The system was designed to reduce the risk of storing sensitive information about our Members, Employees or Customers. To accomplish this, the following decisions and policies were created.
System maintains basic contact details (Name, Email, Phone)
Customer data removed after 30 days
Only endpoint meta-data is stored in the system
TSANet maintains industry security standards (ISO27001, 27701)
The system does not store attachments. Secure files sent directly to Member's system
The system Supports Single Sign-on
ISO27001 / ISO27701 Certification
ISO27001 and ISO27701 are globally recognized standards mandating processes and controls for the establishment, maintenance, and certification of information security management systems (ISMS) and privacy information management systems (PIMS).
We strive to make our website as accessible and usable as possible. We follow Section 508 and the Web Content Accessibility Guidelines (WCAG 2.0) produced by the World Wide Web Consortium (W3C, the web’s governing body).
Section 508 is a legal requirement and WCAG is a set of checkpoints and guidelines that help ensure that websites are designed and written correctly. For example:
Images have alternative text (so if you can’t see the image you can still read the text).
The color contrast between the foreground and background is sufficiently strong.
Text resizes according to user preference.
Headings are correctly used (they’re not just ordinary text made to look big and bold).
Links make sense by themselves (e.g. no links that say “Click here” or “More…”).
Tables are used for laying out tabular information and have proper headings and summaries.
Feedback
If you have a problem using our site, please contact us and provide the URL (web address) of the material you tried to access and the problem you experienced. We’ll attempt to provide the information you’re seeking.
Data Privacy FAQs
What document defines the TSANet Data Protection and Privacy?
What Employee information do you store in the system?
The user profile requires Name, Email and Phone number. Members can also use Single Sign-on from their own identity management systems, including support for just-in-time user provisioning, and can control what information is sent to the TSANet Connect system.
What Customer information do you store in the system?
Members can define what common customer information they require when receiving a request. All customer data is removed from the system after acknowledgement, and the system removes all customer data after 30 days, leaving only the request metadata below:
Submitted By, Case Number, Priority, Summary, Date Requested, Date responded
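The retention rule above (customer data dropped on acknowledgement or after 30 days, leaving only the six metadata fields) as a purge routine, added here as an illustration and not TSANet Connect's own code. Field names follow the FAQ; the record layout, the `acknowledged` flag, the dates and the sample requests are constructed assumptions.

```python
from datetime import datetime, timedelta

# Allow-list of request metadata that survives the purge (the six fields
# the FAQ answer lists). Everything else is treated as customer data.
RETAINED_FIELDS = frozenset({"Submitted By", "Case Number", "Priority",
                             "Summary", "Date Requested", "Date responded"})
RETENTION_DAYS = 30           # the FAQ states "after 30 days"
AS_OF = datetime(2024, 5, 15)  # constructed "now" for the sample run

def needs_purge(request: dict, now: datetime) -> bool:
    """Customer data goes when the member has acknowledged the request
    (assumed 'acknowledged' flag) or the request is older than the window."""
    requested = datetime.fromisoformat(request["Date Requested"])
    aged_out = (now - requested) > timedelta(days=RETENTION_DAYS)
    return bool(request.get("acknowledged")) or aged_out

def purge_customer_data(request: dict, now: datetime) -> dict:
    """Return a copy holding only allow-listed metadata once the purge
    condition is met; otherwise return the record unchanged."""
    if not needs_purge(request, now):
        return dict(request)
    # Allow-list, not deny-list: a customer field added later is dropped
    # by default instead of leaking through a forgotten filter.
    return {k: v for k, v in request.items() if k in RETAINED_FIELDS}

def run_retention(requests: list, now: datetime) -> list:
    """Apply the purge to every stored request."""
    return [purge_customer_data(r, now) for r in requests]

# Constructed sample records; all values are made up for the example.
SAMPLE_REQUESTS = [
    {"Case Number": "C-1001", "Submitted By": "alice@example.test",
     "Priority": "P2", "Summary": "Login failure after upgrade",
     "Date Requested": "2024-05-01T09:00:00", "Date responded": "",
     "acknowledged": False,                       # 14 days old: kept
     "customer": {"name": "Example Corp", "phone": "+1-555-0100"}},
    {"Case Number": "C-0950", "Submitted By": "bob@example.test",
     "Priority": "P3", "Summary": "Slow sync", "acknowledged": False,
     "Date Requested": "2024-03-20T12:00:00", "Date responded": "",
     "customer": {"name": "Old Customer", "email": "it@old.test"}},  # aged
    {"Case Number": "C-1010", "Submitted By": "carol@example.test",
     "Priority": "P1", "Summary": "Outage", "acknowledged": True,    # acked
     "Date Requested": "2024-05-10T08:00:00",
     "Date responded": "2024-05-10T09:30:00",
     "customer": {"name": "Acked Corp", "email": "noc@acked.test"}},
]

if __name__ == "__main__":
    for rec in run_retention(SAMPLE_REQUESTS, AS_OF):
        print(rec["Case Number"], sorted(rec))
```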
Do you encrypt data in transit and at rest?
Data in transit is encrypted with SSL and data is encrypted at rest with AES-256.
How was your system developed?
The system was developed using best practices defined in the OWASP Secure Coding Practices guide. The Open Web Application Security Project (OWASP) defines best practices for coding secure web applications. For more information on OWASP see https://owasp.org/
Some specifics of this best practice include:
Best practices for administration of the system, including 2-factor authentication to all development and system administration environments
Encryption on the transmission of all data
Best practices for API development and access
What is your Network and Host Security?
The system is hosted at Akamai using the Linode Cloud Service. Starting in the June 2024 release, TSANet Connect will also use Cloudflare for network security.
Akamai provides a complete solution, including physical and environmental security, that includes both networking and host operating environments up to and including the hypervisor.
What is your system uptime and support process?
The system is designed to provide 99.99% uptime. The following document provides information on the support process: TSANet Connect Member Support Process
What organizational measures have you implemented to protect Sensitive Data or Personal Data in relation to its product/service?
Is all media containing Sensitive Data or Personal Data disposed of securely?
100% cloud service. No physical media
Is antivirus/anti-malware deployed on all devices that will hold Sensitive Data or Personal Data?
100% cloud service. No physical media
Does the company have intrusion detection and/or intrusion prevention systems?
Part of hosted Cloud Service
Do you keep applications (web, app servers, database layer, bus logic) up-to-date by applying security updates and other patches?
Part of the release process. ISO27001 Certified
Do you conduct Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST) of the application periodically, or during a major release/update?
DAST is outsourced to Security Metrics - Quarterly automated and yearly manual
Do you perform penetration testing and/or vulnerability scans of applications that will be utilized to provide services?
Cloudflare zero trust protected. Quarterly scans and yearly manual
Are vulnerability scans conducted against the perimeter of all networks that will hold Sensitive Data or Personal Data?
Cloudflare Zero Trust
Are Development, Test/QA/UAT, and Staging environment/s separate from the production environment?
Physically separated: Separate VMs in different Geo.
Do you provide access to the application on a least privilege basis?
Default is Standard user. Business manager defines admins
What is included in API security testing?
Data scoping, SQL injection, Replay attack, Data leakage, Cross Site Scripting (XSS), Session abuse, Denial of service (DoS), OWASP top 10/ CWE top 25 security issues
Can a client manage access to the APIs?
API user is set in the admin Portal
Is there an incident response plan?
Yes, part of the ISO 27001 audit
Is there an established Business Continuity and Disaster Recovery Plan that has been approved by management, communicated to appropriate constituents, and an owner to maintain and review the program?
Yes, part of the ISO 27001 audit
Does your service/organization permit Members to maintain redundant copy(ies) of their data?
With System connectors (Salesforce, Microsoft Dynamics, ServiceNow)
Are network security technologies used to establish and enforce security requirements and block unauthorized traffic between segregated systems and other systems?