Category Archives: Resources

Secure trusted service with PKI Technology

Secured Signing web service uses Digital Signatures PKI technology for digitally signing documents.

Public Key Infrastructure (PKI) technology has been proven to be the ONLY technology available today that ensures non-forgeable signatures.

In a PKI system, you will get as a user, two keys: a public key and a private key. These keys are used for encrypting and decrypting information, digitally signing electronic information and verifying the authenticity of their owner. While the public key is distributed widely, the corresponding private key is held and encrypted in Secured Signing hardware (HSM) device and only the private key’s owner able to access and use it.

The EU Directive 1999/93/EC for Digital Signatures recognised and defined a stronger type of electronic signature, the Advanced Electronic Signature. Only Public Key Infrastructure (PKI) digital signatures meet the requirements for such signatures.

Communication

All communications with Secured signing are encrypted with SSL technology. Users authenticate with encrypted login and password.

Data Center

Located in one of the most peaceful places on the planet (New Zealand) with:

• 3 high-speed, high-capacity internet feeds
• Power protection
  • 2MVA mains supply
  • Dual AC mains power supply system serviced by two independent suppliers
  • Binary Uninteruptable Power Supplies with redundant re-routing (500kVA)
  • One of the most advanced and reliable IDC power systems available
  • Diesel generators
• Humidity controlled Heat Ventilation and Air Conditioning (HVAC) cooling units
• High Availability – 99.99% uptime SLA
• 24/7 armguard on-site security
• Biometric access control
• Security Cameras

Payment gateway

The Payment Gateway we are using is fully certified as Visa AIS and MasterCard SDP (PCI-DSS) compliant at processor level; using an approved QSA for quarterly scans on systems and full on-site audits, annually. All sensitive information is encrypted with the 3DES protocol, with Hardware Security Module as Network Security Processors.

Compliance Certifications and Regulations

The privacy and protection of your data is something we take very seriously – which is why our security and privacy program is based on and aligned with industry-standard frameworks, and we maintain a comprehensive suite of certifications and attestations to further demonstrate our commitment to security and privacy.

ISO 27001 Certification

IS 747283

Secured Signing is ISO/IEC 27001 certified and manages information security within a framework based on related standards such as ISO/IEC 27017 (Code of Practice for Information Security Controls Based on ISO/IEC 27001 for Cloud Services) and ISO/IEC 27018 (Protection of Personally Identifiable Information).

“Internationally recognized ISO/IEC 27001 is an excellent framework which helps organizations manage and protect their information assets so that they remain safe and secure. It helps you to continually review and refine the way you do this, not only for today, but also for the future.” – Learn more about ISO 27001 with BSI.

Secured Signing – ISO 27001 Control Structure

Information security policies: A policy framework is in place to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

Organisation of information security: Secured Signing have established a management framework to initiate and control the implementation and operation of information security within the organisation. This framework considers and ensures the security of teleworking and use of mobile devices as per the Mobile Device and Teleworking Policy. The framework will also assess risks to projects and review of the types and confidentiality levels of information the project will utilise and manage.

Human Resource Security: Secured Signing have established processes and responsibilities relating to information security during the recruitment process, employment and separation. All employees receive security awareness training upon induction, and at least annually thereafter.

Asset Management: Information assets, including hardware, software and data have been identified and classified and an inventory of assets is maintained. Secured Signing classify and handle all information assets in accordance with the Information Classification Policy. Secured Signing and dispose of information in accordance with the Acceptable Use Policy.

Access Control: Methods and controls have been implemented to manage logical access to sensitive data to protect the confidentiality of information as well as integrity and availability requirements. Access requirements are assessed against Access Control Policy and Information Classification Policy. Access to Secured Signing information and systems must be:

• attributable to a uniquely identifiable individual who is responsible for actions
• performed with their system account
• based on the requirements of the individual’s role
• managed by passwords or other accepted authentication mechanisms and formally authorised by asset owners
• routinely revalidated and removed if no longer required

Cryptography: Methods and controls for ensuring data are secured during transmission or storage through appropriate encryption processes. Includes methods and processes for managing keys, software and other artefacts.

Physical and environmental security: Appropriate physical controls protect information assets against loss, physical abuse, unauthorised access and environmental hazards. These include perimeter security controls, physical access controls, intruder detection controls, fire, and flood and power protection controls.

Operations security: Methods and controls are implemented that balance the need for IT Operations professionals to have privileged access to systems and networks with the requirement to maintain secure access and confidentiality of data. Management and operation of computers and networks shall be, commensurate with the business risk and value of the information assets. Access into networks will be granted on an individual user and application basis using authorised devices and secured pathways.

Communications security: Methods and controls are implemented to manage the secure transmission of information to ensure confidentiality of sensitive data and to minimise the risk of data loss or leakage. Systems and networks are segregated according to their respective information security risks and use appropriate control mechanisms such as firewalls/gateways, physical isolation and encryption.

System acquisition, development and maintenance: Information security controls for system acquisition, development and maintenance are specified in the Secure Development Policy and included as an integral part of the software development and implementation process.

Security requirements are identified prior to the development or procurement of new information systems, documented in business requirements, validated and tested prior to implementation, and regularly throughout the systems lifecycle.

Supplier relationships: Secured Signing have implemented security controls and processes to manage supplier access to information assets. Suppliers and vendors are be given access privileges only at the level required to deliver contracted services and contracts must comply with information security policies.

Information security incident management: Secured Signing apply a consistent and effective approach to the management of information security incidents. Procedures that define the course of action when a security incident is identified are documented and made available to all employees.

Information security aspects of business continuity management: The application of business continuity management minimises disruption to Secured Signing operations, defining the approach to resilience, disaster recovery and general contingency controls. Secured Signing have developed and periodically review and test Business Continuity Plans that support information security continuity.

Compliance: Secured Signing ensure compliance with all applicable legal and contractual obligations related to information security including taking reasonable steps are taken to monitor, review and audit information security effectiveness. This includes the assignment of security roles, maintenance of policies and processes and reporting of non-compliance. Secured Signing maintains formal processes in place to manage a data breach and the mandatory notifications that are required under relevant laws and specific customer contracts.