

1.45. Applicable security updates rated as “high” or “critical” are addressed within 24 hours of the patch release.

1.46. InfoSum Security Training and InfoSum Personnel

1.47. InfoSum maintains a security awareness program for InfoSum Personnel, which provides initial education, ongoing awareness and individual InfoSum Personnel acknowledgment of intent to comply with InfoSum’s corporate security policies. All Personnel are contractually obliged to abide by the InfoSum Information Security Policy and undertake training on security procedures.

1.48. All InfoSum Personnel acknowledge they are responsible for reporting actual or suspected security incidents or concerns, thefts, breaches, losses, and unauthorized disclosures of or access to Customer Data.

1.49. All InfoSum Personnel are required to satisfactorily complete quarterly security training.

1.50. InfoSum performs criminal background screening as part of the InfoSum hiring process of Personnel to the Security Team, to the extent legally permissible.

1.51. InfoSum will ensure that its subcontractors, vendors, and other third parties that have direct access to the Customer Data in connection with the Services adhere to the data security standards of ISO27001 and SOC2.

1.52. Physical Security

1.1. The InfoSum Service is hosted in AWS and all physical security controls are managed by AWS. InfoSum reviews the AWS SOC 2 Type 2 report annually to ensure appropriate physical security controls:

1.1.1. Visitor management including tracking and monitoring physical access.

1.1.2. Physical access points to server locations are managed by electronic access control devices.

1.1.3. Monitor and alarm response procedures.

1.1.4. Use of CCTV cameras at facilities.

1.1.5. Video capturing devices in data centres with 90 days of image retention.

1.2. Notification of Security Breach

1.3. A “Security Breach” is (a) the unauthorized access to or disclosure of Uploaded or Account Data, or (b) the unauthorized access to the systems within Link that transmit or analyse Uploaded or Account Data.

1.4. InfoSum will notify Customer in writing within seventy-two (72) hours of a confirmed Security Breach.

1.5. Such notification will describe the Security Breach and the status of InfoSum’s investigation.

1.6. InfoSum will take appropriate actions to contain, investigate, and mitigate the Security Breach.

1.7. Customer Responsibilities

1.8. The Customer is responsible for managing its own user accounts and roles within Link and for protecting its own account and user credentials. The Customer will comply with the Terms of Service as well as all applicable laws.

1.9. The Customer will promptly notify InfoSum if a user credential has been compromised or if the Customer suspects possible suspicious activities that could negatively impact security of Link or the Customer’s accou

1.10. The Customer may not perform any security penetration tests or security assessment activities without the express advance written consent of InfoSum.
