Security Measures
itslearning has implemented the security measures set out in this appendix, both organisational and technical measures, in accordance with industry standards.
itslearning may update or modify such security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services.
Organisational Measures
The itslearning management team has been actively involved in developing an information security culture within the company via an ongoing awareness program, and has a management structure in place to manage the implementation of information security in its services with clear roles and responsibilities within the organisation.
Operations Management
Multiple industry best-practice processes and policies exist to ensure the best possible confidentiality, availability and integrity of the platform. These policies are built around strict requirements in a number of areas, such as;
- Information security
- Hosting environment security
- Third party access
- Capacity control
- Change management
- Backup and recovery
- Access control
- Documentation
- Logging and monitoring
- Incident response
- Release management
Security team
itslearning have a team of security experts who are responsible for the overall information security of the organisation. Their role include responsibility for;
- Coordinating security related tasks
- Securing corporate environment, network and devices
- Security the application (in-house penetration testing and application audits)
- Monitoring and logging
- Process and policy management (disaster recovery, patch management etc)
- Training and education of employees, in the field of information security
- Coordinating third-party security audits, and follow up on any findings
- Reviewing code for potential security vulnerabilities.
Roles and responsibilities
All employees have clear roles within the company, and are only given access to data required for their specific role. A limited number of employees have administrative access to our production environment and their rights are strongly regulated and reviewed at set intervals. Any major change to the application, environment or hardware of the production environment is always verified by a minimum of two individuals.
Personnel security
All itslearning personnel are required to enter into a strict confidentiality agreement. All staff are required to follow corporate policies regarding confidentiality, business ethics and professional standards. Staff involved in securing, handling and processing customer data are required to complete training appropriate for their role.
Access Control
Strict requirements are in place for any employee, hired consultants or third party requesting access to itslearning information systems. Access control is controlled by an authentication system. The user is required to:
- Have management approval for the requested access
- Have strong passwords that are in accordance with the corporate password policy
- Change their password at regular intervals
- Document that the access requested is required for their specific role/task
- Ensure that the device (PC, tablet, cellphone) used is adequately secured, and locked when the user is absent
itslearning employs automatic temporary lock-out of the user terminal if left idle.
Internal data access processes and policies are designed to prevent unauthorised persons and/or systems from gaining access to systems used to process personal data. Any changes to data are logged to create an audit trail for accountability.
Physical security
- Data Centres
itslearning operates all its customer services from data centres separated from the corporate office work space. Access to data centres is strictly controlled and protected to reduce the likelihood of unauthorised access, fire, flooding or other damage to the physical environment. Physical access to data centres is limited to a small number of employees within itslearning and/or its hosting centre providers. Strict security clearances are required and must be approved by security management prior to entering a data centre.
- Office Work Space
All of the office work space of itslearning is protected by access control. Only invited visitors and employees can access the itslearning work space. Multiple measures are in place to avoid security issues due to theft or loss of computer equipment. This includes security guidelines and acceptable use policies, authentication systems and encryption of storage units when applicable.
Technical Measures – System Availability
itslearning has implemented industry standard measures to ensure that personal data are protected from accidental destruction or loss, including:
- infrastructure redundancy (including full network, power, cooling, database, server and storage redundancy)
- backup is stored at an alternative site and available for restore in case of failure of the primary system.
- appropriate denial-of-service protection
- 365/24/7 personnel on duty to monitor and troubleshoot
Data Protection
itslearning has implemented a series of industry standard measures to prevent the personal data from being read, copied, altered or deleted by unauthorised parties during transport or at rest.
This is accomplished by various industry standard measures including:
- Use of layered firewalls, VPNs and encryption technologies to protect gateways and pipelines
- HTTPS encryption (also referred to as SSL or TLS connection) with secure cryptographic keys
- Remote access to data centres is protected with a number of layers of network security
- Particular sensitive customer data at rest is protected by encryption and/or hashing (pseudonymisation)
- Every decommissioned disk is subject to a disk erasure process according to our “Disk erase policy”, and decommissioning is logged by disk serial number
- Regular third-party security audits (minimum annually), including penetration testing, that are made available to customers
Data Centres
itslearning uses only state-of-the-art data centres, with 365/24/7 on-site security and monitoring operations. The data centres are housed in modern fire-resistant facilities that require electronic keycard access, with alarms that are linked to the on-site security operation. Only authorised employees and contractors are permitted to request electronic keycard access to these facilities.
System Development
The itslearning platform is based on industry standard technologies from well-known vendors, including Microsoft, Linux, Dell, Fujitsu, Amazon, Cloudflare, F5 and Cisco. Systems are periodically patched to the latest version to ensure that the latest security enhancements are applied. The platform is in general updated several times per quarter, and bug fixes are released swiftly based on priority, following rigorous quality checks.
itslearning has measures in place to minimise the risk of introducing code in its platform that can degrade the security or integrity of the customer services and personal data processed.
Measures include:
- Regular training of staff
- Code review by security architects
- QA process for rigorous testing of changes prior to deployment
Sub-processor security
When onboarding sub-processors, itslearning performs an audit of the security and privacy practices of sub-processors to ensure sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. itslearning performs regular security audits of the practices and delivery for existing sub-processors.