SECURITY ARRANGEMENTS AND ACCEPTABLE USE POLICY

This document explains in more detail the security arrangements that Nasstar has in place to secure any of the Customer Data as well as the Acceptable Use Policy.  This document forms part of the Master Services Agreement and the terms herein are incorporated by reference.  Any defined terms used here shall have the meaning ascribed herein or shall have the meaning set out in the Master Services Agreement.

 

OVERVIEW

The Supplier’s systems are maintained in secure dedicated facilities known as “Server Farms”.  The standard system management policies employed in the server farms include:

 

• Systems and networks managed, supported, monitored and available 24 hours per day, 7 days per week, 365 days per year.

• System management and administration by skilled personnel.

• Secure data backup.


There are two Server Farms, each categorised as Tier 3 (or equivalent), located in Telford and London, each with:

• Multiple Tier 1 Internet access Suppliers.

• Temperature control within tolerances consistent with reliable operation of computer equipment.

• Fire detection and suppression systems.

• On-site manned security.

• Monitored CCTV, picture ID and keycard door entry systems.

• Power from multiple diverse feeds.

• Battery backup power to cover short power outages.

• Generator backup power to cover extended power outages.

 
 
PLATFORMS

 

The Supplier’s hardware is based on products from industry-leading manufacturers. The Supplier’s current primary hardware vendors are Hewlett-Packard, Dell, NetApp and Cisco. These may vary during the Term as technology changes.

 
 
COMMUNICATIONS AND NETWORKING

 

Access to the Supplier’s systems is available via private connections (Leased Lines, MPLS, PWAN) and via the Internet, including ADSL and SDSL connections, with Internet access secured by encryption.

 
 
SYSTEM RESILIENCE, BACKUP AND DISASTER RECOVERY

 

All servers are configured and managed with the following facilities:

• Hardware disk mirroring and ‘hot swappable’ drives, ensuring high data availability.

• Monitoring with a range of industry standard SNMP (Simple Network Management Protocol) tools.

• Power supply resilience through the use of UPS (Uninterruptible Power Supply) protection.

 

The Supplier will employ the following backup regime for the Customer:

• Daily incremental backups - held for 1 week

• Weekly full backups - held for 1 month

• Monthly full backups - held for 1 year

• Annual full backups - held for 7 years
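The retention schedule above, worked through as code. This is an added example and not Nasstar's own backup tooling: it assumes one backup run per day, classified by calendar (1 January is the annual full, the first day of any other month the monthly full, Sunday the weekly full, every other day a daily incremental), and treats “1 month” and “1 year” as 31 and 366 days so that no backup is expired early. It prunes a run history against those periods and builds the chain of backups a restore needs, which is the check that shows the fulls outlive the incrementals that depend on them.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Tuple


class Tier(Enum):
    DAILY = "daily incremental"
    WEEKLY = "weekly full"
    MONTHLY = "monthly full"
    ANNUAL = "annual full"


# Retention from the regime above. "1 month" and "1 year" are taken as 31 and
# 366 days (an assumption of this example) so a backup is never expired early.
RETENTION = {
    Tier.DAILY: timedelta(days=7),
    Tier.WEEKLY: timedelta(days=31),
    Tier.MONTHLY: timedelta(days=366),
    Tier.ANNUAL: timedelta(days=7 * 366),
}

WEEKLY_FULL_DAY = 6  # Sunday in date.weekday() numbering; assumed day for the weekly full


@dataclass(frozen=True)
class Backup:
    run_date: date
    tier: Tier

    @property
    def is_full(self) -> bool:
        return self.tier is not Tier.DAILY

    @property
    def expires_on(self) -> date:
        return self.run_date + RETENTION[self.tier]


def tier_for(run_date: date) -> Tier:
    """Assign a run to a tier by calendar. A date that qualifies for more than
    one tier takes the longest-lived one, so 1 January is always the annual full."""
    if run_date.month == 1 and run_date.day == 1:
        return Tier.ANNUAL
    if run_date.day == 1:
        return Tier.MONTHLY
    if run_date.weekday() == WEEKLY_FULL_DAY:
        return Tier.WEEKLY
    return Tier.DAILY


def plan(first: date, last: date) -> List[Backup]:
    """The runs the regime schedules on every day from `first` to `last` inclusive."""
    days = (last - first).days + 1
    return [Backup(first + timedelta(days=i), tier_for(first + timedelta(days=i)))
            for i in range(days)]


def prune(backups: List[Backup], today: date) -> Tuple[List[Backup], List[Backup]]:
    """Split a run history into (keep, expire). A run expires once its whole
    retention period has elapsed."""
    keep = [b for b in backups if b.expires_on > today]
    expire = [b for b in backups if b.expires_on <= today]
    return keep, expire


def restore_chain(backups: List[Backup], target: date) -> List[Backup]:
    """Backups needed to restore the state at `target`: the latest full on or
    before that date plus every incremental between it and `target`. Raises if
    no full survives, which is exactly the failure a pruning bug would cause."""
    ordered = sorted(backups, key=lambda b: b.run_date)
    fulls = [b for b in ordered if b.is_full and b.run_date <= target]
    if not fulls:
        raise ValueError(f"no full backup on or before {target}")
    base = fulls[-1]
    return [base] + [b for b in ordered
                     if not b.is_full and base.run_date < b.run_date <= target]


if __name__ == "__main__":
    # Constructed history: one run per day across the 2023/24 year end.
    history = plan(date(2023, 12, 25), date(2024, 1, 10))
    keep, expire = prune(history, date(2024, 1, 10))
    for b in expire:
        print(f"expire {b.run_date} ({b.tier.value})")
    chain = restore_chain(keep, date(2024, 1, 9))
    print("restore to 2024-01-09 needs:", [str(b.run_date) for b in chain])
```

Under this schedule every full backup is retained for at least 31 days while incrementals live 7, so a pruned history always still contains the base full for any retained incremental; `restore_chain` makes that property checkable rather than assumed.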

 

Resilient Server Farm communications are achieved by the use of separate physical connections delivered from separate POPs (Points of Presence).

 

 

SECURITY ARRANGEMENTS

INTRODUCTION

 

Security is implemented at a number of levels, using the relevant technologies, with the following aims:

• Protection of physical systems.

• Restriction of systems and data access to authorised users.

• Prevention of malicious attack on systems and/or data.

• Restriction of network access and usage to authorised users and purposes only.

 

 

ISO 27001

 

The Supplier shall maintain technical and organisational standards in line with its ISO 27001 certification.

 

 

PHYSICAL SECURITY

 

The Supplier’s Server Farms are built to high security standards, restricting access to authorised personnel only at all times.

 

 

SYSTEM SECURITY

 

Access to all non-public areas of the Supplier’s on-line systems and services is controlled by a system of authentication and encryption.  This ensures that access is restricted to authorised individuals and that attempts to intercept network traffic will not reveal data content or enable access to Customer information or Data.

 

In order to gain access to the Customer’s area, from which all Customer applications, services and data are accessed, a user has to enter a valid user name and password. This initiates an authentication process which identifies the user as an individual and grants access only to the systems and services to which he or she is entitled.

 

All communication between a Customer’s web browser and the Supplier’s services (other than access to the public areas), including entry of the username and password, is encrypted in transit. The original specification names SSL 3 (Secure Sockets Layer 3) with 128-bit ciphers. SSL 3.0 has since been deprecated (RFC 7568, 2015) because of known protocol weaknesses, so the equivalent protection today is TLS 1.2 or later, and “128-bit” describes the symmetric key length of the negotiated cipher rather than a highest possible level of encryption.

 

When a Customer’s users attempt to access an application from the Customer’s area they are prompted for a further user name and password. This is an operating-system-level authentication that protects the individual application and its data independently of the portal login.

 

The data controlling the configuration of each Customer’s area is stored in a part of the server file system separate from the web site’s document root, so that it cannot be retrieved directly over the web by would-be attackers. Legitimate access to this data is mediated by server-side scripts, which enforce the access controls; the separation is a defence-in-depth measure and does not replace those controls.

 

All login attempts are logged and every incorrect entry is recorded. Repeated incorrect password entries for a user account result in the account being automatically disabled and a security warning being sent to all system administrators.
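The login, entitlement and lockout behaviour described in the preceding paragraphs, as an added example that is not Nasstar's own portal code. It assumes a lockout threshold of five failed attempts, salted PBKDF2-HMAC-SHA256 password storage and an alert callback standing in for the warning e-mail to system administrators; the generic failure message, constant-time comparison and dummy credential for unknown usernames are the details a practitioner would expect but the text does not spell out.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

LOCKOUT_THRESHOLD = 5           # failed attempts before an account is disabled (assumed value)
PBKDF2_ROUNDS = 100_000
GENERIC_FAILURE = "invalid credentials"   # never tell the caller *why* it failed


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 of the password (assumed scheme for this example)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    entitlements: FrozenSet[str]   # systems and services this user may reach
    failures: int = 0
    disabled: bool = False


@dataclass(frozen=True)
class LoginResult:
    ok: bool
    reason: str
    entitlements: FrozenSet[str] = frozenset()


class AuthService:
    """Username/password authentication with lockout and an administrator alert."""

    def __init__(self, alert: Callable[[str], None]):
        self._accounts: Dict[str, Account] = {}
        self._alert = alert              # e.g. e-mail to all system administrators
        self.audit_log: List[str] = []   # every attempt; passwords are never written here
        # Dummy credential so an unknown username costs the same time as a bad password.
        self._dummy_salt, self._dummy_digest = hash_password(os.urandom(8).hex())

    def register(self, username: str, password: str, entitlements) -> None:
        salt, digest = hash_password(password)
        self._accounts[username] = Account(username, salt, digest, frozenset(entitlements))

    def is_disabled(self, username: str) -> bool:
        return self._accounts[username].disabled

    def unlock(self, username: str) -> None:
        """An administrator re-enables an account that lockout disabled."""
        acct = self._accounts[username]
        acct.failures, acct.disabled = 0, False
        self.audit_log.append(f"unlock user={username}")

    def login(self, username: str, password: str) -> LoginResult:
        acct = self._accounts.get(username)
        salt = acct.salt if acct else self._dummy_salt
        expected = acct.digest if acct else self._dummy_digest
        _, supplied = hash_password(password, salt)
        matches = hmac.compare_digest(supplied, expected)   # constant-time comparison

        if acct is None:
            self.audit_log.append(f"fail user={username} cause=unknown-user")
            return LoginResult(False, GENERIC_FAILURE)
        if acct.disabled:
            self.audit_log.append(f"fail user={username} cause=disabled")
            return LoginResult(False, GENERIC_FAILURE)
        if not matches:
            acct.failures += 1
            self.audit_log.append(f"fail user={username} cause=bad-password n={acct.failures}")
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.disabled = True
                self._alert(f"SECURITY WARNING: account {username} disabled after "
                            f"{acct.failures} failed logins")
            return LoginResult(False, GENERIC_FAILURE)

        acct.failures = 0   # a successful login clears the counter
        self.audit_log.append(f"ok user={username}")
        return LoginResult(True, "authenticated", acct.entitlements)

    def authorize(self, username: str, service: str) -> bool:
        """Check at application entry: only entitled services are reachable."""
        acct = self._accounts.get(username)
        return bool(acct) and not acct.disabled and service in acct.entitlements
```

One caveat on the policy itself: an account that stays disabled until an administrator unlocks it lets anyone who knows a username lock that user out at will. Deployments usually pair the alert with a time-limited lockout or progressive delays so that the denial-of-service cost of the control stays bounded.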

 

 
ANTI VIRUS

 

All hosted systems, including e-mail, run permanently active and frequently updated anti-virus software. This monitors system, application, data and e-mail files for viruses, isolating and disinfecting any infected items.

 

In the event of a new virus outbreak, all systems are checked immediately for vulnerability and infection, and the anti-virus tools are updated to recognise the new virus as soon as an update is available.

 

 

NETWORK SECURITY

 

All communications aspects of the Supplier's service are built using stringent secure networking principles.

 

All Server Farm systems are connected to the Internet via a firewall that denies traffic by default, so that any unwanted or illegitimate traffic identifiable at packet or port level is blocked unless explicitly permitted.

 

All network traffic is monitored and checked routinely for consistent performance and attempted security breaches.

 

 

ACCEPTABLE USE

The Services may not be used to facilitate, send, knowingly receive, upload, download, use or store:

• unsolicited e-mails (spam);

• bulk e-mail, where the recipient addresses on a single e-mail exceed 1,000, or the number of e-mails exceeds 2,500 per day per user;

• illegal software or images, or any material considered to be illegal in the United Kingdom;

• pornographic material (unless in relation to legitimate Customer business);

• software in breach of the owner’s copyright;

• material that is considered to be racist or likely to incite racist behaviour (unless in relation to the legitimate interests of the business);

• material which is offensive, abusive, indecent, defamatory, obscene or menacing, or in breach of copyright, confidence, privacy or any other rights (unless in relation to the legitimate interests of the business).