System Security & Integrity

Maxwell GeoSystems have implemented secure project wide communications in the most demanding and remote environments. The system servers are accessible worldwide through secure (SSL) internet connections providing guarantees of greater than 99.9% availability on a 24/7 basis. Working closely with the Client’s existing infrastructure, Maxwell GeoSystems integrate online maintenance capabilities and providing key data without compromising the integrity of the corporate systems. Maxwell GeoSystems’ own systems are two-tiered. On the site level, MissionOS server will be accessible to a Client’s Local Area Network (LAN) to handle the loading and audit of raw data and the communications with the web. Maxwell GeoSystems’ MissionOS Portal provides secure published data that has been processed, audited, vetted filtered and quarantined where necessary.

Maxwell GeoSystems ensure all MissionOS systems operate as secure platforms conforming to the highest possible industry standards of programme and intruder protection. Each system is designed to be inherently robust and resistant to infiltration attempts.

Data can be hosted either: On virtualised servers within a professionally hosted AWS environment On dedicated servers within a professionally hosted AWS environment On owned serves co-located within a professionally hosted AWS environment On owned dedicated servers within the clients own infrastructure MGS software is built on standard LAMP architecture and requires no special exceptions for hosting.

Maxwell GeoSystems maintain data integrity throughout any project in an easily archived and accessible form. This enables users to easily combine multiple projects for later access and cross project analysis. Maxwell GeoSystems have enhanced security and disaster recovery capability in compliance with highest industry standards. Protection of data is of paramount importance and the Maxwell GeoSystems MissionOS system ensures all aspects of its systems are suitably guarded at all times. All systems operate on a two-tier basis with raw data kept on independent servers not accessible externally. If necessary, published data can be recreated from raw data within minutes. Published data web portals can be mirrored to Maxwell GeoSystems own servers in case there is concern that a Client’s projects web servers are vulnerable. Maxwell GeoSystems have built-in server side activity/-check procedures and web side heartbeat functions allowing administrators constant real-time system monitoring. This is a prerequisite requirement for active construction environments where power and communications can be variable.

The MissionOS system hosts a substantial archive of data which is comprehensively catalogued and readily accessible through its Data Retrieval Service. This substantial library of information constitutes and represents a unique data-vault of project related material which can be accessed by company specialists to form a compelling and powerful reference of data.

MGS software is deployed with three logical levels of security to manage confidentiality and integrity for all components: 1. Systems administration level security management - Where systems administrators can assign access and functional rights to users within the application, such that application users can be restricted to which data or functionality can be accessed, and also what rights they might have when given access to a function. By far the most frequent form of security management applied. 2. Operating system and DB administration level security management - Where technical support staff can access data using SQL routines or programs which are considered to be unrestricted in DB access, and can control systems administration access to the application. Used for complex query resolution, code, release and systems performance management. 3. Physical level security management - Ensuring industry standard security standards are applied at the physical and operating system logical access level. Used for device level systems management, including performance. Maxwell GeoSystems normally offer access to software through System as a Service (SaaS), whereby all system management and maintenance is undertaken by MGS within the price of service offered to the client. In this scenario, MGS would manage areas 1 and 2 with a cloud provider managing physical level security. Standard processes & procedures are applied for those components managed by MGS and the cloud provider will make undertakings of security and governance standards that can be reasonably applied to the areas under their management In this scenario, it is not an unusual occurrence for some local components to be deployed from MGS on client localised infrastructure, especially when looking at high volume and complex data feeds. From time to time, clients request that all three (3) levels of security management will be undertaken by themselves. This will necessitate an implementation onto client managed infrastructure and usually a front line technical support capability being developed within the client’s organisation.

A number of clients perform security roles across these levels in conjunction with MGS and with training it is considered reasonable that all levels could be handled directly by client staff if client IT security or IT policy requires. In this scenario, MGS would adopt required security processes as determined by client IT security policy including access procedures and use of specified tools. Likely areas of client system access would include: Front line technical support - complex query resolution Code upgrade, including emergency bug fixes if required Release management, including data base restructuring if required. It is possible that these areas can be minimised with the right training and client staff, however on the occasions that this type of access is required then MGS will follow security process and standards as laid down by the client.

