Security & Operations
ClusterSeven utilizes best-practice policies and processes to develop and manage our solutions, as well as secure our applications and environment. Customers and partners can be confident that ClusterSeven can support the commitments they make to their own customers.
The International Standard of Service Assurance (ISAE) 3402 SOC report is the global standard for documenting and auditing the internal controls at a service organization. The standard grew out of the phenomenon of organizations outsourcing critical aspects of core business processes, typically using Software-as-a-service (SaaS) applications, where they have little or no influence of the management, technology or data controls they would be expected to have in place within their own IT environment.
ClusterSeven is certified to ISO/IEC 27001:2013 across our business, to ensure that:
- We systematically assess our information security risks, taking account of threats, vulnerabilities, and their impact on the business;
- We design and implement a coherent and comprehensive suite of information security controls in order to bring down any risks to within our risk appetite.
- We adopt an overarching information security management process to ensure that our security controls continuously meet our information security needs on an ongoing basis.
ClusterSeven aligns to the ISAE 3402 standards for our Cloud-based CSM solution. The ISAE 3402 standard provides assurance for our clients that CSM is supported by rigorously defined business processes, development processes, as well as management controls, which ensure that CSM is fully aligned with their own controls, standards and management processes.
- Our CSM platform is powered by Microsoft Azure, which provide security, performance and scale.
- We utilize Azure data centers that run 365x24x7, with redundant cooling, power, network connectivity and intrusion controls.
These data centers are certified to numerous standards including ISO 27001, IS0 27018, HIPAA, SSAE-16 and many others.
- Audit log data from application and infrastructure resources are captured consolidated in a centralized monitoring and alerting platform, to provide a secure and proactive security and management regime.
- Anti-virus and anti-malware capabilities are deployed across all servers within the Cloud service, and are integrated with the monitoring and alerting system.
- Distributed denial of service (DDoS) attacks are mitigated with standard detection and mitigation techniques, e.g. scrubbing.
Updates and Patches
- Product updates are deployed on a regular basis, during scheduled maintenance windows outside business hours.
- ClusterSeven provides advanced notice of changes of significant impact on end users.
- Where Microsoft apply patches to their infrastructure, our high availability environment ensure that these updates do not impact the availability of the service.
- Application authentication is provided by the industry standard OAuth 2.0/OpenID Connect protocols.
- Passwords are managed and stored in the Azure Active Directory, and a password policy enforces complexity, expiry and account lock-out.
- The management access model utilizes a least privilege framework to provide access to the service, and its operation. The production environment is locked down, so that operations team staff are the only ones with permission to grant access.
- ClusterSeven’s operations team utilizes an incident response plan that covers initial response management, root cause analysis, as well as retrospective analysis and escalation routes.
- Our application support model covers a tiered support framework and contractual SLA.
- We undertake extensive background checks on staff, to ensure the integrity of the business. We also train them extensively to help develop the environment and adopt new technologies as required.
Development Life Cycle
- Security is embedded in the Software Development Lifecycle (SDLC), utilizing a agile development model to implement changes and upgrades
- Testing is a core element of our development processes, delivered boy our Quality Assurance (QA) function, which is operationally and functionally separated from our development function.
- Our developers use a source code control system that authenticates users, and monitors changes to the software baseline and the configuration files. This process is central to developing robust, error-free functionality.
- Third party security specialists conduct regular penetration testing against our environment, in addition to the penetration testing Microsoft carry out on their on their own Azure platform.
Privacy & Data
- Customers remain the data owners of the information stored and processes within the ClusterSeven service. Customer may chooses to delete or retain their data in line with their data management policies.
- ClusterSeven offers a selectable choice of data center in the US and EMEA, allowing customers to address jurisdictional privacy requirements.
- ClusterSeven is a data processor and has no visibility of the classification or type of data input to the system.