Tenzing Security Services and Best Practices

2 Dallas | Kelowna | London | Toronto | Vancouver www.tenzing.com

OVERVIEWSecurity is about managing risks and threats to your environment. The most basic security protection is achieved by pro-actively monitoring and intercepting various forms of attacks using antivirus software and network security measures. However in order to completely assure yourself and your customers that your business, data and transactions are fully secured, a comprehensive approach to security is needed. This approach must cover process and human factors as well as direct technology threats. This is the only way that you can assure the Confidentiality, Integrity, and Availability (CIA) (Fig 1) of your online business and customer information, and be truly compliant with best practices and regulatory requirements.

Tenzing is committed to improving the confidentiality, integrity, and availability of client information. As part of this commitment continuous improvements are made to Tenzing’s information security posture by adopting and incorporating best practices into critical aspects of processes and technologies. Tenzing believes in a multi-layered “defense in depth” approach to security and has a comprehensive suite of fully managed security services available to customers, including managed firewalls, VPNs, and network and host level intrusion detection and prevention services. When combined, these services provide a high level of confidence in the protection of systems and data, and assurances in addressing industry standards and compliance requirements, such as PCI-DSS Level 1, AT101 SOC 2 Type 2 (previously known as SAS70 or SSAE16), and ISO27001. Tenzing’s security services and policies are designed, maintained, and enforced by Tenzing’s expert security and compliance team.

The purpose of this document is to provide an inclusive summary of Tenzing’s security processes and services. The full range of security processes are an integral part of Tenzing’s core service and are designed to protect your operations and ensure that you fulfill your compliance commitments.

Information

Availability Ensuring only those who ought to have access can do so

Confidentiality Ensuring that information cannot be modified without detection

Integrity Ensuring information can be accessed when needed

Figure 1: Information Classes

Tenzing believes in a multi-layered “defense in depth”

approach to security and has a

comprehensive suite of fully managed

services that provide a high level of

confidence in the protection of systems

and data.

3 Dallas | Kelowna | London | Toronto | Vancouver www.tenzing.com

The challenging nature of regulatory and compliance requirements makes security compliance an exhaustive effort that requires full cooperation across the value chain of your online channel. As part of this value chain, Tenzing is compliant to a number of internationally recognized compliance regulations (see Fig. 2) as explained below:

PCI-DSSTenzing is a Visa Level 1 PCI-DSS Complaint services provider and is listed as a third party services provider for MasterCard Worldwide and Visa Canada. Tenzing has completed the registration and validation processes for both the Mastercard and Visa program and has been certified for the highest level of transaction levels (Level 1). What this really means is that Tenzing can host large volume, high value transaction sites and clients have less to worry about for PCI compliance. Tenzing’s processes and policies fulfill a number of the operation related PCI control objectives for security.

Tenzing uses a third party Qualified Security Assessor (QSA) to validate processes and security practices to ensure compliance with the relevant industry certifications. Tenzing successfully achieved the renewal of Attestation of Compliance (AOC) for PCI-DSS (Payment Card Industry-Data Security Standard, Service Providers) as well as a Report on Compliance (ROC) from its QSA. Furthermore, Tenzing is now recognized in its AOC as a PCI-compliant enterprise that provides Hosting Services for Hardware and Managed Services. PCI Compliance is an integral component of online retailing and the security team at Tenzing has gone to great lengths to help clients achieve their PCI compliance objectives.

Tenzing Security Compliance

Figure 2: Tenzing Security System

PCI DSS

AT101 SOC Type 2 ISO 27000

Netw

ork Security Data Security

Server Security AccessFirewall

IDS

VPN

Antivirus

Critical SystemsProtection

LogicalAccess

SSL and Encryption

Physical Access

4Tenzing Security Services and Best Practices

ISO 27001 Certification ISO/IEC27001:2005 is a standard that brings information security under explicit management controls organized under an Information Security Management System (ISMS). An organization’s ISMS outlines the restrictions and controls that need to be in place across eleven domains in order to ensure the confidentiality, integrity and available of data (Fig 3). Tenzing is one of the few service providers in North America that validates its ISMS by performing an annual ISO 27001 audit. This audit further certifies that all of Tenzing’s information security processes and procedures are to the standard of industry best practices.

Information Security Policy

Defines essential requirements for security. The policy is intended to support management decisions and explain the organization’s security and IP position.

Security Organization

Ensures management support, security coordination, and security services are in alignment with business requirements and operations.

Asset Classification and Control

Ensures that assets are accounted for and categorized by risk. Then the relevance of each business process can be evaluated and individual security requirements determined.

Human Resources Security

Provides security communication, training and awareness for employees, contractors and other personnel. Includes background checks and other controls to assess human risks.

Physical and Environmental

Defines the controls required to protect assets from physical risks such as theft and damage.

Communications and Operations

Defines the security of operations and information exchange between organizations and staff as well as communication with external organizations.

Access control Access to assets is modeled using appropriate access and business roles concepts. The appropriate technologies are then implemented to enforce the model.

