Dedicated to safeguarding your information
To protect the privacy of its customers and the safety of their information, Infor® maintains high standards of data security. Infor Birst® relies upon state-of-the-art and secure data centers, enforces strict internal product controls, and regularly audits its policies and procedures using third-party auditors.
The following sections of this white paper cover the key areas of Birst security in detail, including physical security, system security, operational security, reliability, and application and data security.
The key tenets of Infor Birst’s security initiatives are:
• Security is designed from the ground up in the application, network, hardware, and operational procedures.
• Birst is SOC 2 Type 2 audited, HIPAA/HITECH attested, and ISO-27001:2013 certified.
• Birst is hosted in modern Tier-4 data centers that are SOC 2 Type 2 audited and are ISO 27001 certified or follow ISO 27001 policies.
• Infor’s global GDPR privacy program is independently validated by TRUSTe.
• Security best practices for code development, testing, and operations are followed.
• Regular external review of the policies and procedures for Birst security and operations is conducted.
• Regular penetration and vulnerability testing by third parties is completed.
• Birst personnel maintain security and privacy certifications.
Physical security
A key aspect of security is the physical security of the hardware containing customer data. Infor Birst uses the leading data center and hosting providers—INAP® (US) and Amazon® (EU, APAC, Canada, and GovCloud).
Birst data centers have the following physical safeguards:
• Data center staffed 24 hours a day, seven days a week.
• At INAP, data center access is limited to INAP technicians and the Birst operations team. At Amazon, data center access is limited to Amazon data center technicians only.
• Entry to the data centers is regulated by photographic identification, biometric scans, man traps, and secured shipping/receiving areas isolated from the data center floor.
• Interior and external security camera surveillance monitoring, with the video stored for review.
• Unmarked facilities maintain a low profile.
• Physical security audits are conducted by third parties.
Further information about Birst data center operations, security policies, and procedures is available at:
• Inap/data-centers
• Amazon/compliance
• Amazon/security
In addition to ensuring that the infrastructure containing customer data is physically secure, Birst ensures that the networks and hardware containing customer data are hardened and tested against attack.
Hardware security requirements include:
• New servers are provisioned with CIS level-1 hardened operating systems.
• Security patches are applied on a regular basis.
• All systems are firewall protected, with firewalls at multiple points in the network.
• All public-facing machines are in a demilitarized zone (DMZ), in which a firewall separates public-facing from internal hardware.
• Intrusion prevention systems and host-based intrusion detection systems constantly monitor the internal network, providing alerts to operations staff, daily status emails, and weekly vulnerability scans of all internal machines.
• Web application firewalls (WAF) are utilized.
• Virus scanning and detection on all machines, with signatures updated every 24 hours.
• Internal and host scanning performed daily.
• All machines can only be accessed by named accounts so that a detailed log of activities is available.
Operational security
It is not enough to have a secure physical and network environment; it must also be operated securely. Infor and its data center providers work as a team and have the following operational security provisions:
Data center operational security includes:
• Policies and procedures that are SOC 2 Type 2 audited and ISO-27001:2013 certified.
• Access to confidential information is limited to authorized personnel only, by documented processes.
• All employees are trained on documented information security and privacy procedures.
• Multiple and thorough background security checks are conducted for all data center personnel.
• Systems access is logged and tracked for auditing purposes.
• Secure document destruction policies and procedures are followed.
• Change management procedures are fully documented.
• Independently reviewed and regularly tested disaster recovery and business continuity plans.
Infor corporate operational security includes:
• Infor has fully documented policies and procedures that are independently reviewed.
• All employees are trained and tested (on hire and annually) on documented information security and privacy procedures. Regular updates on security are provided via email and forums.
• Background checks (on hire and annually) are performed on all employees who have access to customer data.
• Access to the production network is limited to authorized personnel, who access it using a secure, site-to-site virtual private network (VPN) with multifactor authentication through a jump server.
• Access to customer data is limited to authorized personnel only, according to documented processes.
• Access to disaster recovery and business continuity plans are independently reviewed and regularly tested.