Data is archived using rolling daily weekly and monthly archives which can be restored in less than 2 hours. Mirroring can be provided with a variety of latency levels depending on requirement. Local data source security: Sometimes data sources will require loggers or logging computers to collect data at site and push this data to the web. These may sit in remote site offices directly connected to the internet or they may be behind corporate firewalls. MGS may require access to these computes to manage the collection and upload process and this is commonly by secure VPN often using token authentication e.g. Citrix. Access to other parts of the network is restricted by normal network security protocols.

Access to the web pages can be plain or encrypted but encrypted connections will suffer some slowing of performance although this is minimal. Data traffic can be set to normal or secure FTP.

The core functions of the system must achieve a target availability level which takes account of both systematic and random failures. The core function must be considered as the core suite of equipment (hardware and software) to enable capture, processing and alarming to support the core operational needs of the system. Asia and Australia Our hosting environment has been online since 2002 and The average up time across all servers has been 99.998% over this period. Also, the client portals are deployed in AWS secured environment. The system must be designed to be fault-tolerant to enable it to continue operating properly in the event of failure. The basic characteristics required for the system availability are: 1. No single point of failure The system is scripted and designed in such a way that faults in particular system calls do not stop other parts of the program. 2. No single point of repair 3. This enables program components to be upgraded without taking the whole service offline. 4. Fault containment to prevent propagation of the failure; and in all cases of live update or repair system testing is undertaken on a backup of the domain for example: if https://mysite.maxwellgeosystems.com is the system domain then; https://mysitesandpit.maxwellgeosystems.com contains a fully representative sample of the data to test changes before migrating to the main domain. 5. Availability of reversion modes The systems are archived daily and can be reinstated within one (1) hour. System availability including planned Service outages and unplanned Service outages must be statistically provided at 99% availability in areas where there is no construction activity occurring, or where monitoring indicates stable conditions, and 99.9% availability elsewhere. The system must be capable of automatically recapturing all monitoring data upon recovery. It is important that dedicated servers are hosted as part of a server farm with dedicated staff to maintain service levels. Full current statistics of our AWS operational servers can be seen at: AWS.Amazon.Availability

System maintenance operations which may necessitate loss of core functions must be carried out on a planned and routine basis. Downtime must be kept to a minimum. The system must be capable of automatically recapturing all monitoring data upon maintenance completion. Yes, any monitoring data will accumulate either on the staging server of on the FTP. In the meantime the staging server LINUX partition will display data for the site users during any web server downtime.

The system must provide a high level of the following key security parameters: (I) Confidentiality: prevention of unauthorised disclosure of information All sites are password protected and all downloads will be subject to limits set by the PTA and client. (II) Integrity: prevention of unauthorised amendment or deletion of information; and All editing is recorded in a log so that a full audit trail is available. (III) Availability: prevention of unauthorised withholding of information or resources. Maxwell GeoSystems are the administrator of the system and will perform all requirements according to our contract All system functionalities, such as system access, data access, user locations and user levels, must ensure that there is no unauthorised access to the system and must protect the integrity of the system from accidental or malicious damage. The system must ensure data integrity at all times. Access to development areas are protected by 2FA or two factor authentication Access to user accounts setup is by admin only. User passwords are encrypted on setup/change by the user and cannot be viewed as plain text even by admin. All user accounts automatically logout after 15 minutes. See also: AWS.Amazon.Security

The system must re-establish after loss of core functions, a data link failure or a data loss due to failure of a remote system. The system must automatically undertake system performance checks and be able to recover itself and reimport any data lost between the last save point and the point of failure, including system configuration, instrumentation data, and any data calculations and trending including exceedance of monitoring review levels. In the event of web outage through either connection or server failure the LINUX partition of the local intranet real time server will become the target server to ensure continued operation. All data update function are tracked by last successful upload on re-initialisation or reconnection data accumulated since then will be automatically loaded and processed. Loss of peripheral functionality will only be tolerated on the basis that it will not risk the integrity or availability of the core functions. Scripted LAMP system functionality is isolated from core functionality producing a very robust platform Other than loss of data, the core function must not be affected by loss of a remote system or communication link to it. Following the recovery of the lost remote system communication link, the system must be able to receive and process buffered or stored data. Core systems are completely isolated from data systems or remote systems. Administrators are warned if any remote systems are offline using our heartbeat functions.

