Proactively protecting information: ISO 27001
We’ve implemented an information security management system (ISMS) and we’re certified against ISO 27001. The ISO 27001 certification demonstrates aNewSpring’s commitment to proactively managing and protecting information assets.
We have carefully designed our processes and continue to improve them. But without certification, it’s hard to prove this to the outside world. Since anyone who’s looking for a learning platform or a Learning Management System (LMS) will want to ensure their data is safe, we have gone through the ISO 27001 certification process. Now, it’s not just us saying that your data is safe with us; we can actually prove it.
A standard like ISO 27001 is a good start to provide insight into the level of security within aNewSpring. Not as a goal in itself, but as a means of getting information security in order, of keeping it that way and of taking it to a higher level.
Marlijn van de Kerkhof
Process & Quality Assurance Manager
On a daily basis, we make backups of the servers. These backups are then stored in a separate data centre. The process of restoring the production environment from the backups is tested on a regular basis.
Data centre security
All of our servers are stored in top-tier data centres in Europe. They are all measured against industry standards and meet certifications such as ISO 27001 (information security management), ISO 9001 (quality management), AMS-IX (operational and tech design requirements for the centre) and Open-IX (technical standards for interconnecting networks reliably).
Using OWASP to produce secure code
To ensure that we identify the most critical risks applicable to our platform, we test it (and its ongoing development) against the standards and benchmarks provided by the OWASP Top 10. The OWASP Top 10 is a comprehensive and powerful list put together by a variety of security experts around the world. Benchmarking against the OWASP Top 10 is a very effective step towards producing secure code.
Safe connection to other systems & apps
You can connect various systems and applications to the aNewSpring platform using APIs. To ensure a safe connection, we:
- Use HTTPS for all domains.
- Send the API key by using an HTTP header or a POST parameter (as opposed to a URL parameter).
- Ensure that the API key only works from specific IP addresses.
Private database per learning environment
Our platform is multi-tenant. This means that all clients make use of the same software but each environment has its own private database. This allows the data from different environments to maintain a strict separation of information, thus ensuring that clients cannot see the data of other clients.
All environments with a subdomain under anewspring.nl or anewspring.com can have an HTTPS connection. Because of this, it’s not possible for third parties to extract or intercept the information sent using this connection.
Many customers ask specific questions about the security of our platform. I’m glad they do. It shows that they take responsibility for the data of their customers. Many times, ‘security’ doesn’t get the attention it deserves.
Chief Technology Officer
Encrypted password storage
The passwords of all users of the platform are stored in an encrypted state. The hashing algorithm ensures that nobody (including the platform and aNewSpring employees) can retrieve account credentials, ensuring that sessions in our platform are secure.
Payment information is never stored in aNewSpring
When you use our catalogue feature to sell your courses, the payment is always routed through a payment provider. Payment information is never stored in aNewSpring.
System & network security
Our environment is protected by a firewall cluster which ensures that Internet traffic only passes through the HTTP and HTTPS ports. Outgoing traffic can only pass through ports which are used by external systems or applications that have a connection.
24/7 monitoring and alerting
All servers are monitored for availability and proper functioning, 24 hours a day, 7 days a week. In case of any technical problems, the support engineer receives a notification and he/she will resolve the problem as soon as possible.
Have any security questions?
We understand the importance of keeping your valuable data safe. That’s why Stefan, our Chief Customer Officer, is available to answer all your questions.
+31 (0)10 2447460