The security of the infrastructure and data
It is important for us to distinguish between the security of the data hosted by the customer and the security of the infrastructures that host this same data.
Customer-hosted data security: you are responsible for the security of your assets and application systems. We constantly support you in protecting all your data.
Infrastructure security: we guarantee maximum protection through an information systems security policy, all of it GDPR compliant, to prevent your data from being breached or damaged.
Regulation and management of security aspects
1. Security management system
As a commitment, Shellrent has implemented a systems security policy that describes the full set of provisions on the subject and is promptly updated whenever changes occur. The Shellrent Services are in turn governed by information security management systems.
2. Compliance and certification
To evaluate the performance of its systems and infrastructure, Shellrent is committed to regular security audits.
There are various types of audits:
- Technical audits: intrusion tests, vulnerability scans and code reviews, carried out by internal auditors
- Audits of activities carried out by third parties
- Datacenter audits, carried out by external auditors, whose nature and frequency depend on the service provider
When a security flaw is identified, the most appropriate way to resolve it is determined and a remediation plan is subsequently drawn up. All of these measures are subject to periodic verification to review their effectiveness.
3. Customer audit
The customer can perform verifications (intrusion tests) on its Services hosted by Shellrent, as well as on the related management components. The conditions for carrying out the checks are managed on request.
As a data processor, Shellrent recommends that the customer perform these checks periodically.
4. Risk management
The customer must ensure that the security measures implemented by Shellrent are adequate for any risks related to the use of the infrastructure.
Shellrent applies a risk management method that is assessed in the event of major changes, also relating to the processing of personal data and sensitive information.
Once each verification has been completed, a treatment plan for the identified risks is put in place. Each measure is subject to repeated periodic checks to review its effectiveness.
5. Change management
The customer is invited to make sure that the information entered is correct, so that Shellrent can communicate any changes to the active Services to it. Where required, it is up to the customer to implement the necessary actions relating to the configuration of its services, in order to adapt to these evolutions.
Shellrent applies a formal change management procedure:
- Roles and responsibilities are clearly defined
- Defined classification criteria identify the steps to follow when making changes
- Priorities are managed; an analysis of the risks related to the changes is carried out
- Before each release, software updates are regularly subject to a code review; intrusion tests can be performed (if applicable); the change is planned and scheduled with the customers (if applicable)
- In the event of risk, a rollback operation is envisaged
- A retrospective review of the various resources affected by the change is carried out
6. System and application development policy
Shellrent developers follow a secure development process, "privacy by design" measures and a code review policy (vulnerability detection, error handling, access and revenue management, storage protection and communications).
- Code reviews are performed regularly
- Systematic and independent code review before release
- Verification of new features before release by running tests in the validation environment (if applicable)
- Separation of roles and responsibilities
7. Monitoring of services and infrastructures
All the services offered by Shellrent are monitored by a specific infrastructure, with the following objectives:
- Identify production and security incidents
- Monitor critical functions by sending alerts to the supervisory system
- Notify managers and initiate the necessary procedures
- Ensure continuity of service when carrying out automated operations
- Guarantee the integrity of monitored resources
8. Incident management
The customer is encouraged to ensure that the information entered is correct, so that Shellrent can notify them in the event of an incident; in addition, the customer is required to implement incident management processes for their own information system, including Shellrent as a potential source of alerts.
Shellrent has an incident management process designed to allow for the prediction, detection and resolution of this type of event, both in the Service and in its management infrastructure.
This process includes:
- Treatment of security events
- Communication with the customer
9. Vulnerability Management
The customer must ensure that the information entered is correct, so that Shellrent can warn them in case of vulnerabilities detected in their information system.
Shellrent, as a hosting provider, undertakes, through its technical team, to guarantee technological control on new vulnerabilities, identified through:
- Public information sites
- Alerts from manufacturers and editors of the solutions implemented
- Observations reported by operations teams, third parties or customers
- Internal and external vulnerability scans performed regularly
- Technical audits, as well as code and configuration reviews
Upon detection of a vulnerability, dedicated teams perform an analysis to determine the impact on the systems and potential operational scenarios. Actions are immediately implemented to resolve this vulnerability and, if necessary, a corrective plan is defined.
All measures are subject to periodic review to review their effectiveness.
10. Business continuity management
The customer is responsible for the continuity of his information system and must ensure that the services made available by Shellrent, the options selected and the additional systems implemented by it, enable him to achieve his objectives.
