Security and IT Documentation
CosmosID-HUB remains committed to maintaining the highest standards in security, compliance, and IT operations. Our platform ensures your microbiome data is secure, reliable, and readily accessible, empowering your research with confidence and precision.
This document outlines the IT security policies for the CosmosID-Hub Portal hosted on AWS. The goal is to ensure the confidentiality, integrity, and availability of user data, especially sensitive Next-Generation Sequencing (NGS) data, and to comply with relevant legal and regulatory standards.
Infrastructure and Data Protection
- Cloud Provider: CosmosID-HUB uses Amazon Web Services (AWS) for cloud infrastructure, benefiting from AWS’s industry-leading security and scalability.
- Data Encryption: All user data, including Next-Generation Sequencing (NGS) data, is encrypted both in transit and at rest.
- Data in Transit: Secure Socket Layer (SSL) or Transport Layer Security (TLS) encryption is required for all data transmissions between users and the platform.
- Data at Rest: All stored data must be encrypted using AES-256 encryption within AWS’s storage services (e.g., Amazon S3, RDS).
- Data Storage: Data is stored in Amazon S3 buckets with 99.999999999% durability across multiple availability zones.
- Database Security: User data is managed through Amazon RDS (PostgreSQL), which includes encryption, daily backups, and cross-region replication for added resilience.
- Data Retention: NGS data will be retained at the CosmosID Amazon S3 cloud storage according to the platform’s data retention policy. Users can request data deletion via a written notice. Logs and metadata will be retained for a minimum of 90 days for auditing purposes, unless otherwise specified by law.
Access Control and Authentication
- Role-Based Access Control (RBAC): Access to sensitive data is managed through RBAC policies, ensuring only authorized personnel can access critical systems.
- Multi-Factor Authentication (MFA): MFA is required for system administrators and encouraged for all users to prevent unauthorized access.
- Network Security: All public-facing endpoints are beind a virtual firewall with intrusion detection systems (e.g., AWS GuardDuty) and network segmentation to protect the platform against unauthorized access.
Software Development and Maintenance
- System Patching and Updates: All system components, including the operating system, libraries, and platform software, must be regularly patched. Critical security updates should be applied within 24 hours of release, while general patches should be applied monthly.
- Agile Development: CosmosID employs Agile methodologies, allowing rapid iterations, continuous improvement, and sprint-based development cycles.
- Version Control: Azure DevOps Git is used for code versioning and change management.
- CI/CD Pipelines: Automated Jenkins pipelines facilitate continuous integration, testing, and deployment of software updates.
- Quality Assurance: Rigorous testing processes, including unit tests, end-to-end tests, and user acceptance testing (UAT), are conducted before any release. All release summaries and validation checklists are documented in MediaLab for quality and document management.
Incident Response Plan
- Incident Identification: Incidents may be detected through automated monitoring systems (e.g., AWS CloudWatch, GuardDuty), user reports, or third-party security audits.
- Incident Response Process
- Initial Assessment: Within 12 hour of identifying an incident, the security team must assess the situation and determine the severity of the breach.
- Containment: Immediate steps must be taken to contain the incident, such as blocking affected IP addresses or disabling compromised user accounts.
- Eradication: Once the incident is contained, any malicious elements or vulnerabilities must be removed from the system.
- Recovery: Data restoration and system recovery efforts must follow a predefined recovery plan.
- Post-Incident Review: A review must be conducted to document the incident and update the security policies to prevent future occurrences.
Disaster Recovery and Business Continuity
- Backup Strategy: Daily backups of critical data and system configurations are performed, with backup data replicated across multiple AWS regions. Disaster recovery testing should occur biannually to ensure all backup and restoration processes function as expected.
- Disaster Recovery Plan: In the event of a major incident (e.g., system failure, natural disaster), the following steps must be followed:
- Recovery Time Objective (RTO): Critical services are restored within 4 hours during an outage or disaster scenario.
- Recovery Point Objective (RPO): Data loss is minimized to 8 hours at most during a disaster.
User Responsibilities
- Password Security: Users must create strong passwords and update them regularly. Sharing passwords or account details is strictly prohibited.
- Phishing and Social Engineering Awareness: Users should be aware of phishing emails and other forms of social engineering attacks. Do not click on links or download attachments from untrusted sources. Report suspicious emails to [email protected].
Compliance and Auditing
- Regular Audits: Internal audits are conducted quarterly, with annual external audits to ensure compliance with security standards.
- Penetration Testing: Annual penetration tests evaluate the security posture of the platform. Recent testing revealed no major vulnerabilities, affirming the system's resilience.
- Monitoring Tools: AWS CloudWatch and GuardDuty are used for real-time monitoring of system performance and potential security incidents.
Ongoing Monitoring and Maintenance
- System Monitoring: Datadog monitors real-time system performance, while AWS CloudWatch tracks security incidents and operational metrics.
- Regular Maintenance: Monthly maintenance includes deploying software updates, restarting services, and conducting performance checks to ensure stability.
FAQ
What is your inactivity timer configured to? Can this be configured as needed?
- 12 hours. Yes, it can be configured as needed.
Is your AWS hosting in multiple regions and what regions are they hosted in?
- No. The CosmosID-Hub is hosted at us-east-1 with multiple AZs
What tools are you using for remote connections and remote support?
- We set up an AWS vpn connection and use ssh for remote access if needed.
Can you provide me with a list of the services you are using in your AWS environment?
- EC2, S3, RDS, ECR, ECS, MQ, VPC, WAF, Key Management, IAM, Route 53, Directory Service, Secrets Manager, Elastic Load Balancing
What endpoint protection are you using?
- WAF, Symantec Endpoint Protection.
What is your patching cadence?
- Our DevOps engineer applies critical patches immediately and monthly for non-critical updates.
What are your remediation timelines for critical and high vulnerabilities?
- 72 hours for critical and 7 days for high vulnerabilities.
What is your vulnerability scanning cadence?
- Monthly
Updated about 2 months ago