Security & Trust
The ISO first released its family of standards in 2005 and since then has made periodic updates to the various policies. For ISO 27001, the latest major changes were introduced in 2013. Ownership of ISO 27001 is actually shared between the ISO and the International Electrotechnical Commission (IEC), which is a Swiss organization body that focuses primarily on electronic systems. The goal of ISO 27001 is to provide a framework of standards for how a modern organization should manage their information and data. Risk management is a key part of ISO 27001, ensuring that a company or non-profit understands where their strengths and weaknesses lie. ISO maturity is a sign of a secure, reliable organization which can be trusted with data. Companies of all sizes need to recognize the importance of cybersecurity, but simply setting up an IT security group within the organization is not enough to ensure data integrity. An ISMS is a critical tool, especially for groups that are spread across multiple locations or countries, as it covers all end-to-end processes related to security.
SUMMIT complies with all the required security measures as required by § 164.306, § 164.308, § 164.310, § 164.312, § 164.314, and § 164.316 of HIPAA regulations in respect to all electronic protected health information. The details of the implementation can also be referred to associated detailed report dated 20th December 2018. As a cloud service provider with many healthcare customers, Symphony SummitAI deemed it important to develop our own agreement that addresses those parts of HIPAA that are specific to the services we provide. Symphony SummitAI has worked with legal experts to develop its own BAA which is available for review on request. Customers must have purchased a Service plan at the appropriate level and have the required associated add-ons to qualify (please consult your Sales representative where unsure).
- Symphony SummitAI is PinkVERIFY 2011 on 12 processes.
- Symphony SummitAI, a provider of cost-effective and comprehensive cloud-based IT management solutions, has achieved the PinkVERIFY ITIL 2011 certification for 12 processes from Pink Elephant for its unified IT Management platform – “SummitAI”
- Certificate can be found HERE
VAPT Certification is a technical approach to address security loopholes in the IT infrastructure of an organization (application, software system, network etc.). Vulnerability Assessment is a process of identifying with an objective not to miss any loopholes. Based on the observation of Vulnerability Assessment with regards to severity, a Penetration Test will be conducted. Penetration Test is a proof-of-concept approach to truly explore and exploit vulnerabilities. This method confirms whether or not the vulnerability actually exists and additionally proves that exploiting it may end up in injury to the application or network. The PT process is mostly intrusive and can actually cause damage to the systems; evidence of the same are captured as screenshots or logs, which further helps to aid remediation.
Process methodology would be:
- Scanning the network or application
- Searching for security flaws
- Exploiting the security flaws
- Report generation on risk, severity & probability
- Reassessing the system
- Final report (Performed for SummitAI via KPMG)
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA) to give users more control over their personal data.
The SummitAI application complies to GDPR rules. Under GDPR regulations, the users need to provide their consent to allow other users to view their personal data. After the user acceptance, the personal data will be stored in the SummitAI application in an encrypted form. The following fields are considered as personal data, encrypted, and stored: Joining Date, E-mail ID, Login ID, Country, Address, Contact Number, Mobile Number, State, City, Pin, and Role. If any of these fields are blank, data for the blank fields will not be encrypted and stored.
Symphony SummitAI Privacy Statement
Our privacy statement can be found HERE
- Microsoft designs, builds, and operates datacenters in a way that strictly controls physical access to the areas where your data is stored. Microsoft understands the importance of protecting your data, and is committed to helping secure the datacenters that contain your data. We have an entire division at Microsoft devoted to designing, building, and operating the physical facilities supporting Azure. This team is invested in maintaining state-of-the-art physical security.
- Microsoft takes a layered approach to physical security, to reduce the risk of unauthorized users gaining physical access to data and the datacenter resources. Datacenters managed by Microsoft have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor. Layers of physical security are:
- Access request and approval. You must request access prior to arriving at the datacenter. You’re required to provide a valid business justification for your visit, such as compliance or auditing purposes. All requests are approved on a need-to-access basis by Microsoft employees. A need-to-access basis helps keep the number of individuals needed to complete a task in the datacenters to the bare minimum. After Microsoft grants permission, an individual only has access to the discrete area of the datacenter required, based on the approved business justification. Permissions are limited to a certain period of time, and then expire.
