Data Security Whitepaper
Posted on 12-Apr-2017
Sample Solutions, Premier Sample Provider
Introduction
Data security is a critical component for all businesses. Business data protection helps to secure customer details, financial information, survey data and other key business data, which are key company assets. Many companies, including Sample Solutions, rely on the fact that the data they hold and work with is secure, encrypted and cannot be breached. Losing data in a natural catastrophe is one thing, but losing it to a breach can lead to severe consequences. Not only do data breaches damage a company's reputation and destroy consumer trust, a breach may also lead to lost business opportunities and financial consequences, and disrupt safety and normal workflow.
Contents

Introduction
Background
General Approach to Data Protection
Products of Sample Solutions
  SMS Survey Platform
  Sample on Demand
Future Steps towards 2018
Works Referenced
Background

In the age of digitalization and e-commerce, data protection and security have become increasingly important. Not only must companies protect their own data from cyber espionage, but they must also safeguard consumer data and abide by ever-changing data protection regulations or face severe consequences. Data breaches cost companies millions each year; just ask Target, a large US retailer, which had to pay out 67 million for a massive data breach in 2013. According to the Ponemon Institute, in 2015 alone data breaches cost companies an average of $3.79 million (≈3.39 million euros). Thus it is essential for companies to have proper data safeguard mechanisms integrated into their systems, along with regulatory compliance for all countries in which they conduct business. Issues like the new Data Protection Regulation, as well as what companies need to do about it, will be discussed later in this whitepaper. We will also look at how these new practices apply to our core products: telephone samples, SMS surveys and, lastly, data services.

Data protection regulation is intended to strike a balance between the rights of individuals to privacy and the ability of companies to use data for commercial purposes. The main purpose for the existence of data legislation is that personal data is not processed without the knowledge of the individual. Moreover, in 2018 the General Data Protection Regulation (GDPR) will come into place, which requires all companies conducting business within the EU to handle data in specific ways. Besides the EU countries, it also addresses the transfer of personal data outside the EU. Key changes to EU data protection introduced by the GDPR are the following:

- More rigorous requirements for obtaining consent for collecting personal data
- Raising the age of consent for collecting an individual's data from 13 to 16 years old
- Requiring a company to delete data if it is no longer used for the purpose for which it was collected
- Requiring a company to delete data if the individual revokes consent for the company to hold the data
- Requiring companies to notify the EU government of data breaches within 72 hours of learning about the breach
- Establishing a single national office for monitoring and handling complaints brought under the GDPR
- Companies handling significant amounts of sensitive data or monitoring the behaviour of many consumers will be required to appoint a data protection officer
- Fines of up to €20m or 4% of a company's global revenue for non-compliance
General Approach to Data Protection Policies

Data security and the challenge of data protection are increasing in scope and in difficulty. While organizations have long needed to safeguard intellectual property and confidential information, changes in information technology and business models introduce new actors, new threats and new regulations. As a result, companies, including Sample Solutions, need to think beyond the traditional models of securing the perimeter and locking down specific segments of IT infrastructure in order to achieve their data protection goals.

Even before the new Data Protection Regulation comes into force, Sample Solutions has always complied with the EU's Data Protection Directive, which requires data controllers to ensure that data protection requirements are met and safeguards are in place, including measures related to security, and we continually strive to improve and develop these measures beyond what is required. Our systems require identity assurance, visible trust and strong protection; some of Sample Solutions' general policies include data encryption, safe storage of data, SSL certificates for security and reliable web hosting.

All of our data is delivered via our own platform, where we host the data on a dedicated server: https://www.surveyplatform.eu. There are several advantages to providing the data via the platform rather than via FTP or other third-party applications. Reliable web hosting, SSL and encryption are provided for each and every sub-platform, as well as for all orders that we deliver to clients. We discuss the security protection provided by third-party applications and how they contribute to better data protection in the following sections.
Web Hosting

The server hosting for our platform is provided by Strato (https://www.strato.nl/). It is 100% hosted in Germany, as they provide excellent IT security, which is verified repeatedly each year through independent TÜV certification (ISO 27001). STRATO also offers a three-tiered security concept which includes:

- Secure data centers, complying with Germany's strict legal requirements, where they host more than 60,000 servers and 4 million websites
- Backup control and risk management at the highest level
- Secure data transmission through encryption
SSL Certificate

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser (the protocol negotiated today is its successor, TLS, but the term SSL remains in common use). The adoption of SSL certificates is on the rise. SSL is a transparent protocol which requires little interaction from the end user when establishing a secure session. As opposed to unsecured HTTP URLs, which begin with "http://" and use port 80 by default, secure HTTPS URLs begin with "https://" and use port 443 by default.

Most information security professionals would consider SSL a basic security measure, because plain HTTP is insecure and subject to eavesdropping attacks which can let attackers gain access to online accounts and sensitive information. Data that is sent or posted through the browser using HTTPS is encrypted in transit and secure.

Sample Solutions has enabled Extended Validation SSL Certificates (EV SSL), the highest class of SSL certificate available. This kind of certificate activates both the padlock and the green address bar in all major browsers. EV SSL Certificates provide the strongest encryption level available and enable us to present our own verified identity to website visitors. EV SSL Certificates offer a stronger guarantee, are globally standardized and have a verification process defined within the EV
Encryption

As a concept, encryption does not prevent interception, but it denies the message content to the interceptor. In our system all of the delicate data is encoded in such a way that only authorized parties can read it. In our platform we encrypt the files with an encryption key which specifies how the messages should be encoded. All the sessions and session variables are encoded in the back end, so all the sub-platforms are secured as well.

Everyone agrees that usernames and passwords are the most important things to protect. Sample Solutions' encryption offers encoding for these as well, so that in the unlikely case of a data breach this information will not be published or accessible to third parties.
Products of Sample Solutions

Sample Solutions wants to make sure all of our security policies are applied to the products we offer to clients. Here we describe the policies for our two most used platforms: the SMS Survey Platform, which enables one- and two-way SMS surveys, and Sample on Demand, which offers internal work with RDD and B2B databases and includes our Client Delivery System, where all processed orders are safely stored and delivered to clients.

1. SMS Survey Platform

The SMS Survey Platform is currently the only platform in Sample Solutions that handles personal data. So far the company has complied with all internal regulations in every country in which we have performed surveys. Based on the data protection regulations discussed in the preceding sections, the SMS Survey Platform is built with a modern and widely popular web framework that provides additional safety measures. The platform utilizes a sophisticated authentication and user-management system. This provides a safe and secure way of logging into the application and managing users accordingly. The system also provides user roles, so that not all users are allowed access to the delicate parts of the application. By using a modern web framework to develop the SMS platform, several security measures are already covered, such as:

- Cross-site request forgery: requesting some URLs may have side effects. That is why not all users have the same roles and cannot access all parts and routes of the application.
- XSS (cross-site scripting): placing unwanted client-side code that steals information. This is solved by escaping and making sure that all user-submitted data is safe.
- SQL injection: when an application uses unfiltered user input in communication with the database. By default, the framework offers techniques that are SQL-injection proof, which the SMS platform uses extensively.
- Forced HTTPS when exchanging sensitive data: if someone tries to communicate with the system without a secure connection, the system forces them to use HTTPS instead of HTTP.

By using a popular, supported and regularly maintained web framework for developing this platform, and by implementing the best programming techniques, we have made sure that this platform is completely data-secure.
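The four framework-level measures listed above (SQL injection, XSS, CSRF and forced HTTPS) in working form, as an added example that is not Sample Solutions' code and does not name the web framework the page leaves unnamed. It uses Python's sqlite3 module as a stand-in database; the users table, the comment markup, the host name and all function names are constructed for the example. For CSRF it shows the per-session synchronizer token that such frameworks provide, which is a different mechanism from the role checks the page describes.

```python
import html
import hmac
import secrets
import sqlite3
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data standing in for the platform's user table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "agent"), ("carol", "agent")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_role_vulnerable(conn, username):
    # Unfiltered user input pasted into the SQL text: the defect the page warns about.
    # A value containing a quote changes the meaning of the WHERE clause.
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_role_safe(conn, username):
    # Parameterised query: the driver sends the value separately from the SQL text,
    # so whatever the user typed is only ever compared, never parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_comment(user_text):
    # XSS defence: escape user-submitted data before placing it in HTML so
    # tags and quotes become inert text instead of markup or script.
    return '<p class="comment">%s</p>' % html.escape(user_text, quote=True)


def issue_csrf_token():
    # Per-session random token embedded in forms; a cross-site request cannot know it.
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted_token):
    # Constant-time comparison of the session's token with the copy sent in the form.
    if session_token is None or submitted_token is None:
        return False
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())


def https_redirect_target(url):
    # Forced HTTPS: for a plain-http request return the https:// URL to redirect to,
    # dropping an explicit default port 80; return None when already secure.
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None
    netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the classic textbook input, used here only to show the contrast
    print("vulnerable:", lookup_role_vulnerable(db, probe))   # every row comes back
    print("safe:      ", lookup_role_safe(db, probe))         # no such user: empty list
    print(render_comment("<script>alert(1)</script>"))
    print(https_redirect_target("http://sms.example:80/login?x=1"))
```

The contrast worth noticing is that the safe lookup and the vulnerable one differ by a single line: passing the value as a parameter rather than formatting it into the string. Escaping on output (render_comment) rather than on input keeps the stored data intact and still protects every page that renders it.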
2. Sample on Demand

Sample on Demand is the general tool for delivering the main product of Sample Solutions (RDD, B2B and B2C samples) and can be found at https://sample.surveyplatform.eu. SSL protected and encrypted as well, this platform is highly protected in several ways, since the data we deliver is delicate and of great importance to our clients. Developed for both administrators and users, it provides encrypted authentication for both parties. During the upload and delivery of an order the following actions are taken:

- Once the order is uploaded, the client immediately receives two separate emails. One contains the access link to the order and the second contains the password for the submitted order. The files are kept on our own dedicated server, so they cannot be accessed in any other way.
- After the order is processed, the system automatically sends the client an internal and an external link to access the files. The internal URL demands authentication by the user, and the external URL is equipped with additional protection: it includes randomly generated unique strings that do not allow any kind of guessing by an outside party.
- The platform issues a unique password per order after the client passes the general verification, and each order has a limited number of downloads to prevent outside attacks or abuse of data.
- For general protection, the link to the platform automatically expires after 21 days. However, the client can still access the original files past the expiration date upon request, as we store these.

Future Steps towards 2018

Around 18 months are left until 2018 and the implementation of the new EU data protection guidelines. Therefore we have developed a roadmap towards 2018 to further strengthen our data protection policies. Although only a part of the data that Sample Solutions works with is classified as personal data, we will strive to comply with the new regulations and continually improve our system. As part of our next steps, we will establish a data protection management team to implement the ISO 27001 international standard for Information Security Management. Furthermore, we plan on appointing a data protection officer to ensure that we use personal data only in cases where the data protection regime allows using the data in question, and that we obtain specific and explicit consent from individuals for the processing of their data (opt-in).
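The order-delivery controls listed under Sample on Demand (unguessable external link, per-order password, limited number of downloads, expiry after 21 days), together with the point made in the Encryption section that stored passwords must not be readable after a breach, as one added example. This is not Sample Solutions' code: the 21-day lifetime comes from the page, while the download limit, the hashing parameters, the URL path layout, the timestamp and all function and class names are constructed for the example. Password storage uses a salted PBKDF2 hash from Python's standard library, which is an assumption about technique, not a description of the platform.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Stated on the page: the delivery link expires after 21 days.
LINK_LIFETIME = timedelta(days=21)
# Constructed values: the page gives no download limit, hashing parameters or URL layout.
MAX_DOWNLOADS = 3
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16
BASE_URL = "https://sample.surveyplatform.eu/orders"  # path layout is an assumption
SAMPLE_CREATED_AT = datetime(2017, 4, 12, tzinfo=timezone.utc)  # constructed timestamp


def hash_secret(secret, salt=None):
    # Salted, deliberately slow hash: a leaked record does not reveal the order password.
    salt = salt or secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    return salt + digest


def verify_secret(secret, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    return hmac.compare_digest(candidate, digest)


def later(base, days):
    # Clock helper so expiry can be exercised without waiting for real days to pass.
    return base + timedelta(days=days)


class OrderDelivery:
    """Server-side record for one processed order: the random link token,
    the hash of the per-order password, and the download counter."""

    def __init__(self, order_id, created_at, password):
        self.order_id = order_id
        self.created_at = created_at
        self.external_token = secrets.token_urlsafe(32)  # 256 bits: not guessable
        self.password_hash = hash_secret(password)        # plaintext is never stored
        self.downloads = 0

    def external_link(self):
        # The link mailed to the client; the token is the last path segment.
        return "%s/%s/%s" % (BASE_URL, self.order_id, self.external_token)

    def expired(self, now):
        return now >= self.created_at + LINK_LIFETIME

    def authorize_download(self, token, password, now):
        # Every condition must hold; the first failing one names the refusal reason.
        if self.expired(now):
            return "expired"
        if not hmac.compare_digest(token.encode(), self.external_token.encode()):
            return "bad_link"
        if not verify_secret(password, self.password_hash):
            return "bad_password"
        if self.downloads >= MAX_DOWNLOADS:
            return "limit_reached"
        self.downloads += 1
        return "ok"


def create_delivery(order_id, created_at):
    # Returns the stored record plus the one-time password that goes to the client
    # in the second email; the record itself keeps only the hash.
    password = secrets.token_urlsafe(12)
    return OrderDelivery(order_id, created_at, password), password


def link_token(link):
    # Recover the token from a delivery link (its last path segment).
    return link.rsplit("/", 1)[1]


if __name__ == "__main__":
    record, pw = create_delivery("ORD-1", SAMPLE_CREATED_AT)
    tok = link_token(record.external_link())
    print(record.authorize_download(tok, pw, later(SAMPLE_CREATED_AT, 1)))   # ok
    print(record.authorize_download(tok, pw, later(SAMPLE_CREATED_AT, 21)))  # expired
```

Two design points follow from the page's own list: the link token and the password are independent secrets sent in separate emails, so intercepting one message is not enough to reach the files, and the download counter is checked after authentication so that a guessed link cannot be used to exhaust a client's downloads.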
Works Referenced

1. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Official Journal L 201, 31/07/2002, P. 0037-0047.
2. Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union, COM/2013/048 final - 2013/0027 (COD).
3. M Law Group, 2012, New Draft European Protection Regime. Available from: http://www.mlawgroup.de/news/publications/detail.php?we_objectID=227
4. GlobalSign, What is SSL? Available from: https://www.globalsign.com/en/ssl-information-center/what-is-ssl/
5. Ponemon Institute Research Report, 2015, 2015 Cost of Data Breach Study: Global Analysis. Available from: www.ibm.com/security/data-breach
www.sample.solutons