If you are evaluating Facilities Management Software applications, your IT department likely has questions about security. All this month we have been addressing the most Frequently Asked Questions (FAQs) about the security of our portal. Today's topic: Operational Security.
Operational Security refers to the security practices applied to day-to-day tasks and ongoing operations.
1. What is the process for evaluating OS and application vendor security alerts and installing security patches and service packs?
As mentioned in the previous post, Rackspace handles all patching and OS upgrades for the software it provides. Patch updates are thoroughly tested in Rackspace's test environment prior to installation in the iOffice environment, to confirm that they will not adversely affect your system.
Rackspace typically deploys critical patches immediately, with limited testing. All other patches are tested and held for at least 7 business days to allow for assessment of their impact. Notifications of standard patches are released to iOffice on a monthly basis; critical patch notifications are made within 7 business days.
Rackspace's process for implementing updates is as follows. As security fixes are released, Rackspace tests the updates internally to make sure they will not cause complications on your system. Once the patches have been tested and approved, a ticket is generated to notify you that updates are ready to be applied to your servers. You have 2 days from the time the ticket is created to respond with a request not to be updated, or with specific instructions concerning the updates. If there are no further instructions from the customer, Rackspace proceeds to apply the released patches to your configuration by the end of the week. When servers are kicked (provisioned) in the managed segment, their scheduled patching day and time are randomized, so these servers patch at different times. The default patching week is week 4 of the month: starting on the 4th Monday of the month, these servers patch according to the schedule set on each server.
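The dates in the patching process above can be derived mechanically, which is useful when tracking whether a vendor is meeting the stated windows. The following is an added example, not iOffice's or Rackspace's own tooling; it assumes "end of the week" means Friday, that the ticket is opened the day the 7-business-day hold ends, and that the randomized slot is seeded by hostname so it stays stable between runs. Public holidays are not modelled.

```python
from datetime import date, datetime, timedelta
import random

# Policy values as stated in the post.
STANDARD_HOLD_BUSINESS_DAYS = 7     # non-critical patches held for at least 7 business days
CRITICAL_NOTICE_BUSINESS_DAYS = 7   # critical patch notifications within 7 business days
CUSTOMER_RESPONSE_DAYS = 2          # customer may object within 2 days of the ticket


def add_business_days(start, n):
    """Advance `start` by n Monday-to-Friday business days (holidays not modelled)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def end_of_week(d):
    """First Friday on or after d (assumption: 'end of the week' means Friday)."""
    return d + timedelta(days=(4 - d.weekday()) % 7)


def patch_timeline(released, critical):
    """Dates a customer should expect for one vendor patch released on `released`."""
    if critical:
        return {
            "earliest_apply": released,  # deployed immediately with limited testing
            "notify_by": add_business_days(released, CRITICAL_NOTICE_BUSINESS_DAYS),
        }
    ticket = add_business_days(released, STANDARD_HOLD_BUSINESS_DAYS)  # assumption: ticket opens when hold ends
    respond_by = ticket + timedelta(days=CUSTOMER_RESPONSE_DAYS)
    return {
        "ticket_opened": ticket,
        "respond_by": respond_by,
        "apply_by": end_of_week(respond_by),
    }


def is_overdue(timeline, applied_on):
    """True if a standard patch was applied after the date the policy commits to."""
    return applied_on > timeline["apply_by"]


def fourth_monday(year, month):
    """Start of the default patching week (week 4 of the month)."""
    first = date(year, month, 1)
    first_monday = first + timedelta(days=(0 - first.weekday()) % 7)
    return first_monday + timedelta(days=21)


def managed_server_slot(hostname, year, month):
    """Randomized day and hour inside the patching week for one managed server.
    Seeding by hostname is an assumption; it keeps the slot reproducible."""
    rng = random.Random(hostname)
    start = fourth_monday(year, month)
    base = datetime(start.year, start.month, start.day)
    return base + timedelta(days=rng.randrange(7), hours=rng.randrange(24))


if __name__ == "__main__":
    t = patch_timeline(date(2024, 3, 1), critical=False)
    print(t, "overdue:", is_overdue(t, date(2024, 3, 18)))
    print("patch week starts", fourth_monday(2024, 3))
    print("slot for app01:", managed_server_slot("app01.example", 2024, 3))
```

Feeding each vendor ticket through `patch_timeline` and comparing against the actual apply date with `is_overdue` gives a simple compliance record for the review meetings these FAQs are meant to support.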
2. How does iOffice store audit trails and security logs?
There are multiple logging processes around both the application and the infrastructure. The application logs certain transactions by individual users. Administrative changes are logged, including changes performed by users who hold the operator role. We also keep modification logs so we can see when, and by whom, items were changed in the application.
System logs are kept for all of our servers and are routinely monitored for performance and exceptions.
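As an added illustration of the modification log described above (this is example code, not iOffice's implementation), the class below records who changed which item, when, and what the value was before and after, and can answer the two questions the post raises: the history of one item, and all changes made by administrative or operator accounts. It goes one step beyond the post by chaining each entry to the previous one with a SHA-256 digest, so that any later edit to stored entries is detectable; the role names and sample entries are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

ADMIN_ROLES = {"administrator", "operator"}  # assumed role names treated as administrative


class AuditLog:
    """Append-only modification log with a hash chain for tamper evidence."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, with a canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor, role, action, item, before=None, after=None, at=None):
        """Append one change; returns the entry's hash."""
        at = at or datetime.now(timezone.utc)
        entry = {
            "ts": at.isoformat(),
            "actor": actor,
            "role": role,
            "action": action,
            "item": item,
            "before": before,
            "after": after,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def history(self, item):
        """When and by whom `item` was changed, oldest first."""
        return [(e["ts"], e["actor"], e["action"]) for e in self.entries if e["item"] == item]

    def admin_changes(self):
        """Changes performed by administrators or operators."""
        return [e for e in self.entries if e["role"] in ADMIN_ROLES]

    def verify(self):
        """Index of the first entry whose link or digest is broken, or -1 if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def sample_log():
    """Constructed sample: three changes on a facilities record and a request."""
    log = AuditLog()
    t = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.record("alice", "operator", "update", "room/101", {"capacity": 8}, {"capacity": 10}, at=t)
    log.record("bob", "user", "create", "request/555", None, {"type": "move"}, at=t)
    log.record("carol", "administrator", "delete", "room/101", {"capacity": 10}, None, at=t)
    return log


if __name__ == "__main__":
    log = sample_log()
    print(log.history("room/101"))
    print(len(log.admin_changes()), "administrative changes; chain intact:", log.verify() == -1)
```

In a real deployment the entries would be written to storage the application cannot rewrite (or shipped to a separate log host), and `verify` would run as a routine check alongside the performance and exception monitoring the post mentions.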
3. Can iOffice show documented procedures for incident response and incident escalation/investigation?
Yes. Rackspace and iOffice run a 24x7x365 operation to provide constant awareness and coverage. Each customer defines the call tree, order of contact and similar details that they wish iOffice to follow in its Incident Management process. The point of reference starts with the customer's Account Manager; internal team members work with the account teams to notify each customer of any issue that may affect their environment.
4. What is the data backup process?
Servers are backed up to Rackspace's centralized Managed Backup Storage System. The configuration performs a Weekly Full and Daily Differential backup, with a retention period of two or four weeks. Backups are stored off-site with a retention period of 12 weeks.
Managed Backup uses an independent private network for all backups, running on an all-Cisco switched network. This was done to minimize network security concerns, with the following results:
- Each server is in a port level VLAN.
- Each customer's servers can see only the backup servers and that customer's own other servers on the network.
- No one customer can see any other customer's server on another port level VLAN.
5. Do you hold any current information security or quality certifications, such as ISO 27001 or ISO 9000 certification?
Rackspace has policies that meet industry best practice, following the ISO 27001 framework. However, Rackspace policy prohibits external distribution of company policies and procedures. All Rackspace policies and procedures are confidential and proprietary; they are sensitive, and the prohibition on external distribution was adopted in part to protect the entire customer base.
The following list shows the policies that currently make up the Rackspace Security Policies, with a brief description of what each covers:
- Rackspace Security Organization - establishes corporate security department and outlines responsibility for security at Rackspace.
- Personnel Security - outlines security requirements associated with the Rackspace workforce.
- Physical Access - defines requirements for physical security controls and processes.
- Asset Controls - outlines expectations that establish control for physical assets within the company.
- Information Sensitivity - defines the categories of information that support Rackspace business and the controls to protect them.
- Business Continuity - defines the corporate approach to ensuring that the Rackspace customer support infrastructure is always available.
- Incident Response - provides expectations for the development of a defined corporate response to security incidents.
- Acceptable Use - establishes requirements and prohibitions for the appropriate use of Rackspace's service by customers.
6. Do you have any SSAE 16 (formerly known as SAS 70 Type II) or equivalent audit reports that can be shared?
Yes. All requestors must execute an NDA with Rackspace in order to receive the latest copy of the SSAE 16. If you are a prospective customer interested in receiving this
7. Can iOffice recover lost data?
Yes. In most cases, if a customer accidentally removes or corrupts data, we can restore from data backups and apply deltas for the affected data to revert it to a point up to two weeks prior.
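The backup schedule in question 4 and the recovery in question 7 rest on the same mechanic: a differential backup holds every change since the most recent full, so a restore to a given day needs exactly one full plus the newest differential on or before that day, and the oldest recoverable point is bounded by the retention periods. The following added example (not iOffice's or Rackspace's tooling) builds a constructed backup catalogue on that schedule, selects the restore set for a target date, reconstructs the data, and reports whether a point in time is still held on-site, only off-site, or expired. It assumes the full runs on Sundays and that the on-site retention is the two-week option the post mentions.

```python
from datetime import date, timedelta

ONSITE_WEEKS = 2     # post states two or four weeks; the two-week option is assumed here
OFFSITE_WEEKS = 12   # off-site retention stated in the post
REVERT_LIMIT = timedelta(weeks=2)  # "revert up to two weeks prior" (question 7)


def build_catalog(first_full, days):
    """Constructed catalogue: a full every 7th day, differentials on the other days.
    The simulated data writes one new item docN on day N, so the true state on
    day N is {doc0..docN}; a differential carries everything changed since the last full."""
    catalog, state, since_full = [], {}, {}
    for i in range(days):
        d = first_full + timedelta(days=i)
        state[f"doc{i}"] = i
        if i % 7 == 0:
            since_full = {}
            catalog.append({"date": d, "kind": "full", "data": dict(state)})
        else:
            since_full[f"doc{i}"] = i
            catalog.append({"date": d, "kind": "differential", "data": dict(since_full)})
    return catalog


def restore_set(catalog, target):
    """Backups needed to rebuild the data as of end of `target`: last full, plus the
    newest differential after it (one, not a chain, because differentials are cumulative)."""
    usable = [b for b in catalog if b["date"] <= target]
    fulls = [b for b in usable if b["kind"] == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target date")
    last_full = max(fulls, key=lambda b: b["date"])
    diffs = [b for b in usable
             if b["kind"] == "differential" and b["date"] > last_full["date"]]
    chosen = [last_full]
    if diffs:
        chosen.append(max(diffs, key=lambda b: b["date"]))
    return chosen


def restore(catalog, target):
    """Reconstruct the data as of `target` by layering the differential over the full."""
    data = {}
    for b in restore_set(catalog, target):
        data.update(b["data"])
    return data


def recoverable_from(today, target):
    """'onsite', 'offsite', or None depending on how old the restore point is."""
    age = today - target
    if age < timedelta(0):
        return None
    if age <= timedelta(weeks=ONSITE_WEEKS):
        return "onsite"
    if age <= timedelta(weeks=OFFSITE_WEEKS):
        return "offsite"
    return None


def revert_accident(catalog, today, corrupted_on):
    """Question 7 case: roll the data back to the day before the corruption, if that
    point is within the two-week revert window. Returns the data or None."""
    target = corrupted_on - timedelta(days=1)
    if today - target > REVERT_LIMIT or recoverable_from(today, target) is None:
        return None
    return restore(catalog, target)


if __name__ == "__main__":
    cat = build_catalog(date(2024, 3, 3), 28)  # 2024-03-03 is a Sunday
    print([(b["date"], b["kind"]) for b in restore_set(cat, date(2024, 3, 13))])
    print(len(restore(cat, date(2024, 3, 13))), "items restored")
    print(recoverable_from(date(2024, 3, 31), date(2024, 3, 13)))
```

The selection logic is the part worth checking against your own vendor's answer: with differentials only one extra backup is applied, whereas an incremental scheme would need every incremental since the full, which changes both restore time and how much of the retention window must stay intact.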
We hope this article has answered many of the questions you may have had regarding operational security. Our goal is to provide you with all of the information you need to make an informed decision on which IWMS software is right for you. As always, if you have any additional questions, please submit them in the comments below.