Data Privacy and Security Manifesto
What is the role of Mobilexpense in the context of data privacy?
In the context of Mobilexpense’s services, Mobilexpense acts as the data processor and, in this role, supports its customer (the data controller) in complying with EU and country-specific data protection legislation.
What personal data is processed and stored in the Mobilexpense application?
The data processed by the application is limited to what is necessary to serve the purpose of the application. In this context, the following categories of personal data may be processed:
Personal identification data: first name, last name, title, language, ...
Contact data: email address, phone number, ...
Financial identification data: credit card number, bank account number, ...
Employment data: company name, role, ...
Financial transactions: expense data, receipts, credit card transactions, settlements, ...
Travel data: travel requests, ...
The above list contains the categories of personal data with examples; the actual fields can be tailored to the customer’s preference during implementation, as some fields are optional while others are mandatory. In addition, the customer may opt to use certain functionality which requires the processing of certain personal data.
The customers (data controllers) are responsible for managing their users on the Mobilexpense application. User data can be uploaded through synchronisation (“synchro”) files or integrated with the customer’s HR system.
Mobilexpense does not process any special categories of personal data, i.e. revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union memberships, genetic data, biometric data, data concerning health or a person’s sex life or sexual orientation.
How is data protected?
Based on industry best practices and standards, including ISO 27002 and the PCI Data Security Standard, security controls are in place to protect data, including personal data, credit card data and other sensitive data, from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Mobilexpense ISPMS, Policies and procedures
The ISO 27001 certified Mobilexpense Information Security and Privacy Management System (ISPMS) ensures:
Data Confidentiality - ensuring that information is accessible only to those who are authorized to have access;
Data Integrity - safeguarding the accuracy and completeness of information;
Data Availability - ensuring that authorized Users have access to information when they need it;
Compliance - ensuring that relevant legal and regulatory requirements in relation to the protection of information are adhered to.
Mobilexpense security policies cover 17 security areas:
Policy Directives
Information Security Governance
Access Control and User Management
Human Resources
Risk Management
Secure Development
Vulnerability Management
Logging and Monitoring
Change and Capacity management
Incident management
Network and system management
Backup and Business Continuity Management
Data classification, Retention and disposal
Acceptable Usage
Service Providers
Cryptography
Physical Security
Security & Privacy responsibilities
Responsibilities for information security and privacy at Mobilexpense are clearly defined and governed by the information security governance. The main roles responsible for security, privacy, and providing assurance on the internal control environment are the CISO, DPO and Internal auditor. All these roles have been defined and assigned.
Risk management
In the context of the Mobilexpense ISPMS, a formal risk management policy, methodology and associated process are in place. The scope encompasses the production, PCI and office environments.
The methodology is based on the NIST and IT-Grundschutz risk assessment methodologies and follows the structure of the ISO 27002:2013 security controls.
The process is performed at least annually and upon significant changes to the environment; its results are documented and signed off by the Executive Committee.
Risk management encompasses the risk analysis, the treatment plan (roadmap), and risk monitoring and review.
Access & Authorization
The Mobilexpense application allows roles, privileges and access to features and data to be allocated on need-to-know/need-to-use principles.
Data is only displayed on a need-to-know/need-to-see basis, according to the authorizations/roles allocated within the application.
Application side
Customer access to the application is controlled through authentication (User ID & Password / Single Sign On) and authorization (based on roles).
User definition and role assignment are under the control of Customer Administrators.
User access rights are defined by session profile parameters, loaded for each user once the User is authenticated.
Every page contains a security and access rights control mechanism, based on session profile parameters. The access rights for every page are checked automatically when an application webpage is viewed by a User. If a User attempts to access an unauthorized page, the System redirects the User to a special “access forbidden” page and all unauthorized access attempts are logged.
Mobilexpense staff authorized to access customer environments are authenticated via Single Sign On based on multifactor authentication (MFA).
When accessing a Customer environment, Mobilexpense staff are required to provide a rationale for the access. This rationale is logged and reviewed.
The authentication mechanism is protected against brute force attacks.
Users are de-activated after a defined number of unsuccessful login attempts and the relevant Customer Administrator is informed by email. The Customer Administrator must then re-activate the User.
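The application-side controls described above (a session profile loaded at login, a deny-by-default check on every page with forbidden attempts logged, and deactivation after repeated failed logins with the administrator notified) as one added Python example. This is illustrative code, not Mobilexpense’s; the page-to-role table, the lockout threshold, the PBKDF2 password hashing and the log format are assumptions.

```python
"""Added example (not Mobilexpense code): per-page authorization from a session
profile, deny-by-default, with logging of forbidden attempts and deactivation
after N failed logins. The page table, lockout threshold, PBKDF2 hashing and
log format are assumptions for illustration."""
import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass

log = logging.getLogger("mx.access")

MAX_FAILED_LOGINS = 5      # assumed threshold; the page only says "a defined number"

# Assumed page -> roles map. A page that is not listed is forbidden to everyone.
PAGE_ROLES = {
    "/expenses": {"employee", "approver", "admin"},
    "/approvals": {"approver", "admin"},
    "/admin/users": {"admin"},
}


@dataclass
class User:
    user_id: str
    pw_hash: str
    salt: str
    roles: set
    active: bool = True
    failed_logins: int = 0


@dataclass(frozen=True)
class SessionProfile:
    """Loaded once per session after authentication; every page check reads it."""
    user_id: str
    roles: frozenset


def hash_pw(password, salt):
    # Salted PBKDF2 is an assumption; the page only states that passwords are hashed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()


def make_user(user_id, password, roles):
    salt = secrets.token_hex(16)
    return User(user_id, hash_pw(password, salt), salt, set(roles))


class Directory:
    def __init__(self, users):
        self.users = {u.user_id: u for u in users}
        self.admin_notifications = []   # stands in for the e-mail to the Customer Administrator

    def login(self, user_id, password):
        """Return a SessionProfile on success, None otherwise; deactivate after MAX_FAILED_LOGINS."""
        user = self.users.get(user_id)
        if user is None or not user.active:
            log.warning("login refused user=%s reason=%s", user_id,
                        "unknown" if user is None else "deactivated")
            return None
        if hmac.compare_digest(user.pw_hash, hash_pw(password, user.salt)):
            user.failed_logins = 0
            return SessionProfile(user.user_id, frozenset(user.roles))
        user.failed_logins += 1
        log.warning("login failed user=%s attempt=%d", user_id, user.failed_logins)
        if user.failed_logins >= MAX_FAILED_LOGINS:
            user.active = False
            self.admin_notifications.append(
                f"user {user_id} deactivated after {user.failed_logins} failed logins")
        return None

    def reactivate(self, user_id):
        """Customer Administrator action: re-enable a locked User and reset the counter."""
        user = self.users[user_id]
        user.active, user.failed_logins = True, 0


def authorize_page(profile, page):
    """Deny by default: the page must be listed and the profile must hold one of its roles.
    Every forbidden attempt is logged, as the page check described above does."""
    allowed = PAGE_ROLES.get(page, set())
    if profile is not None and profile.roles & allowed:
        return True
    log.warning("access forbidden user=%s page=%s",
                getattr(profile, "user_id", "-"), page)
    return False
```

The important property is that `authorize_page` fails closed: an unknown page, a missing profile and a missing role all end in the same logged refusal, and the caller only renders the page on `True`.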
Server side
Logical access to Mobilexpense servers (including associated operating systems and databases) by Mobilexpense employees is appropriately controlled.
Logical access to data processing resources is controlled by authentication procedures that require individual User IDs and passwords. The restriction of access rights to approved Mobilexpense employees and contractors is assured by the following control mechanisms:
Access rights to the Mobilexpense Application are limited to those rights necessary to carry out the employee’s operational function and server parameters are in place to automatically enforce these access restrictions.
Cegeka (hosting provider) maintains a centralized tracking system for granting access rights to the Mobilexpense Environment. Access requests are formally approved by Mobilexpense Management before being forwarded to the Cegeka Security Administration team. A Cegeka Security Administrator implements the access and confirms the implementation. The tracking system keeps an audit trail of all requests and approvals. Mobilexpense Management carries out a monthly review of access rights to the Mobilexpense Environment to ensure that implemented access rights remain in line with approved access rights. Access rights reviews are also carried out at every infrastructure change.
Two-factor authentication is required for remote access to the infrastructure.
Segregation of duties
Administrative functionalities within the application are separated from the usual functionalities and assigned to specific roles.
Security Awareness
An introductory briefing is provided for new staff covering information security in general, personal responsibilities, procedures to adhere to, and escalation mechanisms for security incidents.
Security awareness updates are provided to all Staff at least on an annual basis.
Network security
The application is designed as a multi-layered architecture protected from the external world by firewalls, a web application firewall (WAF) and anti-virus protection.
Data encryption
Data at rest: Credit card data are tokenized, and passwords are hashed.
Data is encrypted at database level.
Mobilexpense staff desktop/laptop hard drives are encrypted.
Data in transit: All data in transit are encrypted.
Strong cryptography and security protocols (SSH, PGP, SFTP, TLS) are used to safeguard data in transit over open, public networks.
Access to the application: All data exchanged between the users and the application is protected by TLS. Users can verify the authenticity of the service via the associated TLS certificate. The Mobilexpense certificate is issued by an approved public certification authority.
Card data received from card transaction suppliers is protected by either SSH or PGP; the supplier chooses which.
All non-console administrative access is protected by strong cryptography (VPN).
Cryptographic keys are managed in accordance with the Mobilexpense Key Management Policy.
Data Retention, archiving and removal
All restricted and private data, regardless of storage location, are retained only as long as required by legal, regulatory and business requirements. For application data which must be retained, the retention period is defined by the customer in the data processing agreement.
Data Archiving
The standard process at Mobilexpense is to archive data from the live database after two years. A daily process moves data linked to expense items or travel requests older than two years to an offline archive. For expense items the two years are counted from the day of settlement, while for travel requests the live retention period is counted from the start date of the trip. The data and related receipts are moved from online storage to the archive, which is located within the same security environment, where they are retained for the remainder of the customer-defined retention period. Customers can submit a change request to retrieve the data if needed. Customer-specific changes to the archiving process can be accommodated upon agreement with the customer.
Data Purge
Purging data occurs in two cases:
At the end of the retention period which is contractually agreed with the customer in the data processing agreement.
At contract termination, after the data is returned to the customer (online and archive).
Hardening & secure configuration
The application, database servers and network components are installed and configured according to security best practices that address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Servers are updated with the latest vendor security patches.
Wherever possible only one function is implemented per server.
Unnecessary protocols, services or functionality are uninstalled, or disabled.
Local administrator and guest accounts are disabled.
Patch Management
New vulnerabilities are assigned a risk ranking (High, Medium or Low). For this purpose, Mobilexpense relies on the ranking provided by industry-leading sources or the vendors, as well as on the impact on the system component on which the vulnerability has been identified.
All patches and security updates are applied by Cegeka (hosting provider) in a formalized and secure manner, with all critical patches installed within one (1) month of release by a vendor or other approved third party. Other, lower-risk changes are installed within 2-3 months.
The authenticity of patches and other security upgrades is verified before they are released to day-to-day operations.
A virus scan is run on all patches before installation.
Patch dependencies or any other issues that may result from the installation of a patch are identified and dealt with prior to deployment.
Patches that could adversely impact the security of the system are first applied within a test environment.
Patch implementation within production follows the change control policy.
Malware prevention
All servers are protected by anti-virus software. Signature files are updated every two hours and hard drives are scanned daily.
Availability
Backup
Backup procedures are in place to prevent the loss of data.
Full backups are taken daily and transferred to the mirror server at a remote location.
Backups are encrypted.
The success of these back-up processes is monitored daily by Mobilexpense.
Infrastructure
The Mobilexpense application runs on a distributed redundant platform consisting of multiple web application servers and mirrored databases.
The PCI environment is dedicated and fully segregated from production.
A contingency system and procedures are in place to allow for disaster recovery.
A mirror server maintained at a remote location allows operation in a downgraded mode for two weeks (the service remains available, but without a performance guarantee), which is the contractually agreed time to recover from a major disaster.
The set-up of the minimum vital infrastructure needed to meet the RTO (48h) is validated daily.
The global site-to-site recovery procedure is tested once a year.
Secure coding
Mobilexpense developers are trained in secure coding techniques prescribed by secure coding standards such as the OWASP Guide, the SANS/CWE Top 25 and the CERT Secure Coding standards.
Release management
A release management process is in place:
Development
All developments are registered in a source control tool to register versions and allow for rollback.
Tests/Staging
Test scenarios are first performed in the development environment to ensure that developments and bug fixes that are moved to the Production Environment function as intended and do not compromise existing functionality and services. Once the change is internally approved in the development environment, it is migrated to the staging environment, where the same test scenarios are tested again.
For Customer Customization changes and Bespoke Developments, Customers are invited to perform acceptance testing in the Staging and/or Production Environment.
Code review
Provided the changes pass all test scenarios in the staging environment, a code review is carried out by individuals other than the developer.
Management validation
Provided that the outcome of the code review is positive, management validates the change and authorizes the move to production.
Production
The change is moved to the Production Environment, where final testing is carried out before the change is signed off as completed. Only a limited number of individuals are authorized to move code to production.
Segregation of Dev/Test environment
The staging (Testing) environment is separated from the development and production environments.
Development and production staff maintain a strict separation of duties.
Identifying data is not used in development.
Change Management
Change management policies and processes are documented and enforced to guarantee the integrity of the application in production.
Changes to the parameters of the policy rules are undertaken by the Customer Administrator, but can also be carried out by Mobilexpense, upon request from the Customer.
Changes to policy rules or their parameters carried out by Mobilexpense in all cases require a formal request from the Customer.
Changes to operational applications, their supporting systems and Mobilexpense-specific network components are planned, developed and implemented in a controlled manner.
Code review/Penetration/Scans
The code of the application is reviewed internally upon significant changes and prior to deployment in production.
Vulnerability scans are conducted by external parties (a PCI Approved Scanning Vendor) monthly and after any significant change in the network.
Penetration testing is performed by external parties on a yearly basis and after significant change on the application.
Data integrity
Mobilexpense application includes several mechanisms and processes ensuring the integrity of data. To ensure the completeness and integrity of interface files, file footer/hash or other control mechanisms can optionally be inserted by Mobilexpense into Customer Interface Files.
The application performs input checks to detect at least the following types of errors:
out-of-range values;
invalid characters in data fields;
missing or incomplete data;
exceeding upper and lower limits for data size or length;
unauthorized or inconsistent control information in a data field (e.g.: XML injection or SQL injection).
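The two integrity mechanisms above (a trailer on interface files for completeness and integrity, and the listed input checks on each record) as one added Python example. This is illustrative code and not Mobilexpense’s interface format or validation: the `|`-separated layout, the `TRAILER` record with a count and SHA-256, the field names, limits and error codes are all assumptions, and the sample records are constructed.

```python
"""Added example, not Mobilexpense code: a constructed customer interface file
carrying a trailer record (record count + SHA-256 of the body), and the input
checks listed above run over every record. File layout, field names, limits
and error codes are assumptions for illustration."""
import hashlib
import re
from datetime import date
from decimal import Decimal, InvalidOperation

FIELDS = ("employee_id", "amount", "currency", "expense_date", "description")
MAX_AMOUNT = Decimal("10000.00")             # assumed upper limit per expense item
MAX_DESCRIPTION = 200                        # assumed maximum field length
SAFE_TEXT = re.compile(r"^[\w .,'()/-]*$")   # excludes < > ; " \ = and control characters
CONTROL_INFO = re.compile(                   # markup or SQL control sequences inside a data field
    r"<\?xml|<!DOCTYPE|<!ENTITY|<!\[CDATA\[|--|/\*|\bUNION\b|\bSELECT\b|'\s*(?:OR|AND)\b",
    re.IGNORECASE)

SAMPLE_RECORDS = [  # constructed test data: one valid record, then one per error class
    ("1001", "42.50", "EUR", "2024-03-12", "Taxi to client site"),
    ("1002", "-5.00", "EUR", "2024-03-12", "Refund"),
    ("10A3", "12.00", "eur", "2024-03-12", "Lunch"),
    ("1004", "", "EUR", "2024-03-12", ""),
    ("1005", "9.99", "EUR", "2999-01-01", "x" * (MAX_DESCRIPTION + 1)),
    ("1006", "NaN", "EUR", "2024-03-12", "' OR 1=1 --"),
    ("1007", "9.99", "EUR", "2024-03-12", "<!DOCTYPE x [<!ENTITY e SYSTEM 'file:///etc/passwd'>]>"),
]


def build_file(records):
    """Serialise '|'-separated records and append the trailer used to check
    completeness (record count) and integrity (SHA-256 over the body)."""
    body = ["|".join(r) for r in records]
    digest = hashlib.sha256("\n".join(body).encode()).hexdigest()
    return "\n".join(body + [f"TRAILER|{len(body)}|{digest}"]) + "\n"


def verify_file(text):
    """Return (records, file_errors). Records are only loaded when file_errors is empty."""
    lines = [line for line in text.splitlines() if line]
    if not lines or not lines[-1].startswith("TRAILER|"):
        return [], ["TRAILER_MISSING"]
    parts, body = lines[-1].split("|"), lines[:-1]
    if len(parts) != 3 or not parts[1].isdigit():
        return [], ["TRAILER_MALFORMED"]
    errors = []
    if int(parts[1]) != len(body):
        errors.append("RECORD_COUNT_MISMATCH")
    if hashlib.sha256("\n".join(body).encode()).hexdigest() != parts[2]:
        errors.append("HASH_MISMATCH")
    return [line.split("|") for line in body], errors


def validate_record(fields):
    """Apply the input checks to one record; returns a list of 'ERROR:field' codes."""
    if len(fields) != len(FIELDS):
        return ["FIELD_COUNT"]
    rec = dict(zip(FIELDS, fields))
    errors = [f"MISSING:{k}" for k, v in rec.items() if not v.strip()]
    if rec["employee_id"] and not rec["employee_id"].isdigit():
        errors.append("INVALID_CHARS:employee_id")
    try:
        amount = Decimal(rec["amount"])
        if not amount.is_finite():          # 'NaN'/'Infinity' parse but must never reach a comparison
            raise InvalidOperation
        if not Decimal("0") < amount <= MAX_AMOUNT:
            errors.append("OUT_OF_RANGE:amount")
    except InvalidOperation:
        if rec["amount"].strip():
            errors.append("INVALID_CHARS:amount")
    if rec["currency"] and not re.fullmatch(r"[A-Z]{3}", rec["currency"]):
        errors.append("INVALID_CHARS:currency")
    try:
        if date.fromisoformat(rec["expense_date"]) > date.today():
            errors.append("OUT_OF_RANGE:expense_date")
    except ValueError:
        if rec["expense_date"].strip():
            errors.append("INVALID_CHARS:expense_date")
    desc = rec["description"]
    if len(desc) > MAX_DESCRIPTION:
        errors.append("LENGTH:description")
    if not SAFE_TEXT.match(desc):
        errors.append("INVALID_CHARS:description")
    if CONTROL_INFO.search(desc):
        errors.append("CONTROL_INFO:description")
    return errors


def process_file(text):
    """Verify the trailer first, then validate each record.
    Returns (accepted, rejected, file_errors); rejected pairs each record with its errors."""
    records, file_errors = verify_file(text)
    if file_errors:
        return [], [], file_errors
    accepted, rejected = [], []
    for rec in records:
        errs = validate_record(rec)
        (rejected if errs else accepted).append((rec, errs))
    return accepted, rejected, []
```

Two points a practitioner would check: the trailer is verified before any record is parsed, so a truncated or modified transfer is rejected as a whole rather than partially loaded, and the numeric check guards against `NaN`, which `Decimal` accepts but which raises on comparison if it reaches the range test.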
Logging
All access to the Mobilexpense environment is logged. Access logs are reviewed regularly to identify potential unauthorized access.
The following events are logged:
All upload errors are logged and investigated (ISAE B2)
Access to Mobilexpense environment is logged. (ISAE B3)
All changes performed by the Customer’s users are logged (who, what, when).
All changes performed by Mobilexpense operators on behalf of customers are logged (who, when, what and why).
Failed transfers
Access to the Mobilexpense VPN and servers, as follows:
Each User access is logged;
Failed access attempts are logged;
Changes to security settings are logged
Logs on the production systems are forwarded in near real time to a central repository. Daily, logs are automatically sent to the Mobilexpense ticketing system and to an audit mailbox for review and archiving.
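The kind of review the logging section describes (failed access attempts, operator access with its rationale, and changes to security settings), run over a few constructed log lines as an added Python example. It is not Mobilexpense’s log format or review tooling: the `timestamp key=value` line layout, the event and field names, and the burst threshold and window are assumptions.

```python
"""Added example, not Mobilexpense code: a review pass over constructed access-log
lines of the kinds listed above (user and VPN logins, operator access with its
rationale, security setting changes). Line format, event names, field names and
thresholds are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                           # assumed: failures within FAIL_WINDOW that warrant review
FAIL_WINDOW = timedelta(minutes=10)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value tokens; values may be double-quoted

SAMPLE_LOG = """\
2024-05-02T08:00:00Z src=app event=login user=alice result=ok
2024-05-02T08:01:10Z src=vpn event=vpn_login user=mx.jdoe result=fail
2024-05-02T08:01:20Z src=vpn event=vpn_login user=mx.jdoe result=fail
2024-05-02T08:01:31Z src=vpn event=vpn_login user=mx.jdoe result=fail
2024-05-02T08:01:45Z src=vpn event=vpn_login user=mx.jdoe result=fail
2024-05-02T08:02:02Z src=vpn event=vpn_login user=mx.jdoe result=fail
2024-05-02T08:02:30Z src=vpn event=vpn_login user=mx.jdoe result=ok
2024-05-02T08:10:00Z src=app event=operator_access operator=mx.jdoe customer=ACME rationale="INC-1234 reconcile card feed"
2024-05-02T08:12:00Z src=app event=operator_access operator=mx.ksmith customer=ACME rationale=""
2024-05-02T08:15:00Z src=app event=security_setting_change user=acme.admin setting=sso_required old=false new=true
2024-05-02T09:00:00Z src=app event=login user=bob result=fail
2024-05-02T09:30:00Z src=app event=login user=bob result=fail
""".splitlines()   # constructed lines; bob's two failures are too far apart to count as a burst


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = {k: v.strip('"') for k, v in KV.findall(rest)}
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review(lines):
    """Return (finding, detail) tuples for the reviewer, in log order."""
    findings = []
    recent_failures = defaultdict(list)   # (event, user) -> failure timestamps within FAIL_WINDOW
    in_burst = set()
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        ev = rec.get("event")
        if ev == "operator_access" and not rec.get("rationale"):
            findings.append(("OPERATOR_ACCESS_WITHOUT_RATIONALE",
                             f"{rec['operator']} -> {rec['customer']} at {rec['ts']:%H:%M:%S}"))
        elif ev == "security_setting_change":
            findings.append(("SECURITY_SETTING_CHANGED",
                             f"{rec['user']} set {rec['setting']} {rec['old']} -> {rec['new']}"))
        elif ev in ("login", "vpn_login"):
            key = (ev, rec["user"])
            if rec["result"] == "fail":
                window = [t for t in recent_failures[key] if rec["ts"] - t <= FAIL_WINDOW] + [rec["ts"]]
                recent_failures[key] = window
                if len(window) >= FAIL_THRESHOLD and key not in in_burst:
                    in_burst.add(key)
                    findings.append(("REPEATED_FAILED_ACCESS",
                                     f"{rec['user']} via {ev}: {len(window)} failures within {FAIL_WINDOW}"))
            else:
                if key in in_burst:   # a success right after a burst is the case worth escalating
                    findings.append(("SUCCESS_AFTER_FAILURE_BURST",
                                     f"{rec['user']} via {ev} succeeded at {rec['ts']:%H:%M:%S}"))
                recent_failures[key] = []
                in_burst.discard(key)
    return findings
```

Every security-setting change is surfaced unconditionally, since the reviewer must confirm it against an approved change; the other findings are the two patterns the logged fields make detectable: an operator access whose required rationale is empty, and a failure burst, which is escalated further if it ends in a success.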
Incident Handling
Formal incident management policy and process are in place.
Incidents are reported by the system error-handler processes or by Users (Mobilexpense staff or Customer Users), classified, and handled according to this classification.
Non-security related incidents: The Service Delivery Manager checks the progress of these incidents towards resolution daily and, monthly, runs a report to a) verify the effectiveness of current procedures in solving incidents within SLA and b) identify opportunities to further improve service response times.
Every incident is logged in an issue tracking system and assigned a priority. Issues are reviewed on daily basis by the Service Delivery Manager. Major issues that require the involvement of Mobilexpense IT are subject to a root cause analysis and may result in change requests that will follow the Change Management Procedure.
Security related incidents follow a strict and separated process including severity determination, investigation of root causes, reporting/alerting to Customers, Third parties and Legal entities.
Physical Security
Physical security is covered by the ISAE 3402 Type 2 report and the ISO 27001 certification of Cegeka (hosting provider).
The datacenters of Cegeka are located in Belgium and in the Netherlands.
The Cegeka buildings have 24h attendance and a building security checkpoint for access by the Cegeka engineers. We have an additional access procedure for customers and third parties, who only have access to the building with supervision from authorized staff members. All doors (also the cages) have card key access with anti-pass back and a logging facility. All Cegeka facilities and the datacenter are equipped with a camera security system that is digitally recorded.
Physical access is covered by a variety of policies and procedures as well as by constant logging and review of all entries to any of the Cegeka secure rooms, whether by employees, contractors or third parties.
Security audits are performed at scheduled intervals. Cegeka maintains a policy of constant improvement regarding information security.
Activities on systems performed by third parties are always supervised by authorized personnel of Cegeka.
Only authorized staff members are granted access to the secure areas such as the staging room, management room and server room.