Manage My Vessel - Security Assessment
All of the data for Manage My Vessel is stored on highly secured servers in data centers located in Aurora, CO and Las Vegas, NV, USA. The following are some of the highlights of how these data centers are physically secured:
· SSAE16 SOC I Type II Audited Controls
· Fenced Campus, Secure Entrances
· Fences equipped with vibration detection alarms
· Card reader access control system, fully logged and audited
· Cards automatically deactivated after 30 days of non-usage.
· Biometric validation or security escort required to access raised floor area
· Man trap required to access raised floor areas
· 24×7 Onsite Security, 2 officers per shift
· 8×5 Security Supervisor
· Hourly Manned Patrols
· Recorded, monitored video surveillance of all entrances, building exterior, and interior corridors with over 120 CCTV units and motion activation
· DVR recording of all cameras with 30-90 day retention
· Servers are locked inside metal cages behind multiple
Account and Data Security Control
· The development and production resources can only be accessed remotely by authorized personnel via VPN connection using strong encryption protocols
· Strong password policy and secure password recovery procedure
· A role-based access control policy is enforced, with least-permission rules applied
· Access to hypervisors and virtual machines is properly secured with strong authentication protocols and encrypted channels
· Data at rest is encrypted or physically secured
· A proper policy is in place for the destruction of materials that contain sensitive information, including the disposal of electronic devices
Manage My Vessel is a cloud solution that can be accessed only by authorized users and crew as follows:
· Secured transmission via HTTPS connection
· The management company may enforce strong password and update password policies on users who can manage user and crew profiles.
· Comprehensive logging on any modification to application data
· The test, staging and production environments are hosted in separate virtual machines. All of these virtual machines are hosted in the same secured data center outlined in the Physical Security section.
· Passwords for users and crew are encrypted using one-way encryption. If a user or crew member forgets their password, it must be reset, since the plain-text version of the password cannot be obtained by anyone
· User and crew personal information is encrypted in the database for GDPR compliance
· User files and documents that are stored in the file system are encrypted
· Credit card transactions are performed using the Authorize.Net payment gateway. Credit card information and transaction history are stored in Authorize.Net. No card payment information is retained by Manage My Vessel.
Redundancy, Backups and Disaster Recovery
· A proper business continuity and disaster recovery plan is in place. Individuals for each aspect of the plan have been properly defined and trained. The plans are tested and reviewed periodically.
· A proper ITIL Change Management process is in place, based on the relevant impact to business operations.
· There are several layers of backup and redundancy systems to ensure resiliency in case of hardware or data center failure:
o Each production virtual machine has a live stand-by failover virtual machine that is online
o Each production virtual machine is also replicated in real time to a secondary server as a secondary recovery option
o Each production virtual machine has a daily incremental backup that is retained up to 1 year.
o There are multiple slave databases with real-time data replication
o A full database backup is taken on a nightly basis, with multiple differential backups during the day. The database can be restored using point-in-time recovery at any time
o A duplicate environment with the same setup is placed in a secondary data center that is geographically distant
Network Availability and Security
· Multiple 10 Gbps uplinks to multiple carriers, with automatic failover, including carriers such as AT&T, CenturyLink, Comcast, Verizon, XO, Zayo, twtelecom, Cogent, etc.
· All systems are placed behind multiple redundant firewalls
· There is no wireless access point that has direct access to the production network
· Intrusion detection
· Vulnerability assessment
· Log management
· Appropriate network security policies and rules
· Inventory management
· Strong AES encryption is used for VPNs and TLS 1.2 for HTTPS communication channels
· All network devices are updated and patched regularly