This document covers all technical and organisational IT security measures that are currently implemented. It was last updated on 8 March 2018.
Systems to be protected
These measures apply to the following systems:
- Laptop and desktop computers in the offices
- Mobile phones
- Online services that are used
To provide our services, we use virtual servers hosted in data centres that are adequately protected. Currently we are using the following service providers:
- jiffybox / domainfactory (for Impact Stack)
- Hetzner (for Impact Stack)
- fidoo (ISO 27001 certified)
Servers
- Software selection: The servers run the proven Debian GNU/Linux operating system. Only software that is necessary for the operation of our services is installed on any server.
- Security updates: Security updates for the various software products are applied automatically. Non-critical updates are applied regularly.
- Firewall: The firewall's configuration blocks everything except for those ports necessary for the relevant services.
- Encrypted communication: We use only encrypted protocols to communicate with the servers.
- Administrator access via VPN: Administrative access from our workstation computers is only possible via a VPN connection (OpenVPN).
- Security advisories: Our administrators have subscribed to the relevant security mailing lists (Debian, Drupal ...).
- Restricted access: Only administrators have full access to the servers. Other users are given unprivileged accounts for access.
- One-time login: To access our campaignion installations we use only one-time logins that are requested beforehand via SSH.
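The firewall measure above is stated as a policy (default-deny, only the ports the services need). The following POSIX shell script is an added example, not part of the original document, of how an administrator can verify that policy against a saved ruleset. The function names and the sample ruleset are constructed for this example, and it assumes an iptables-based firewall in the text format written by `iptables-save`; the document does not state which firewall tool is actually used.

```shell
#!/bin/sh
# Added example (not from the original document): audit an iptables-save
# dump for the "block everything except necessary ports" policy.
# Only the INPUT chain of the filter table is checked.

# Constructed sample ruleset: a host that accepts only SSH, HTTP and HTTPS.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 443,8443 -j ACCEPT
COMMIT'

# Exit status 0 when the filter table's INPUT chain defaults to DROP.
input_default_deny() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP'
}

# Print every destination port the INPUT chain accepts, one per line.
# Handles both --dport N and multiport --dports A,B,C.
accepted_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), parts, ",")
                    for (j = 1; j <= n; j++) print parts[j]
                }
        }'
}

# Compare the accepted ports with a space-separated allowlist.
# Reports each port outside the allowlist on stderr; exit status 1 if any.
check_allowlist() {
    rules=$1
    allowed=" $2 "
    status=0
    for p in $(accepted_ports "$rules"); do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "unexpected open port: $p" >&2; status=1 ;;
        esac
    done
    return $status
}

# Usage on the sample. On a real host: check_allowlist "$(iptables-save)" "22 80 443"
if input_default_deny "$SAMPLE_RULES"; then
    echo "INPUT chain defaults to DROP"
else
    echo "INPUT chain is not default-deny" >&2
fi
check_allowlist "$SAMPLE_RULES" "22 80 443 8443" && echo "only allowlisted ports are open"
```

Run as a cron job or from a configuration-management check, a non-zero exit status flags a server whose ruleset has drifted from the documented policy; the allowlist is the list of ports the server's services actually require.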
Laptop and desktop computers
- Hard disk encryption: The hard disks of the devices we use are encrypted in order to ensure the confidentiality of our data even if a device is lost.
- Screen lock: Our employees are trained to either turn off their devices or to activate the screen lock when leaving their workplaces.
- Training: Our employees receive regular training (at least once a year) on IT security aspects, best practices and new developments.
- Continuous improvement: This document and the security concepts included are regularly revised and improved (at least once a year).
- Four-eyes principle: The software we develop undergoes a review process ensuring that at least two persons have read and understood the code.
- Hosting on-site backup: We can access time-stamped snapshots of our virtual servers (from last night, one week ago and two weeks ago), which allow us to start a clone of the system within 30 minutes.
- Hosting off-site backup: An incremental backup of user data is stored on a computer in our offices every night, ensuring our access to old data. Sensitive data is encrypted before being transferred from the servers.
- Documents: Our documents are managed via a self-hosted cloud solution. This ensures that local copies exist on the clients in addition to the on-site backups (see item 1 above).
Mobile phones
- Screen lock: Our mobile phones are protected against any unauthorised use by PIN codes or biometric methods.
Online services
- Approved services: We maintain a list of services that process our sensitive data. Employees receive regular training on using the approved services.
Offices
As some of our services are delivered from a shared office environment, it is difficult to protect this office space against unauthorised access during the day (only visual control by colleagues). Also, mobile working is the norm in our business. We therefore accept that protection against physical access will never be exhaustive and that any remaining gaps have to be closed by additional measures.
- Access control: Windows and doors are locked outside office hours (when no authorised person is present). Electronic keys assigned to individual persons are required to unlock the doors. All locking and unlocking events are recorded.
We are working towards a complete implementation of the IT Grundschutz Catalogue published by the German Federal Office for Information Security (BSI), based on the current draft.