HRS Security

Software Security

The FileMaker security model is based on three key components:

1. Account Name - identifies the individual user

2. Password - proves the user is who they say they are

3. Privilege Set - defines access limits for user(s)

Account Names and Passwords control access to the file for each individual. Account Names and Passwords together are referred to in information security compliance guidelines as Identity. The Privilege Set controls what the user can see and do. The use of Privilege Sets allows you to define what is referred to in information security compliance guidelines as Role Based Security. Security settings defined within the file using FileMaker Pro are largely file specific. Accounts and privilege sets established in one file, control access to the information and schema stored in that file. Security settings configured within FileMaker Server are server specific and apply to all files hosted by the server.

 

 

HRS Documents are encrypted and only accessible using our HRS solution. Encrypted container fields are encrypted using AES-256. The Documents are self-contained within the Database so only accessible with a valid username and password.

An example of an AES-256 encrypted document is the following file path:

 

D:\FM_Backups\Daily_2014-08-27_2300\FM_Live\RNA\RC_Data_FMS\HRS_Docs\Files\HRS_Docs\Secure\00\6C\F2156EBB\CFA97E27\BC11F2E8\499E

 

The result of this is:

Hardware Security

We host all our servers on UKFast and Softlayer (an IBM company).

For more information on each provider's data centre capabilities visit the links below.

UKFast - https://www.ukfast.co.uk/colocation-data-centres-manchester.html

Softlayer - http://www.softlayer.com/data-centers

Both the above data centres follow the highest control on user access with 24/7 manned security.

 

Information on their security can be found here:

https://www.ukfast.co.uk/data-security.html

and

http://www.softlayer.com/security

You will see that they both meet the ISO 27001/2 standard.

Firewall and Administrative Access

All our servers sit behind UTM Firewalls ensuring the highest level of security. All Firewall rules are reviewed on a 3 monthly cycle to ensure that the only required rules are maintained on the devices.

Administrator access to our servers is only possible from certain IP addresses, and only granted to a set number of system administrators

Connection between Client Application and Servers

The connections between client applications and servers can be secured by SSL thus ensuring that snooping of Data by means of session hijacking or Man in the Middle attack methods are not possible. However, by default this is not enabled to prevent degradation of server performance.

HRS Security Controls

Here we will explain the security controls we have implemented to ensure data security.

Server Access

Server access is limited to a set number of system administrators and this access is reviewed every 3 months to ensure that appropriate access is maintained at all times.

Passwords Strength and Security

HRS follows a system of using complex passwords that have a minimum 10 characters and adheres to the below:

  • has uppercase letters
  • has lowercase letters
  • has numbers
  • has symbols, such as ` ! " ? $ ? % ^ & * ( ) _ - + = { [ } ] : ; @ ' ~ # | \ < , > . ? /

Password History

All passwords expire every 3 months and need to be replaced. The 6 last used passwords cannot be used to ensure compliance industry standards.

Data on Servers

All data on servers are stored in a database format which is password protected.

Data transferred is encrypted using 7zip and password protected to stop it from being compromised.

Data encryption is currently carried out on a request basis, as this impacts on the performance of the application. As we have very stringent controls on how we protect and control access to our data, we rarely have a request to encrypt the data stored on the servers.