On the other hand, Shellrent, as a hosting provider, guarantees the operational continuity of the infrastructures (devices, applications and operational processes), adopting the following mechanisms:
- The continuity of the datacenter
- The management of the servers and systems under direct responsibility
- The technical support of the service
- The redundancy of the devices and servers used for the administration of the systems
At the same time, other mechanisms, such as the backup of network configurations and devices, guarantee recovery in the event of an incident. Under the service, Shellrent will make available to the customer backup and restore functionality that may be included in the base offering as well as in paid options.
11. Management of physical access by third parties
Shellrent, as Data Processor, never intervenes at its customers' facilities, as they are themselves responsible for the security of their premises.
Shellrent regulates the circulation of occasional visitors and suppliers:
- Each visit must be declared in advance
- Visitors are the responsibility of an employee and are always accompanied
12. Staff awareness and training
Shellrent staff, as a hosting provider, are aware of the security and compliance rules for the processing of personal data:
- Training sessions are organized on these issues, on the implementation of audits and on technical services for the teams concerned
- Awareness is raised on the security of the information system during the onboarding of new employees
- Staff are constantly updated through communications regarding security
13. Management of logical accesses to the information system of Shellrent S.r.l.
Shellrent enforces a logical access management policy for employees:
- Authorizations are assigned and monitored by managers, according to the principle of least privilege and the gradual acquisition of trust
- As far as possible, all authorizations are based on roles and not on individual rights
- Access rights and permissions assigned to a user or system are managed through a registration, modification and cancellation procedure
- All employees use named user accounts
- Access sessions always have an appropriate expiration for each application
- If a user forgets their password, only the Employee Manager and the Security Officer are authorized to reset it
- The use of predefined, generic and anonymous accounts is prohibited where possible
- A strict password policy has been implemented: the minimum size is 8 alphanumeric characters; saving passwords in unencrypted files, on paper or in web browsers is prohibited
Remote access to the Shellrent information system is via VPN and requires a password known only by the user.
14. Management of administrative access to production platforms
Shellrent, as a hosting provider, applies a policy for the management of the administrative access rights of the platforms:
- The connection to the target system is made with a shared service account or with a personal account; the use of predefined accounts on systems is, where possible, prohibited
- Authorizations are assigned and monitored by managers, according to the principle of minimum privilege and the gradual acquisition of trust
- A regular review of rights and accesses is carried out in collaboration with the competent services
15. Access control to the Manager panel
The customer is responsible for the management and security of his means of authentication.
The management of Shellrent services by the customer is carried out through the Manager panel, accessible only through a nominative account and protected by username and password:
- The password is chosen by the customer and must comply with the complexity criteria imposed by the interface
- Passwords are stored on the Shellrent servers in an encrypted and secure format
- All activities carried out by the customer in the Manager panel are recorded
16. Security of workstations and mobile devices
The customer must ensure the security of the workstations and mobile devices that allow the administration of the Service and systems.
Measures have been identified to ensure the security of workstations used by Shellrent personnel:
- Automatic update management
- Antivirus installation and update, with regular scans
- Installation of only applications included in a validated catalog
- Hard disk encryption
- Procedure for treating a potentially compromised workstation
- Standardization of devices
- Procedure for deleting sessions and restoring employees' workstations in the event of a termination of employment
17. Network security
The customer is solely responsible for encrypting the content to be communicated over the Shellrent network.
Shellrent protects all devices through the following measures:
- Maintenance of a configuration management inventory
- Implementation of a hardening process, with guides describing the parameters to be changed to ensure a secure configuration
- Limited access to administration functions
- Logs are continuously collected and centralized by dedicated systems
- Configuration implementation is automated and based on validated templates
18. Business continuity management
A backup policy has been implemented on the servers and devices used by Shellrent to provide its services:
- All the systems and data necessary for business continuity, the reconstruction of the information system, or the analysis following incidents, are backed up
- The frequencies, retention times and storage methods of backups are defined according to the needs of each stored resource; the creation of backups is subject to monitoring and management of alerts and errors
19. Journaling
The customer is solely responsible for the logging policy for their systems and applications.
Shellrent maintains centralized backup and archiving of the logs of the systems used to provide its services. The main logged activities are:
- Logs of the backup servers that host customer data
- Logs of the servers that manage the customer infrastructure
- Logs of the servers that provide service to customers
- Activities and events performed by the customer on their infrastructure through the Manager panel
- Logs of the administrators' machines