Touch Support's Environment
Posted by on 14 January 2015 06:22 PM
Strong security measures ensure your data is protected from exploits while your applications keep running at peak performance. Understanding the Touch Support infrastructure security measures will give you the freedom to develop and operate your environment within the scope of our secured infrastructure. This document is designed to give you an overview of these security measures and how they may affect your website.
Do you provide a segregated environment (physically or logically) so that each customer’s data is isolated and protected against any unauthorized access? Please describe.
Logical separation is achieved through separate filesystem roots for each customer. Attempts to access data outside of your own environment are prevented and logged.
We also offer physical separation in many cases. This is, of course, more expensive than public cloud services or virtual environments because we’re provisioning hardware just for you.
Do you conduct or arrange in-house vulnerability scanning for all infrastructure, servers, databases and applications, on at least a quarterly basis? Please describe how vulnerability scanning reports are used by your company and how remediation of vulnerabilities occurs.
Yes, both. We have tools and custom scripts in-house for vulnerability scanning, both externally (i.e. through network connections) and internally (i.e. scanning disk and database for known vectors and exploits).
Reports are processed internally, and the vulnerabilities they identify are remedied as fast as possible with the assistance of third-party vendors (as necessary). Any changes are reported to affected customers, but only after we’ve made the changes to reduce the chance of exposure.
Can we (your customer) perform penetration testing of our environment hosted in your infrastructure?
Please contact us for further information.
Does your data center environment undergo a SAS 70 Type II examination at least annually?
Is all computing equipment located in a physically secure facility, where electronic access controls are used to prevent unauthorized access to computing facilities?
Are firewalls configured based on the principle of least privilege, where firewalls only allow approved applications, protocols, and services required to meet business needs?
Are intrusion detection or intrusion prevention systems used to monitor and/or protect your network?
Yes. They are updated monthly, or as needed.
Do you conduct or require background screenings for all personnel (employees and contractors) that have access to critical infrastructure, servers, applications, or data?
Do you maintain reasonable security precautions consistent with industry best practices?
Yes, we adhere to all industry-standard best practices. These change over time as new information and processes are put into place.
If an information protection incident were to occur, are you able to provide audit logs for our review?
Yes, for certain logs, such as access logs. There might be some logs which we cannot show you. We will work with you to help determine the nature of the exposure and what you might want to do to remediate.