Top priority given to cyber security
- Security Council made up of international experts
Verifdiploma's cybersecurity guarantees in a brief summary
Employees, CISOs
Guarantee safety, availability and integrity of your IS and data.
Cyber security monitoring of all our teams
- Review of all internal and external collaborators
- Continuous training and upgrading programme
- Screening of information systems security
Securing all accesses
- Time-limited complex password strategy
- Validation at two levels for each session
- Access to encrypted documents (diploma, identity document...)
- Network compartmentalization
- Regular access and log audits
Permanent protection of all data
- Secure dedicated servers based in France (OVH)
- SSL certificates for data exchanges
- Transmission via https protocol
- Segmentation passwords
- Daily and audited backups
- Duplicate backups on multiple servers
- Programming of breach simulation exercises
Security control of all operations
- Implementation of a business continuity plan
- Planning a reversibility plan
- Quality monitoring by the Quality Assurance team
Management of any information security incident
- Definition of responsibilities and assignment of roles
- Establishment of an incident management committee
- Definition of reporting and alert procedures
- Planning a regularly tested continuity plan
A verifdiplomagroup philosophy for a steady improvement
- Planning regular internal and external audits
Verifdiploma's cybersecurity commitments in detail
In general terms
- To implement the skills and technical and organisational measures necessary and at least in accordance with the state-of-the-art, to ensure the security of the clients’ Data and client's information system in all its components (availability, integrity - by protecting them from any infringement, in particular modification or destruction -, confidentiality with regard to unauthorised third parties, traceability of all the processing performed and authentication of all the persons having performed)
- Maintain a level of expertise in information systems security that is fully compliant with the state-of-the-art, and at least sufficient for the execution of the services
- Provide proof of this level of skills and organisational and technological mastery on first request by producing any recognised qualification, authorisation, or certification.
- Inform the client of the evolution of this level of skills and organisational and technological mastery
- Designate a security officer to ensure the level of security
Security of infrastructure and services
- Guarantee a level of infrastructure and service security that is fully compliant with the state-of-the-art, particularly the ISO 27001 standards, and that is at least sufficient for the execution of the services; the level of security provided must therefore comply with its information systems security policy ("ISSP") and its application documents
- Provide the client with all necessary information concerning the security of the processing it implements and/or the infrastructure it provides so that the client can assess the robustness of the architecture and operational procedures regarding its security objectives, the known weaknesses, and residual risks, and identify the additional devices to be put in place
- Inform the Client of any change in its security context (e.g., change of storage location for servers and backup servers, change of technology, change of ownership, etc.).
- Install security software (anti-virus, etc.) on all systems enabling the provision of services and keep them up to date by applying the latest signatures published by the publishers to protect the client against any introduction of malicious software into the client's information system or data. If, despite these precautions, a malicious program is introduced into the client's information systems or data, the costs of diagnosis and restoration shall be charged to the service provider, unless he demonstrates his total absence of responsibility for this introduction. Despite these precautions, if such a malicious program is introduced into the customer's information system or data, the customer and verifdiploma shall cooperate to determine the origin, consequences, and remediation options. Should it become apparent that the introduction of the malware is solely the responsibility of the customer, the customer shall bear the costs of diagnosis and remediation. If the Provider is responsible for the introduction of the malware, the Provider shall bear the costs of diagnosis and remediation
- To regularly perform all appropriate tests and to check in advance the IT elements made available to the client or used by verifdiploma
- Implementing all technical and organisational physical security measures for prevention, detection and reaction to any security risk (e.g. hacking) that may affect the buildings, server rooms, technical premises and storage areas used by the service used by the client
- Provide a regular report on the risks covered and the remedial actions taken.
- Organise a periodic safety committee in the presence of a client representative, during which the service provider's safety manager will review the safety risks identified and the associated safety measures taken.
Logical access control
- Take all state-of-the-art, security measures regarding logical access control.
- Keep a time-stamped record of the actions performed in its information system (particularly flows sent and received, new application versions, tests, errors, de-duplications, and purges, etc.) for control, audit, and evidence purposes
- To keep available to the client a secure event log containing the traces of connection to the data and of the operations carried out by the authorised users and verifdiploma and, if necessary, by any other person, for a period of one year from the recording of each of these traces
Human resources
- Vouch for its staff and any subcontractors.
Data backups
- Use a data backup and service continuity system. In any case, verifdiploma ensures the backup of the information it processes in its information system and allows the restoration of the service and the data at any time. The policies, procedures and measures taken by verifdiploma concerning back-up detail in particular the responsibilities, frequency, storage conditions, access, and restoration processes as well as the control processes. These are specified and communicated to the client prior to the implementation of the services.
Prevention and management of vulnerabilities
- All services provided or made accessible to the client are, upon signature of the service agreement, free of any vulnerabilities that could affect the security of the client's data or information system and of which the client has not been specifically informed in advance by means of a risk assessment
- As soon as a new vulnerability has been identified by verifdiploma, the client, their subcontractors, any third party addressing one of them, or via public information, shall close this vulnerability or implement any other solution to this end that does not impact the price, performance, operation of the services, or security of the client's data and information system.
Prevention and management of security events and incidents
- Establish and enforce a strict policy for security event management, security event qualification and security incident management as defined in the latest version of ISO 27001 and any current or future security standards that may be specific to the client's business
- Alert the client immediately when a security incident that may affect the client's data, its information system, its infrastructure, its network or any other system that may even indirectly impact the services provided to the client (partitioning, access, hacking, loss of integrity, loss of data, etc.) has been detected or brought to its attention, or upon receipt of any complaint addressed to it by any individual concerned by the processing of the said data
- Assist the client, free of charge, in the implementation of any action to deal with the security incident, including notification to the competent authorities and to the persons concerned by the breaches.
In this context :
- Assisting the client during any legal, judicial or regulatory formalities
- Providing all the information useful to the client in assessing the extent of the security incident and enabling it to communicate with its own clients
- Specifying without delay the backup and remediation procedures used in the management of these incidents, as well as their impact on the protection of the information system and the security of the data
Security audit
- To authorise the client, or any other service provider chosen by the client, if it is not a direct competitor of the service provider, to perform, monthly, infrastructure audits, application vulnerability audits or intrusion tests on the information systems enabling the provision of services, such as particularly the companies hosting all or part of the service provider's system
- To hold the necessary and sufficient rights and authorisations to perform the said tests and audits on the information systems which are the subject of this obligation. If the results of these audits and intrusion tests demonstrate any breach in the security of the infrastructure and of any element necessary for the provision of the services, verifdiploma undertakes to take any useful corrective measures as soon as possible.
Business Continuity Plan (BCP)
- Have a BCP which verifdiploma is committed to maintaining for the duration of the service to ensure continuity of service.
- Keep this BCP up to date and test it regularly at its own expense.
- Provide a copy of its most up to date BCP and latest tests to the customer upon request