Commitment to Security
Food safety, quality and compliance information is an important asset to Safefood 360° (SF360) and along with its employees, it is committed to protecting the integrity, privacy and security of confidential customer data as required by law, professional ethics, and accreditation requirements. The purpose of the Commitment to Security Statement is to provide SF360 clients, employees and contract developers with an objective description of the system’s boundaries and security commitments.
PURPOSE & DESIGN
SF360 is a food safety management software platform that allows food businesses to set up, plan, schedule, record and report on all elements of their food safety system. This includes HACCP planning, management processes, prerequisite programs, CCP and operational monitoring, and reporting. It is a pure software as a service application hosted within the Microsoft Azure network of data centres. The software is accessed using any web browser and from desktop, tablet and mobile devices. It can be deployed across multiple sites within the same organization, across multiple geographies and supports all common world languages.
There are more than 30 modules covering the recording and reporting requirements of the Global Food Safety Initiative (GFSI) as well as national regulations such as the Food Safety Modernization Act (FSMA). It is also aligned towards the intricate requirements of the Retailer Technical Standards. The software is used by food processing, food service and food packaging operations globally. Its users include CEOs, Production Managers, Quality Managers, Food Safety Managers, Food Technologists, Line Operators, Hygiene Staff and most other positions within a food business.
SF360, its employees and contract developers have implemented appropriate security policies and procedures for three key areas outlined below:
Security Management Process
- Safefood 360 has implemented policies and procedures including an annual Risk Analysis to identify potential risk and vulnerabilities to the confidentiality, integrity and availability of client data and remediate those risks as needed.
- Safefood 360 has a comprehensive Risk Management Policy including routine internal and external security audits, use of third-party security experts and annual review of all security policies and procedures.
Information System Activity Review
- Safefood 360 has implemented automated and continuous system monitoring that provides alerts and notification to services staff. This includes procedures to follow when a system alert occurs.
Assigned Security Responsibility
- Safefood 360 has identified a Chief Security Officer who is responsible for the overall privacy and security at Safefood 360.
- Employment at Safefood 360 is subject to completion of a successful background check. Safefood 360 has an offboarding policy and procedure in place to ensure that access to client data is terminated when a workforce members employment ends with the company.
Information and Access Management
- Access to all resources is controlled by Access Control Lists (ACL). The level of access is based on the workforce member’s job description within the organization.
Security Awareness and Training
- All Safefood 360 workforce members are required to have security & awareness training upon hire and at least annually thereafter.
- Safefood 360 utilizes the current version of Symantec Endpoint Security and Anti-Virus Enterprise Edition on all user workstations. This includes real time scanning and periodic scans of all files and folders contained on each computer. Anti-malware databases are configured to be updated every hour for new signatures that are being made available from Symantec.
- Safefood 360 requires the use of complex passwords and two-factor authentication where available.
- Safefood 360 monitors all log-on attempts to production systems.
Security Incident Protection and Response
- Safefood 360 maintains an Incident Reporting Mechanism in order to facilitate the reporting of potential security incidents and/or breaches.
- Safefood 360 takes all suspected incidents seriously and will investigate all suspected incidents as quickly as possible.
- Safefood 360 maintains a data backup and recovery plan which creates and maintains retrievable copies of client data within snapshots on storage devices and storage device replication. Daily backups are maintained for 35 days and weekly backups are maintained for five years.
- Safefood 360 maintains a disaster recovery plan for recovery in the event of failure or disaster including all critical elements of the applications, snapshot technology in the event of major data corruption, backup databases for production data and an alternate site in the event the primary site goes down.
- Safefood 360 periodically tests contingency plans to verify procedural steps are valid and to provide updates to the procedures.
- All Safefood 360 applications, including its elements such as the network, servers, storage and databases are equipped and operated at high-availability.
Safefood 360 hosts all its SaaS applications, including client data in within the Microsoft Azure network of data centres. All physical security policies are set by the hosting facility. Safefood 360 has reviewed these policies and verified acceptability. The data centres are SOC 2 compliant. They maintain 24/7 manned security. All doors have alarm contacts, the building has ballistic entrances/bulletproof glass and no signage. Only authorized employees have badges that will get them in any door. The physical security requires both a proximity badge and a palm print biometric authentication be performed before anyone can gain access to the facility via man traps. The data centres have recording cameras spread throughout and outside the facility and several motion sensor lights. Aside from the aforementioned facility security implementations, Safefood 360 also has procedures and practices related to the following:
- Safefood 360 has implemented policies and procedures that govern the use and security of workforce member workstations, including laptops and portable devices. This includes the encryption of all workstations and laptops.
Device and Media Controls
- Safefood 360 has implemented policies and procedures that govern the movement of all devices and media. This includes disposal, re-use, data back-up, and data storage.
Safefood 360 has implement policies and procedures to technical safeguard client data according wherever possible. These policies and procedures include:
- Unique user IDs and secure passwords for access to systems
- Automatic Logoff procedures
- Emergency Access procedures
- Data that is moving is encrypted using Secure Socket Layer and Transport Layer Security (SSL/TLS). Data at rest is either encrypted or de-identified.
Vulnerability Management / Scanning
- Bi-annual application security scans.
- Annual penetration tests by third party firm.
- All web accesses to the applications from users are logged in a platform and/or application specific database.
- User authentication is handled within the application. It is equipped with configurable options to comply with commonly enforced password policies in the market.
- Safefood 360’ applications are equipped with transmission security and data integrity mechanisms to protect the exchanges of client data according to the Encryption Policy utilising SSL Encryption.
Monitoring and Alerting
Safefood 360 uses several systems and tools that complement each other to provide the best protection and coverage for its hosted application environments. These include monitoring and alerting for the following:
- System and Services Health and Availability
- Resource Capacity and Utilization Monitors
- Application Performance Monitors
- Safefood 360 uses several systems and tools that complement each other to provide the best protection and coverage for its hosted application environments. These include monitoring and alerting for the following:
Safefood 360 provides is clients with the functionality necessary to create user roles, grant access to users, configure the parameters of the application and export data to common formats. Customers are therefore primarily responsible for:
- Configuring and managing employee & third-party supplier user access and authentication to the system
- Adding and removing Safefood 360 employee and authorised contracted users for the purpose of providing customer support and professional services.
- Manging the security of client and end-point devices used to access the Safefood 360 platform
MICROSOFT AZURE RESPONSIBILITIES
As the host of the Safefood 360 SaaS application, Microsoft Azure provides critical support services that includes:
- Continued compliance with the following data security standards: E.U. Data Protection Directive (95/46/EC); ISO/IEC 27001:2005; SOC 2; HIPAA/HITECH; PCI Data Security Standard; and FDA 21 CFR Part 11 and EU Annex 11.
- Host infrastructure including the configuration, management, and securing of the compute (virtual hosts, containers, service fabric, auto scaling), storage (object, CDN, file storage), and platform services. Azure will operate and secure the host services, such as the operating systems of the service.
- Network control including the configuration, management, and securing of network elements such as virtual networking, load balancing, DNS, and gateways.
- Internal vulnerability management of the host infrastructure
- Enterprise level backup and redundancy
The System Boundary illustrates data flow to and from SF360 applications and where responsibilities lie within the SF360 system.