
...

ConnectMyApps conducts annual penetration testing against the OWASP Top 10 security threats on our critical infrastructure via an accredited third party. We are currently undergoing ISO 27001 certification, expected to be complete by late 2022, and ISAE 3000 third-party attestation, expected to be complete during 2022.

This document is divided into the following sections:

...

  • Broadly follows the NIST Cybersecurity Framework.

  • Undertaking ISO 27001 certification process.

  • Undertaking ISAE 3000 third-party attestation.

  • ISMS in place within Amesto Group, including ConnectMyApps.

  • System Owners are required to review access and documentation every 6 months.

  • ConnectMyApps is compliant with GDPR rules and regulations.

  • DPAs with all software vendors used by ConnectMyApps that are ultimately owned by US companies include Standard Contractual Clauses, and in most cases Binding Corporate Rules are also in place.

  • Privacy by Design principles are followed when developing integrations, e.g. minimise the fields and data transferred to only those absolutely required; store only the data absolutely required for technical support purposes; automatically delete all records after 30 days; anonymise metadata used for platform maintenance.

...

  • Security audit and penetration testing against the OWASP Top 10 security threats is performed by an accredited external third party at least annually. Most recent test: August 2022.

  • The ConnectMyApps platform is hosted in Amazon Web Services (AWS) across multiple Availability Zones (AZs) located in Ireland and Germany. ConnectMyApps has the second-highest AWS support SLA available.

  • Access to administration of the AWS platform is controlled by multi-factor authentication and IP restriction.

  • Database backups are performed multiple times per day as "hot snapshots".

  • Communication to server instances is routed through an Elastic Load Balancer (ELB), reducing the risk of a single point of failure.

  • Automatic health checks are performed on the servers every minute. Faulted server instances are removed, and new instances are automatically provisioned if required.

  • Inter-process communication within the platform is conducted via durable message queues.

  • AWS WAF (Web Application Firewall) is used as an external firewall on key public-facing APIs and application endpoints.

  • AWS Shield is used to mitigate DDoS attacks.

  • Servers within the platform are updated automatically via Microsoft security updates. Databases run on the AWS RDS service and are auto-patched and updated as part of it.

  • TLS/SSL certificates used by ConnectMyApps are managed in AWS Certificate Manager (ACM) and renewed automatically.

  • ConnectMyApps uses current development software, such as Microsoft Visual Studio 2019, and current Windows operating systems. We closely monitor the technology landscape for changes and updates, including new security updates. ConnectMyApps has a Change Management Team with a formal procedure for emergency changes.

  • Anti-malware and antivirus software from an industry-leading vendor.

  • Amesto services running in Azure and AWS have IDS and IPS systems in place, such as Azure Firewall and Security Center.

...

  • Access rights to applications and systems are granted and controlled by the CTO under a policy of "minimum required access rights" (least privilege).

  • Critical production systems have two-factor authentication enabled: those with access need a login plus a one-time code generated by an authenticator app. Access is restricted to the IP address of the VPN, so it is not possible to connect unless on the VPN.

  • Internal production logins are stored encrypted in AWS Secrets Manager.

  • VPN access is controlled by ConnectMyApps DevOps Manager and CTO. ConnectMyApps logs all access to the VPN.

  • Credential usage is logged, and credentials can be disabled if compromised. Keys are rotated on a schedule; IP address ranges are checked and blocked if needed. AWS Key Management Service (KMS) is used to manage and rotate cryptographic keys.

  • AWS CloudWatch is used for event and access logging across the entire ConnectMyApps platform, for automatic alerting on resource usage spikes and access attempts, and as a platform-wide audit log.

  • AWS SNS (Simple Notification Service) is employed for incident alerting. Major incidents are automatically routed to the appropriate personnel.

  • Access to customer information is limited to the individual customer, i.e. they can only see their own data. Authentication is via username/password, two-factor authentication, or a unique API key set for programmatic access.

  • Customer API access is restricted by default with IP address allowlisting.

  • Customer user passwords are salted and stored only as a one-way hash. Customer application passwords are encrypted using a unique per-customer encryption key.

  • Employee devices are protected by multi-factor authentication.

  • Proactive vulnerability checks and reactive, machine-learning-based Endpoint Detection and Response (EDR) measures are in place for end-user devices.
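
The controls in the list above (salted one-way password hashing, API keys bound to an IP allowlist, and alerting on repeated access attempts) are stated as policy only. The block below is an added example, not ConnectMyApps or Amesto code, showing one way each of those three controls can be implemented with the Python standard library. The scrypt cost parameters, the alert threshold and window, the `cust-42` customer, the sample IP ranges and the failed-login burst are all constructed for illustration; per-customer encryption of application passwords is not shown.

```python
"""Added example (not ConnectMyApps code): salted password hashing, API-key
authentication with a per-customer IP allowlist, and threshold alerting on
repeated failed access attempts. Parameters and sample data are assumptions."""
import hashlib
import hmac
import ipaddress
import os
import secrets
from collections import defaultdict, deque
from typing import Optional

# scrypt cost parameters: chosen for this example, not the platform's settings.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_BYTES = 2 ** 14, 8, 1, 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """One-way, salted hash for storage; a fresh random salt is drawn per call."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(parts[1]),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(parts[2]))


class FailedAccessMonitor:
    """Alert when one source IP accumulates `threshold` failures within `window_s`
    seconds. Stands in for an alarm on access attempts; timestamps are passed in
    explicitly so the example is deterministic. One alert per burst, then re-arm."""

    def __init__(self, threshold: int = 5, window_s: int = 300):
        self.threshold, self.window_s = threshold, window_s
        self._failures = defaultdict(deque)
        self.alerts = []

    def record(self, ts: int, src_ip: str, success: bool) -> Optional[str]:
        if success:
            self._failures.pop(src_ip, None)
            return None
        q = self._failures[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = f"{src_ip}: {len(q)} failed attempts in {self.window_s}s"
            self.alerts.append(alert)
            q.clear()
            return alert
        return None


class ApiKeyStore:
    """API keys are kept only as SHA-256 fingerprints, each bound to a customer id
    and the CIDR ranges that customer is allowed to call from."""

    def __init__(self, monitor: FailedAccessMonitor):
        self._keys = {}
        self.monitor = monitor

    def issue(self, customer_id: str, allowed_cidrs) -> str:
        key = secrets.token_urlsafe(32)
        nets = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
        self._keys[hashlib.sha256(key.encode()).hexdigest()] = (customer_id, nets)
        return key   # shown to the customer once; the clear-text key is never stored

    def authenticate(self, ts: int, presented_key: str, src_ip: str) -> Optional[str]:
        record = self._keys.get(hashlib.sha256(presented_key.encode()).hexdigest())
        addr = ipaddress.ip_address(src_ip)
        ok = record is not None and any(addr in net for net in record[1])
        self.monitor.record(ts, src_ip, ok)   # every attempt, pass or fail, is logged
        return record[0] if ok else None


def demo() -> dict:
    """Exercise all three controls on constructed inputs and return the outcomes."""
    monitor = FailedAccessMonitor(threshold=3, window_s=60)
    store = ApiKeyStore(monitor)
    key = store.issue("cust-42", ["203.0.113.0/24"])      # constructed allowlist
    results = {
        "pw_ok": verify_password("correct horse", hash_password("correct horse")),
        "pw_bad": verify_password("wrong", hash_password("correct horse")),
        "salts_differ": hash_password("x") != hash_password("x"),
        "api_allowed": store.authenticate(0, key, "203.0.113.7"),
        "api_wrong_ip": store.authenticate(1, key, "198.51.100.9"),
    }
    for ts in (10, 20, 30):   # constructed burst of bad keys from the blocked IP
        store.authenticate(ts, "not-a-real-key", "198.51.100.9")
    results["alerts"] = list(monitor.alerts)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points worth noting: the API key is looked up by its SHA-256 fingerprint, so a database leak yields no usable keys, and the failure counter treats a valid key presented from a non-allowlisted address as a failure, so a stolen key being replayed from the wrong network is what trips the alert.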

Staff training

  • ConnectMyApps conducts annual GDPR and Privacy training and refresher courses for all employees.

  • All employees have confidentiality clauses in their employment contracts.

  • New employees are given GDPR training as part of their onboarding procedures.

  • All employees have access to and are required to read the Data Privacy handbook accessible in our shared Data Privacy folder.

  • Amesto Group conducts regular, compulsory Data Privacy training for staff.

  • Internal 24/7 hotline for Amesto Group personnel to report security incidents.

...

  • Access to premises is restricted by key card access with photo ID.

  • All visitors must be registered and accompanied by staff at all times.

...

  • Managed by a defined IT security team in ConnectMyApps.

  • Escalation procedures to Amesto Group IT Ops for security incidents in place.

  • Regular daily automated snapshots of production databases. Backups are retained for 30 days.

  • Application server volumes backed up automatically using AWS DLM (Data Lifecycle Manager).

  • Application servers and backend servers are separated into public and private VPC subnets. Application servers are fronted by an Elastic Load Balancer.

  • Disaster recovery plan in place to replace compromised or failing servers.

  • Disaster recovery plan tested by DevOps team once per quarter, most recently May 2021.