Security Policies

Data security measures

ITRS Capacity Planner has implemented a systematic approach to keep your data safe.

The following security measures are in place:

  • ITRS is ISO27001 accredited. We are externally audited every six months to verify we do what we say we do with respect to our Information Security processes and procedures.
  • We have followed good industry practice when it comes to designing and implementing Capacity Planner to restrict access to your data.
  • We actively monitor and manage threats and we employ an independent third party consultancy to run regular penetration tests on our systems.

Network

We separate our Internet-facing systems from our other servers, and we use IPSec security technology to link our servers together in the private network. IPSec ensures each data packet is authenticated and encrypted when servers communicate with each other.

Browser security

When you access Capacity Planner, your browser displays a secure padlock indicating that Capacity Planner is a secure site. This means that all data transmitted between your browser and our servers is encrypted.

Capacity Planner uses the strongest browser encryption products available to protect your data. We use 128-bit SSL with a certificate from the Comodo High Assurance Secure Server Certificate Authority, with RSA as the key exchange mechanism.

User authentication

When you sign up to Capacity Planner, we verify your email address to uniquely identify you. If you forget your password, we will send you an email to reset it.

We ask you to use a password that is likely to be longer and more complex than your corporate standard because it makes it harder to crack.

It is worth remembering that a minimum length of 10 characters increases the number of attempts needed for a successful brute force attack from 95^8 (for an 8 character password) to 95^10, making our password system nearly ten-thousand times stronger.

Your password is only ever stored in one place on our system and it is hashed and salted. We do not know it nor will we ever ask you to give it to us.

Application security

Your data is only ever stored in our production environment and, for a limited time, in the backup files we take of those systems.

Our servers' file systems and databases are encrypted using 256-bit Windows EFS.

All the encryption keys are stored in a restricted and secure area external to the Capacity Planner systems.

We have processes in place to restrict our access to your data including strict audit trails. We only ever look at your data if you give us permission to do so through a support request.

Managing threats and vulnerabilities

Following industry best practice, we do the following:

  • Employ multiple different types of firewalls across our infrastructure to protect against unauthorized network connections.
  • Run continuously updating anti-malware software on each of our servers.
  • Only open necessary network ports.
  • Use, retain and review audit logs that show all the transactions that have been executed on our servers and on our S3 storage.
  • Operate intrusion detection and intrusion prevention systems to help identify malicious activity.
  • Patch our servers against vulnerabilities as soon as they are identified and updates are released.
  • Test the patches on our test and development environments before they go live on production.
  • Monitor our servers around the clock, with monitoring systems that alert our team to critical failures.
  • Back up data every day.
  • Automate our server build process to make recovery faster.

Information we store about you

The only data about you that we can access and store is your registration data (typically just a user name). This is necessary so that we can support you if you have any requirements to contact us.

Furthermore, we store and we can access any correspondence between us and you. This includes support tickets raised, and purchases including invoices. But please note we do not store payment data (for example, credit card numbers) in any of our systems.

What is not secure

Once data is in your browser it is not encrypted (data is only encrypted during transportation). We also cannot protect information that you may store locally on your systems (for example, reports). This is your responsibility.

Data sensitivity

In forming a judgement as to whether you regard our security as sufficient for your business, you should consider how sensitive the data is that you intend to send to us.

The data we process for you is related to your infrastructure and infrastructure performance. It is unlikely that this reduced data will contain commercial or personal data, and as such will, in most businesses, be regarded as very low risk.

However, as a policy, we treat all your data as confidential and we have put in place security measures to protect it. Even if you classify your data as sensitive we hope you will agree our security measures are strong enough to use our services.

Contact

We feel we have done everything we should to protect your data and to give you the information you need to make an informed decision about Capacity Planner security.

If you require further detail to satisfy your security concerns, please contact your account representative. We have a number of security papers available which will allow you to make a fully informed assessment of our security measures.