Security and Backups

iThinQware Security and Compliance Center

iThinQware Web Services (iThinQware) delivers a highly scalable cloud computing platform with high availability and dependability, and the flexibility to enable customers to build a wide range of applications.

In order to provide end-to-end security and end-to-end privacy, iThinQware builds services in accordance with security best practices, provides appropriate security features in those services, and documents how to use those features. In addition, iThinQware customers must use those features and best practices to architect an appropriately secure application environment. Enabling customers to ensure the confidentiality, integrity, and availability of their data is of the utmost importance to iThinQware, as is maintaining trust and confidence.

iThinQware provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, and other third-party attestations. This information assists customers in understanding the controls in place relevant to the iThinQware services they use and how those controls have been validated by independent auditors. This information also assists customers in their efforts to account for and to validate that controls are operating effectively in their extended IT environment.

Overview

At a high level, we’ve taken the following approach to secure the iThinQware infrastructure:

• Certifications and Accreditations. iThinQware storage solutions have achieved ISO 27001 certification, have been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS), and have completed the control implementation and independent security testing required to operate at the FISMA-Moderate level. We will continue to obtain the appropriate security certifications and conduct audits to demonstrate the security of our infrastructure and services.
• Physical Security. iThinQware has many years of experience in designing, constructing, and operating large-scale data centers. iThinQware infrastructure is housed in iThinQware-controlled data centers throughout the world. Only those within iThinQware who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access.
• Secure Services. Each of the services within the iThinQware cloud is architected to be secure and contains a number of capabilities that restrict unauthorized access or usage without sacrificing the flexibility that customers demand.
• Data Privacy. iThinQware enables users to encrypt their personal or business data within the iThinQware cloud and publishes backup and redundancy procedures for services so that customers can gain greater understanding of how their data flows throughout iThinQware.

The iThinQware Security Center provides links to technical information, tools, and prescriptive guidance designed to help you build and manage secure applications in the iThinQware cloud. Our goal is to use this forum to proactively notify developers about security bulletins. Such transparency is the backbone of trust between iThinQware and our customers.

↑ Top

Certifications and Accreditations

SOC 1/SSAE 16/ISAE 3402

iThinQware Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies. The SOC 1 report audit attests that iThinQware’ control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is on-going and we plan to continue our process of periodic audits. This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report.

FISMA Moderate

iThinQware enables U.S. government agency customers to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). FISMA requires federal agencies to develop, document, and implement an information security system for its data and infrastructure based on the National Institute of Standards and Technology Special Publication 800-53, Revision 3 standard. FISMA Moderate Authorization and Accreditation requires iThinQware to implement and operate an extensive set of security configurations and controls. This includes documenting the management, operational, and technical processes used to secure the physical and virtual infrastructure and the third-party audit of the established processes and controls. iThinQware has completed the control implementation and successfully passed the independent security testing and evaluation required to operate at the FISMA-Moderate level. iThinQware storage solutions provide this control and audit documentation to government agencies that can use it to certify their systems at the FISMA-moderate level.

iThinQware storage solutions have also been certified and accredited to operate at the FISMA-Low level.

PCI DSS Level 1

iThinQware has achieved Level 1 PCI compliance. We have been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Merchants and other service providers can now run their applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. Other enterprises can also benefit by running their applications on other PCI-compliant technology infrastructure.

ISO 27001

iThinQware storage solutions have achieved ISO 27001 certification for Information Security Management System (ISMS) covering infrastructure, data centers, and services including iThinQware Public Safety IT (iThinQware PSIT). ISO 27001/27002 is a widely-adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This certification reinforces iThinQware’s commitment to providing transparency into our security controls and practices. iThinQware’s ISO 27001 certification includes all iThinQware data centers in all in-scope regions worldwide and iThinQware has established a formal program to maintain the certification.

International Traffic In Arms Compliance

The iThinQware Public Safety IT (PSIT) region supports US International Traffic in Arms Regulations (ITAR) compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting physical location of that data to US land. iThinQware Public Safety IT (PSIT) provides an environment physically located in the US and where access by iThinQware Personnel is limited to US Persons, thereby allowing qualified companies to transmit, process, and store protected articles and data under ITAR. The iThinQware Public Safety IT (PSIT) environment has been audited by an independent third party to validate the proper controls are in place to support customer export compliance programs for this requirement.

FIPS 140-2

The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, the iThinQware Virtual Private Cloud VPN endpoints and SSL-terminating load balancers in iThinQware Public Safety IT (PSIT) operate using FIPS 140-2 validated hardware. iThinQware works with iThinQware Public Safety IT (PSIT) customers to provide the information they need to help manage compliance when using the iThinQware Public Safety IT (PSIT) environment.

HIPAA

The flexibility and customer control that the iThinQware platform provides permits the deployment of solutions that meet industry-specific certification requirements. For instance, customers have built healthcare applications compliant with HIPPA’s Security and Privacy Rules on iThinQware.