Board Portal Security: How to keep one step ahead in an ever-evolving game
The views and opinions expressed in this paper are those of the author and do not
necessarily reflect the official policy or position of Thomson Reuters.
CONTENTS
Introduction
Confidentiality
Integrity
Availability
Information Security Programs
Conclusion
Security Checklist – questions you need to ask
JUNE 2014
Today, more than ever, there is heightened awareness of security. We live in a digital, e-commerce society in which consumers have to worry not only about their credit and debit cards, but also about the security of the remote systems where that information is stored, commonly referred to as "the cloud." Consumers are inundated daily with security measures they should follow and safeguards they should have in place. Uncertainty abounds as websites are not only hacked, but the information held on them is stolen and shared. How can customers ensure their data keeps its integrity and is secured to the highest standard? What safeguards really need to be in place?
Make no mistake, information security is a
tough business. Those who would seek to steal
confidential information are highly motivated,
well-resourced and in some cases nation-state
sponsored. Hackers are patient and clever. They
work to identify new vulnerabilities and then craft
new methods of exploiting those vulnerabilities to
achieve their goals. Despite the best preventative
efforts, it is usually only after an event has
occurred and the vulnerability or weakness is
identified that the security industry devises a way
of detecting and mitigating the threat.
Companies are aware of this as they continue to
look for ways to reduce costs, increase efficiencies
and improve communications for their board
members. When companies begin to evaluate
board portals, one of their primary concerns is the
security and privacy of the information stored on
a board portal. In almost all cases, a prospective
customer wants to understand how the provider
protects information from both internal and
external threats. They also want to evaluate the
maturity of the information security program.
Only after understanding any potential risks, can
a prospective client reach an informed decision on
a board portal.
A secure board portal provider should, at the very least, require users to enter a username and password to enter the site, encrypt information and ensure the data center has a generator. But that is not enough. Information security, at its core, is about protecting the confidentiality, integrity and availability of an application or system, in this context a board portal. An application or service offering is secure if it demonstrates mature processes and has established sound operating controls. Making sure an application is secure is not a once-off activity, but requires diligence to address new and emerging threats through a dedicated and ongoing process.
When customers had to present a credit card
in person before purchasing something, there
were risks associated with paper copies of
transactions and credit card numbers. Today,
with the increase in online purchasing or simply
swiping a credit card, new ways of protecting
information from theft have been developed.
In short, threats change over time. Hackers
make their money by finding new and unique
ways of stealing information. Minute by minute,
persistent and typically very bright hackers are at
work. If there is a way, they will usually find it.
Let’s take a look at some of the real-world
issues providers deal with within the context
of CONFIDENTIALITY, INTEGRITY and
AVAILABILITY as well as the hallmarks of a
mature information security program.
CONFIDENTIALITY
Confidentiality is about making sure information is only available to authorized users, but more than that, it is also about addressing the risk of accidental disclosure, which could occur if, for example, a laptop is lost or stolen, a system or application is accessed from an insecure network (like an open WiFi network) or even if a printed document is lost. Checks and balances need to be in place to ensure data will not inadvertently be shared with third parties, and organizations must know exactly who has access to their confidential data.
accelus.thomsonreuters.com
Authentication
Authentication verifies who a user is. A secure system requires a user to present specific information in order to authenticate, that is, to prove their identity. Simply entering a username and password, however, is no longer enough. Users should be required to choose strong passwords, repeated failed attempts should be limited, and only authorized users should be able to log into the subsystems that make up the board portal. For added security, two-factor authentication (a second factor such as a one-time code from a token or phone, in addition to the password) should be in place.
Authorization
Authorization determines what an authenticated user is permitted to do and occurs after successful authentication. It is important that the application not only authorizes the user at login, but re-checks authorization on every request throughout the session, since roles and board memberships can change while a session is open. If the same application serves multiple roles, it must ensure users cannot elevate their privileges beyond those assigned, for example by manipulating identifiers or parameters in their requests.
INTEGRITY
Data integrity centers on making sure data cannot be modified without detection. This includes data entered into the board portal, data as it travels across a network, and the application's source code. Vulnerability management is an essential aspect of data integrity, and organizations must know exactly who will have access to their data. Furthermore, data must be verified on a regular basis (for example by checksums or reconciliation against a trusted copy) to ensure it is complete and intact.
Encryption
Data encryption ensures that information stored within the board portal remains confidential and cannot be read even by those who manage the systems and application, provided the keys are held separately from the data and from routine administrative access. If data is encrypted in the system, access to the key that makes decryption possible must be tightly controlled and the key itself protected, for instance in a hardware security module or a key-management service with its own access logging. Organizations must understand what encryption technologies (algorithms, key lengths and key-management practices) are used to protect data at rest.
Man-in-the-Middle Attacks (MITM Attacks)
A MITM attack is one in which an attacker positions themselves between a user and the server so that traffic passes through them and can be read, recorded or altered without either side noticing. A board portal must ensure that all information (including credentials) sent to and from the server remains confidential by encrypting it in transit with TLS (HTTPS), and that its clients, including mobile apps, actually verify the server's certificate rather than accepting whatever certificate is presented. It is important to understand how data traverses the network, whether it can ever be viewed as cleartext (for example between a load balancer and the application servers) and what protocols and protocol versions are used.
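Whether HTTPS actually defeats an interception attempt is usually decided on the client side. The following is an added example written for this edit, not code from the paper or from any board portal product; it uses only the Python standard library. It shows a client TLS context configured the way a portal client should be, the shortcut that silently reopens the door to a man-in-the-middle (found in many mobile and integration clients that "fix" certificate errors), and a small audit function that reports the weaknesses it finds.

```python
# Added example: secure versus insecure client-side TLS configuration, with an
# audit helper. Python standard library only; nothing here connects to a server.
import ssl


def secure_client_context():
    """How a portal client should talk to the server: the certificate chain is
    verified against the trust store, the hostname is checked against the
    certificate, and nothing older than TLS 1.2 is accepted."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context():
    """The shortcut that reintroduces a man-in-the-middle: certificate errors
    'go away' because any certificate, including an attacker's, is accepted.
    (check_hostname must be disabled before verify_mode can be set to CERT_NONE.)
    Older Python versions also accepted TLS 1.0 by default on such a context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Returns a list of human-readable findings; an empty list means the
    context verifies the peer, checks the hostname and refuses legacy TLS."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    return findings


if __name__ == "__main__":
    print("secure:", audit_context(secure_client_context()) or "no findings")
    print("insecure:", audit_context(insecure_client_context()))
```

The same three questions (is the peer verified, is the hostname checked, which protocol versions are allowed) apply to every hop the data takes, including internal ones between a load balancer and the application servers.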
DDoS Protection
As with any product delivered over the internet,
it is crucial a company is able to protect itself
from a Distributed Denial of Service (DDoS)
attack. A DDoS attack restricts the availability
of a website. Hacktivists like Anonymous use
DDoS attacks to take websites offline to punish
those they feel deserve it. Before choosing a
board portal, clients need to understand what,
if any, protection it has against a DDoS attack
and whether the data center that serves the
application is served by one or more internet
service providers.
Offline access
Board portals typically offer both online and offline access to information, allowing a board member to download material to a local computer or tablet and read it without a connection. The application should provide effectively the same level of protection offline as online: the cached copy should be encrypted on the device, the user should have to authenticate before it can be opened, and there should be specific controls for access via iPads or other tablets. Moreover, the account should be locked after a defined number of failed login attempts, offline as well as online.
Multiple Boards
It is quite common for a board member to sit on
more than one board. For board members in
this situation, it is useful if the same board portal
solution is able to be used across all boards.
The board portal must therefore isolate each board's data so that membership of one board never grants access to another's, and must address the risk of data leaking from one board to another, for example through shared search indexes or offline caches.
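The two points above (authorization re-checked on every request, and no leakage between boards) come down to the same implementation habit: for each request, the server must verify that the session's user holds a role on the board that owns the record being touched, instead of trusting an identifier the client supplies. The following Python is an added illustration written for this edit, not code from the paper or from any portal product; the in-memory users, boards and documents are constructed sample data, and a real application would hold them in a database and take the user from an authenticated session.

```python
# Added example: per-request authorization scoped to the board that owns each
# record. Users, boards and documents are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: int
    board_id: str
    title: str


@dataclass
class User:
    user_id: str
    memberships: dict = field(default_factory=dict)  # board_id -> "member" | "admin"
    active: bool = True


DOCS = {
    101: Document(101, "acme", "ACME Q2 board book"),
    102: Document(102, "acme", "ACME audit committee minutes"),
    201: Document(201, "globex", "Globex merger term sheet"),
}
USERS = {
    "alice": User("alice", {"acme": "member", "globex": "member"}),  # sits on two boards
    "bob": User("bob", {"acme": "admin"}),
    "carol": User("carol", {"globex": "member"}),
}


class Forbidden(Exception):
    pass


def fetch_document_vulnerable(session_user_id, doc_id):
    """The weak pattern: authorization happens once, at login (the session maps
    to a known user), and the document id supplied by the client is then
    trusted. Any logged-in director can read any board's material by guessing
    an id."""
    if session_user_id not in USERS:
        raise Forbidden("not authenticated")
    return DOCS[doc_id]


def fetch_document(session_user_id, doc_id):
    """The hardened pattern: every request re-checks that the session's user is
    still active and holds a role on the board that owns the document. Missing
    and forbidden documents raise the same error so the endpoint does not
    reveal which ids exist on other boards."""
    user = USERS.get(session_user_id)
    if user is None or not user.active:
        raise Forbidden("not authenticated")
    doc = DOCS.get(doc_id)
    if doc is None or doc.board_id not in user.memberships:
        raise Forbidden("no such document")
    return doc


def list_documents(session_user_id, board_id):
    """Listings are filtered by a board the user actually belongs to; the board
    id is validated against the user's memberships, never trusted as given."""
    user = USERS.get(session_user_id)
    if user is None or not user.active or board_id not in user.memberships:
        raise Forbidden("not a member of this board")
    return [d for d in DOCS.values() if d.board_id == board_id]


def delete_document(session_user_id, doc_id):
    """A privileged action checks the role on the owning board at request time,
    so an admin of one board cannot act as admin on another."""
    doc = fetch_document(session_user_id, doc_id)
    if USERS[session_user_id].memberships[doc.board_id] != "admin":
        raise Forbidden("admin role required on this board")
    del DOCS[doc_id]
    return doc


def can_read(session_user_id, doc_id):
    """True if fetch_document would allow the read (useful when rendering links)."""
    try:
        fetch_document(session_user_id, doc_id)
        return True
    except Forbidden:
        return False


def can_delete(session_user_id, doc_id):
    """Dry run of delete_document's checks, without deleting anything."""
    try:
        doc = fetch_document(session_user_id, doc_id)
    except Forbidden:
        return False
    return USERS[session_user_id].memberships[doc.board_id] == "admin"
```

With this data, carol (Globex only) can open ACME's board book through the vulnerable handler but not through the hardened one, alice can read on both of her boards, and bob's admin role on ACME gives him nothing on Globex. Deactivating a user takes effect on the next request rather than at the next login.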
Logging
Applications should provide enough granularity in their logs to accurately determine whether, for example, user A performed action B, and when. The authentication subsystem should record both successful and unsuccessful login attempts. Logs must be tamper-evident (an attacker who gains access to the system should not be able to alter or delete entries without detection), retained outside the application's own control, and periodically reviewed to detect any unusual activity.
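As an added illustration of what tamper-evident means in practice (example code written for this edit, not taken from the paper or from any board portal product), the following Python builds a small hash-chained audit log: each record's HMAC covers the previous record's tag, so changing, removing or reordering an entry breaks the chain at that point. The demo key, the record format and the sample login and download entries are constructed for the example; a real deployment would keep the key in an HSM or key-management service and run the verifier on a copy of the log held outside the application.

```python
# Added example: a tamper-evident (hash-chained, HMAC-tagged) audit log.
# The key and the sample entries are constructed for this demonstration.
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag assumed for the record "before" the first one


def _tag(key, prev_tag, record):
    # Canonical JSON so the same record always yields the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key):
        self._key = key
        self._prev = GENESIS
        self.entries = []

    def append(self, ts, user, action, target, outcome):
        """Record who did what, to which object, when and with what result."""
        record = {"ts": ts, "user": user, "action": action,
                  "target": target, "outcome": outcome}
        tag = _tag(self._key, self._prev, record)
        self.entries.append({**record, "tag": tag})
        self._prev = tag
        return tag

    def head(self):
        """Tag of the latest record; publish or store it where the app cannot write."""
        return self._prev


def verify(key, entries, expected_head=None):
    """Returns (True, None) if the chain is intact, else (False, index of the
    first bad record). With expected_head, records dropped from the end are
    detected too; a chain alone cannot see truncation."""
    prev = GENESIS
    for i, e in enumerate(entries):
        record = {k: v for k, v in e.items() if k != "tag"}
        if not hmac.compare_digest(_tag(key, prev, record), e["tag"]):
            return False, i
        prev = e["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)
    return True, None


def failed_logins(entries, user):
    """The 'did user A do action B' question, here for unsuccessful logins."""
    return [e["ts"] for e in entries
            if e["user"] == user and e["action"] == "login" and e["outcome"] == "failure"]


KEY = b"constructed-demo-key-not-for-production"


def build_sample_log():
    """Constructed sample activity for the demonstration."""
    log = AuditLog(KEY)
    log.append("2014-06-02T08:01:10Z", "alice", "login", "-", "success")
    log.append("2014-06-02T08:05:42Z", "mallory", "login", "-", "failure")
    log.append("2014-06-02T08:05:58Z", "mallory", "login", "-", "failure")
    log.append("2014-06-02T08:07:03Z", "alice", "download", "doc:101", "success")
    return log
```

Editing the outcome of mallory's first failed login, or deleting that record, makes verification fail at index 1; silently dropping the final record passes a plain chain check and is only caught when the verifier is also given the last published head, which is why the head must live somewhere the application cannot rewrite.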
Data Center Power and Cooling
Maintaining a data center in the event of a power
loss is a complex task that requires planning
and regular testing. The data center power
infrastructure where the board portal is located
should be tested for a 100% loss of local power
and checks performed to ascertain for how long
the UPS remains active. Pertinent issues to
consider include whether the power feed from
the local utility is limited to a single entrance,
or whether there are several; whether the data
center is fed by more than one utility; whether
testing activity records have been maintained
and whether the HVAC systems and generators
have been regularly maintained. Organizations
should also check whether there are contracts
in place with fuel suppliers to maintain fuel in
the generators and whether the access control
systems for the data center continue to work in
the event of a loss of power.
Change Management
Software applications are constantly receiving
upgrades, bug fixes and small feature tweaks. A
system that does not change will become less
secure over time. In order to remain secure, an
operational process involving the understanding,
communicating and documenting of changes
must be followed. Change management
processes vary between organizations, but it is
important that each organization has these in
place and that they are followed to the letter.
Companies should ensure the organization
operating their chosen board portal has a strong
change management methodology and controls
in place to prevent unauthorized changes to the
running software.
Peer Reviews or Other Software Testing
Software should be reviewed by an independent party (not a member of the development team) to ensure that appropriate care has been taken to detect security flaws. Automated testing tools should be used to identify potential security flaws, and a process must be in place to track reported flaws through to resolution.
AVAILABILITY
For any board portal to serve its purpose, it needs to be readily available. The networks, servers and application must all remain operational under all circumstances, including power failures, natural disasters and intentional attempts to deny service. Any single points of failure within the infrastructure must be identified and rectified, and companies must ensure there are redundant providers serving the end points.
Disaster Recovery and Business Continuity
It is important to address the potential loss of the
technical components that make up the board
portal. The people who operate and maintain
the board portal should be able to continue
operations in the event of a local natural
disaster or other occurrence that prevents them
from occupying their normal facilities. Before
choosing a board portal, organizations must
ensure the company has a disaster recovery
plan that is regularly checked. Other things to
consider include the Recovery Time Objective
(RTO) to get the site up and running in the
event of a catastrophic technical failure; the
disaster recovery plans include a Recovery Point
Objective (RPO) addressing potential data
loss during a critical failure; and whether the
company has a business continuity plan for each
location that operates, maintains and supports
the board portal.
Vulnerability Management
No software is perfect, and new vulnerabilities in operating systems, web server software and database software are found almost daily. Companies that provide board portals should demonstrate a mature vulnerability management program to evaluate, prioritize and deploy security patches to operating systems, servers and databases on a regular basis. The provider should conduct regular testing to ensure the vulnerability program is continuously operating as intended, and should have a mitigation strategy for vulnerabilities that cannot be patched immediately.
Application Security
Because no software is perfect, including custom-built board portals, all board portals should have an application security program to identify potential and known security flaws in their software. The board portal should undergo manual penetration tests that mimic internet-based hacking attempts, and the running software should be tested on a regular basis. Ideally, the company should be willing to share the results of such testing with clients. Another consideration is whether the provider offers any training resources to its development organization on how to write secure code.
Security Training and Awareness
Because threats evolve over time, a regular program of security awareness is essential to keep the board portal provider's staff up to date on new threats. The provider should offer employees security awareness training and materials on a regular basis.
INFORMATION SECURITY PROGRAMS
Mature organizations with effective information security programs have a few things in common. Firstly, they use standardized, documented processes that allow new staff to become proficient quickly. They also understand that risks and threats change over time and develop programs to identify those threats early. They provide training and awareness programs to spread knowledge of new threats and risks to a larger audience and, finally, they provide assurance to their customers (through independent third-party confirmation) that their security controls are continually operating as designed.
Third-Party Confirmation
Conducting a third party audit such as an SSAE
16 or SysTrust provides clients with the assurance
that an independent party has evaluated the
security controls in place and confirmed they
operate effectively. Organizations should seek
clarification as to the type of audit conducted,
how often it is conducted and whether the audit
reports produced any exceptions.
Dedicated Information Security Professionals
Understanding new threats as they evolve and designing responses to them are skills that are perfected over time. A systems engineer or developer who manages security on a part-time basis is not sufficient to ensure a board portal is secure and evolving alongside new risks. Organizations should consider whether their preferred board portal provider has a dedicated security organization, whether it has access to resources that assist in identifying new threats, and whether it has security partners to assist in developing responses to evolving threats.
The Human Factor
One basic but critical issue when evaluating security is the human factor. Although often overlooked, human error is responsible for much data leakage. It is therefore important that board portals do not encourage the sharing of credentials at all; an administrator can reset a password or provision access and never needs a member's credentials. Your chosen board portal should integrate seamlessly with a Mobile Device Management (MDM) solution so that a lost or stolen device can be wiped, and should incorporate best practice in the management of user accounts.
CONCLUSION
Security challenges continue to evolve daily. Sophisticated, persistent attacks are changing the rules of the game, and this can be overwhelming, even paralyzing, for organizations comparing solutions. Trusting data to reputable companies with solid security practices is a must. Before choosing a board portal, organizations must perform due diligence on all facets of an intuitive, robust and secure board portal.
Security Checklist: Questions You Need to Ask
Confidentiality
• Who has access to my data?
• How can I be assured that my data will not be shared with third parties?
Authentication
• Does the application require user authentication before allowing access?
• If so, are there controls in place, such as requiring a strong password?
• Does the application offer additional security options like two-factor authentication?
• Are only authorized users able to log in to the subsystems that make up the board portal?
DDoS Protection
• Does the board portal have any protection from a DDoS attack?
• Is the data center that serves the application served by one or more internet service providers?
Offline Access
• Does the application provide substantially the same protections offline as online?
• Does the application provide offline authentication?
• How do they cater for devices such as iPads or other tablets?
• Is the account locked after a defined number of failed login attempts?
Authorization
• If the application is used for multiple roles, how does it ensure that users cannot elevate their privileges beyond those assigned?
• Does the application check that a user's authorization is appropriate only on login, or continuously throughout the session?
Multiple Boards
• Can the same board portal solution be used by a single user who sits on multiple boards?
• If so, how does the board portal address the potential risk of data leakage from one board to another?
Integrity
• Who will have access to your data?
• How is data verified on a regular basis to ensure that it is complete and intact?
Encryption
• What type of encryption technologies are used to ensure data confidentiality?
• If the data is encrypted in the system, who has access to the key that makes decryption possible?
• How is the encryption key protected?
Man-in-the-Middle Attacks
• How does data traverse the network?
• Can data ever be viewed in cleartext?
• What protocols are used?
Logging
• Are the logs tamper-evident?
• Are the logs periodically reviewed to detect unusual activity?
Change Management
• Does the organization that operates the board portal have a strong change management methodology?
• How does the organization prevent unauthorized changes to the running software?
Peer Reviews or Other Software Testing
• Are automated testing tools used to identify potential security flaws?
• How are reported flaws tracked and resolved?
Availability
• Are there any single points of failure within the infrastructure?
• Are there redundant providers serving the end points?
Data Center Power and Cooling
• Is the power feed from the local utility limited to a single entrance, or are there multiple entrances?
• Is the data center fed power from more than one utility?
• Does the company keep records of testing activity?
• Do their records show regular maintenance for the HVAC systems and generators?
• Do they have contracts with fuel suppliers to maintain fuel in the generators?
• Do the access control systems for the data center work in the event of a loss of power?
Disaster Recovery and Business Continuity
• Does the company have a disaster recovery plan?
• If so, how often is the plan tested?
• What is the Recovery Time Objective (RTO) to get the site up and running in the event of a catastrophic technical failure?
• Do the disaster recovery plans also include a Recovery Point Objective (RPO) addressing potential data loss during a disaster or critical failure?
• Does the company have a business continuity plan for each location that operates, maintains and supports the board portal?
Vulnerability Management
• Does the board portal provider conduct regular testing to ensure that the vulnerability program is operating as intended?
• What type of mitigation strategy does the board portal provider follow?
Application Security
• Does the board portal undergo manual penetration tests that mimic potential hacker activity via the internet?
• Is the running software tested on a regular basis?
• What results of this testing are they willing to share with you?
• Do they offer any training resources to their development organization on how to write secure code?
Security Training and Awareness
• Does your board portal provider offer employees security awareness training and materials?
• If so, is this training required and how often does it occur?
Information Security Programs
Third-Party Confirmation
• What type of audit is conducted?
• How often is it conducted?
• Did the audit reports note any exceptions?
Dedicated Information Security Professionals
• Does your board portal provider have a dedicated security organization?
• Do they have access to resources that assist in identifying new threats?
• Do they have security partners to assist in developing responses to those threats?
The Human Factor
• Does your board portal discourage the sharing of credentials, including with an administrator?
• Does your board portal integrate seamlessly with a Mobile Device Management (MDM) solution in the event of a stolen device?
• Does your board portal make use of best practice in the management of user accounts?
THOMSON REUTERS ACCELUS™
The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive set of solutions designed to
empower audit, risk and compliance professionals, business leaders, and the Boards they serve to reliably achieve business
objectives, address uncertainty, and act with integrity.
Thomson Reuters Accelus connects business transactions, strategy and operations to the ever-changing regulatory environment,
enabling firms to manage business risk. A comprehensive platform supported by a range of applications and trusted regulatory
and risk intelligence data, Accelus brings together market-leading solutions for governance, risk and compliance management,
global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence, training and e-learning, and
board of director and disclosure services.
Thomson Reuters has been named as a category leader in the Chartis RiskTech Quadrant™ For Operational Risk Management
Systems, category leader in the Chartis RiskTech Quadrant™ for Enterprise Governance, Risk and Compliance Systems and has
been positioned by Gartner, Inc. in its Leaders Quadrant of the “Enterprise Governance, Risk and Compliance Platforms Magic
Quadrant.” Thomson Reuters was also named as Operational Risk Software Provider of the Year Award in the Operational Risk
and Regulation Awards 2013.
THOMSON REUTERS ACCELUS BOARDLINK
BoardLink is a secure board portal, accessible online or via an iPad app. It enables board members to communicate and
share documents, create topic-specific workspaces, compile and share board books, and provides a single, secure portal for
corporate secretaries and board members to access critical business intelligence and board committee documents.
BoardLink is designed to enable corporate secretaries and board members to manage the quarterly business activities of
the board, stay up to date on the latest business news and regulatory changes, manage multiple layers of risk, and optimize
governance and disclosure initiatives.
For more information, visit accelus.thomsonreuters.com
© 2014 Thomson Reuters GRC01220/6-14