Systems Development and

Defines the integration of security into the system development lifecycle. Includes security for change and configuration management.

Business Continuity Management

Business Continuity Planning (BCP) aims at uncovering risks for the business process and defining emergency measures to enable the organization to resume normal operations.

Security Incident Response

The establishment of people, process and technologies to ensure that security incidents are communicated in a manner allowing timely corrective action to be taken.

Security Compliance

Identification and implementation of the appropriate actions necessary to ensure requirements from legal, regulatory, and other requirements are met.

Figure 3: ISMS Doman Details

5 www.tenzing.com

FirewallFirewalls are installed at the perimeter of customer environments to protect and prevent un-authorized access, while at the same time isolating the web tier from the application and database tier. Tenzing uses carrier grade equipment for its firewall service, which are enterprise-class security appliances that provide network and application protection against Internet threats. This service is delivered using the latest Application Specific Integrated Circuit (ASIC) technology that enables wire-speeds for advanced security features such as Stateful Packet Inspection.

Tenzing has implemented a variety of network security technologies to ensure the utmost level of security.

Network security is the first line of defense from the outside world and it is intended to secure the information

exchanged with the external world from malicious attacks and protect the privacy of your computing resources.

Security is integrated into Tenzing’s network services through its architecture as well as in the policies and

procedures that govern its management. Tenzing employs a number of industry leading security measures

including, but not limited to: separate physical network segments for public (“front-end”), private (“back-end”),

and backup networks. Tenzing also uses vLANs with firewalls in customer environments to segregate different

types of customer traffic with encrypted access controls and default deny-all policies.

AT101SOC 2 Type 2 (formerly SSAE 16 or SAS70) AT101 SOC 2 Type 2 is the authoritative guidance that allows service organizations to disclose their control activities and processes to customers and their customers’ auditors in a uniform reporting format. The issuance of a service auditor’s report prepared in accordance with AT101 SOC 2 Type 2 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. The service auditor’s report, which includes the service auditor’s opinion, is issued to the service organization at the conclusion of AT101 SOC 2 Type 2 examination.

AT101 SOC 2 Type 2 is an enhancement to the current standard for Reporting on Controls at a Service Organization. The changes made to the standard bring companies up to date with new international service organization reporting standards, the ISAE 3402. The adjustments made from AT101 SOC 2 Type 2 helps Tenzing’s customers compete on an international level, allowing them to confidently and securely conduct business internationally.

Tenzing’s AT101 SOC 2 Type 2 audit is conducted on critical Trust Service Principals (TSP) including Security, Availability, and System Description (People, Infrastructure, Software, Procedures, and Data). This audit is very important to Tenzing’s clients as it contributes to the company’s position as a trusted ecommerce hosting provider. This audit validates that the security controls and processes that Tenzing has implemented are well designed, in place and under correct management.

Finally, Tenzing’s information security team conducts a number of internal audits that collect, assess and measure ongoing compliance with internal controls, industry best practices and the external audits mentioned earlier.

Network Security

VPNTo provide a secure method of access to both clients and employees, Tenzing deploys redundant IPSEC VPN appliances that integrate seamlessly to provide secure VPN connectivity without the need to reconfigure the network or deploy additional hardware. Tenzing pro-actively manages the configuration and user administration, allowing clients direct, secure, and reliable remote and in-office connectivity to their managed infrastructure.

6Tenzing Security Services and Best Practices

Intrusion Detection Services (IDS) Tenzing’s Intrusion Detection Services are designed to provide a critical layer of network defense against threats that easily bypass perimeter and endpoint defenses – constantly protecting the internal network from worms, and other threats. Ten-zing combines intrusion detection, vulnerability management and compliance reporting technology into a single integrated solution that offers both proactive and reactive protection from the latest threats. Tenzing’s IDS encompasses a global view of security event trends to maintain accurate and relevant network security intelligence. Tenzing’s Security Operations Center to quickly identify, escalate, contain and mitigate security breaches around the clock.

Figure 4: Network Threats

Benefits of Tenzing IDS

• 24x7x365 monitoring for security events by Tenzing’s Security Operations Center – staffed with Certified Information Systems Security Professional (CISSP) and Global Information Assurance Certification (GIAC) certified experts – via Intrusion Detection System (IDS) on Customer’s edge network.

• IDS System configuration, maintenance and incident analysis from Tenzing’s security team.

• Seven factor threat scenario modeling (Fig 4) to increase accuracy and reduce false alarms

DOS Assure Protection ServiceFor many of Tenzing’s clients, their online environment is a critical part of your business. Many depend on their website to generate revenue, reduce cost and gain efficiencies which makes security breaches more serious than ever. For many clients a Distributed Denial of Service (DDoS) attack would bring business to a halt.

Tenzing’s DDOS protection service will immediately protect your site 24 x 7 from any DDoS attacks. The base configuration mitigates a wide number of incursions, including ICMP & UDP floods, Port Scans, SYN attack and Distributed Reflection DOS.

