SECURITY ARRANGEMENTS AND ACCEPTABLE USE POLICY
This document explains in more detail the security arrangements that Nasstar has in place to secure any of the Customer Data as well as the Acceptable Use Policy. This document forms part of the Master Services Agreement and the terms herein are incorporated by reference. Any defined terms used here shall have the meaning ascribed herein or shall have the meaning set out in the Master Services Agreement.
The Supplier’s systems are maintained in secure dedicated facilities known as “Server Farms”. The standard system management policies employed in the server farms include:
• Systems and networks managed, supported, monitored and available 24 hours per day 7 days per week 365 days per year
• System management and administration by skilled personnel
• Secure data backup
There are two server farms, each categorised as Tier 3 (or equivalent) located in Telford and London, each with:-
• Multiple Tier 1 Internet access Suppliers
• Temperature control within tolerances consistent with reliable operation of computer equipment.
• On-site manned security.
• Monitored CCTV, picture ID and keycard door entry systems.
• Power from multiple diverse feeds
• Battery backup power to cover short power outages.
• Generator backup power to cover extended power outages.
The Supplier’s hardware is based on products from industry leading manufacturers. Currently the primary Suppliers to the Supplier include Hewlett-Packard, Dell, NetApp and Cisco. These may vary during the Term as technology changes.
COMMUNICATIONS AND NETWORKING
Access to the Supplier’s systems is available either over private connections (Leased Lines, MPLS or PWAN) or over the public Internet (including ADSL or SDSL access circuits), in which case the connection is secured using encryption technology.
SYSTEM RESILIENCE, BACKUP AND DISASTER RECOVERY
All servers are configured and managed with the following facilities:
• Hardware disk mirroring and ‘hot swappable’ drives ensuring high data availability
• Monitoring with a range of industry standard SNMP (Simple Network Management Protocol) tools
• Power supply resilience through the use of UPS (Uninterruptible Power Supply) protection
The Supplier will employ the following backup regime for the Customer:
• Daily incremental backups - held for 1 week
• Weekly full backups - held for 1 month
• Monthly full backups - held for 1 year
• Annual full backups - held for 7 years
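The retention periods above describe a grandfather-father-son rotation: each backup is kept for a fixed period depending on its kind, and the overlapping periods are what give a restore point of some granularity at every horizon. The following Python is an added illustration of how a practitioner would check that property, not Nasstar code and not part of the agreement. The calendar it uses (annual full on 1 January, monthly full on the 1st of other months, weekly full on other Sundays, daily incremental on remaining days) and the day counts for "1 month" and "1 year" are assumptions, since the regime does not state them; the backup history it runs over is constructed.

```python
from datetime import date, timedelta

# Retention periods stated in the backup regime, expressed in days.
# The regime gives calendar periods; treating 1 month as 31 days and
# 1 year as 365 days is an assumption made for this example.
RETENTION_DAYS = {"daily": 7, "weekly": 31, "monthly": 365, "annual": 7 * 365}

# Reference date used by the sample run below (constructed, a Friday).
SAMPLE_AS_OF = date(2024, 3, 15)


def classify(day):
    """Assumed calendar (not stated in the regime): the annual full runs on
    1 January, a monthly full on the 1st of every other month, a weekly full
    on every other Sunday, and a daily incremental on all remaining days."""
    if day.month == 1 and day.day == 1:
        return "annual"
    if day.day == 1:
        return "monthly"
    if day.weekday() == 6:  # Sunday
        return "weekly"
    return "daily"


def expiry(day):
    """Date on which the backup taken on `day` falls out of retention."""
    return day + timedelta(days=RETENTION_DAYS[classify(day)])


def audit(backup_days, as_of):
    """Split backup dates into those still retained on `as_of` and those
    the regime says should already have been purged."""
    keep, purge = [], []
    for d in sorted(backup_days):
        (keep if expiry(d) > as_of else purge).append(d)
    return keep, purge


def max_gap(points, start, end):
    """Largest number of days between consecutive retained restore points
    inside [start, end]; 0 if fewer than two points fall in the window."""
    inside = [p for p in points if start <= p <= end]
    if len(inside) < 2:
        return 0
    return max((b - a).days for a, b in zip(inside, inside[1:]))


def coverage_report(backup_days, as_of):
    """Worst-case restore granularity (in days) that the retained set gives
    for each horizon the regime describes: last week, last month, last
    year and last seven years."""
    kept, _ = audit(backup_days, as_of)
    return {
        horizon: max_gap(kept, as_of - timedelta(days=horizon), as_of)
        for horizon in (7, 31, 365, 7 * 365)
    }


def constructed_history(as_of, years=8):
    """Constructed sample input: one backup on every day of the last `years`
    years, as a site following the regime would have produced."""
    first = as_of - timedelta(days=365 * years)
    return [first + timedelta(days=i) for i in range((as_of - first).days + 1)]


if __name__ == "__main__":
    history = constructed_history(SAMPLE_AS_OF)
    kept, purged = audit(history, SAMPLE_AS_OF)
    print(f"{len(kept)} backups retained, {len(purged)} purged as of {SAMPLE_AS_OF}")
    for horizon, gap in coverage_report(history, SAMPLE_AS_OF).items():
        print(f"last {horizon:>4} days: worst restore-point gap {gap} day(s)")
```

Under these assumptions the report for the sample date comes out as a gap of 1 day within the last week, 7 days within the last month, 31 days within the last year and 366 days within the last seven years, which is the guarantee the four retention lines imply. The same check run against a real backup catalogue (replace `constructed_history` with the dates actually present) shows immediately whether a missed weekly or monthly full has opened a larger gap than the regime promises.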
Resilient Server Farm communications are achieved by the use of separate physical connections delivered from separate POPs (Points of Presence).
Security is implemented on a number of levels to the extent possible by maintaining the relevant technologies, with a number of aims in mind:
• Protection of physical systems
• Restriction of systems and data access to authorised users
• Prevention of malicious attack on systems and/or data
• Restriction of network access and usage to authorised users and purposes only
The Supplier shall maintain technical and organisational standards in line with its ISO 27001 certification.
The Supplier’s Server Farms are built to high security standards, restricting access to authorised personnel only at all times.
Access to all non-public areas of the Supplier’s on-line systems and services is controlled by a system of authentication and encryption. This ensures that access is restricted to authorised individuals and that attempts to intercept network traffic will not reveal data content or enable access to Customer information or Data.
In order to gain access to the Customer’s area, from which all Customer applications, services and data are accessed, a Customer has to enter a valid user name and password. This initiates an authentication process, which identifies the Customer as an individual and provides them with access only to the systems and services to which he/she is entitled.
All communication between a Customer’s web browser and the Supplier’s services (other than access to the public areas), including entry of username and password, is encrypted in transit. This document specifies SSL 3 (Secure Sockets Layer 3) with 128-bit encryption. SSL 3.0 has since been deprecated (RFC 7568) following the POODLE attack, so a current deployment should be verified to negotiate TLS 1.2 or later and to refuse SSL 3.0 and TLS 1.0/1.1 connections.
When Customers attempt to access applications from the Customer’s area they are prompted for an additional user name and password. This is an operating system level authentication, which protects the individual application and its data.
The data controlling the configuration of each Customer’s personal Customer’s Area is stored in a separate part of the server file system, outside the web site’s document root, so that it cannot be requested directly through the web server by a would-be attacker. Access to this data for legitimate users is controlled by server-based scripts.
All login attempts are tracked and any incorrect entries are recorded, with multiple incorrect password entries for any user account resulting in the account being automatically disabled and a security warning being sent to all system administrators.
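The behaviour described in this paragraph, as an added Python illustration that is not Nasstar code and does not form part of the agreement: failed attempts are counted per account, a successful login resets the count, and once the count reaches a threshold the account is disabled and a warning is generated for administrators. The policy says "multiple" incorrect entries without giving a number, so the threshold of five consecutive failures is an assumption, as is the log line format; the log lines themselves are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed threshold: the policy says "multiple" incorrect entries disable the
# account but does not state how many. Five is an assumption for this example.
LOCKOUT_THRESHOLD = 5

# Constructed sample log lines in an assumed format; not from any real system.
# Note that bob's failures arrive from two different source addresses.
SAMPLE_LOG = """\
2024-03-15T08:00:01Z auth user=alice src=203.0.113.7 result=FAIL
2024-03-15T08:00:05Z auth user=alice src=203.0.113.7 result=OK
2024-03-15T08:01:10Z auth user=bob src=198.51.100.9 result=FAIL
2024-03-15T08:01:12Z auth user=bob src=198.51.100.9 result=FAIL
2024-03-15T08:01:15Z auth user=bob src=198.51.100.23 result=FAIL
2024-03-15T08:01:17Z auth user=bob src=198.51.100.23 result=FAIL
2024-03-15T08:01:20Z auth user=bob src=198.51.100.23 result=FAIL
2024-03-15T08:01:30Z auth user=bob src=198.51.100.9 result=OK
2024-03-15T08:02:00Z auth user=carol src=192.0.2.44 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def process(log_text, threshold=LOCKOUT_THRESHOLD):
    """Replay authentication log lines and apply the lockout rule.

    Returns the consecutive-failure count per account, the accounts that were
    disabled (with the timestamp of the disabling attempt), the warnings that
    would be sent to all system administrators, and any attempts made against
    an already-disabled account, which are refused regardless of result."""
    failures = defaultdict(int)   # consecutive failures per account
    disabled = {}                 # account -> timestamp it was disabled
    warnings = []                 # messages destined for all administrators
    rejected = []                 # (timestamp, account) refused while disabled
    unparsed = []                 # lines that did not match the expected format

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        ts, user, src, result = m.group("ts", "user", "src", "result")

        # A disabled account stays disabled until an administrator re-enables
        # it; a correct password after lockout is refused and still recorded.
        if user in disabled:
            rejected.append((ts, user))
            continue

        if result == "FAIL":
            failures[user] += 1
            if failures[user] >= threshold:
                disabled[user] = ts
                warnings.append(
                    f"{ts} account {user} disabled after {failures[user]} "
                    f"consecutive failed logins (last from {src})"
                )
        else:
            failures[user] = 0  # a successful login resets the counter

    return {
        "failures": dict(failures),
        "disabled": disabled,
        "warnings": warnings,
        "rejected": rejected,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = process(SAMPLE_LOG)
    for w in report["warnings"]:
        print("WARNING:", w)
    for ts, user in report["rejected"]:
        print(f"{ts} attempt on disabled account {user} refused")
    print("failure counters:", report["failures"])
```

On the sample input alice's single failure is cleared by her successful login, carol is one failure into the count, and bob is disabled on his fifth consecutive failure; his later correct login is refused because the account is already disabled. Two design points are worth noting: the counter is keyed on the account, not the source address, so spreading attempts across addresses (as bob's lines do) does not evade the lock; and because anyone who knows a username can deliberately trip the lock, the warning to administrators is also the signal to look for this being used as a denial of service against a legitimate user.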
All hosted systems, including e-mail have permanently active and frequently updated anti-virus software implemented. This monitors system, application, data and e-mail files for viruses, isolating and treating any infected items.
In the event of a new virus outbreak, all systems are checked for vulnerability and infection immediately, and anti-virus tools are updated to recognise the new virus as soon as an update is available.
All communications aspects of the Supplier's service are built using stringent secure networking principles.
All Server Farm systems are connected to the Internet via a firewall, ensuring that all illegal and/or undesirable traffic which can be identified at packet or port level is blocked by default.
All network traffic is monitored and checked routinely for consistent performance and attempted security breaches.
The Services may not be used to facilitate, send, knowingly receive, upload, download, or use or store:
• un-solicited e-mails (spam);
• bulk email sending, where the recipient addresses on a single email exceed 1,000, or the number of emails sent exceeds 2,500 per day;
• illegal software or images, or any material considered to be illegal in the United Kingdom;
• pornographic material (unless in relation to legitimate Customer business);
• software in breach of the owner’s copyright;
• material that is considered to be racist or likely to incite racist behaviour (unless in relation to legitimate interests of business);
• material which is offensive, abusive, indecent, defamatory, obscene or menacing, in breach of copyright, confidence, privacy or any other rights (unless in relation to legitimate interests of business).