Security Measures

itslearning has implemented the security measures set out in this appendix, both organizational and technical measures, in accordance with industry standards. itslearning may update or modify such security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services.

Organizational Measures

The itslearning management team has been actively involved in developing an information security culture within the company via an ongoing awareness program, and has a management structure in place to manage the implementation of information security in its services with clear roles and responsibilities within the organization.

Operations Management

Multiple industry best-practice processes and policies exist to ensure the best possible confidentiality, availability and integrity of the platform. These policies are built around strict requirements in a number of areas, such as;

  • Information security
  • Hosting environment security
  • Third party access
  • Capacity control
  • Change management
  • Backup and recovery
  • Access control
  • Documentation
  • Logging and monitoring
  • Incident response
  • Release management

Security team

itslearning have a team of security experts who are responsible for the overall information security of the organization. Their role include responsibility for;

  • Coordinating security related tasks
  • Securing corporate environment, network and devices
  • Security the application (in-house penetration testing and application audits)
  • Monitoring and logging
  • Process and policy management (disaster recovery, path management etc)
  • Training and education of employees, in the field of information security
  • Coordinating third-party security audits, and follow up on any findings,
  • Reviewing code for potential security vulnerabilities.

Roles and responsibilities

All employees have clear roles within the company, and are only given access to data required for their specific role. A limited number of employees have administrative access to our production environment and their rights are strongly regulated and reviewed at set intervals. Any major change to the application, environment or hardware of the production environment is always verified by a minimum of two individuals.

Personnel security

All itslearning personnel are required to enter into a strict confidentiality agreement. All staff are required to follow corporate policies regarding confidentiality, business ethics and professional standards. Staff involved in securing, handling and processing customer data are required to complete training appropriate for their role.

Access Control

Strict requirements are in place for any employee, hired consultants or third party requesting access to itslearning information systems. Access control is controlled by an authentication system. The user is required to:

  • Have management approval for the requested access
  • Have strong passwords that are in accordance with the corporate password policy
  • Change their password at regular intervals
  • Document that the access requested is required for their specific role/task
  • Ensure that the device (PC, tablet, cellphone) used is adequately secured, and locked when the user is absent.

itslearning employs automatic temporary lock-out of user terminal if left idle.

Internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Any changes to data is logged to create an audit trail for accountability.

Physical security

  1. Data Centers

itslearning operates all its customer services from data centers separated from the corporate office work space. Access to data centers are strictly controlled and protected to reduce the likelihood of unauthorized access, fire, flooding or other damage to the physical environment. Physical access to data centers are limited to a small number of employees within itslearning and/or its hosting center providers. Strict security clearances are required and must be approved by security management prior to entering a data center.

  1. Office work space

All of the office work space of itslearning is protected by access control. Only invited visitors and employees can access itslearning’s work space. Multiple measures are in place to avoid security issues due to theft or loss of computer equipment. This includes security guidelines and acceptable use policies, authentication systems and encryption of storage units when applicable.

Technical measures

System availability

itslearning has implemented industry standard measures to ensure that personal data are protected from accidental destruction or loss, including:

  • infrastructure redundancy (including full network, power, cooling, database, server and storage redundancy)
  • backup is stored at an alternative site and available for restore in case of failure of the primary system.
  • Appropriate denial-of-service protection
  • 365/24/7 personnel on duty to monitor and troubleshoot

Data protection

itslearning has implemented a series of industry standard measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during transport or at rest. This is accomplished by various industry standard measures including:

  • Use of layered firewalls, VPNs and encryption technologies to protect gateways and pipelines
  • HTTPS encryption (also referred to as SSL or TLS connection) with secure cryptographic keys
  • Remote access to data centers are protected with a number of layers of network security
  • Particular sensitive customer data at rest is protected by encryption and/or hashing (pseudonymisation)
  • Every decommissioned disks are subject to a disk erasure process according to our “Disk erase policy”, and decommissioning is logged by disk serial number
  • Regular third-party security audits (minimum annually), including penetration testing, that are made available to customers

Data centers

itslearning uses only state-of the art data centers, with 365/24/7 on-site security and monitoring operations. The data centers are housed in modern fire-resistant facilities that require electronic card key access, with alarms that are linked to the on-site security operation. Only authorized employees and contractors are permitted to request electronic card key access to these facilities.

System development

itslearning’s platform is based on industry standard technologies from well-known vendors, including Microsoft, Linux, Dell, Fujitsu, Amazon, Cloudflare, F5 and Cisco. Systems are periodically patched to latest version to ensure that the latest security enhancements are applied. The platform is in general updated several times per quarter, and bug-fixes are released swiftly based on priority, following rigorous quality checks.

itslearning has measures in place to minimize the risk of introducing code in its platform that can degrade the security or integrity of the customer services and personal data processed. Measures include:

  • Regular training of staff
  • Code review by security architects
  • QA process for rigorous testing of changes prior to deployment

Sub-processor security

When onboarding sub-processors, itslearning performs an audit of the security and privacy practices of sub-processors to ensure sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. itslearning performs regular security audits of the practices and delivery for existing sub-processors.