SSL is used on all XHUMA sites to encrypt all communications between the infrastructure servers and any person browsing the public and login areas of the service. SSL certificates are applied to all the domains and sub-domains used to access the application. This allows HTTPS communication for all data transfers, including login credentials, profile details, member data, etc.
(Encryption of Usernames/Passwords) - Database encryption ensures that user login credentials are stored in the system's databases in encrypted form. Therefore the actual login credentials (usernames, passwords) are never stored in the databases. In the event of unauthorised access to the system's database, login credentials remain unreadable and unassociated with specific profiles on the platform.
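The property claimed above (credentials that stay unreadable and unmatchable even if the database is copied) is normally met by storing a salted, one-way hash of each password rather than the password itself. The following is an added illustration and not XHUMA's own code: it uses scrypt from Python's standard library, constant-time comparison on verification, and a simulated users table; the scrypt parameters and the function names are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work-factor parameters (assumed values for this example; tune for the target hardware)
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to store instead of the password: 'scrypt$<salt hex>$<digest hex>'.

    The salt is random per user, so two members with the same password get
    different records and a leaked table cannot be matched against a
    precomputed list of hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def store_credentials(username: str, password: str, table: dict) -> None:
    """Simulated users table (constructed for this example): the plaintext password never enters it."""
    table[username] = hash_password(password)


def check_login(username: str, password: str, table: dict) -> bool:
    record = table.get(username)
    if record is None:
        # Hash anyway so an unknown username takes as long to reject as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, record)
```

Because the stored record cannot be turned back into the password, a database copy is useless for logging in; a reversible encryption scheme, by contrast, would only be as safe as the key that decrypts it.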
All application and data servers run the latest firewall software updates, which deter hacker attacks and unauthorised access to the core servers. The Linux servers currently employed for hosting Xhuma run the latest versions of iptables and UFW, configured to monitor and restrict server access ports. In addition to the software firewalls, a core hardware firewall is deployed with monitoring and alerting functionality.
The server clusters currently used to host Xhuma and other websites automatically back up each server with all its content on a weekly basis. Each backup is typically retained for four weeks. These backups are used to quickly recover or roll back the system should any serious system failure arise. In the event that a server is compromised by hackers, the last backup can be quickly deployed onto a new server with a new IP address and the domain pointed to the new host.
XHUMA servers come with tools for monitoring resource usage that generate email and other alerts/notifications to administrators when events of interest occur. Alert policies are configured to monitor certain resource thresholds that may indicate potential hack attacks (Denial of Service, DDoS, etc.) and other types of attack. These alerts are early warnings and mobilise our team to take the necessary actions to keep systems secure.
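The threshold-based alert policies described above can be expressed as a small evaluation loop over periodic resource samples. The following is an added example written for this page, not XHUMA's monitoring tooling: the policies, their thresholds and the metric samples are all constructed for illustration. A policy only fires after the threshold has been exceeded for several consecutive samples, so a single spike does not page anyone, and each policy fires once per evaluation run.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class AlertPolicy:
    metric: str        # key in each metrics sample
    threshold: float   # alert when the metric exceeds this value ...
    consecutive: int   # ... for this many consecutive samples (damps one-off spikes)
    message: str


# Hypothetical policies with illustrative thresholds; the platform's real settings are not on the page.
POLICIES = [
    AlertPolicy("conn_per_sec", 500.0, 3, "possible denial of service: sustained connection rate"),
    AlertPolicy("cpu_pct", 90.0, 5, "sustained CPU saturation"),
    AlertPolicy("failed_logins_per_min", 50.0, 2, "possible credential brute force"),
]

# Constructed metric samples, one every 10 seconds, as a resource monitor might collect them.
SAMPLE_METRICS: List[Dict[str, object]] = [
    {"ts": "10:00:00", "conn_per_sec": 120, "cpu_pct": 40, "failed_logins_per_min": 5},
    {"ts": "10:00:10", "conn_per_sec": 130, "cpu_pct": 42, "failed_logins_per_min": 6},
    {"ts": "10:00:20", "conn_per_sec": 800, "cpu_pct": 55, "failed_logins_per_min": 60},
    {"ts": "10:00:30", "conn_per_sec": 900, "cpu_pct": 60, "failed_logins_per_min": 70},
    {"ts": "10:00:40", "conn_per_sec": 950, "cpu_pct": 65, "failed_logins_per_min": 20},
    {"ts": "10:00:50", "conn_per_sec": 200, "cpu_pct": 50, "failed_logins_per_min": 4},
]


def evaluate(samples: Sequence[Dict[str, object]],
             policies: Sequence[AlertPolicy] = POLICIES) -> List[str]:
    """Walk the samples in order and return one alert line per policy whose
    threshold is exceeded for `consecutive` samples in a row."""
    alerts: List[str] = []
    streak = {p: 0 for p in policies}   # current run length of breaching samples per policy
    fired = set()
    for sample in samples:
        for p in policies:
            value = float(sample.get(p.metric, 0))
            streak[p] = streak[p] + 1 if value > p.threshold else 0
            if streak[p] >= p.consecutive and p not in fired:
                fired.add(p)
                alerts.append(f"[{sample['ts']}] {p.message} "
                              f"({p.metric}={value:g} > {p.threshold:g} for {p.consecutive} samples)")
    return alerts


def notify(alerts: List[str]) -> None:
    """Stand-in for the email/notification channel."""
    for line in alerts:
        print("ALERT", line)


if __name__ == "__main__":
    notify(evaluate(SAMPLE_METRICS))
```

On the constructed samples the failed-login policy fires at 10:00:30 and the connection-rate policy at 10:00:40, while the CPU policy stays silent; a production version would additionally re-arm a policy once its metric drops back below the threshold.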
All system update files uploaded to the server are scanned for viruses and malware before being accepted onto the system. Any malicious software encountered is quarantined and destroyed. Monitoring software is enabled on the cloud servers to regularly report on the health of the system.
As far as ISO compliance of data servers is concerned, the infrastructure and facilities we currently use are certified as below:
ISO certifications | SSAE16 / SOC attestations
ISO 27001:2005 | SSAE16 Type II certified
ISO 22301:2012 | SSAE16 SOC-1 Type II certified
ISO 9001 | SSAE16 SOC-2 Type II certified
ISO 14001 | SSAE16 SOC-3 compliant
ISO 50001 | SSAE16 / ISAE 3402 certified
Only persons or businesses that a membership organisation validates as members are invited to create a unique username and password to access the platform.
The platform allows multiple administrators to log into the system, each with a customised level of access as defined by the organisation. Each account can perform specific authorised tasks on behalf of the organisation. As such, the system provides functionality for assigning and revoking administrator roles and permissions as required.
The system's databases and architecture are designed to log the dates on which information transfers occur and the actors that initiate them. The fully deployed platform will employ a robust audit trail system that is easy for the client to navigate.
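The two preceding paragraphs (administrator roles that can be assigned and revoked, and an audit trail of who initiated each information transfer and when) fit together in one model. The following is an added example, not XHUMA's own code: the role names, permission names and the `AdminConsole` class are assumptions made for illustration. Every role change and every member-data export, whether allowed or refused, is appended to the log with a UTC timestamp and the initiating actor, and the log can be filtered by actor.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Hypothetical role definitions for this example; the platform's real roles are not on the page.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"view_members"},
    "editor": {"view_members", "edit_members"},
    "exporter": {"view_members", "export_members"},
}


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str   # UTC ISO-8601, when the transfer or role change happened
    actor: str       # administrator account that initiated it
    action: str
    outcome: str     # "ok" or "denied"
    detail: str


class AdminConsole:
    """Administrators hold zero or more roles; every role change and every
    member-data transfer is appended to an audit log with actor and timestamp."""

    def __init__(self) -> None:
        self.roles: Dict[str, Set[str]] = {}
        self.audit_log: List[AuditEvent] = []

    def _record(self, actor: str, action: str, outcome: str, detail: str) -> None:
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, action, outcome, detail))

    def assign_role(self, granted_by: str, admin: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError("unknown role: " + role)
        self.roles.setdefault(admin, set()).add(role)
        self._record(granted_by, "assign_role", "ok", f"{admin} += {role}")

    def revoke_role(self, revoked_by: str, admin: str, role: str) -> None:
        self.roles.get(admin, set()).discard(role)
        self._record(revoked_by, "revoke_role", "ok", f"{admin} -= {role}")

    def permissions(self, admin: str) -> Set[str]:
        """Effective permissions are the union of the permissions of all held roles."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.roles.get(admin, set())))

    def export_members(self, actor: str, member_ids: List[str]) -> List[str]:
        """A member-data transfer: refused and logged unless the actor holds export_members."""
        if "export_members" not in self.permissions(actor):
            self._record(actor, "export_members", "denied", f"{len(member_ids)} records")
            raise PermissionError(f"{actor} may not export member data")
        self._record(actor, "export_members", "ok", f"{len(member_ids)} records")
        return list(member_ids)

    def audit_trail(self, actor: Optional[str] = None) -> List[AuditEvent]:
        """Navigate the log: all events, or only those initiated by one actor."""
        return [e for e in self.audit_log if actor is None or e.actor == actor]
```

Recording the denied attempt as well as the successful export is deliberate: a run of refusals by one account is exactly the kind of entry a reviewer of the audit trail wants to find.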