All data must be backed up daily. The system must carry out automated backup and recovery operations for all entities, metadata, audit trails and configuration settings held by the system and provide separate physical storage of backup data. Usually backup schedule in AWS is that the daily backups are kept for a month. Further duration of backup is based on agreement. And based on the agreement, data is backed up daily, weekly or monthly etc. to tape and to our own servers. The Monitoring Manager must be able to restore the entire system from backups, maintaining full data integrity to ensure system continuity, from the most recent backup to the point of system failure. Data is backed up daily, weekly and monthly to tape and to our own servers. Archives are also regularly taken for use on the UAT domain. Archives can be restored within one hour. Uninterrupted power supply must be provided to allow sufficient time to downpower the computers without data corruption. Staging servers and web servers all have UPS and are all reconfigured automatically during power up and boot. MissionOS AWS servers are highly resilient to power outage and suffer minimal data corruption as a result of sudden shut down.

Cyber Essentials certification demonstrates that Maxwell GeoSystems business opera-tonal procedures have the essential cyber security measures in place. The accreditation proves that in implementing and certifying the controls it confirms that the business is safe against the majority of cyber threats. GDPR regulation came into effect on May 25th 2018. Cyber Essentials certification proves the business has taken the first step towards compliance. Cyber Essentials certification is mandatory for many central government contracts which involve handling personal information and delivering certain ICT products and services.

APMG is a UK Government appointed Cyber Essentials Accreditation Body – is responsible for accrediting Certification Bodies. These Certification Bodies perform assessments and award companies an online certificates. APMG has been accrediting organizations for over two decades and its exemplary accreditation standards are world-renowned. APMG-accredited Certification Bodies are internationally recognized for their exceptional assessors and service – having undergone rigorous assessment.

ISO27001 is the international standard nomenclature for Information Security Management Systems, or ISMSs. Maxwell GeoSystems has attained ISO/IEC 27001:2013 status & certification, implementing an Information Security Management System for the provision of Geological Data Management & Risk Monitoring for clients along with internal reporting systems. Since its launch in 2005, becoming certified to the ISO27001 standard has become increasingly important, as concerns and publicity about cyber security breaches have increased.

The ISMS is a set of processes that together helps the organization to manage its information security by assessing their risks and taking action to reduce them. The management system represents the essential elements required to maintain a high level of information security. The main components are: Information security policy The rules & guide on keeping MGS information data systems secure. Objectives The ISMS standards & objectives MGS is aiming to achieve. Risk assessment and treatment MGS Disaster Response plan & procedures. Roles and responsibilities MGS personnel responsible for ISMS and their assigned duties. Competence Ensuring MGS staff have appropriate skill-sets. Awareness training Ensuring all MGS personnel are informed of all relevant Information Security matters. Monitoring and measuring On-going monitoring and quantifying systems, procedures and operations. Internal audit Independent checks & reviews ensuring appropriate corrective actions. Data Management & Disposal Ensuring all systems are securely protected & data for disposal is handled according to ISO guidelines. Management review Regular MGS Management group meetings.

Maxwell GeoSystems is committed to: Strengthening internal control and preventing unauthorised and improper access to data, thereby ensuring the appropriate protection of information assets. Appropriately protect the confidentiality of information assets. Ensure that information is not revealed to unauthorised third parties during the process of transmission or as a result of unintentional actions. Ensure that all information security accidents or suspected security flaws have appropriate reporting mechanisms so that superiors are notified and these incidents are appropriately investigated and handled.

To continually strengthen and improve the overall capabilities of the Information Security Management System (ISMSs). Increase professional skills in terms of information security management & technology. To make the management system for information security so complete and reliable that the ISO/IEC27001 certification standard will continue to be effective. Ensure that information-related business operations continue to be carried out in-line with the ISO/IEC27001 standard and to establish a sustainable operation plan for business that is cost-effective. Establish quantified information security goals annually through management and review meetings.

ISO/IEC 27001 is a security standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. Certification to ISO/IEC 27001 helps organisations comply with numerous Government, regulatory and legal requirements that relate to the security of information.