Aug 28

CUBE CLOUD SECURITY


Application Security

Data Integrity

Each client has their own separate database instance and runs a unique instance of the application framework.

SSL Security: SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser stays confidential and unaltered in transit.

Every CUBE application is accessed over https://, and clients can confirm this from their browser's security indicator, usually a green lock icon, which shows that the site is properly secured. If you test your CUBE access URL with the SSL Labs Server Test, it receives an A grade, indicating the highest level of SSL security available.

Application Security and User Access Management

CUBE implements secure log-on procedures: suitable authentication techniques are chosen, implemented and used; sensitive information is not disclosed at log-on time; data entry is validated; brute-force attacks are mitigated; log-on activity is logged; passwords are never transmitted in clear text over the network; and inactive sessions time out.

CUBE has taken measures to protect against common web application security vulnerabilities by implementing the following measures:

· CSRF protection

· Brute-Force Attack mitigation

· Form tampering protection

· SQL injection protection

· Enforcing SSL Security to protect against MITM attacks

Furthermore, clients are encouraged to lay out the roles and responsibilities for information security and allocate them to individuals using CUBE's granular Role-Based Access Control (RBAC) system. Where relevant, duties should be segregated across roles to avoid conflicts of interest and prevent inappropriate activities. The allocation of access rights to users is controlled from initial user creation through to removal of access rights when they are no longer required, including special restrictions for privileged access rights.

System and Application Access Control

Information access is restricted in accordance with the access control policy, e.g. through secure log-on (SSH keys only), password management, control over privileged utilities and highly restricted access to application source code and repositories.

FULL SERVER BACKUP

Appropriate backups are taken and retained in accordance with a backup policy.

Our hosting provider offers easy-to-use backups built into the server interface. This service provides automatic, weekly system-level backups, allowing you to easily revert or spin up new instances from the created images. Each weekly backup is retained for 4 weeks before being recycled.

The hosting provider uses a snapshot-based backup system that will create a point-in-time image based on the current state of the server. This process happens automatically within a pre-determined scheduling window, and is completed in the background while the server is running. This provides system-level backups of our server without powering down.

The following process occurs on our server when a backup occurs:

1. A snapshot of the live system is taken, creating a crash-consistent, point-in-time image.

2. The snapshot is backed up off-disk.

DATABASE BACKUP

Databases store some of the most valuable information in your infrastructure. Because of this, it is important to have reliable backups to guard against data loss in the event of an accident or hardware failure.

The hosting provider utilizes the Percona XtraBackup backup tool to provide a method of performing "hot" backups of MySQL data while the system is running. They do this by copying the data files at the filesystem level and then performing a crash recovery to achieve consistency within the dataset.

This system automates backups of MySQL data on our server. It uses cron (task scheduler) and the Percona tools to create daily secure backups that we can use for recovery in case of problems.

LOGGING AND MONITORING

System user and administrator/operator activities, exceptions, faults and information security events are logged and protected. All failed user login attempts are logged, and this is coupled with our brute-force mitigation mechanism, which locks out the offending IP address for a pre-determined period (5 minutes to 2 hours) after 3 consecutive failed attempts.
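The lockout rule above (3 consecutive failures, 5 minutes to 2 hours) as an added example, not CUBE's own code; the escalation policy (the lockout doubles on each repeat, up to the 2 hour cap, and resets on a successful login) and the injectable clock are assumptions for illustration.

```python
import time
from dataclasses import dataclass, field

THRESHOLD = 3              # consecutive failures that trigger a lockout
MIN_LOCKOUT = 5 * 60       # 5 minutes, in seconds
MAX_LOCKOUT = 2 * 60 * 60  # 2 hours, in seconds

@dataclass
class IpState:
    failures: int = 0          # consecutive failures since last success or lockout
    lockouts: int = 0          # lockouts so far; reset by a successful login
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked
    events: list = field(default_factory=list)  # audit trail for this IP

class LoginGuard:
    """Assumed policy (not stated on the page): the lockout doubles on each
    repeated lockout of the same IP, from 5 minutes up to the 2 hour cap."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so tests can fake time
        self.state: dict[str, IpState] = {}

    def _get(self, ip):
        return self.state.setdefault(ip, IpState())

    def is_locked(self, ip):
        return self._get(ip).locked_until > self.clock()

    def lockout_seconds(self, ip):
        s = self._get(ip)
        return min(MIN_LOCKOUT * (2 ** s.lockouts), MAX_LOCKOUT)

    def record_failure(self, ip, user):
        s = self._get(ip)
        s.events.append(("FAILED_LOGIN", ip, user))  # every failure is logged
        s.failures += 1
        if s.failures >= THRESHOLD:
            duration = self.lockout_seconds(ip)
            s.locked_until = self.clock() + duration
            s.lockouts += 1
            s.failures = 0
            s.events.append(("LOCKOUT", ip, duration))

    def record_success(self, ip, user):
        s = self._get(ip)
        s.failures = 0
        s.lockouts = 0
        s.events.append(("LOGIN", ip, user))

    def attempt(self, ip, user, password_ok):
        """Return 'locked', 'ok' or 'failed'; a locked IP is refused before the credential is checked."""
        if self.is_locked(ip):
            self._get(ip).events.append(("REFUSED_LOCKED", ip, user))
            return "locked"
        if password_ok:
            self.record_success(ip, user)
            return "ok"
        self.record_failure(ip, user)
        return "failed"
```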

REDUNDANCIES

Our hosting provider has sufficient redundancy to satisfy high availability requirements.

Communications

All communications with CUBE are transmitted over TLS (HTTPS). Connectivity to our servers is via SSH, and only SSH keys are used to set up our access. As an additional security measure, password authentication has been strictly disabled and SSH port obfuscation has been implemented.
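An audit of an sshd_config against the key-only policy described above, as an added example (not CUBE's or the hosting provider's tooling); the two sample configurations and the non-default port are constructed, and directives inside Match blocks are skipped because they are conditional.

```python
# Defaults sshd applies when a directive is absent (OpenSSH documented defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
    "port": "22",
}

def parse_sshd_config(text):
    """Return the effective directive -> value map.
    sshd uses the FIRST value it finds for a keyword, so a hardening line
    appended to the end of the file does nothing if a weak one appears above it.
    Directives after a Match block are conditional and skipped here."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "challengeresponseauthentication":       # older alias
            key = "kbdinteractiveauthentication"
        effective.setdefault(key, value)                   # first value wins
    return {**DEFAULTS, **effective}

def audit(text):
    """Return findings against the key-only policy; an empty list means compliant."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication still allows password prompts via PAM")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key-only access is impossible")
    if cfg["permitemptypasswords"] != "no":
        findings.append("PermitEmptyPasswords is enabled")
    if cfg["port"] == "22":
        findings.append("Port 22 in use (a non-default port only reduces scanner noise)")
    return findings

# Constructed samples: the weak 'before' and the hardened 'after'.
WEAK_CONFIG = """Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no   # added later: ignored, first value wins
"""

HARDENED_CONFIG = """Port 2222   # constructed non-default port
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
"""
```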

Data Center Security

Physical Security

Our hosting provider's datacenters are co-located with some of the most respected datacenter facility providers in the world. They leverage all of the capabilities of these providers, including physical security and environmental controls, to secure their infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorized entry. Security controls provided by their datacenter facilities include, but are not limited to:

· 24/7 Physical security guard services

· Physical entry restrictions to the property and the facility

· Physical entry restrictions to our co-located datacenter within the facility

· Full CCTV coverage externally and internally for the facility

· Biometric readers with two-factor authentication

· Facilities are unmarked so as not to draw attention from the outside

· Battery and generator backup

· Generator fuel carrier redundancy

· Secure loading zones for delivery of equipment

Infrastructure Security

Our hosting provider's infrastructure is secured through a defense-in-depth layered approach. Access to the management network infrastructure is provided through multi-factor authentication points, which restrict network-level access to infrastructure based on job function, following the principle of least privilege. All access to the ingress points is closely monitored and subject to stringent change control mechanisms.

Systems are protected through key-based authentication, and access is limited by Role-Based Access Control (RBAC). RBAC ensures that only the users who require access to a system are able to log in. They consider any system which houses customer data that they collect, or which houses the data customers store with them, to be of the highest sensitivity. As such, access to these systems is extremely limited and closely monitored.

Additionally, hard drives and infrastructure are securely erased before being decommissioned or reused to ensure that your data remains secure.

Access Logging

Systems controlling the management network log to their centralized logging environment to allow for performance and security monitoring. Their logging includes system actions as well as the logins and commands issued by their system administrators.

Security Monitoring

The hosting provider’s Security team utilizes monitoring and analytics capabilities to identify potentially malicious activity within their infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are performed following their incident reporting and response procedures.

Server Security & Employee Access

The security and data integrity of customer servers is of the utmost importance. As a result, their technical support staff do not have access to the backend hypervisors where virtual servers reside nor direct access to the NAS/SAN storage systems where snapshots and backup images reside. Only select engineering teams have direct access to the backend hypervisors based on their role.

Snapshot and Backup Security

Snapshots and backups are stored on an internal, non-public network on NAS/SAN servers. Customers can directly manage the regions where their snapshots and backups exist, which allows the customer to control where their data resides within the datacenters for security and compliance purposes.

COMPLIANCE

ISO/IEC 27001:2013 Certification

The hosting provider is certified in the international standard ISO/IEC 27001:2013. By achieving compliance with this globally recognized information security controls framework, audited by a third party, DigitalOcean has demonstrated a commitment to protecting sensitive customer and company information. That commitment does not end with a compliance framework; the framework is a necessary baseline for security. Our ISO/IEC 27001:2013 certificate can be viewed here.

EU-U.S. Privacy Shield Framework

The hosting provider is an active participant in, and complies with, the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce and the European Commission. The framework provides them with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States.

You can find more information about their commitment to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks in their Privacy Policy. Their active participation and certification in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks can be viewed on their website located here.

Datacenter Colocation Attestations and Certifications

All of their datacenters are independently audited and/or certified against various internationally recognized attestation and certification compliance standards. Many of the SOC reports and certifications listed below are available if a signed NDA is in place between the hosting provider and their customer.

GDPR

Overview

The General Data Protection Regulation (GDPR) is the most significant legislative change in European data protection law since the EU Data Protection Directive (Directive 95/46/EC), introduced in 1995. The GDPR, which became enforceable on May 25, 2018, strengthens the security and protection of personal data in the EU and serves as a single piece of legislation for all of the EU. It replaced the EU Data Protection Directive and all the local laws relating to it.

The hosting provider supports the GDPR and all their services comply with its provisions. Not only is the GDPR an important step in protecting the fundamental right of privacy for European citizens, it has raised the bar for data protection, security and compliance in the industry.

© 2019 by HRM Solutions Inc.