Information security exhibit - Wolters Kluwer Scandinavia Online Services
The following sets forth Wolters Kluwer Scandinavia AB’s (“WKSC”) applicable information security policies and procedures for the Wolters Kluwer Online Services.
The Wolters Kluwer Online Services, as listed in appendix, are hosted by Microsoft (Azure) in Europe unless otherwise stated.
1 INFORMATION SECURITY POLICY
1.1 Policies and guidelines – Wolters Kluwer has implemented a Global IT Security Policy that encompasses a variety of policies for managing information and technology assets intended to protect underlying applications and data. Wolters Kluwer has also implemented an Application Security Policy which defines Wolters Kluwer requirements for the secure development, testing, deployment and monitoring of software applications. Associated with the policies Wolters Kluwer has implemented a set of detailed internal guidelines and procedures.
1.2 Information Security Risk Assessment – On an annual basis, WKSC conducts an audit and information security risk assessment of our security strategy, technical capabilities and performance with respect to the Online Services.
1.3 Human Resources –WKSC reviews, and updates as needed, its personnel policies relevant to information security.
2 IT SECURITY
The following areas are covered in the Wolters Kluwer Global IT Security Policy:
• Information Technology Security Management and Organization
• Risk Assessment
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Operations Security
• Communication Security
• Third-Party Service Providers
• Access Control
• Information System Life Cycle Management
• Information Technology Security Incident Management
• Business Continuity Management
The policy is being further detailed in a number of guidelines and procedures.
3 APPLICATION SOFTWARE SECURITY
The following areas are covered in the Wolters Kluwer Application Security Policy:
• Application Security Standard
• Secure Usage of 3rd Party Software
• Secure Usage of Open Source Software
• Secure Usage of External Software Services
• Application Security Training
• Application Security Scanning
• Vulnerability Remediation
• Exception Requests
• Reviews of Security Policy
The policy is being further detailed in a number of guidelines and procedures.
4 HUMAN RESOURCES
4.1 Background Checks – WKSC executes background checks during the hiring process for all full time employees.
4.2 Acceptable Use Policy – WKSC has an Acceptable Use Policy (AUP) for its employees, temporary staff and contractors defining acceptable use and access to WKSC and its affiliates’ information systems.
4.3 Security Awareness Training – Wolters Kluwer has an information security awareness training program for its employees including at least annual security training for all employees.
5 INFRASTRUCTURE FROM MICROSOFT AZURE
5.1 The Online Services are run on infrastructure provided by Microsoft Azure. The Azure datacenters comply with industry standards such as ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, ISO/IEC 20000-1:2011, ISO/IEC 22301:2012, ISO/IEC 9001:2015 and NIST SP 800-53 for security and reliability and are managed, monitored and administered by Microsoft Operations staff.
5.2 A detailed documentation of security measures in Azure can be found in the Microsoft Azure documentation on https://docs.microsoft.com/en-us/azure/security/fundamentals/protection-customer-data.
5.3 If, in the future, different cloud providers are used in lieu of, or in parallel to, Microsoft Azure, such providers will be required to meet the same level of industry and security standards.
6 ONLINE SERVICES INFRASTRUCTURE CREDENTIALS
6.1 Provisioning – All credentials used in conjunction with the infrastructure, operating systems, or databases supporting the Online Services are supported by an identity management request-based system that requires applicable management approval for access and privilege changes.
6.2 Termination – All Online Service credentials are to be disabled within 24 hours of an employee’s termination date.
6.3 Passwords – WKSC has a minimum standard password policy for access to Online Service systems and databases. Password complexity and the changing of password at regular intervals is enforced and all passwords must meet the criterias enforced at each time.
6.4 Lockout – Accounts will be locked after repeated consecutive invalid login attempts. Thereafter, accounts can only be unlocked by the applicable data center Service Desk, or once the lockout timer has expired.
6.5 All administrative access to hosting environments are protected using multifactor authentication (MFA).
7 ROLE SEPARATION
7.1 WKSC define and document the roles and responsibilities for the employees of WKSC and its Service Providers who support infrastructure and services for the Online Services. Each such person/function will be given the amount of privilege necessary in order for such person/function to fulfill the duties of the role he or she is currently assigned.
7.2 Application Credentials for Online Services Customers - Application credentials are managed by the Customer. The Customer’s administrator account can create, delete and modify application User IDs (UID), and can delegate account control to one or more UID account(s) associated with that Customer’s application account. The application UIDs are only valid when used with the Online Services.
7.3 The system leverages the provided cloud support to maintain strict access to information based on user role.
8 INCIDENT RESPONSE AND MANAGEMENT
8.1 The Incident policy ensures there is a written incident response plan as well as defined phases of incident handling/management.
8.2 Job titles and duties for handling computer and network incidents are limited to specific individuals and tracking and documentation is ensured throughout the incident through to resolution.
8.3 Management personnel are designated, as well as backups, who will support the incident handling process by acting in key decision-making roles.
8.4 Organization-wide processes are implemented for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, including the mechanisms for such reporting, and definition of necessary information in such incident notification.
8.5 Contact information for relevant third-partes in the event of a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners are documented and kept up to date.
8.6 All employees are informed of the process for reporting computer anomalies and incidents to the incident handling team.
8.7 Response exercise and test scenarios for incident management is conducted for the workforce involved to maintain awareness and comfort in responding to real-world threats.
