Security systems at Bisnode Interact

Premises security

The building is divided into three distinct security areas.

  • A low-level security area (reception, guests)
  • Medium-level security area (access limited to personnel only or accompanied visitors)
  • High security areas (data centre – access limited to select IT personnel only)

Access to the different security areas is gained by means of a badge. Access rights are controlled in real time by an access control system. All zones are continuously monitored by camera; images are stored on tape and kept for review for 30 days. The premises are continuously monitored by a fire-detection system, which is connected to a remote dispatching centre (24h/24h – 7d/7d). Premises are also protected by a burglar alarm, which is likewise connected to a 24/7 remote dispatching centre. Predefined actions are triggered by the dispatching centre in case of alarms or anomalies.
The data centre consists of four computer rooms. Each computer room has a fire resistance of two hours. They are protected by an inert-gas fire protection system and by uninterruptible power supplies with a backup electricity generator, giving an autonomy of 4 to 8 days depending on load. The data centre's support systems are also monitored remotely by a dispatching centre (24h/24h – 7d/7d). People working in the data centre are part of a special fire-protection training programme.


Physical data security

Computer media and data are centrally stored in the data centre (limited access: see above). Specialized personnel handle all physical transfers of media. A secure and monitored staging area is used for sending and receiving physical media. Backups and disaster-recovery data are stored in a secure off-site area. On a weekly basis, an external security company handles transport of this media. Handover and recall of backup data can only be done by and to selected personnel, at predefined places and schedules. Transport is handled by a specialized security company which employs specialized and trained personnel. During transport the vehicle maintains permanent radio contact with the security centre (24/7). A specially fire-protected cabinet in another high-level security area is used to store the daily backups.

Logical data security

Internal access to data is based on appointed functional groups/roles and enforced by simple but effective operating-system security mechanisms. Only production-related groups are allowed direct access to the data; all other access is handled by specific applications. More global security settings are centrally enforced within the Local Area Network by using policies.

External access to data: the connection between the Local Area Network (LAN) and the Internet and demilitarised zones (DMZ) is protected by a dual firewall system. The firewalls use industry-leading software (stateful inspection, dynamic packet filtering and transparent proxies) and are implemented on specialized appliances with hardened operating-system kernels. The security policy and firewall rule set are developed and checked on a regular basis in cooperation with one of the leading security expert companies.

All externally initiated incoming traffic is always staged into different demilitarised zones based upon functionality and security requirements. Staging is done on untrusted hosts; each such host is minimally configured and carefully managed to be as secure as possible. A strict, centrally managed security policy is applied to prevent malicious access attempts. All traffic is logged and monitored. More secure means of accessing data are used; these access methods are based upon secure point-to-point connections (cryptographic functions that provide an encrypted channel between the client and the staging server).

File transfer uses a combination of basic authentication (username/password), Secure Shell (SSH2) and a staging host. The username/password combination directs the different users to their specific upload/download area; access to the other user areas is prohibited by using the virtual-root (chroot) mechanism. Once a file has been uploaded or downloaded using the SFTP/SSH2 transfer protocol, internal monitoring software copies it and immediately deletes it from the SFTP server. Integrity of the files is checked using MD5 checksums. All application traffic is logged.
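The staging pickup described above, as an added example that is not Bisnode's own software: a hypothetical job that walks an SFTP upload area, verifies each file against a sender-supplied `.md5` sidecar (an assumed convention), copies verified files to an internal inbox, diverts mismatches to a rejected area, and deletes the staging copy so nothing lingers on the DMZ host.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Hypothetical pickup job for the SFTP staging host. Assumption: every upload
# "<name>" arrives with a sidecar "<name>.md5" holding the sender's checksum.
# Files without a sidecar are left in place until the sender completes the pair.

def md5_of_file(path: Path) -> str:
    """Stream the file through MD5 so large uploads need not fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def ingest_staging(staging: Path, inbox: Path, rejected: Path) -> dict:
    """Verify, copy and purge every data file in the staging area."""
    result = {"accepted": [], "rejected": [], "missing_checksum": []}
    for data in sorted(p for p in staging.iterdir() if p.is_file() and p.suffix != ".md5"):
        sidecar = data.with_name(data.name + ".md5")
        if not sidecar.exists():
            result["missing_checksum"].append(data.name)
            continue
        expected = sidecar.read_text().split()[0].lower()  # "<hex>  <name>" format
        target = inbox if md5_of_file(data) == expected else rejected
        target.mkdir(parents=True, exist_ok=True)
        shutil.copy2(data, target / data.name)   # copy inside first ...
        data.unlink()                            # ... then purge the DMZ copy
        sidecar.unlink()
        (result["accepted"] if target is inbox else result["rejected"]).append(data.name)
    return result

def demo() -> dict:
    """Constructed sample: one good upload, one altered upload, one without a sidecar."""
    root = Path(tempfile.mkdtemp())
    staging = root / "staging"
    staging.mkdir()
    good = b"customer_id,score\n1001,742\n"
    (staging / "report.csv").write_bytes(good)
    (staging / "report.csv.md5").write_text(hashlib.md5(good).hexdigest() + "  report.csv\n")
    (staging / "bad.csv").write_bytes(b"altered in transit\n")          # content no longer matches
    (staging / "bad.csv.md5").write_text(hashlib.md5(good).hexdigest() + "  bad.csv\n")
    (staging / "orphan.csv").write_bytes(b"no checksum yet\n")
    out = ingest_staging(staging, root / "inbox", root / "rejected")
    out["left_in_staging"] = sorted(p.name for p in staging.iterdir())
    shutil.rmtree(root)
    return out
```

MD5 reliably catches accidental corruption in transit, but it is not collision-resistant, so the integrity check here detects transfer errors rather than deliberate tampering by a party who controls the file contents.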

A centralised three-level anti-virus policy is in place. Interception takes place at the Internet entry point, at server level and in real time at client level. Anti-virus definitions are updated daily for all three levels. Each level uses different software from a different leading anti-virus vendor.
