Table of Contents
Overview
Frequently asked questions
Physical and Environmental Security
Where will my data be held?
What are the physical access procedures for your Hosting Provider's data centers?
What is a SOC-2 type II certification?
SOC-2 type II renewal certifications: as customers, can we have access to full audit results?
What is ISO 27001:2005 certification?
What is ISO 9001:2008 certification?
ISO certifications: as customers, can we have access to full audit results?
What does AIM listed mean?
Do external parties have access to customer data?
Explain data storage in more detail for Innovation Central
Can Innovation Central data just be stored within the EU?
Can Innovation Central data just be stored within the US?
Explain data storage in more detail for Discovery Central
How does the technical (not legal) procedure work if there was a suspected data leakage at the data center?
Are servers only logically segregated between customers, or do they really have physical “lockers”?
What are the fire suppression controls within your data center?
In case of fire, for how long will the data center walls resist?
What are the physical security controls in place within the data center?
How is visitor access to the data center handled?
Describe the environmental controls within the data center
How do you ensure a constant power supply with the data center?
Security Requirements of Information Systems
Is data encrypted?
Does your application employ encryption technologies to protect customer data during transit and rest?
Is the data encrypted with FIPS 140-2 compliant protocols while in transit?
Do you support email encryption (SMTP/TLS or other)?
Does your application perform both client-side and server-side data validation?
Describe your methods and use of configuration management
What hardening standards are deployed?
Describe the standard security configurations that are in place
What is the change control process for approved changes/modifications that are made?
What security practices are employed in the application’s software development life cycle?
Describe how your change control practices insure that “data for test” is sanitized to remove any potentially sensitive information?
How do you regularly train your employees on secure coding practices?
How do you assess code that you develop for the threat of security or privacy vulnerabilities?
How does the application perform data validation for inbound data to identify common attacks (e.g. SQL Injection, XSS)?
How is software re-certified against new releases of operating systems, database and network components?
Have you ever had a breach in your security where you notified the customer?
Do you monitor for unauthorized network connection points such as wireless access points, modems, etc.?
Can you share the results of your third party vulnerability assessments?
Would you support activities by the client to conduct intrusion testing against those systems that house or process their data at your site?
Communications and Operation Management
What are your system access requirements?
What are your security protocols and system architecture?
What is Imaginatik virus protection and patch management procedure?
Explain your Intrusion detection / prevention tools?
Describe your firewall security including equipment provider and name and version of firewall application software/hardware
Are any DoS and DDoS mitigation type of services deployed?
What impacts the data transfer rate on your system; are there any conditions that could cause slow performance? If so, what?
What are the databases supported by your product?
How do general system upgrades affect the customer or need to be applied?
Does the system allow you to modify existing reports and/or create reports using 3rd party tools?
Can reports be exported? Into what data formats?
What Technical/Customer Support do you offer?
Access Control
What types of security does your system provide?
How is access to the application controlled? How are users identified and authenticated?
How are passwords managed within the system?
How does the application perform data validation/filtering for outbound data to ensure that sensitive information (e.g. username or password) is not presented back to the end-user following data validation errors?
How does the application provide protection (encryption/hashing) for stored passwords and other sensitive data?
Is two-factor authentication used for access?
Do you provide data masking capabilities at the database level to obscure/replace sensitive data elements?
How does the system capture and log successful and failed user authentication (login) attempts and user authorization failures?
How are initial user ids created?
How does user access management work?
How are different levels of access assigned within the application?
What level of access does each user role provide within Innovation Central?
Is audit logging provided?
Do you retain system log files for a specified period of time to assist in access control monitoring and security investigations?
What Single Sign-On (SSO) capabilities are available?
What additional SSO configuration information can you provide?
Do you use a third-party SSO solution?
How do you ensure user ids remain secure when using SSO?
Is Just-In-Time Auto Provisioning for Single-Sign-On available?
How does Imaginatik deploy Web Acceleration?
Are Records Retention Schedules applied?
Who within Imaginatik has access to customer data?
Describe how your administrators access the systems that will support its clients
How are application interfaces restricted by an access control mechanism? How are file uploads/downloads (e.g. SFTP) restricted appropriately?
How does the application implement timeout after a certain period of inactivity?
Business Continuity Management
What is your disaster recovery business process model and implementation process?
Where are your backup data centers?
What is your program for data back up and the accessibility/security of online and stored data?
What is the Recovery Point Objective (RPO)?
What is the Recovery Time Objective (RTO)?
What is your company’s internal Disaster Recovery/Contingency Site program?
Are the Disaster Recovery plans reviewed and tested at least annually?
Can your backup plan enable recovery from accidental deletion or corruption of data or files?
Do you periodically test backup media to ensure data completeness and consistency, and to ensure that data can be restored within a defined timeframe?
Do you have a documented “Chain of Custody” or “Investigation Escalation” process?
Have the Business Continuity/Disaster Recovery Plans ever been tested?
What is your service availability?
Compliance
What IT governance or security framework do you use for your control environment (COBIT, ISO17799, ISO 27002 internal policies and standards, etc.)?
Do you have a comprehensive customer information security program in place? Can you explain the details of this plan?
What provisions do you have in place to address compliance concerns such as HIPAA and European Data Privacy?
What is Imaginatik Management's commitment to Information Security?
Do you have a Security Officer who is responsible for Data Security?
How are staff made aware of their Information Security requirements?
Are you Safe Harbor compliant?
How do you support legal hold?
How do you address coding for companies that have a “Records Retention Schedule” or have a need for “eDiscovery” controls?
Human Resources Security
What Data Privacy / Confidentiality agreements do you have in place?
What hiring practices insure that your employees conduct themselves in an ethical fashion?
What methods do you use to insure timely account termination when needed?
Do you have a Code of Conduct policy and Computer and Internet Acceptable Use policy and provide assurances that these policies are adhered to by your employees?
Do you have a company policy that includes Security Topics such as: Customer Data Privacy, Clean Desk Practices and Basic Computer Security Awareness?
Overview
The purpose of this document is to answer in detail any specific security or infrastructure questions regarding the controls Imaginatik has in place to ensure client data is adequately protected.
Frequently asked questions
Physical and Environmental Security
Where will my data be held?
We use two data center providers.
Our US data center is owned by Cybercon who is SOC-2 audit certified and also Safe Harbor compliant: http://www.cybercon.com/data-center-certifications. For specific data center controls in place at Cybercon please see: http://www.cybercon.com/data-center.
Our UK data center is owned by IOMart who is ISO/IEC 27001:2005 and ISO 9001:2008 certified as well as being AIM listed. See: http://www.iomarthosting.com/data-centres. For specific data center controls in place at IOMart please see:
http://www.iomarthosting.com/uk-data-centres.
What are the physical access procedures for your Hosting Provider's data centers?
Controls provide reasonable assurance that physical access to the facility is limited to authorized personnel. Here is a detailed description of the controls in place:
a. The Network Operations Center (NOC) is fully staffed 24/7/365 with trained personnel. Digital cameras are deployed throughout the facility and cover all facility entrances and data center areas. Video is displayed continuously within the NOC and captured and digitally archived on the systems drives. The amount of data held in the video archive is dependent on facility activity, but our provider will maintain a 90-day minimum. During normal business hours, a security guard provided by building management for the security of all building tenants, including our provider, monitors the main entrance to the building.
b. Outside of business hours, entrance to the building is secured by card access or by authorization from an on-duty employee. Entrance beyond the reception area at the data center is controlled by both access card and biometric hand scanners, or authorization from an on-duty employee. All access information and video surveillance is date and time stamped and available to customers for review upon request.
c. Our provider uses an Authorized Contact List, which is stored on the company Intranet. Individuals who need to have physical access to their equipment in the data center must be on the Authorized Contact List and possess a matching government-issued picture ID. Individuals who need remote hands service must submit the request via the password-controlled Customer Support Portal or call in with a verbal password.
d. Customers cannot enter our provider’s offices without authorization from on-duty staff.
e. Customers cannot enter the main collocation space without authorization from one of the NOC staff on duty at the time.
f. Customers with equipment housed in the secondary collocation space can enter using a proximity badge, but cannot access their equipment without keys from an on-duty employee.
g. All core network equipment is maintained in an isolated secure facility with limited access.
h. All carrier equipment is maintained in an isolated secure facility with limited access.
i. All of the main power systems, including Automatic Transfer Switches, UPS systems and batteries, are maintained in an isolated secure facility with limited access.
j. Other vendors of our provider, such as electricians, HVAC technicians, telecommunications providers, etc., must be authorized by a member of management in order to gain access to the data center for infrastructure projects and maintenance. When a vendor is onsite, he/she must present his/her driver's license in exchange for a badge, which is kept for use while at the facility.
k. Security/ID badges are required for all employees, and remain in the employee's possession at all times. The employee provides contact information, which is retained on file, and a biometric hand scan is conducted. The employee's supervisor or manager must approve the issuance of a Security/ID badge, and the level of access to various areas of the facility.
l. When an employee is terminated, Human Resources initiates a request to ensure that all access to our provider's facilities and resources is removed.
What is a SOC-2 type II certification?
SOC-2 (Service Organization Control) reports are based on AT section 101 of the AICPA (American Institute of Certified Public Accountants) professional standards. A SOC 2 report covers controls at a service organization relevant to security, availability, processing integrity, confidentiality, and/or privacy:
1) Security – the system is protected against unauthorized access (physical and logical).
2) Availability – the system is available for operation and use as committed or agreed.
3) Processing Integrity – system processing is complete, accurate, timely and authorized.
4) Confidentiality – information is classified and protected as committed or agreed.
5) Privacy – personal information is collected, used, retained, disclosed and disposed of as committed or agreed.
SOC-2 reports can be based on one or more of the principles listed above.
As with SSAE 16, a SOC-2 report can be issued as a Type 1 or as a Type 2. A Type 1 report presents the auditor's opinion as to the accuracy and completeness of the system description as well as the design of the controls. A Type 2 report includes all aspects of a Type 1 report and also includes a description of the tests performed by the service auditor and the results of those tests. A SOC-2 report is also a restricted-use report intended for existing customers and their auditors.
SOC-2 type II renewal certifications: as customers, can we have access to full audit results?
Yes this can be provided as long as it is only distributed to those that directly need to review it and is not shared with anyone outside your organization.
What is ISO 27001:2005 certification?
ISO (the International Organization for Standardization) is the largest developer of standards in the world and is especially practiced in the UK and Europe. ISO 27001 is a set of controls used to measure and verify that security standards have been implemented effectively. As with SOC-2 and SSAE 16 (formerly SAS 70), these controls are independently audited and certification is only provided if all controls are met. This certification also meets any internal or external audit requirements you may have, as these audited controls meet those within SOC-2/SSAE 16.
What is ISO 9001:2008 certification?
ISO (the International Organization for Standardization) is the largest developer of standards in the world and is especially practiced in the UK and Europe. ISO 9001 is a set of standardized requirements for a quality management system, regardless of what a particular organisation does, its size, or whether it is in the private or public sector. It is the only standard within the ISO 9000 family of documents against which organisations can be externally certified.
ISO certifications: as customers, can we have access to full audit results?
Yes this can be provided as long as it is only distributed to those that directly need to review it and is not shared with anyone outside your organization.
What does AIM listed mean?
AIM is an acronym for ‘Alternative Investment Market’ and is one of the equity markets of the London Stock Exchange, ensuring compliance with various UK legislation.
Do external parties have access to customer data?
No non-Imaginatik person has access to information held on Imaginatik servers. Access to Imaginatik servers is restricted to just those who need it. Imaginatik Service Delivery staff, who have secure remote access to the servers, handle the backup process.
Explain data storage in more detail for Innovation Central
Our main data centers are located in the UK and US. Your data will reside within one of these depending on your location. Full backups of client data, including configuration information required to rebuild the sites, are taken on a daily basis and held in a separate data center within the US or UK. Copies of backups are also stored within the alternate backup data center. Data is transported from DC to DC via the Lotus Domino replication process, with all data being encrypted in transit and at rest. Data is only held at rest within the secure confines of the data center.
Data stored in the UK is stored and controlled to the same standard as if it was stored in the US, and clients have exactly the same rights over their data as if it was stored locally. The US data center is also Safe Harbor compliant. Data can be stored and backed up just within the UK or just within the US if needed.
Can Innovation Central data just be stored within the EU?
Yes. Both live and backup data (including configuration information required to rebuild the sites) can be held just within our UK data centers. Our standard offering is to store data in the UK and US backup data centers, so should anything happen to one backup version we have another copy in the alternate location that can be used.
As we are a UK registered company, we are required to protect customer and personal data in accordance with the strict requirements of the UK Data Protection Act 1988; therefore data is transported from DC to DC via the Lotus Domino replication process, with all data being encrypted in transit and at rest.
Can Innovation Central data just be stored within the US?
Yes. We can ensure data is not held or backed up outside the US; however, to get the most out of our offerings we ask that customer data is stored in the US and UK, which is currently the standard practice for our other US clients.
Data is backed up to the UK to ensure that, should anything happen to the US backup version or data center, we have another copy that can be used.
Explain data storage in more detail for Discovery Central
Full copies of client data, including configuration information required to rebuild the sites, are taken on a daily basis and held in a secure and fully audited 3rd party data center within the UK. Backup copies are also taken and stored in our UK backup data center.
As we are a UK registered company, we are also required to protect client and personal data in accordance with the strict requirements of the UK Data Protection Act 1988.
Data can be stored and backed up just within the US at additional cost.
How does the technical (not legal) procedure work if there was a suspected data leakage at the data center?
Digital cameras are deployed throughout the data center facility and cover all facility entrances and data center areas. Video is displayed continuously and captured and digitally archived on the systems drives. The amount of data held in the video archive is dependent on facility activity, but our provider will maintain a 90-day minimum. All access information and video surveillance is date and time stamped and available to us for review upon request.
Are servers only logically segregated between customers, or do they really have physical “lockers”?
Servers are held on separate racks within the secured and restricted data center area. If required (at additional cost) servers can be kept in a lockable cage within the data center and secured with keyed locks.
What are the fire suppression controls within your data center?
The fire suppression system is a pre-action, dry pipe system, which discharges water only from the appropriate zones/locations when the temperature in the data center increases to a specified level and triggers a fire sprinkler head. To prevent accidental sprinkler discharge, it requires two or more sensors to activate. A state-of-the-art VESDA air sampling fire detection system is capable of detecting invisible by-products of materials as they degrade during the precombustion stages of an incipient fire by actively and continuously sampling air.
The facility's fire control system, which is connected to the building's fire control panel, would notify the fire department upon an alarm condition.
In case of fire, for how long will the data center walls resist?
The data centers are engineered with the highest degree of protection against fire damage: concrete floors, all-steel ceilings, fireproof walls, and steel-framed racks. There are no flammable materials inside the data center area.
What are the physical security controls in place within the data center?
The entire data center is monitored 24x7 by security cameras and on-site staff. Cameras are positioned at every entrance, each and every rack aisle and customer cage areas. All security cameras are recorded. Card access controls, biometric identification and security guards are also in place to prevent unauthorized access.
How is visitor access to the data center handled?
Individuals who need to have physical access to their equipment in the data center must be on the Authorized Contact List and possess a matching government-issued picture ID.
When a vendor is onsite, he/she must present his/her driver's license in exchange for a badge, which is kept for use while at the facility.
Describe the environmental controls within the data center
Indoor cooling systems provide precise, reliable control of the data center temperature, humidity, and airflow that improves operating conditions for sensitive electronic equipment. Within the US data center the air conditioning system is configured with 133% built-in redundancy. Effectively, only 75% of the air conditioning units are required to support the data center at maximum occupancy.
How do you ensure a constant power supply with the data center?
Within the US data center (Cybercon), in the event of commercial power loss, each source of power is automatically transferred to a dedicated 1.5 Megawatt diesel generator with a 2,000-gallon fuel tank. A fuel supply contract is in place to refuel the generator.
The generators are tested once a month using a 500kW load bank. To maintain constant power, commercial power is fed to critical systems through the facility's Automatic Transfer Switch (ATS), which is kept under a regular, scheduled preventative maintenance contract.
During the transfer from commercial to generated power, constant conditioned power is supplied to critical systems via the two 150 KVA and two 225 KVA in-line Uninterruptible Power Supply (UPS) systems, so that all equipment receives constant line voltage. The UPS units run a self-diagnostic test once every six months and the results are noted by NOC staff. The UPS units will note failures on an onboard LCD screen. These screens are checked every 4 hours during the normal walk-through by NOC staff. Cybercon’s facility features two 480 VAC, 3-phase utility services, one 800 amp and one 400 amp, each provided from one of two sub-stations.
The UK data center gets its power from commercial utility underground conduits or a dedicated onsite substation with a 10-minute battery backup in the event of failure. Additionally, they also have multiple diesel generators with full-load capability, which are on standby to provide long-term power in the event of an emergency.
Put simply, if the world were to end, the data centers could still function for another 2 days.
Security Requirements of Information Systems
Is data encrypted?
All data within our offerings is encrypted.
Does your application employ encryption technologies to protect customer data during transit and rest?
Data is encrypted in transit (TLS) using 128-bit (or higher) encryption algorithms. Only TLS is supported for data transmission. Data is also encrypted at rest (via comprehensive database encryption). Servers use 128- or 256-bit AES to encrypt data at rest.
Is the data encrypted with FIPS 140-2 compliant protocols while in transit?
Yes, if required. By default SSL3 and TLS1 are enabled. Ciphers are restricted to HIGH!ADH-AES128-SHA!ADH-AES256-SHA!ADH-DES-CBC3-SHA, but this can be reduced further as well.
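A way to check what a cipher restriction like the one above actually leaves enabled, using the OpenSSL linked into Python's ssl module. This is an added example, not Imaginatik's configuration or tooling; it assumes the page's cipher string is an OpenSSL cipher list with ':' separators (the separators are an assumption), and compares it with a broader exclusion that removes every anonymous (unauthenticated) suite rather than three named ones.

```python
import ssl

# The restriction quoted on the page, written as an OpenSSL cipher list.
# The ':' separators are an assumption about the original syntax.
PAGE_CIPHER_STRING = "HIGH:!ADH-AES128-SHA:!ADH-AES256-SHA:!ADH-DES-CBC3-SHA"

# Broader form: exclude all anonymous (aNULL) and null-encryption (eNULL)
# suites by class instead of naming individual suites.
HARDENED_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!MD5"


def permitted_ciphers(cipher_string):
    """Return the suite names the local OpenSSL would offer for cipher_string.

    The exact list depends on the local OpenSSL build; no network is used.
    ssl.SSLError is raised if the string matches no suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # get_ciphers() also lists TLS 1.3 suites, which set_ciphers() does not govern.
    return [c["name"] for c in ctx.get_ciphers()]


def anonymous_suites(cipher_names):
    """Suites that authenticate neither side (anonymous DH / ECDH)."""
    return [n for n in cipher_names if n.startswith(("ADH-", "AECDH-"))]


def review(cipher_string):
    """Summarise a cipher string: how many suites it permits, and which are anonymous."""
    names = permitted_ciphers(cipher_string)
    return {"total": len(names), "anonymous": anonymous_suites(names)}


def hardened_client_context():
    """Context using the broader exclusion and refusing SSL3/TLS1.0/TLS1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(HARDENED_CIPHER_STRING)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, s in (("page", PAGE_CIPHER_STRING), ("hardened", HARDENED_CIPHER_STRING)):
        r = review(s)
        print(f"{label}: {r['total']} suites, anonymous: {r['anonymous'] or 'none'}")
```

Any suite listed under "anonymous" for the page's string is one that a name-by-name exclusion did not cover on this OpenSSL build; the hardened string reports none by construction.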
Do you support email encryption (SMTP/TLS or other)?
Yes. In addition, Innovation Central does not give users the ability to send custom emails, so it is not possible to include malicious content.
Does your application perform both client-side and server-side data validation?
Client-side validation is used to improve user experience. Server-side validation is used to prevent unauthorized interaction with the application or data. This includes user authorization for each request as well as sanitizing input to prevent cross-site scripting (XSS) and other potential vulnerabilities.
Describe your methods and use of configuration management
All modifications to the production environment follow a documented change control procedure that describes the migration path from development to test to production. Development, Test and Production Environments are separated, both in terms of hardware and of system domains. The Development and Test environments require different credentials to access them from the Production environment. All code must go through the Test environment before it reaches production. In the event of a bug being raised, fixing and testing also takes place in the Development and Test Environments before the code is released to Production.
What hardening standards are deployed?
All servers are hardened to disable unneeded services and tasks and further improve server security. We use Microsoft Windows and Linux servers. We perform regular software maintenance, applying all relevant Windows and application server security fixes and patches after review and testing.
Describe the standard security configurations that are in place.
In addition to requiring hardening standards to be followed when installing new systems, each system is reviewed by senior technical staff before entering production. This review is used to keep hardening requirements updated.
What is the change control process for approved changes/modifications that are made?
New features/changes are discussed, planned and, if they are to be taken forward, added to the Project Plan. At this stage a change document is created for the feature/change and added to the software version log. Change documents are updated throughout feature development, detailing new code and any elements added to the design or changed. Changed code is dated and initialed in the comments. The change documentation informs the testers what's new. When the test phase begins, change documentation is refined and used to produce the public release documentation for clients and prospects. During the test phase, any snags are documented for developers to fix. Developers then add details of their fixes to these documents, before they are signed off by testing staff.
At the end of testing, public release documentation is reviewed to check for further changes implemented during the testing phase. Historical change documentation remains associated with the relevant software version document.
Any bugs that are raised are documented and associated with the next software version document. Work-arounds and/or fixes are documented in detail, along with instructions for patching production software, if required. If patching is not required, the change is released in the next version of the software.
What security practices are employed in the application’s software development life cycle?
Technical Security affecting the SDLC
Development, Test and Production Environments are separated, both in terms of hardware and of system domains.
The Development and Test environments require different credentials to access them from the Production environment.
All code must go through the Test environment before it reaches production. In the event of a bug being raised, fixing and testing also takes place in the Development and Test Environments before the code is released to Production.
Code will not run on the Production environment unless it has a Production Signature.
Application Security affecting the SDLC
Security assessment by Service Delivery is conducted in the requirements phase, at the same time as functionality and features are being discussed. During the development phase, Service Delivery are on hand to consult on the implementation of security features, and must sign off on these prior to the Test phase. Penetration testing occurs on code as a stage gate in the release process. This is also true for Beta software releases. This confirms that the security considerations outlined in the requirements phase have been met in the production environment.
Describe how your change control practices insure that “data for test” is sanitized to remove any potentially sensitive information?
As a rule we do not use production data for testing purposes. We would attempt to reproduce any issues in our Development environment using non-client data.
How do you regularly train your employees on secure coding practices?
In relation to secure coding practices, new staff that have access to code receive comprehensive training as part of the induction process, including basic computer security awareness education when they first join, and mandatory information security awareness training on an annual basis. Those with access to code are further trained using our shared script libraries to prevent Cross-Site Request Forgery (XSRF) when writing new code in any of our predominant programming and scripting languages. We also use WhiteHat Sentinel, which checks our code on a weekly basis and produces a security report showing any outstanding vulnerabilities in our internal code. Any issues are flagged to the Development team, who use this information to educate staff on identified code issues.
How do you assess code that you develop for the threat of security or privacy vulnerabilities?
We use WhiteHat Sentinel, which checks our code on a weekly basis and produces a security report showing any outstanding vulnerabilities in our internal code.
How does the application perform data validation for inbound data to identify common attacks (e.g. SQL Injection, XSS)?
All input is validated to prevent common attacks. We use WhiteHat Sentinel to test for application vulnerabilities prior to releasing updates to production.
How is software re-certified against new releases of operating systems, database and network components?
All new releases of software are tested in our test Lab environment. This includes OS, Database and any new networking components. Only once the tests are fully verified and have passed QA will Imaginatik plan the release into the live environment. Tests include Functionality and Security.
Have you ever had a breach in your security where you notified the customer?
No. Intrusion detection is used to monitor if servers are being attacked. Alerts are sent to our Service Delivery team to investigate. Server and network vulnerability scanning is also performed.
Do you monitor for unauthorized network connection points such as wireless access points, modems, etc.?
Yes. Unused network connection points are disabled and wireless access is prohibited for production networks.
Can you share the results of your third party vulnerability assessments?
We have an independent company that performs network and server vulnerability scans on our hosted infrastructure on a weekly basis. We can provide results if required.
Would you support activities by the client to conduct intrusion testing against those systems that house or process their data at your site?
Yes. Intrusion testing can be performed if required; however, we already use a third party who performs such a check. Should you wish to see a copy, this can be provided.
Do you perform periodic penetration tests against your Internet-facing network and systems?
As part of the service WhiteHat provides to Imaginatik, their Threat Research Center (TRC) performs automated vulnerability testing and manual penetration testing, where they attempt to compromise the infrastructure in a safe and ethical manner (such as executing commands and/or retrieving data). Their reports include any potential vulnerabilities discovered by either of those two processes.
Should you wish to run your own application scan this can be arranged with advance notice and agreement of timings.
Communicatons and Operaton Management
What are your system access requirements?
We have two separate web-accessed applications, Innovation Central and Discovery Central. Innovation Central is compatible with Internet Explorer (V8 or above), and the most recent versions of Firefox, Safari, or Chrome. Discovery Central is compatible with the latest versions of Chrome, Firefox or Safari.
No plugins or extensions, such as ActiveX controls or Java applets, are required, so there are no additional requirements for software to be installed on client computers.
What are your security protocols and system architecture?
Our networks are protected by powerful firewalls configured to follow industry best practices for network ingress/egress security. We also implement intrusion detection / prevention systems for shunning connections from known malicious IP addresses. Any incidents are logged, prioritized and tracked through to resolution. The client will be immediately notified of any incidents affecting their data.
Innovation Central runs on clustered servers with automatic failover, so that an outage on one server won’t cause an interruption in service. Load balancers in front of the clustered servers ensure that performance is maximized across the cluster. In addition to being spread over the cluster servers, the data is also replicated to our alternate data center, so that we can recreate the environments in that other data center in the event of a disaster.
Data is transmitted to and from Innovation Central over HTTPS.
Discovery Central runs on a dedicated server. All data is copied to our backup data center so that we can recreate the environment in that other data center in the event of a disaster.
Data is transmitted to and from Discovery Central over HTTPS.
Client data in Innovation Central and Discovery Central is stored in a separate data store module that is only accessible by the users registered for that environment. All website URLs are unique to each client, requiring an id and password to enter, and can only be accessed by the users registered for that environment. Innovation Central and Discovery Central also support group- and role-based authorization for users that can be customized to meet the client’s requirements.
Advanced Content Distribution uses a huge network of servers deployed worldwide to provide a secure, fast and reliable path to our data centers, ensuring that you get the fastest possible response times wherever your users are located.
What is Imaginatik's virus protection and patch management procedure?
Virus protection is enabled on all Innovation Central servers and is updated on a daily basis. Operating System patches are installed at least monthly (we have a scheduled maintenance slot on the 12th day after the second Tuesday of each month, i.e. the 3rd or 4th Sunday). Application server patches are promptly installed, to allow our clients to benefit from improvements to the core software.
Explain your intrusion detection / prevention tools.
Imaginatik servers are all configured to restrict the number of protocols available to just the minimum required and to turn off all unneeded services and applications, and the firewalls are set to block all traffic other than the minimum required to operate the service. Web Application Firewalls are used to detect and prevent potential intrusions. Reports are sent to our Service Delivery team and Security Officer to investigate. Server and network vulnerability scanning is also performed.
Describe your firewall security, including equipment provider and name and version of firewall application software/hardware.
We use Juniper and Cisco firewall equipment, and other data center clients have no access to our network.
Are any DoS and DDoS mitigation type services deployed?
With regard to DoS and DDoS mitigation, we have countermeasures to detect unauthorized activity, as our networks are protected by firewalls and intrusion detection systems. Also, when a client chooses to have IP restriction (there is an additional cost for this), our firewall will only allow TCP traffic from the designated ranges supplied to us by the client. Any traffic outside of these ranges will be automatically discarded and will not reach the environment.
We also have a separate DNS provider (DNS Park), not affiliated with the data centers that host our application servers, which has multiple locations providing DNS services for the domain names we use. Additionally, our data centers have their own protection services that help identify and mitigate the effects of Distributed Denial of Service attacks using a three-tier approach that accurately locates suspect traffic at the onset of an attack and sanitizes it without disrupting the free flow of legitimate network traffic, while dramatically shortening detection and resolution times.
Innovation Central and Discovery Central are hosted solutions entirely supported by us, and we have been able to successfully and securely do this for 95% of our clients, the remainder being the Department of Defense, who had strict internal hosting requirements. Our service availability is 99.9% for Innovation Central and 99.5% for Discovery Central, excluding scheduled maintenance periods. Service availability is reviewed internally, as are the activity and response times of each client’s environment.
How do you ensure segregation of each client module so they cannot be accessed or shared by other customers?
Each client’s data is stored in a physically separate module and only accessible by the users registered for that environment via an access control list (ACL). All website URLs are unique to each client. No non-Imaginatik person has access to information held on Imaginatik servers. Access to Imaginatik servers is restricted to just those who need it.
What safeguards exist against the public hacking in and discovering any confidential information that might be contained in any of our events or the ideas therein?
Our networks are protected by firewalls and intrusion detection / prevention systems. Any incidents are logged, prioritized and tracked through to resolution. The client will be immediately notified of any incidents that could affect its data. All user activity in Innovation Central is logged in the tracker module to ensure a full audit trail. Regular server, network and web application vulnerability scans are also performed.
What impacts the data transfer rate on your system; are there any conditions that could cause slow performance? If so, what?
As web applications, Innovation Central and Discovery Central are not network intensive.
What are the databases supported by your product?
Innovation Central and Discovery Central are hosted solutions (SaaS) entirely supported by Imaginatik. Imaginatik employs various technologies to offer the solutions, including IBM database and application servers. The operating systems used are Microsoft Windows and Linux.
How do general system upgrades affect the customer, or need to be applied?
Upgrades are planned for outside client office hours: UK morning for US clients and US pacific afternoon for European clients. There is no effort required from the client as we manage this process. Patching can be done as and when required by us with no impact or client effort.
Does the system allow you to modify existing reports and/or create reports using 3rd party tools?
Innovation Central's data-export options, available in our SharePoint integration, allow clients to export ideas into systems like Microsoft Office Project Server and Excel.
Can reports be exported? Into what data formats?
Our Web Services API provides the capability to call virtually any Innovation Central content or metric securely over the web and return it in XML, which can then be transformed into HTML, CSV, JSON or plain text. This technique can also be deployed in other enterprise systems such as IBM Lotus Notes/Domino, SAP, or Oracle.
What Technical/Customer Support do you offer?
Online support for your Innovation Central program is available 24 hours a day through Imaginatik’s wiki resource, providing up-to-date information and access to technical support. It is a mixture of FAQ assistance, technical support and virtual consultancy rolled into one easy-to-use format. Customer service support is available by phoning either the dedicated US or UK number, Monday through Friday from 0800-0100 (UK time) / 0300-2000 (US Eastern).
Issues can also be raised 24 hours a day by e-mail and will be acknowledged within 30 minutes of commencement of customer service support hours.
Customer support team members are located in the UK, US Eastern and US Pacific time zones.
Access Control
What types of security does your system provide?
Groups and role based authorization / User ids & Passwords / Single Sign-On / Audit Logging / Firewalls & Intrusion Detection & Prevention / Virus Protection & Patch Management / IP Restriction (there is an additional cost for this).
How is access to the application controlled? How are users identified and authenticated?
Given the importance of intellectual property, it is crucial to allow only authenticated users into Innovation Central and Discovery Central. Therefore both can either use the native Domino authentication process (Internet username and password), or integrate with a variety of Single Sign-On (SSO) technologies that allow clients to use the login information in their own directories. Imaginatik has extensive experience in implementing SSO for Innovation Central with various systems. In most implementations, SAML 2.0 is used to provide SSO (please see the ‘What Single Sign-On capabilities are available’ question further below for more detail). Access can also be restricted based on source IP address (at additional cost).
The system uses session cookies to maintain authentication between browser requests.
How are passwords managed within the system?
The password change process is automated in Innovation Central and Discovery Central. Users can request a password reset or password hint, if this is enabled. Any further account
Password requirements are also configurable within Innovation Central and can be set to match the client’s policies. The standard settings are:
· Minimum Password Length: 8
· Minimum Password Quality: 8
· Password Expiration Days: 30 days
· Maximum Login Retries: 3
· Maximum Password Repetitions: 7
· Password Lockout Time: 1440 minutes
Quality: Passwords can be of the same length and have different password quality ratings because of the difference in character complexity. For example, "password" is rated 3, "pAssw0rd" is rated 10, "pwd46dwp" is rated 10, and "PwD46dWp" is rated 12. A good setting for reasonably strong passwords which can still be easily remembered is 8.
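Added example (not Imaginatik's code) showing how the standard settings above combine in a login and password-change flow; the hashing algorithm and the reading of "Maximum Password Repetitions: 7" as the last seven passwords are assumptions, and the quality rating is left out because the page does not give its algorithm.

```python
"""Account-policy checks for the standard settings listed above (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Standard settings from the questionnaire
MIN_LENGTH = 8            # Minimum Password Length
EXPIRY_DAYS = 30          # Password Expiration Days
MAX_RETRIES = 3           # Maximum Login Retries
MAX_REPETITIONS = 7       # Maximum Password Repetitions (assumed: last 7, incl. current)
LOCKOUT_MINUTES = 1440    # Password Lockout Time (24 hours)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for the one-way storage; the page says "hash"
    # but does not name the algorithm (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # older (salt, digest)
    failures: int = 0
    locked_until: Optional[datetime] = None


def new_account(password: str, now: datetime) -> Account:
    if len(password) < MIN_LENGTH:
        raise ValueError("shorter than %d characters" % MIN_LENGTH)
    salt = os.urandom(16)
    return Account(salt=salt, digest=_hash(password, salt), changed_at=now)


def check_new_password(account: Account, candidate: str) -> Optional[str]:
    """Return None if the candidate is acceptable, else the rejection reason."""
    if len(candidate) < MIN_LENGTH:
        return "shorter than %d characters" % MIN_LENGTH
    # Current password plus stored history = the last MAX_REPETITIONS passwords
    for salt, digest in [(account.salt, account.digest)] + account.history:
        if hmac.compare_digest(_hash(candidate, salt), digest):
            return "matches one of the last %d passwords" % MAX_REPETITIONS
    return None


def set_password(account: Account, candidate: str, now: datetime) -> None:
    reason = check_new_password(account, candidate)
    if reason is not None:
        raise ValueError(reason)
    account.history.insert(0, (account.salt, account.digest))
    del account.history[MAX_REPETITIONS - 1:]      # keep current + 6 previous
    account.salt = os.urandom(16)
    account.digest = _hash(candidate, account.salt)
    account.changed_at = now
    account.failures = 0
    account.locked_until = None


def login(account: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'expired', 'locked' or 'bad-password'."""
    if account.locked_until is not None and now < account.locked_until:
        return "locked"                     # still inside the 1440-minute lockout
    if hmac.compare_digest(_hash(password, account.salt), account.digest):
        account.failures = 0
        account.locked_until = None
        if now - account.changed_at > timedelta(days=EXPIRY_DAYS):
            return "expired"                # correct, but must be changed first
        return "ok"
    account.failures += 1
    if account.failures >= MAX_RETRIES:     # third consecutive failure locks the account
        account.failures = 0
        account.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
        return "locked"
    return "bad-password"
```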
How does the application perform data validation/filtering for outbound data to ensure that sensitive information (e.g. username or password) is not presented back to the end-user following data validation errors?
Sensitive information, such as passwords, is stored after one-way encryption so that it can never be presented back to the user in a readable format.
How does the application provide protection (encryption/hashing) for stored passwords and other sensitive data?
Passwords are stored as a hash, after one-way encryption. All other data is encrypted in transit and at rest.
Is two-factor authentication used for access?
Yes. User id / password and physical location (plus IP address).
Do you provide data masking capabilities at the database level to obscure/replace sensitive data elements?
In addition to only storing password hashes, in a single sign-on configuration, the username (such as NTID or employee ID) can be hashed using MD5 if this is required.
How does the system capture and log successful and failed user authentication (login) attempts and user authorization failures?
The Tracker module, which your chosen user admins can access, reports on all user activity within Innovation Central and all login attempts.
How are initial user ids created?
User accounts are normally imported into the Innovation Central web application by importing a CSV file into the directory. This file import process can be automated, and the transfer of the file is typically done through SFTP. Using this CSV method, Imaginatik does not require access to the client's directory servers, and therefore doesn't require access to the client's networks. User ids can also be created manually. Profile information can include a photo of the user and his/her statistics within challenges.
How does user access management work?
The user account creation and deletion process, as well as granting/revoking user access rights, is fully delegated to the Innovation Central administrators. These are designated employees within the client’s organization.
Within Imaginatik, a formal user registration and de-registration procedure is in place for granting and revoking access to all information systems and services. This ensures that, once the Security team is notified that a user has transferred departments, changed job responsibilities, resigned, taken leave of absence or been terminated, they take prompt action and arrange for the user's application access to be deleted, amended or disabled, depending on the employment status change and the circumstances surrounding it. The process also ensures that redundant user IDs are not issued to other users.
How are different levels of access assigned within the application?
Innovation Central and Discovery Central support group- and role-based authorization for users that can be configured to meet the client’s requirements.
Within Innovation Central we have eight roles: Normal User, Reviewer, Review Team Leader, Master Reviewer, Management, Executive, Oversight, and Administrator. Each role has a set of features available to it. Administrators can do / see everything.
Within Discovery Central we have two roles, Normal User and Administrator.
What level of access does each user role provide within Innovation Central?
You can give Special Roles to anyone with an Innovation Central profile. Each person must be configured individually. You can combine roles to create the desired level of access, e.g. give someone the roles Administrator, Master Reviewer and Reviewer to give them full access.
Core Roles
· Administrator: Access to Admin Space, all documents and all functionality (except review features)
· Oversight: Access to all documents and Reports space; Ability to delete documents, apply access restrictions to individual documents, release documents from embargo and edit ideas (if enabled)
· Executive: Access to all documents and Reports space
· Normal User: Access to collaboration space and personal space. Ability to view documents that do not have restricted access
Review Team Roles
· Review Team Leader: Admin access to Review Process Setup sections; Ability to review ideas, conclude ideas and apply access restrictions to individual documents; Access to all documents; Must also have Reviewer role
· Master Reviewer: Ability to review ideas, conclude ideas and apply access restrictions to individual documents; Access to all documents; Must also have Reviewer role
Other Roles
· Management: Can be given read access to ideas with a restricted audience through Document Security; otherwise this role does not have any additional access rights.
Is audit logging provided?
All activity within the Innovation Central package is logged and tracked within the tracker module, which the client's chosen admins can access and report upon: for example first access, number of logins, last access, and actions performed.
Do you retain system log files for a specified period of time to assist in access control monitoring and security investigations?
Tracker logs are kept for the duration of the engagement, along with all other Innovation Central and Discovery Central data.
What Single Sign-On (SSO) capabilities are available?
To facilitate and improve participation, Imaginatik offers Single Sign-On (SSO) integration as standard on all full Innovation Central engagements. The technology used to implement SSO is the industry standard SAML 2.0 protocol.
The communication with the Imaginatik Innovation Central and Single Sign-On Service Provider (SP) server will always be over HTTPS. Although this normally provides sufficient security, we do support additional signing and/or encryption of the assertion itself, on top of transport-level encryption.
Service Provider initiated SSO is used in all cases. The SP server uses the RelayState to track the ultimate destination URL, and it needs to be preserved throughout the authentication process.
In ordinary SSO, the SAML Assertion only needs to contain the userid. We can use any single-byte alphanumeric string, up to 32 characters long, as the userid. This can be an employee ID, NT or network ID, or an MD5 hash of these, so long as it is unique to each user.
Implementing SSO delegates authentication to the Identity Provider. As a consequence, all Innovation Central users have to be able to connect to the existing identity management and authentication systems.
What additional SSO configuration information can you provide?
For the best results, please begin to configure your SSO services connection with Innovation Central as follows:
· SAML 2.0 is used to provide SSO.
· SAML assertions are digitally signed. Certificates can come from a Private Certificate Authority.
· The Connection should be “SP initiated SSO”.
· The RelayState is used to preserve the originally requested URL and this needs to be preserved throughout the authentication process.
· The critical component in the assertion is the SAML Subject, which only needs to contain the userid. We can use any alphanumeric string, up to 32 characters long, as the userid. This could be an employee id, sAMAccountName, NT or network id, or an MD5 hash of the same, as long as it is unique to each user.
We'll need the following from your SSO environment before we can set up the connection on our end:
· The public key of the server certificate your SAML assertions are signed with.
· If possible a MetaData export. If your SSO service provides the Export MetaData feature, this will tell our SSO servers what to expect in terms of the mapping of the and your SSO services features.
· Perimeter security devices, such as Proxies and Firewalls, will need to allow clients to use SSL connections to SSO servers.
Once the connection is set up on both ends, we will need to arrange time with all relevant parties to do real time tests of the connections.
In parallel to the steps above, you will also need to arrange the user import which is a CSV file transferred to us using SFTP. The format of the file's name and content are documented separately. If you don't have the document, please request this from us.
Do you use a third-party SSO solution?
Imaginatik uses PingFederate by Ping Identity. For more information on the SAML protocol and the PingFederate software, including introduction videos, integration guides and case studies, please visit www.pingidentity.com.
How do you ensure user ids remain secure when using SSO?
As well as the existing security controls we have in place we can also take additional steps to secure user ids by accepting an MD5 hash of the user id. This will ensure the id is not displayed in its initial format.
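Added example (not Imaginatik's or PingFederate's code) of the service-provider-side checks for the SP-initiated flow described in the SSO answers above and for the MD5-hashed userid discussed just above; the SP entity ID, request ID and IdP response are constructed, and XML-signature verification is assumed to be done separately by an XML-DSig library.

```python
"""SP-side checks on a SAML 2.0 Response for SP-initiated SSO (added example)."""
import hashlib
import re
import xml.etree.ElementTree as ET          # prefer defusedxml for untrusted input
from datetime import datetime, timezone
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SP_ENTITY_ID = "https://sp.example.test/saml"   # assumed SP entity ID
USERID_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")  # page: single-byte alphanumeric, <= 32 chars


def pseudonymous_userid(employee_id: str) -> str:
    """MD5 hex digest of the directory ID, as the page offers; 32 hex chars fit the
    limit exactly. An unsalted MD5 of a short ID can be reversed by enumeration, so
    treat it as a pseudonym rather than a secret."""
    return hashlib.md5(employee_id.encode("utf-8")).hexdigest()


def safe_relay_state(relay_state: str) -> bool:
    """RelayState carries the originally requested URL. Accept only a local path so a
    tampered value cannot send the user off the SP after login."""
    parts = urlsplit(relay_state)
    return (parts.scheme == "" and parts.netloc == ""
            and relay_state.startswith("/") and not relay_state.startswith("//"))


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, expected_request_id: str, now: datetime, relay_state: str):
    """Return (userid, None) when every check passes, else (None, reason).
    XML-DSig verification is assumed to have run already; only the presence of the
    Signature element is checked here."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:
        return None, "InResponseTo does not match our AuthnRequest (unsolicited response)"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, "no Assertion"
    if assertion.find("ds:Signature", NS) is None:
        return None, "assertion is not signed"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return None, "missing Conditions or validity window"
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        return None, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return None, "assertion was not issued for this SP"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not USERID_RE.match(name_id.text or ""):
        return None, "userid missing or not alphanumeric and <= 32 characters"
    if not safe_relay_state(relay_state):
        return None, "RelayState is not a local URL"
    return name_id.text, None


def sample_response(userid: str) -> str:
    """Constructed IdP response for testing (not a real PingFederate message)."""
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="r1" InResponseTo="req-123">'
        '<saml:Assertion ID="a1">'
        '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>'
        '<saml:Subject><saml:NameID>' + userid + '</saml:NameID></saml:Subject>'
        '<saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">'
        '<saml:AudienceRestriction><saml:Audience>' + SP_ENTITY_ID + '</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>'
    )
```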
Is Just-In-Time Auto Provisioning for Single-Sign-On available?
Yes. We have a Just-In-Time (J.I.T.) auto provisioning solution for SSO clients. J.I.T. negates the need to provide a pre-defined list of users who would require access to Innovation Central, by automatically creating a new account for a trusted user when that user first attempts to access the system.
This provides seamless integration between the client's existing systems and Imaginatik, removing obstacles and driving participation. Profiles will only contain those users who have accessed the system, improving response times.
How does Imaginatik deploy Web Acceleration?
CloudFlare's web application accelerator service is used to ensure users have the best possible experience. Requests and application responses between users and our server are sent over the CloudFlare platform. Website traffic is routed through their global network, which is powered by 34 data centers around the world.
When a user requests an application, dynamic mapping technology directs the request to the closest server. Using route optimization, it identifies the fastest, most reliable path back to our server to retrieve the application content, and employs connection techniques to optimize communication between servers, improving performance and reliability of both retrieval and delivery.
Are Records Retention Schedules applied?
Yes. Data is removed at the end of the engagement with the client, who can specify when it should be removed (e.g. immediately or in 12 months' time). Data can be destroyed at any point during the engagement, should the client request this.
Who within Imaginatik has access to customer data?
Only those who need to provide direct customer support have this type of access. It is controlled via a customer-specific Access Control List (ACL). Access to a customer's environment would only be via a work order (providing details of what needs to be done along with a business justification), or a direct request raised by the customer or their Innovation Consultant. All activity within the Innovation Central package is logged and tracked within the tracker module. The customer's admins can access and report on these details.
Describe how your administrators access the systems that will support its clients.
Our endpoints are not used to access Innovation Central / Discovery Central, or any part of the infrastructure used to host the applications and your data. Only those Imaginatik staff with strong business justification (along with the client's approval when required) are granted access to client data. This is controlled by two-factor authentication using a One Time Password (OTP) and end-to-end encryption. The OTP is a randomly generated number that is unique to a user at a particular time, for a period of about 40 seconds.
The two-factor authentication and OTP process then gives the user access to a Secure Management Console (SMC) where client data can be accessed but cannot be downloaded onto the user's computer or any other type of removable media device.
All databases are also secured by an ACL so that only the authorized people with the ACL are allowed to access the environment.
Administrative access is secured at the data center, so that physical access to one of the Imaginatik offices does not grant more access than could be achieved through direct remote access. The two-factor authentication and OTP process also applies to our Admins.
How are application interfaces restricted by an access control mechanism? How are file uploads/downloads (e.g. SFTP) restricted appropriately?
The only application interfaces we provide are the normal http access and secure file transfer. In both cases access is only granted to those with authorized account access.
How does the application implement timeout after a certain period of inactivity?
Inactive sessions should shut down after a defined period of inactivity. Within Innovation Central and Discovery Central this is customizable to meet your requirements.
Business Continuity Management
What is your disaster recovery business process model and implementation process?
Imaginatik has two data center providers, which allows us many options when it comes to disaster recovery. Daily off-site backups ensure that we have the ability to recover and rebuild client environments even in the event of total loss of one data center.
Interruptions to our service are extremely rare, most commonly being caused by network issues between the client network and the Imaginatik data center concerned. In the event of a problem affecting a client server, we will do everything possible to recover the service as quickly as possible.
If this takes longer than a few minutes, the customer concerned will be notified and kept informed until normal service is resumed. If the service interruption looks likely to be extended, then we will start to restore the existing environment on a server in the other data center. This will then normally be available for use within 72 hours of the disaster, although the annual Disaster Recovery test consistently shows restoration could be 24 hours or less. The data used will be no more than one day out of date.
Where are your backup data centers?
Backup servers are located in secure data centers, which are managed for us by a third party called IOMart. They provide us with the servers and network connectivity, but have no access to any Imaginatik client data. Our UK backup data center with IOMart is in Maidenhead: http://www.iomarthosting.com/uk-data-centres. It is ISO/IEC 27001:2005 and ISO 9001:2008 certified. Our US backup data center with IOMart is in Boston. It is SOC 2 Type II and Safe Harbor certified: http://www.iomarthosting.com/global-data-centres.
What is your program for data backup and the accessibility/security of online and stored data?
Full backups of clients' data, including the configuration information required to rebuild the sites, are taken on a daily basis and held in secure off-site locations (currently in the UK and the US). Innovation Central data is backed up by replication to a RAID (Redundant Array of Independent Discs) storage unit: if one disc fails, the data is already held on another disc within the array. It is encrypted in transit using TLS and at rest (Lotus Domino database encryption). Media is not transported physically. The backup process is handled only by authorized Imaginatik Service Delivery staff, who have secure remote access to the servers. Accessibility/Security online - Each client’s data is stored in a physically separate module that is encrypted and only accessible by the users registered for that environment. All website URLs are unique to each client. Each participant will be given a unique user id and password that must be entered correctly. All passwords are stored using one-way encryption. All input is validated by server-side code before being accepted by the application.
What is the Recovery Point Objective (RPO)?
The maximum amount of data in time that would be lost between replications is 24 hours. However, depending on the situation, this is usually limited to a matter of seconds, or up to an hour due to the server cluster replication process, and hourly replication to our backup servers.
What is the Recovery Time Objective (RTO)?
Imaginatik will use commercially reasonable efforts to promptly notify clients of the decision to move to the alternate facility, and an expectation of the time required to restore the system. The RTO is 72 hours.
What is your company’s internal Disaster Recovery/Contingency Site program?
The purpose of our Internal Business Continuity Plan is to outline the primary systems and services that are used by staff of Imaginatik to complete the tasks required for the running of the company, and to provide internal guidance to implement work-arounds or solutions to outages. These tasks include administration, sales, development, marketing, support and consulting tasks, as well as the provision of a hosted Innovation Central infrastructure to our clients. Invoking the continuity plan largely depends on what has been affected and any potential client impact. The IT Director will make the decision to invoke a continuity plan should a critical system or area be affected. If the impact is department specific then the department Manager will invoke any department-specific requirements.
Are the Disaster Recovery plans reviewed and tested at least annually?
Most parts of the Business Continuity Plan, for example the actions to be taken in the event of partial system failures and power outages, and the restoration of individual client environments in our alternate data center are tested on a regular (at least yearly) basis. The Chief Technology Officer is responsible for Business Continuity and reviews these plans annually.
Can your backup plan enable recovery from accidental deletion or corruption of data or files?
Yes. The system doesn't allow modification of ideas, comments, etc., after submission (when they are no longer in draft). The submissions can be marked as deleted, but they will be kept in the back-end for retrieval by us if needed.
Do you periodically test backup media to ensure data completeness and consistency, and to ensure that data can be restored within a defined timeframe?
Yes. Because data is replicated, rather than backed up to removable media, data completeness and consistency is ensured. We regularly perform restores to confirm the data is reliable and to measure the time needed to perform a restore.
Do you have a documented “Chain of Custody” or “Investigation Escalation” process?
We have a four-tier incident response policy designed to track all investigative actions taken to determine the root cause of an incident, a client support and escalation process, as well as an internal management escalation process.
A Tier 1 Incident is the most critical. This is when a system has been compromised and is actively being altered or manipulated by someone with unauthorized access. This system must immediately be contained so that no further action will be available to the malicious user. This type of event must be handled within 15 minutes of notification. If any incident affects client data, the client affected must be notified immediately.
A Tier 2 Incident impacts a non-critical server or system. This incident must be acknowledged and repaired within 6 hours of notification.
A Tier 3 Incident requires a solution within 24 hours. This involves the discovery of hacker tools. The system is to be monitored heavily until the warning signs of the incident are no longer present.
A Tier 4 Incident must be resolved within 1 week. If someone threatens or warns that they heard a system was targeted or will be targeted, that rumor will be investigated to its source and settled. All rumors will be reported to the Security department. All incidents will be reviewed once resolved, in order to better protect the assets of Imaginatik.
Have the Business Continuity/Disaster Recovery Plans ever been tested?
On a regular (at least yearly) basis we test the actions to be taken in the event of partial system failures and power outages, and the restoration of full client environments into our alternate data center. We also have contingency plans for various other scenarios including the total (and extended) failure of a data center.
What is your service availability?
Service availability is an impressive 99.9% for Innovation Central and 99.5% for Discovery Central, excluding scheduled maintenance periods. We measure end-to-end response times – not just as measured in our data centers, but right out to the end user on your network. Our target is to have key pages in Innovation Central load in less than two seconds on average. Our technology allows us to identify those clients whose networks are most in need of improvement, compared to those clients who are achieving very fast response times. This improves participation and enables those clients to get better results from their challenges.
Compliance
What IT governance or security framework do you use for your control environment (COBIT, ISO17799, ISO 27002 internal policies and standards, etc.)?
Our policies and procedures are based on ISO Standard 27002 in order to set the minimum security requirements for Imaginatik in line with our clients' regulatory responsibilities. Imaginatik datacenters are hosted by 3rd party organizations that are either SOC-2 certified, SSAE 16 attested or ISO 27001 certified.
Do you have a comprehensive customer information security program in place? Can you explain the details of this plan?
Imaginatik Security polices were developed to meet Imaginatik strategies and goals relating to Information Systems Security throughout the company. These strategies and goals address and incorporate methodologies to ensure Imaginatik’s compliance to client and legal requirements.
The key security principles include: Information Security Awareness; Data Privacy / Confidentiality; Segregation of duties; Password management; Clear desk and screen requirements; A strong Access Control policy to mitigate possible data loss; Network Security; Disposal of Media policy; Change Management; Audit Logging; Backups; Virus Protection / Patch Management; Intrusion Detection / Prevention.
What provisions do you have in place to address compliance concerns such as HIPAA and European Data Privacy?
HIPAA – All data is encrypted (128-bit or higher) in transit and at rest. Only authorized persons with a specific requirement have access to the client’s environment.
Data Privacy – We comply with the EU Data Protection Act; however, we do not generally store client ‘personal data’ (any information which, on its own or referenced against other data held by Imaginatik, can be used to identify a living individual). All data is stored to the same high standards, and encrypted, regardless of its content. Should client data need to be held on CD, DVD, USB, or other forms of removable media, this is only done with the express written permission of the client concerned, and the data is securely erased once it is no longer needed. While on removable media, data will be password protected / encrypted.
What is Imaginatik Management's commitment to Information Security?
All Imaginatik staff have a responsibility to ensure the data they are exposed to is protected to the best of their abilities. The Information Security policies that provide directions on how to achieve this are written in line with ISO 27002 and are fully endorsed by the Executive Management team.
Do you have a Security Officer who is responsible for Data Security?
Imaginatik employs a dedicated Information Security Officer who has over nine years' experience of information security within a financially regulated environment. The Information Security Officer is responsible for advising the Company on all security matters, managing the overall strategic security program, performing security reviews, and ensuring non-public client and company data is adequately protected.
How are staff made aware of their Information Security requirements?
A key part of Information Security is the education of Imaginatik staff through security training and awareness, to ensure all users are aware of their responsibilities. This is achieved by annual Information Security training which includes: password management, secure management of client data and data classification, physical security of laptops and other media, mobile computing, and email and internet usage guidelines. New hires are required to read and adhere to an Information Security guide that outlines their responsibilities. They are also sent the Information Security policies that are relevant to their role, and an acknowledgment is obtained to verify they have been read and understood.
Are you Safe Harbor compliant?
Our US hosting provider is Cybercon who is Safe Harbor Certified. The direct URL for their Safe Harbor policy is: http://www.cybercon.com/safeharbor.html.
How do you support legal hold?
Access to Innovation Central data is available 24/7 and content can be exported into CSV format using the available export facilities.
How do you address coding for companies that have a “Records Retention Schedule” or have a need for “eDiscovery” controls?
Data is removed at the end of the engagement with the client, who can specify how and when it should be removed (i.e. immediately or in 12 months' time). If data that has reached a certain age needs to be deleted during the engagement, this can be done via a manual process.
Human Resources Security
What Data Privacy / Confidentiality agreements do you have in place?
All employees and third party staff are required to understand and comply with our Information Security policies. Every person signs a Non-Disclosure Agreement, an employment contract and a non-compete agreement when they are hired. This covers their duties and obligations regarding the handling of Confidential Information and Intellectual Property as well as their adherence to Imaginatik policies and procedures.
Our policies clarify Imaginatik and employees’/contractors’ obligations regarding protecting confidential information.
What hiring practices ensure that your employees conduct themselves in an ethical fashion?
All staff sign an NDA and Contract upon joining that lays out the terms and conditions of employment. Pre-employment checks are also performed and include: previous employment verification, social security trace, wants and warrants search, and statewide and federal criminal search.
What methods do you use to ensure timely account termination when needed?
Due to our size, the Service Delivery team that processes these requests is fully aware of all starters and leavers. Managers also advise the team in advance of a person leaving.
Do you have a Code of Conduct policy and Computer and Internet Acceptable Use policy and provide assurances that these policies are adhered to by your employees?
Yes, we have a number of security policies, including Internet and Email Use, that contain code of conduct requirements. The employment contract stipulates that these must be adhered to as part of the employment terms.
Do you have a company policy that includes Security Topics such as: Customer Data Privacy, Clean Desk Practices and Basic Computer Security Awareness?
Yes, we have a Data Protection and Privacy policy and a Mobile Computing policy. New staff receive basic computer security awareness training as part of the on-boarding process and sign a declaration that they will adhere to it.