PROTECTION & SECURITY
COMPLIANCE

ibCom mydigitalstructure is a highly secure enterprise-grade fully hosted platform.  It runs on Amazon Web Services, a world-class infrastructure provider. ibCom's information security compliance depends on part on the inherent compliance encapsulated within Amazon Web Services.

Before reading about ibCom's information security compliance, we recommend reading:


View our ISO27001 & 270017 certifications

INFRASTRUCTURE COMPLIANCE

AWS is compliant with standards: HIPAA, SOC 1/SSAE 16/ISAE 3402 (formerly SAS70), SOC 2, SOC 3, PCI DSS Level 1, ISO 27001, ISO27017, ISO27018, FedRAMP(SM), DIACAP and FISMA, ITAR, FIPS 140-2, CSA, MPAA.

It covers the following area of compliance:

  • Supplier employees
  • Access management
  • External media
  • Environmental security
  • Network security

Find out more

IBCOM PLATFORM COMPLIANCE

The next layer in proving compliance is the application platform compliance, covering:

  • Authentication
  • Authorisation
  • Data validation - in terms of typing and general rules.
  • Error handling
  • Session management
  • Logging
  • Auditing
  • Encryption

We are constantly evaluating the ibCom platform service against industry best standards.

Deployment and maintenance is covered by 3rd party providers who build their apps on top of the ibCom platform.

ibCom employee access The ibCom platform is run by "machines" within the AWS service, with very little human access - only afewlong term highly qualifiedemployeeshave access.

Being employeed by ibCom does not inherently give an employee access.

If an employee that has not yet been employed by ibCom for one (1) year requires operational access then they must have at least one years experience with an equivalent well-proven provider similar to ibCom.

All employees are bound by confidentiality / non-disclosure agreements.

Security ibCom mydigitalstructure is a fixed application platform developed over the last thirteen plus (13+) years and is now at a point in its lifecycle where it does not change.  All application changes occur by 3rd parties in the isolated "user mode" operating on top of the platform.
Disaster recovery ibCom runs a real-time duplicate service in "warm mode" in Singapore.

The warm service is constantly being tested for "ready-to-run" status.

more about regions

In-transit Security 2048/256 SSL - with DH cipher for Perfect forward security.
Authentication 2nd factor authentication is available.  Single-sign-on is a function of the "user mode" application layer and thus handled by the app provider.

more about authentication

Authorisation All of the 700+ platform methods can be functionally controlled for:
  • Read
  • Write
  • Delete

Data based restrictions are also available.

more about access control

Reporting ibCom offers a number of ways for reporting issues, including a reward for reporting.

Any issue that is applicable to more than one user (tenant) will be reported to all users (tenants) of the platform.

Rectification ibCom will fix any reported issue within 24 hours (maximum).
Certification ibCom is constantly updating its ISO/IEC 27001 Statement of Applicability, in relation to ibCom's plan-do-check-act framework in-conjunction with measuring-and-evaluating.  We are currently in the process of being independently certified (as at JUN2015).
Data Cleansing Within both the multi-tenanted and "isolated" modes all data is clearly segmented and can be cleansed by the owner of the data as-and-when they wish, using the standard platform API methods (functions).
Data Continuity Within both the multi-tenanted and "isolated" mode all data can be backed up by the owner of the data as-and-when they wish, using the standard platform API methods (functions).
Data geographical location ibCom platform is hosted at the AWS Sydney location.

more about regions

Data Access Data can only be accessed by users that the owner of the data has granted access to.

The owner of the data can remove access by users at any time they wish, using standard platform API methods (functions).

Data Backup Data is constantly being backed up and restored.
Data Encryption Space based at-rest data encrption is available with a "Isolated Data Space".
Logging All logging is in the context of a tenant space and the specific user that initiated the action.
Operating Systems All operating systems are constantly updated for critical security fixes.
Penetration Testing Systems are constantly being tested for vulnerabilities using OWASP based framework.  If a user wishes to conduct their own penetration testing, they need to contact ibCom to make arrangements.
Capacity Management ibCom uses a number of standard AWS functions to dynamically scale to meet demand.
ibCom's ISO/IEC 27001 Statement of Applicability
EU DATA PROTECTION DIRECTIVE COMPLIANCE

The EU Data Protection Directive relates to data that is considered "personal data" i.e. when someone is able to be linked to the information, even if the person holding the data cannot make this link. Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.

More about the Directive 95/46/EC

EC Justice Information on privacy

Directive 95/46/EC

In a broad sense ibCom at is core is about keeping data private and complies with all personal data privacy as per control 18.1.4 of the ISO27001/17 standard.

Also, mydigitalstucture utilises the AWS Infrastructure as a Service via an agreement.  That agreement has model causes (as defined in "Standard Contractual Clauses 2010/87/EU") in it that set the terms of AWS acting as a data-contoller/processor and these clauses have been accepted by the EU Article 29 Working Party.

If you use mydigitalstructure to control/process personal data, with the correct implementation of standard "model" clauses in your contract you can potentially meet this directive.

AWS compliance

EU accepting AWS agreement with model clauses

AWS Data Processing Addendum with model clauses

What is the AWS Data Processing Addendum?

AWS provides a data processing addendum to help customers meet their data protection obligations. AWS can also add the Standard Contractual Clauses 2010/87/EU (often referred to as “Model Clauses”) to a customer’s data processing addendum if the customer needs this to transfer personal data from the EU to a country outside the European Economic Area.

On March 6, 2015, the AWS data processing addendum, including the Model Clauses, was approved by the group of EU data protection authorities known as the Article 29 Working Party. This approval means that any AWS customer who requires the Model Clauses can now rely on the AWS data processing addendum as providing sufficient contractual commitments to enable international data flows in accordance with the Directive. For more detail on the approval from the Article 29 Working Party, please visit the Luxembourg Data Protection Authority webpage here: http://www.cnpd.public.lu/en/actualites/international/2015/03/AWS/index.html.

Now that the EU-U.S. Safe Harbour program has been ruled invalid, can customers still use AWS and comply with EU law?

Security of our customers' data is our number one priority, and AWS has already obtained approval from EU data protection authorities, known as the Article 29 Working Party, of the AWS Data Processing Addendum and Model Clauses to enable transfer of data outside Europe, including to the U.S. With our EU-approved Data Processing Addendum and Model Clauses, AWS customers can continue to run their global operations using AWS in full compliance with EU law. The AWS Data Processing Addendum is available to all AWS customers that are processing personal data whether they are established in Europe or a global company operating in the European Economic Area. For additional information about EU Data Protection, please visit the AWS EU Data Protection FAQ."

[Source: Amazon Web Services]



 
BP-ISO27001-17-Small.png
Protection & Security
Amazon Web Services (AWS) Security
AWS Compliance
AWS Penetration Testing
operations@ibcom.biz
PGP Public Key
Information Security Management System
ibCom's ISO/IEC 27001 Statement of Applicability
SSAE-16 (ISAE 3402)
Cloud Security Alliance