SaaS Cloud Spend Intelligence for Procurement and Finance
A single, global view of all integrated internal & external data



“In only eight weeks, Rosslyn Analytics easily, and cost effectively, enabled our global management team to have real-time visibility of company-wide spend data (pulled from various ERP systems) that resulted in immediately driving down business costs through improved risk analysis, contract management, supplier management and strategic sourcing.” – Rob Morris, Global Head of Procurement, Clifford Chance
Data Security
Overview

Rosslyn Analytics fully understands its responsibilities as a company that deals on a daily basis with your critical and valuable data. Therefore, security is of the utmost importance in our approach and strategy. As a result, our spend analysis platform rapidintel.com, together with our RA.Pid® applications, was designed from the ground up with data security at the forefront of our thinking. We have taken great care to ensure that your data has the highest levels of protection available at all times.

This document outlines the varied and extensive methods that we currently employ to ensure the safety of your data. Please rest assured that our methods are reviewed on a regular basis to ensure that we provide state-of-the-art security on an ongoing basis.
Confidentiality

Prior to any activity involving your data, Rosslyn Analytics will ensure that there is sufficient signed documentation in place to ensure confidentiality and protect you against the disclosure or misuse of your data. We can provide you with our standard non-disclosure agreements or are generally happy to work within an existing framework that you may already have in place.
Data Extraction
Rosslyn Analytics provides you with a suite of data extraction tools and templates, RA.Pid® Extract, to extract data from your Enterprise Resource Planning (ERP) systems such as SAP. All of our tools and techniques are installed on-site, and any extraction is executed within your network and firewall set-up. Once ready, data is typically transferred to Rosslyn using Secure File Transfer Protocol (SFTP). Regardless of the transfer method, no data is transported physically, electronically, or via any other file transport protocol without a minimum of 128-bit password-protected encryption and written consent from the client.
Physical Data Security

Your data will be stored in its own database within Rosslyn Analytics' state-of-the-art server infrastructure. With 24x7 on-site security personnel, CCTV, steel-plated doors, restricted authorised access control and locking rack space, you can be sure that your data is well protected. Our data centre holds the following accreditations:
  • ISO 9001 Worldwide Quality accreditation.
  • ISO 27001:2005 Part 2 Information Security accreditation.
  • ISO 14001:2004 Environmental Management System accreditation.
Firewalls & Data Encryption
 
Each of the servers on which we store your data is protected by Fortigate 3600 firewalls and is configured with a limited set of open ports. The Fortigate 3600 Firewall delivers best-of-breed and award-winning network-based antivirus firewall systems for real-time network protection, intrusion detection/prevention, VPN, and Web and email content filtering. Additionally, our software is developed to utilise multiple levels of encryption whilst handling your valuable data. These currently consist of the following:
  • Level 1 - Application Encryption. Application data is encrypted at source prior to sending requests to our secure servers.
  • Level 2 - SSL (Secure Sockets Layer) through HTTPS. Applications use 128-bit SSL encrypted connections to our secure servers.
  • Level 3 - SQL Server SSL Encryption. SQL Server SSL encryption is enabled to further encrypt data transfer between servers and applications.
User Authentication

User access to the data is via authorised user profiles and passwords. Rosslyn Analytics enforces password complexity rules to prevent unauthorised access. Current examples are as follows:
  • The password must contain 8 or more characters and must contain at least 2 alphabetic characters (at least 1 capital), 1 numeric and 1 symbol character.
  • Passwords will expire after 30 days, and new passwords cannot be the same as any of the previous 8 passwords.
  • The entry of an incorrect password 3 times in a row will result in the user account being locked.
  • Upon logging in, the session is also monitored and controlled via a security token mechanism. Security tokens will expire after a period of inactivity that we will agree with you; they are checked prior to executing any application code and rejected if the token has expired or is invalid.
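The password rules listed above (8+ characters with 2 letters, 1 capital, 1 digit and 1 symbol; 30-day expiry; no reuse of the previous 8; lockout after 3 consecutive failures) can be checked mechanically. The following is an added illustration, not Rosslyn's own code: it assumes a per-account salted PBKDF2 hash as a stand-in for whatever the platform actually stores, and the `Account` class and rule messages are hypothetical.

```python
import hashlib, hmac, os, string
from datetime import date, timedelta

# Thresholds taken from the policy bullets above.
MIN_LENGTH, MIN_ALPHA, MIN_UPPER, MIN_DIGIT, MIN_SYMBOL = 8, 2, 1, 1, 1
MAX_AGE_DAYS, HISTORY_DEPTH, MAX_FAILURES = 30, 8, 3

def complexity_errors(pw):
    """Return the rules a candidate password violates (empty list = compliant)."""
    checks = [
        (len(pw) >= MIN_LENGTH, "too short"),
        (sum(c.isalpha() for c in pw) >= MIN_ALPHA, "fewer than 2 letters"),
        (sum(c.isupper() for c in pw) >= MIN_UPPER, "no capital letter"),
        (sum(c.isdigit() for c in pw) >= MIN_DIGIT, "no digit"),
        (sum(c in string.punctuation for c in pw) >= MIN_SYMBOL, "no symbol"),
    ]
    return [msg for ok, msg in checks if not ok]

class Account:
    """Hypothetical per-user state: salted hashes (never plaintext), history, age, lockout."""
    def __init__(self, password, today):
        self.salt = os.urandom(16)
        self.previous = []            # hashes of up to HISTORY_DEPTH earlier passwords
        self.failures, self.locked = 0, False
        self.current, self.changed_on = self._hash(password), today

    def _hash(self, pw):
        # PBKDF2 is an assumption here; any slow, salted password hash would do.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 50_000)

    def change_password(self, new, today):
        errs = complexity_errors(new)
        if self._hash(new) in [self.current] + self.previous:
            errs.append("reuses the current or one of the previous 8 passwords")
        if not errs:
            self.previous = (self.previous + [self.current])[-HISTORY_DEPTH:]
            self.current, self.changed_on = self._hash(new), today
        return errs

    def login(self, pw, today):
        if self.locked:
            return "locked"
        if not hmac.compare_digest(self._hash(pw), self.current):
            self.failures += 1            # counts consecutive failures only
            if self.failures >= MAX_FAILURES:
                self.locked = True
                return "locked"
            return "denied"
        self.failures = 0                 # a successful login resets the counter
        if today - self.changed_on > timedelta(days=MAX_AGE_DAYS):
            return "expired"              # caller must force change_password()
        return "ok"
```

Note that the reuse check keeps 9 hashes (the current one plus 8 earlier ones), since the rule forbids any of the previous 8, not just the last 7 before the current password.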
User Access

Users may be restricted from accessing specific data sets that are sensitive. Restrictions may be applied at the individual user level and/or to groups of users. This is a configurable data security feature that we will work with you to put in place during the deployment of the solution.
Rosslyn Staff Data Access

We ensure that we limit the number of our staff that are authorised to access each of our customers' data. The categories of our staff that could have access to your data environment are as follows:
  • Application Management Analysts – access is required to install, monitor, and maintain your production application and database.
  • Help Desk Engineers – access is required to log into your production application and database to resolve any reported issues and problems.
  • Data Centre Engineers – access is required to administer and maintain the physical servers used for hosting your application and database.
  • Recovery Audit & Strategic Sourcing Consultants – access is required to execute agreed and fully scoped consulting engagements.
You will be assigned a team that will work exclusively on your project and you will be notified of any changes should they be required.
Activity Logging

All access to your application and database is tightly controlled by user profile and password for all users, including Rosslyn staff. All activity is logged using the comprehensive set of event logging and audit trail features available with SQL Server 2008. This provides full traceability of all events, including the date, time, user and request.
Backups & Disaster Recovery

Rosslyn Analytics servers and storage systems are backed up each working day. These system backups are used for immediate recovery purposes. Long-term off-site backups of our systems and data are carried out weekly. Rosslyn's full disaster recovery plan is available upon request.
Penetration Testing

To ensure continual protection from outside threats, Rosslyn Analytics carries out various penetration tests, both internal and external. The tests set out below are regularly carried out by Rosslyn Analytics, our clients and independent organisations:

Internal Penetration Tests
  • Internal Network Scanning
  • Port Scanning
  • System Fingerprinting
  • Services Probing
  • Exploit Research
  • Manual Vulnerability Testing and Verification
  • Manual Configuration Weakness Testing and Verification
  • Limited Application Layer Testing
  • Firewall and ACL Testing
  • Administrator Privileges Strength Testing
  • Password Aging and Strength Testing
  • Network Equipment Security Controls Testing
  • Database Security Controls Testing
  • Internal Network Scan for Known Trojan/Hacker Ports
  • Third-Party/Vendor Security Configuration Testing
  • Hardened Server/Device Configuration Testing
External Penetration Tests
  • External Network Scanning
  • Port Scanning
  • System Fingerprinting
  • Services Probing
  • Exploit Research
  • Manual Vulnerability Testing and Verification
  • Firewall and ACL Testing
  • Intrusion Detection/Prevention System Testing
  • Password Strength Testing
  • External Network Scan for Known Trojan/Hacker Ports
  • Remediation Retest
Security Incident Reporting

Rosslyn Analytics has implemented a security incident reporting policy that requires all incidents, regardless of severity, to be logged according to maintained guidelines. This policy is available for review upon request and is reviewed quarterly by the Rosslyn Executive Management Team.
© 2009 Rosslyn Analytics Limited