- Facility’s perimeter. When you arrive at a datacenter, you’re required to go through a well-defined access point. Typically, tall fences made of steel and concrete encompass every inch of the perimeter. There are cameras around the datacenters, with a security team monitoring their videos at all times.
Building entrance. The datacenter entrance is staffed with professional security officers who have undergone rigorous training and background checks. These security officers also routinely patrol the datacenter, and monitor the videos of cameras inside the datacenter at all times.
- Inside the building. After you enter the building, you must pass two-factor authentication with biometrics to continue moving through the datacenter. If your identity is validated, you can enter only the portion of the datacenter that you have approved access to. You can stay there only for the duration of the time approved.
- Datacenter floor. You are only allowed onto the floor that you’re approved to enter. You are required to pass a full body metal detection screening. To reduce the risk of unauthorized data entering or leaving the datacenter without our knowledge, only approved devices can make their way into the datacenter floor. Additionally, video cameras monitor the front and back of every server rack. When you exit the datacenter floor, you again must pass through full body metal detection screening. To leave the datacenter, you’re required to pass through an additional security scan.
- Microsoft requires visitors to surrender badges upon departure from any Microsoft facility.
Physical Security Reviews
- Periodically, we conduct physical security reviews of the facilities, to ensure the datacenters properly address Azure security requirements. The datacenter hosting provider personnel do not provide Azure service management. Personnel can’t sign in to Azure systems and don’t have physical access to the Azure collocation room and cages.
- Azure is composed of a globally distributed datacenter infrastructure, supporting thousands of online services and spanning more than 100 highly secure facilities worldwide.
- The infrastructure is designed to bring applications closer to users around the world, preserving data residency, and offering comprehensive compliance and resiliency options for customers. Azure has 58 regions worldwide, and is available in 140 countries/regions.
- A region is a set of datacenters that is interconnected via a massive and resilient network. The network includes content distribution, load balancing, redundancy, and data-link layer encryption by default for all Azure traffic within a region or travelling between regions. With more global regions than any other cloud provider, Azure gives you the flexibility to deploy applications where you need them.
- Azure regions are organized into geographies. An Azure geography ensures that data residency, sovereignty, compliance, and resiliency requirements are honored within geographical boundaries.
Geographies allow customers with specific data-residency and compliance needs to keep their data and applications close. Geographies are fault-tolerant to withstand complete region failure, through their connection to the dedicated, high-capacity networking infrastructure.
- Availability zones are physically separate locations within an Azure region. Each availability zone is made up of one or more datacenters equipped with independent power, cooling, and networking. Availability zones allow you to run mission-critical applications with high availability and low-latency replication.
- The following figure shows how the Azure global infrastructure pairs region and availability zones within the same data residency boundary for high availability, disaster recovery, and backup.
- Geographically distributed datacenters enables Microsoft to be close to customers, to reduce network latency and allow for geo-redundant backup and failover.
Data bearing devices
- Microsoft uses best practice procedures and a wiping solution that is NIST 800-88 compliant. For hard drives that can’t be wiped, we use a destruction process that destroys it and renders the recovery of information impossible. This destruction process can be to disintegrate, shred, pulverize, or incinerate. We determine the means of disposal according to the asset type. We retain records of the destruction.
- Upon a system’s end-of-life, Microsoft operational personnel follow rigorous data handling and hardware disposal procedures to assure that hardware containing your data is not made available to untrusted parties. We use a secure erase approach for hard drives that support it. For hard drives that can’t be wiped, we use a destruction process that destroys the drive and renders the recovery of information impossible. This destruction process can be to disintegrate, shred, pulverize, or incinerate. We determine the means of disposal according to the asset type. We retain records of the destruction. All Azure services use approved media storage and disposal management services.
- We design and manage the Azure infrastructure to meet a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2. We also meet country- or region-specific standards, including Australia IRAP, UK G-Cloud, and Singapore MTCS. Rigorous third-party audits, such as those done by the British Standards Institute, verify adherence to the strict security controls these standards mandate.
For a full list of compliance standards that Azure adheres to, see the Compliance offerings.