Jedox Information Security Technical & Organisational Measures
This document is a high-level overview of the Jedox technical and organisational Information Security measures to protect personal data, and ensure ongoing confidentiality, integrity, and availability.
Jedox Information Security measures are created consistent with ISO/IEC 27001:2013, SOC 2 principles and the European Union General Data Protection Regulation (EU GDPR).
- ISO/IEC 27001:2013 is an international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an ISMS including the assessment and treatment of information security risks.
- The SOC II type 2 report provides evidence of how an organisation has operated its controls over a period of time against trust service principles.
- EU GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
Jedox may undertake to changes these measures at any time according to risk determinations. This can mean that individual measures are replaced with new measures which serve the same purpose but do not diminish the security level.
1. Information Security:
To outline Information Security measures within Jedox to demonstrate commitment to manage the assessment and treatment of these risks and to continually improve its information security.
- Jedox has deployed an ISMS to manage information security professionally based on ISO/IEC 27001:2013 measures and is sponsored by the Executive board. The Jedox ISMS has been certified and continues to be audited by an independent, external auditor on an annual basis.
- Jedox employs full-time dedicated information security employee(s) who are responsible for information security.
- Jedox has a comprehensive set of information security policies and processes which are disseminated to all employees after approval from senior management.
- All employees must sign a commitment statement confirming they have read and understood Information Security polices and will adhere to the measures.
- Information Security awareness sessions are provided annually to all employees.
- Jedox ensures that Suppliers and Partners have appropriate Information Security measures in place and reserves the “right to audit” their Information Security measures at least annually.
- Jedox has a change management process which takes into consideration security implications in respect of introducing changes to existing systems or when implementing new systems.
- The Jedox Risk Management process includes Supplier risk Management and IT systems risk management.
- Jedox legal requirements mandate customers and suppliers/partners signing confidentially agreements and data processing agreements (DPAs). The DPA ensures data protection, privacy and confidentiality of an individual’s personally identifiable information.
- Jedox conducts regular internal and external audits of its security practices.
- Jedox ensures that all employees are aware of and comply with the technical and organizational measures set forth in this document.
2. Access Control
To ensure systems containing data are used only by approved, authenticated users.
To protect the physical assets that contain data.
To ensure only persons entitled to use systems gain access only to the data that they are authorized to access.
- Jedox internal users are given access to IT systems based on their role profile.
- All IT system access is based on least privilege and “need to know”.
- External users requiring access to Jedox systems are only given access once approved by the appropriate senior manager.
- External users will only be given access to Jedox IT systems when all contractual documents have been signed.
- External users are only given access based on external user role profiles. and are clearly identifiable in IT systems as being external.
- The Access management process only allows for access requests to be made by senior managers.
- All users access Jedox IT systems with a unique identifier (user ID).
- Jedox password control requires password complexity which follow alphanumeric and special characters methodology.
- Jedox has a thorough procedure to deactivate users and their access when a user leaves the company or a function.
- Jedox undertakes regular reviews of user access rights and role permissions based on the risk rating of each IT systems.
- Jedox physical access controls into Jedox premises only allows authorised personnel to enter.
- Jedox visitor’s process for any non-Jedox persons who enter Jedox premises mandates that these persons are logged in/out and escorted at all times by the host.
- Jedox classifies all information therefore ensuring confidentiality and integrity where only authorised audiences can view information assets based on the classification.
3. System Control
To outline Information Security measures within Jedox to demonstrate commitment to manage the treatment of system risks and to continually improve its information security.
- Jedox has a formal product development process which uses a Secure Development Lifecycle (SDLC). that includes a wide range of security testing and flaw reporting. All changes follow quality assurance and testing prior to implementation.
- Jedox has a central, secured repository of product source code, which is accessible only to authorised employees.
- Duties between test and production environments are segregated.
- There is restoration of back-ups on all IT systems.
- Jedox has an asset repository detailing system ownership and the risk rating for each system.
- Jedox installs anti-virus software on all devices.
4. Confidentially, Integrity and Availability
To ensure data remains confidential throughout processing and remains intact, complete and current during processing activities.
To ensure data is protected from accidental destruction or loss, and there is timely access, restoration or availability in the event of a service incident.
- All Jedox employees must sign confidentiality agreements which are included in their contractual agreements.
- All Jedox Suppliers and Partners are required to sign contractual agreements which include confidentiality and data protection requirements.
- Jedox restricts access to files and programs on a “need-to-know” basis
- Jedox has logging, monitoring and alerting in place to identify any unwanted access attempts into the Jedox environment. When detected these are investigated and treated accordingly.
- Local data centres have business continuity/DR plans for disaster events.
- A document retention policy ensures data required is kept or destroyed according to information classification and jurisdictional regulations.
- Jedox Data protection processes include the “right to be forgotten”, “right to amendment”
5. Customer Cloud
To outline measures taken which demonstrate commitment to manage the customer cloud environment.
To ensure Customer Data is not read, copied, altered or deleted by unauthorized parties during transfer/storage. To ensure each Customer’s Data is processed separately.
- Jedox uses logical separation within its multi-tenant architecture to enforce data segregation between customers. Each customer is provided with their own specific URL which is created as HTTPS. Each customer users are given unique user credentials.
- Jedox provides separate virtual machines (VM’s) per customer, so that no databases are shared
- All customer data is encrypted in transit and at rest.
- Data assigned to customers is deleted once no longer required.
- Customers can choose the geographical location for their data storage.
- Jedox can provide federated Active Directory (AD).
- All customer data is treated confidentially, and only authorised individuals can view this information and only on a “need-to-know basis”. As a matter of course, Jedox does not access customer data and where access is required to operate the service or assist in a customer issue, the request for access must be formally justified and approved by the customer. The customer can track the progress through their support portal.
- Duties between test and production environments are segregated.
- Back-up and restore is available for cloud environments.
6. Incident Management
In the event of any security incident or data breach, to ensure that the effect of the security incident or data breach are minimised and the relevant parties promptly informed.
- Jedox maintains an up-to-date incident management process that includes responsibilities, how information security events are assessed, classified and treated.
- The Jedox Data Breach policy defines how it is assessed, classified, treated, responsibilities and who to externally notify. Customers and the relevant authorities will be notified without undue delay after it has been confirmed that a data breach has occurred.