9 ENVIRONMENT SEPARATION
9.1 Environments – WKSC has logical environment separation for the Online Services as described below in this section. Depending on the service involved there may also be physical separation.
9.2 Corporate – WKSC has a corporate network supporting general employee and internal business activities. This network is physically and logically separated from networks supporting hosted applications such as in the WKSC Online Services.
9.3 Development and Test – WKSC has development and testing environments that are separate from stage and production environments.
9.4 Production – WKSC has dedicated environments for the Online Services. The production environments are separated from the corporate, development, and test environments.
10 DATA RECOVERY
10.1 Backup – Customer data is being backed up using AES-256 based encryption and can be restored for 30 days. The restoration of data within the backup period is provided as a separate service. Backups of file uploads are handled in an application specific manner.
10.2 Retention – Customer data that is not deleted by the customer will be part of backups for as long as the customer has an active service. Data that has been backed up and is deleted by the customer will be maintained as part of backups for 30 days from the time of deletion. If a customer terminates the service the data willbe kept in backups for a period of maximum 60 days from the termination of the service.
11 AVAILABILITY AND DISASTER RECOVERY
11.1 Redundancy – WKSC deploys all computing components for Online Services such that several instances are running in parallel in the same data centre. In addition, data storage is replicated over two sites meaning that there are multiple copies of all user data.
11.2 High Availability Environments – WKSC maintains, for the Online Services a highly available environment configuration. Using existing and standard public cloud services several instances are running at the same time. Failover between these instances is done in an automated way and outside the direct involvement of WKSC.
11.3 Active-Active Environments – WKSC maintans an active replica of the user data in a separate site.
11.4 Disaster Recovery Environments – In the unlikely event of the primary site being affected the operation can be moved to a secondary site. Since the user data is constantly being replicated to this second site, the recovery process involves using existing scripts and deployments pipelines to spin up this secondary site that then takes over the operation of the service. The secondary site has the same capabilities as the primary one but is running in another site and typically in another country from the primary site. The disaster recovery process is estimated to take between 2-7 days.
11.5 Health Monitoring – WKSC maintains automated health monitoring of all computing systems supporting the Online Services. The monitoring system is intended to automatically generate alerts when monitoring thresholds have been exceeded.
11.6 Performance Monitoring – WKSC maintains automated performance monitoring of all computing systems supporting the Online Services. The monitoring system is intended to automatically generate alerts when monitoring thresholds have been exceeded.
11.7 Performance Testing – WKSC maintains a formal performance and scalability testing process. All major code changes undergo formal performance testing before being deployed to the production environment.
11.8 Capacity Planning – WKSC maintains a capacity planning process to assess whether the appropriate amount of computing assets will be available in the production environment to support all Customers.
12 OPERATIONS MANAGEMENT
12.1 Release Management – WKSC maintains a release management and code promotion process for the Online Services. This process is intended to ensure code is tested in a controlled environment, which mimics the production environment, using realistic test cases. Code will be promoted from the testing environment to the staging environment to allow for IT automation and source image validation before being promoted to production.
12.2 Change Management – WKSC maintains a change management process. All changes to infrastructure hosting Online Services will be detailed in a change request, be scheduled in predetermined change window, and require applicable management approval.
12.3 Incident Management – WKSC, with its applicable Service Providers, maintains an incident management process. The incident management process is intended to facilitate the resolution of, provide for a root cause analysis for, and ensure remediation steps are completed for any service disruption to the Online Services.
12.4 Security Management – WKSC, with its applicable Service Providers, maintains a security incident management process. This process defines steps for minimizing loss of data, preserving evidence, escalation of support to a specialized information technology forensics team, vulnerability identification, vulnerability remediation, and notification guidelines.
12.5 Key Performance Indicators – WKSC tracks application uptime, service disruptions, the root cause of material disruptions, and the implementation of any remediation.
13 ADDITIONAL SECURITY MEASURES
13.1 Antivirus and Malware – WKSC uses antivirus and malware protection software designed to protect computing equipment hosting the Online Services and end users.
13.2 Network Intrusion Detection System (NIDS) – WKSC maintains Network Intrusion Detection Systems designed to provide certain protections for all environments.
13.3 Network Intrusion Prevention System (NIPS) – WKSC maintains Network Intrusion prevention Systems designed to provide certain protections for all environments.
13.4 Security Information and Event Management (SIEM) – WKSC maintains SIEM monitoring technology in any production environment.
13.5 SIEM events will be monitored by the security operations center (SOC) team with set thresholds for event escalation.
13.6 Vulnerability Scans – WKSC regularly conducts internal and external vulnerability scans. The results are not made available to Customers.
13.7 Penetration Testing – WKSC regularly commission a thirdparty external penetration test. An executive summary of results may be made available to Customers upon request and subject to confidentiality requirements.
13.8 Data in transit and at rest is encrypted according to industry best practices.
14 SECURITY LOGS
14.1 Routers, Switches, Firewalls, and Load Balancers – Allow changes to router configuration to be tracked.
14.2 Servers – Allows users login events to be tracked as individual messages.
14.3 Security and Event Log Management – WKSC maintains security and event logs for a minimum of thirty days.
14.4 Routers, Switches, Firewalls, and Load Balancers - Allows configured system events such as memory utilization, CPU utilization, rule utilization, network errors, packet loss, and other messages designed to provide administrators with information regarding the health and performance of the device to be captured.
The following products are included in Wolters Kluwer Online Services:
• Capego (Azure version)