Every employee at VCC is affected by IT security, as they are obliged to adhere to security regulations during the course of their employment (e.g. password policy, clear desk / clear screen policy).
The development / operations manager and the systems administrators are responsible for protecting sensitive data. Employees' knowledge is particularly important in this respect, and thus VCC pays special attention to integrating the latest IT security knowledge and innovations into their system.
As such, colleagues working in this field receive continual training and assignments to help widen their knowledge.
The company has no external associates. External partners participating in website development have no access to the software or related infrastructure, either in the office or in a live environment.
VCC’s firewall is configured according to strict rule sets on all servers and devices within the infrastructure, governing which addresses a given device can be accessed from, which connections the server can initiate, and with whom it can communicate. These rules are implemented at the level of low-level protocols (TCP/IP). Devices are protected against denial-of-service (DoS) attacks.
The structure at the hosting location is also set up in a separate office environment. Uniformity extends from operating systems to program versions. Any changes made in the live environment at the hosting location are created and checked in this testing infrastructure. VCC works exclusively with test data it generates itself in the testing environment, and client data is not present in any form in these systems.
Release process and testing
VCC pays special attention to the pre-testing of completed developments and improvements, and to the regulation of the release process.
The company uses a continuous integration (CI) system, which ensures that tests related to the software run continuously, and that every error detected in the completed tests is marked and corrected prior to release. This is immediately displayed on a real-time system and is thus registered by colleagues.
Each release process connected with the client-related live system is documented. The process consists of an initial approval by a manager, and the report of the employee who oversees the release about when and where the actual development, improvement, adjustment, or update went live. The documentation guarantees that no adjustments may be made in the client environment without approval, and ensures that all adjustments can be traced back. The documentation can only be edited by authorised persons, so that again any changes can be traced back.
Package updates are made regularly on all servers, with priority given to critical vulnerabilities. Changes in versions of external software are monitored by systems administrators and, following successful testing, the software is updated to the latest version as far as possible. Scripts are created specifically for this purpose. In each case, updates are documented, and thus the exact time and type of update can subsequently be traced back.
Virtual Private Network (VPN)
The restricted group of employees who need access to the servers to perform their work each have an individual VPN key, which they use to connect to the VPN network. They can only access the servers with this key, along with an individual username and password supplied by LDAP (Lightweight Directory Access Protocol). It is not possible to access the servers from the public Internet.
VCC continuously monitors the status of its systems. Thanks to the monitoring system, clients are informed about events that affect the systems even before they occur, so that they have the chance to handle them in advance.
Authorised persons are informed by the system about alerts in real time, and via e-mail and instant messages, while every key part of the system can be observed in real time on a status board placed in the operation section, thus making it possible to monitor the current and previous status.
VCC system engineers and managers are responsible for incident management. Any event that endangers or may endanger business continuity or security is considered to be an incident. The primary aim of incident management is to restore normal service conditions as quickly as possible, and to minimise the incident's harmful effect on business continuity, thus ensuring the highest possible level of service quality.
The tasks involved are as follows:
- Preparation, identification
  - incident detection, logging and reporting to the development / operations manager,
  - establishment of a crisis team and classification of the incident.
- Notification, evaluation, prioritization
  - troubleshooting and diagnosis,
  - recording the incident event in the Incident Information Table.
- Containment, eradication, recovery
  - resolution and restoration, putting systems-related security measures into effect,
  - activation of BCP, DRP plans.
- Lessons learned, post-incident
  - taking the necessary steps to avoid recurrence in the future,
  - closure of the incident.

- Change Management Policy
- Risk Assessment Policy
- Testing Process and Procedures Policy
- Software Development Policy
- Incident Management Policy and Response Plan
- Business Continuity Management
- IT Security Policy