Document details

Path and filename: Document5

Created: by Osborne on 09/26/00 3:54

Template: document 0.1.dot

File size: 45568 bytes

Number of pages: 1


BALTIMORE HOSTING FACILITIES - SECURITY STATEMENT


TITLE PAGE

The information contained in this document is intended for Baltimore Technologies personnel, those persons named as recipients or those persons nominated in the circulation list.

It may contain privileged and confidential information and if you are not the intended recipient you must not copy, distribute or take any action in reliance on it. If you have received this document in error, please notify the author immediately by reverse charge telephone call and return the original to the sender by mail. You will be reimbursed for postage.

Contact:

Director – Business Development
Global Hosting Services
77 A Street
Needham Heights
Massachusetts USA 02494
Tel: +1 781 455 3846
Fax: +1 781 455 4082

Signature Director Business Development

 

AMENDMENTS

Amendment table

| Amendment No. | Date | Notes | Effected (name) |
|---|---|---|---|
| 00/000 | 26SEP2000 | DOCUMENT CREATED | W.T.OSBORNE |

Amendment procedure

As new standards emerge, or policy matters are identified for improvement, this policy document will be amended.

The responsibility for amending this document rests with the Director, GHS Business Development. The naming convention for amendment notices shall be:

YY     indicating the year the amendment was issued;

XXX    where XXX represents a sequential number that begins with 000.

 

Table of Contents

TITLE PAGE

    Director – Business Development

AMENDMENTS

    Amendment table

    Amendment procedure

INTRODUCTION AND OVERVIEW

    Purpose of paper

    Baltimore COE

    Defence in Depth

    Needham COE - Overview

    Security controls

    Documentation

    Dublin COE

INTRODUCTION AND OVERVIEW

Purpose of paper

The purpose of this document is to provide a statement regarding the security facilities in place in Baltimore’s Hosting facilities. In particular this document highlights the facility standards for the Needham COE and the Dublin COE.

Baltimore COE

Baltimore presently operate four Centres Of Hosting Excellence (COE) in the following locations:

· Dublin, Republic of Ireland

· Needham, USA

· Sydney, Australia

· Sapporo, Japan

Defence in Depth

The overriding principle for securing any Public Key Infrastructure (PKI) hosting facility is the conceptualisation and practice of “Defence In Depth”.

Figure 1: Defence in Depth

The Defence in Depth principle relies upon mutually redundant and supportive layers of protective security measures.

Figure 1.0 below shows the asset to be protected at the centre of the diagram. Surrounding the asset are layers of protection including:

· Certification & Accreditation

· Audit

· Personnel Vetting

Needham COE - Overview

The Needham COE is located at 77 A Street, Needham Heights, Massachusetts, USA. Approximately 4000 square feet of floor space are given over to the hosting of the Public Key Infrastructures (PKI).

Security controls

Physical protections are implemented through the use of a guard service (7 x 24), alarm systems, several layers of physical barriers, combination locks, restricted key sets and the separation of infrastructure elements.

Logical protections include consistent platform construction, system hardening for operating systems and databases, active audit of system logs, use of certified technologies (ITSEC, FIPS) and the use of dual firewalls, including provisioning of demilitarised zones (DMZ) within the logical configurations.

Technical Security Controls include the provision of protections for Private keys, PSE files and the control of both Public keys and Certificates. 

Personnel vetting is a three-part process. It begins with high-standard recruiting, including positive vetting of claims made and a stringent interview. This is followed by the completion of an independent third-party review of the employee’s background, including criminal record checks. Finally, each employee is required to enter into confidentiality agreements that protect the privacy and confidentiality of customer data.

Certified technologies include the use of Baltimore’s own Information Technology Security Evaluation Criteria (ITSEC) E3 certified PKI technology. This is complemented by the use of certified technologies such as the Sureware Keeper, one of only three products to have completed an evaluation under the USA Federal Information Processing Standard (FIPS) level One –4 schema.

Audits include independent reviews by third parties that thoroughly examine the operation of Baltimore COEs. In the case of the Needham COE, Baltimore has completed several reviews including:

· SAS 70 Level 1 and 2 Accreditation

· SET Accreditation

· Independent review by American Express, Mastercard and VISA

In addition to these, further evaluations are planned for accreditations including:

· Identrus Delta

· AICPA/CPA Guidelines for CA Audit

Documentation

Needham COE has a well-developed set of policy and practice documents that apply to the Baltimore Certificate management system products and services. As Needham COE move forward with the hosting of Baltimore UniCERT technologies, a new set of documentation is being adopted. On completion of the transition process, it is expected that all Baltimore COE will operate under a single set of operational doctrine.

Dublin COE

Dublin COE is located in the Baltimore corporate headquarters building in Parkgate Street, Dublin. The newest of our four facilities, this COE complies with all of the requirements identified in the discussion of the Needham facility. The primary exception is in the use of video or closed circuit camera systems.

In accordance with standard COE policy and structure, redundancy of systems is a core requirement for operational excellence. The Dublin COE features redundant power and communications facilities, including a minimum configuration supporting T1 telecommunications with differentiation between communications technologies. Also supported are separate service providers to minimise service disruptions and maintain competitive pricing.

Finally, UPS systems are maintained throughout the facilities, and serve to maintain power supplies in the event of failure and also to ensure that power conditioning is maintained.