Fronter has implemented an information security management system (ISMS), covering all parts of the Fronter service. Our Security policy states that Fronter is actively committed to ensuring the appropriate security, integrity, availability and confidentiality of our own and our customers' information. This is also our responsibility in our role as a data processor for our customers. The customer in turn is the data owner. The data owner is responsible for determining the purpose for which we process the data, as well as suitable security objectives and strategies, and ensuring compliance with relevant legislation (e.g. through a Privacy Impact Assessment).
The ISMS is certified to comply with the ISO/IEC 27001 Standard for Information Security.
It is our policy to ensure that:
- Information is protected against unauthorised access
- Confidentiality of information is assured
- Integrity of information is maintained
- Regulatory and legislative requirements are met
- Appropriate Business Continuity plans are maintained and tested
- All breaches of information security, actual or suspected, are investigated by competent persons and reported to senior management
The Fronter application is regularly scanned for known vulnerabilities (cross-site scripting and others) and patched when the need arises. We also conduct thorough security testing during the early development stages.
Fronter's hosting services place a high priority on technical security. All traffic is logged, and the logs can be used to detect intrusions. Access to systems and data is strictly controlled and granted only to staff who need it to carry out their tasks. The servers are also monitored for changes to critical files. All available security patches are installed without delay.
All files in Fronter are scanned for viruses. If the scanner finds an infected file, it tries to remove the virus without destroying the file's content. If this is not possible, the file is deleted. All anti-virus actions are logged.
All customer files and databases are backed up nightly. In the case of any apparent data loss, e.g. users deleting content by mistake, please liaise with your Fronter administrator and support team to request a data restore.
Where is my data hosted?
The main Fronter hosting site is in Norway, hence within the European Economic Area, and as such from a geographical and legal perspective on a par with hosting sites within the EU countries. We also operate multi-purpose hosting sites in the US and Asia, for customers in those regions.
What data exactly is hosted by Fronter depends on the integration we have with your user administrative system, i.e. what data we import into Fronter to support user account provisioning, group enrolling etc.
Who can see and do what in Fronter?
To log on to Fronter, you need a valid username and a valid password. The passwords are encrypted, but many users authenticate through their own services for added simplicity and security. When a user logs on, the username and password are sent over an SSL-encrypted connection.
In the Fronter system, a user is restricted in what he/she can do. Access control is managed in a flexible administration module, and privileges are granted through membership in groups. The following principles apply:
- A user is set up with read, write or delete rights in a room.
- A user cannot create other users with more rights than he/she has him/herself.
- A user cannot change his/her own rights.
- A user is also restricted in what he/she can access in the structure.
Access to objects is verified and controlled on every operation. It is not possible to gain access to content or features of the program merely by knowing the link to the object or feature. Please liaise with your Fronter administrator if you have any questions about how the system is set up at your institution.
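The principles listed above, as an added example in Python that is not Fronter's own code: rights in a room come only from group membership, every object access is authorised on the spot (so knowing an object id grants nothing), a user cannot hand out more rights than they hold, and nobody can change their own rights. Room, group, user and object names are constructed for the illustration.

```python
# Added example, not Fronter's code: a minimal model of the group-based
# access-control principles described above. Rooms, rights, groups and the
# user names are all constructed for the illustration.
from enum import IntEnum


class Right(IntEnum):
    """Rights in a room are ordered; a higher right implies the lower ones."""
    NONE = 0
    READ = 1
    WRITE = 2
    DELETE = 3


class AuthorizationError(PermissionError):
    """Raised when an operation is attempted without sufficient rights."""


class AccessControl:
    """Group-based access control over rooms and the objects stored in them."""

    def __init__(self):
        self.room_objects = {}   # room -> set of object ids stored in that room
        self.group_rights = {}   # (group, room) -> Right granted by membership
        self.user_groups = {}    # user -> set of groups the user belongs to

    def add_object(self, room, object_id):
        self.room_objects.setdefault(room, set()).add(object_id)

    def grant(self, group, room, right):
        self.group_rights[(group, room)] = Right(right)

    def add_user(self, user, groups=()):
        self.user_groups[user] = set(groups)

    def right_in_room(self, user, room):
        """Effective right: the strongest right among the user's groups."""
        rights = (self.group_rights.get((group, room), Right.NONE)
                  for group in self.user_groups.get(user, ()))
        return max(rights, default=Right.NONE)

    def access_object(self, user, room, object_id, needed):
        """Every operation is authorised; knowing an object id grants nothing."""
        if object_id not in self.room_objects.get(room, ()):
            raise AuthorizationError(f"no object {object_id!r} in room {room!r}")
        if self.right_in_room(user, room) < needed:
            raise AuthorizationError(f"{user!r} lacks {needed.name} in {room!r}")
        return object_id

    def _assert_can_grant(self, actor, groups):
        """Refuse any group that carries more rights than the actor holds."""
        for (group, room), right in self.group_rights.items():
            if group in groups and right > self.right_in_room(actor, room):
                raise AuthorizationError(
                    f"{actor!r} cannot grant {right.name} in {room!r}")

    def create_user(self, creator, new_user, groups):
        """A user cannot create another user with more rights than they have."""
        self._assert_can_grant(creator, groups)
        self.add_user(new_user, groups)

    def change_groups(self, actor, target, groups):
        """A user cannot change their own rights; changing others' is capped."""
        if actor == target:
            raise AuthorizationError("users cannot change their own rights")
        self._assert_can_grant(actor, groups)
        self.user_groups[target] = set(groups)


def _outcome(action):
    try:
        action()
        return "allowed"
    except AuthorizationError:
        return "denied"


def demo():
    """Exercise each principle; returns a dict of outcomes for inspection."""
    ac = AccessControl()
    ac.add_object("maths-101", "assignment-7")
    ac.grant("maths-teachers", "maths-101", Right.DELETE)
    ac.grant("maths-students", "maths-101", Right.READ)
    ac.add_user("alice", ["maths-teachers"])
    ac.add_user("bob", ["maths-students"])
    ac.add_user("mallory")   # knows the object id but is in no group
    read, write = Right.READ, Right.WRITE
    results = {
        "bob reads": _outcome(lambda: ac.access_object("bob", "maths-101", "assignment-7", read)),
        "bob writes": _outcome(lambda: ac.access_object("bob", "maths-101", "assignment-7", write)),
        "mallory reads by id": _outcome(lambda: ac.access_object("mallory", "maths-101", "assignment-7", read)),
        "bob creates a teacher": _outcome(lambda: ac.create_user("bob", "carol", ["maths-teachers"])),
        "alice creates a student": _outcome(lambda: ac.create_user("alice", "carol", ["maths-students"])),
        "alice edits own rights": _outcome(lambda: ac.change_groups("alice", "alice", ["maths-students"])),
    }
    results["carol's right"] = ac.right_in_room("carol", "maths-101").name
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check in `access_object` is the point of the last principle: the object id is looked up inside the room and the caller's effective right is evaluated on every call, so the id itself is never a capability.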
How can I contribute to improved security in Fronter?
Whilst Fronter is a modern, secure system with minimal possibilities for somebody breaking in, human factors tend to be the largest threat to computer systems. Examples of such factors include easily guessed passwords, or providing login credentials to somebody pretending to be a legitimate administrator (so-called "phishing" attempts).
At Fronter we hear of and see such attacks on a regular basis. We would therefore like to take this opportunity to emphasise the importance of never disclosing login credentials, of creating passwords of sufficient complexity, and of changing the password regularly.
When somebody claims to be an administrator for Fronter or another system and asks you to log in at a given address to verify your credentials, or simply asks you for your password, it may be a phishing attempt. Below are some things to keep in mind in such cases.
In general, be wary of requests to validate credentials. For one thing, there is no reason for any system administrator to ask you for your password.
If you receive suspicious emails with links to e.g. login pages, hover your mouse over the link to check the actual URL in the browser's (or e-mail client's) status bar. While the message text may say "fronter.com", the link may in reality take you to a completely different site.
When logging in, make sure the URL in the browser address bar is correct. Spelling mistakes in such emails should also serve as warning signs, as they are typical of phishing scams, at least for now.
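The "hover over the link" check, done programmatically, as an added example that is not part of the original page: the script parses the anchors in an HTML e-mail and flags links whose visible text shows one URL while the `href` points at another host, as well as hosts that merely contain a trusted domain name (such as `fronter.com.example-login.net`). The sample message and the trusted-domain list are constructed for the example.

```python
# Added example, not Fronter's code: flag links in an HTML e-mail whose
# visible text and real target disagree, or whose host merely looks like a
# trusted domain. The sample message below is constructed for the example.
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """
<p>Dear user, your account will be closed unless you verify it at
<a href="http://fronter.com.example-login.net/verify">https://fronter.com/login</a>.
You can also use the <a href="https://login.fronter.com.evil.example/">Fronter login</a>
or read <a href="https://fronter.com/help">our help pages</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased hostname if `text` is an http(s) URL, otherwise None."""
    parsed = urlparse(text.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, trusted_domains=("fronter.com",)):
    """Return (href, visible text, reason) for each link worth distrusting."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href) or ""
        text_host = host_of(text)
        # Case 1: the text shows a URL, but the link goes somewhere else.
        if text_host and text_host != href_host:
            findings.append((href, text, "visible URL differs from real target"))
            continue
        # Case 2: a trusted domain name appears in the text or host, yet the
        # host is not actually under that domain (fronter.com.example-login.net).
        mentions = any(d in text.lower() or d in href_host for d in trusted_domains)
        if mentions and not any(belongs_to(href_host, d) for d in trusted_domains):
            findings.append((href, text, "lookalike host mentions a trusted domain"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

`belongs_to` insists on a dot boundary, which is what makes `login.fronter.com.evil.example` a lookalike rather than a subdomain; a plain substring test would have passed it.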
A good password is hard to guess but easy to remember; in practice this balance is not always easy to strike. Some complexity in the password is nonetheless strongly encouraged: for instance, a good password should contain digits and capital letters in addition to lower-case ones. Changing the password on a regular basis is likewise recommended. To make this less of a nuisance, institutions are encouraged to integrate with their own LDAP directory, which reduces the number of different passwords to remember. Even the best password, however, quickly stops being secret if it is written on a post-it note stuck next to the computer.
The password reminder is another function intended to support improved security, as is limiting the number of login retries on a user account. Please contact your local Fronter team for more details on these options.
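The two controls described in the last two paragraphs, a complexity rule for new passwords and a limit on login retries, as an added Python example that is not Fronter's own code. The thresholds (10 characters, 5 failed attempts, a 15-minute lock) are assumptions chosen for the illustration, not Fronter's settings.

```python
# Added example, not Fronter's code: the two controls the text mentions,
# a password-complexity check and a limit on consecutive failed logins.
# Thresholds (10 characters, 5 attempts, 15-minute lock) are assumptions.
import re


def password_problems(password, min_length=10):
    """Return the unmet requirements; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems


class LoginLimiter:
    """Lock an account after `max_failures` consecutive failed attempts.

    `now` is passed in as seconds (e.g. time.time()) so the behaviour is
    deterministic and can be tested without sleeping.
    """

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> time at which the lock expires

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def attempt(self, user, password_ok, now):
        """Record one login attempt and return 'locked', 'ok' or 'denied'.

        While the account is locked the result is 'locked' even for a correct
        password, so the response does not reveal whether a guess was right.
        In a real system, call is_locked() before verifying the password so
        that locked accounts cost no password-hashing work.
        """
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures.pop(user, None)     # success resets the counter
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures.pop(user, None)     # counter restarts after the lock
        return "denied"


if __name__ == "__main__":
    print(password_problems("correcthorse"))
    limiter = LoginLimiter(max_failures=3, lockout_seconds=60)
    for t in range(4):
        print(t, limiter.attempt("demo-user", False, t))
    print(70, limiter.attempt("demo-user", True, 70))
```

The limiter keys only on the account name, which is what the text describes; a deployment that also wanted to slow down a single source trying many accounts would add a second limiter keyed on the client address.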
If anything bad happens after all…
If you have any reason to believe that your Fronter account or any information in Fronter has been compromised, please contact your Fronter administrator immediately. Fronter administrators can first establish where the possible breach is and then liaise with Fronter support to take immediate action. Fronter also co-operates with local law enforcement and data privacy agencies whenever needed.
Posted on Tue, May 5, 2015
by Sarah Voit