Tenzing provides the following deployment options for DOS Assure: • A proactive, Always-On service, where all traffic is filtered through the DDoS Assure Service.• A hybrid service, where customers are pre-configured for DDoS Assure but require their DNS settings altered during the

time of the attack to have the attack mitigated.• An On-Demand “emergency” service, that can be deployed quickly to mitigate an attack

Figure 5: DOS Assure

7 www.tenzing.com

Data Availability

Data Security is the protection of data from destructive forces and the unwanted actions of unauthorized users. Tenzing’s data security service uses a dedicated backup infrastructure, with comprehensive policies and procedures that are capable of backing up and restoring the most complex applications and system configurations. Tenzing can service all major file systems, databases and applications.

Backup services from Tenzing include:• Off-site Backups: Customers can have backups replicated to a data store at a geographical remote location for additional

disaster recovery capabilities. Recovery Periods are equivalent to the policy maintained for local backups.• Data Encryption: Customers can have their data encrypted both in transit and on the data store for maximum security.

SSL certificate options are also available. • Secure Access: Seamless VPN integration, without the need to reconfigure your network or deploy additional hardware.

Tenzing manages the configuration and user administration, allowing authorized users direct, secure, and reliable connectivity to your managed infrastructure, wherever they are.

Access Control

Physical Access Tenzing’s datacenters are protected by multi-layered physical security measures including 24x7x365 security personnel, dual-factor electronic and bio-metric authentication systems, surveillance cameras, and man-traps. Access to the datacenter floor is strictly limited to Tenzing’s datacenter technicians and bonded facility maintenance engineers.

Logical Access Tenzing utilizes a number of tools to monitor logical access controls for identification, authentication, authorization, and accountability to secure environments, including system logins that enforce access control measures to systems, programs, processes, and information. In order to authenticate, authorize, and maintain accountability a variety of methodologies are used such as password protocols, devices coupled with protocols and software, encryption, and firewalls. These measures and others allow Tenzing to detect intruders, maintain security, reduce vulnerabilities and protect client data and systems from threats.

End Point Protection Tenzing uses industry protection technology for the endpoint level layer of protection. Tenzing’s Managed Anti-Virus service is PCI-DSS ready and satisfies the PCI-DSS requirement number 5. It protects servers against a wide range of viruses and ma-licious codes, including Zero-Day threats. The service desk is automatically alerted of any potential threats which are quickly resolved by Tenzing’s Information Security team and vendor. With centralized management, Tenzing automatically updates Virus Signatures, thus ensuring servers are up to date with the latest malware protection.

Critical System & File Integrity Protection Tenzing also implements a second layer of protection known as “Critical System Protection” allowing proactive safeguard heterogeneous server environments and the information they contain. This technology allows Tenzing to monitor and protect logical and virtual solutions using granular, policy-based controls, with a combination of host-based intrusion detection (HIDS), intrusion prevention (HIPS), and least privilege access control. Tenzing leverages granular policy-based controls to provide high security for virtual solutions, protecting against zero-day, targeted attacks, real-time control and visibility into compliance.

Host Level - Endpoint Protection

8Tenzing Security Services and Best Practices

Tenzing believes that a great IT managed services company should do more than just keep infrastructure up and running. It should also help your business succeed and grow. That’s why Tenzing partners with its clients to deliver meaningful insights and impactful technologies that help them grow their online revenues. The success of Tenzing’s clients has fueled it’s own success. Since Tenzing first launched back in 1998, the company has been recognized 7 times by Profit Magazine as one of Canada’s fastest growing companies. It has also been recognized by The Branham Group as a top information and communications technology company for five years running. The secret to Tenzing’s success is a set of core values and industry-leading best practices designed to ensure the best outcomes for its clients. Tenzing’s security services are integral to its core value.

CONCLUSION

For more information, please reach out to Tenzing at 877-767-5577 or email us at sales@tenzing.com.

Payment Security

PCI Assure With PCI Assure, Tenzing utilizes the latest in transaction processing technology to get merchants PCI compliant quickly and pain-lessly and to keep them there. PCI Assure offers a complete, flexible, online checkout solution that integrates seamlessly into your environment keeping the customer check-out process seamless. Tenzing has partnered with Hosted PCI to deliver this service to customers.

This service provides retailers with a Level 1 PCI-DSS compliant solution, and enables retailers to maintain complete control over the checkout process.

PCI Assure provides the following benefits:• Complete Indemnification against credit card breach.• Simplified PCI-DSS Certification process..• Significant cost savings compared with in-house PCI-DSS

Compliance. • Predictable, timely implementation with several pre-built

integrations.• Flexible deployment allowing for seamless integration anywhere on

the merchant website.• Simple, All-In Cost/Transaction model that scales to millions of

transactions.• Payment processor independent tokens - No need to be locked

into one payment processor or tokenization solution. PCI Assure Tokens are transferable between supported payment gateways and processors.

• Customization options for merchants who are required to pass credit card data to other Level 1 PCI Compliant entities, such as fulfillment providers.

• Fewer abandoned carts with the PCI Assure advantage. Keep customers on your site and keep abandonment rates low with PCI Assure IFRAME.