Controls Summary for Client Data
Purpose
The following document is confidential and has been prepared solely for Inclusion System clients and their auditors to provide further information on enforced processes and controls regarding data handling provided by clients to the Inclusion System. Use of this document, reproduction, and distribution without prior written consent from the Inclusion System is prohibited.
Acknowledgement
The Inclusion System was born out of caring for the challenges of others in their work and the realization that through the work we do, we could help empower people working within the community living/developmental services community. It is these same values of caring for people and taking our work seriously that play key roles in how we have structured processes around our service and operations and in the security and maintenance of our systems.
Controls within Data Access and Information Security
The following is an overview of security measures in place for our systems containing client information. The security of this data – which include our own employee data – is highly important and we continuously review and improve our processes to further reduce risk.
Physical Security
Inclusion System offices are monitored 24/7 by a security company. The office is equipped with cameras at all entrances and any other sensitive areas. Access is restricted by electronic key cards and/or standard keys issued only after approval from management and limited only to areas where duties need to be performed.
Network Security
Select users of the Inclusion System are granted remote Virtual Private Network (VPN) access to the head office and data centres as needed to perform their duties. To gain full access to the network drives and database, Remote Desktop credentials need to be entered. All remote connections are monitored by system administrators.
Data Storage and Security
The Inclusion System platform is entirely web-based with its primary instance hosted in Canada within a Tier 1 high-availability data centre. The data centre is SOC2 Type 2, PDCI-DSS and SSAE16 compliant Its BGP4 multicarrier internet connection eliminates the possibility of a single point of failure for the network.
Our enterprise service has an availability and redundancy rating of 99.99%. The use of hyper-converged infrastructure adds another layer of protection against hardware failure and ransomware attacks. An encrypted offsite disaster recovery server is also hosted in another Canadian location, providing physical separation of environments. Inclusion System internally maintains two separate internet provider networks in our building for the Inclusion System support team. All systems are protected by firewalls and access to the environment is restricted to operations staff locally and our deployment team only. Data is always encrypted when transmitted off the server using 256-bit encryption, with certificates for encryption and identity verification. Inclusion System enforces data security at the database level to prevent any unauthorized information from being returned to the web application; there it is impossible to retrieve information without authorized use. All critical information related to payroll changes is recorded in the event of an audit, including any changes to employee compensation or values collected on the input sheet.
Data Backup Protocol
The Inclusion System databases are essentially cumulative and by their nature, your data is kept for as long as you are a customer. Inclusion System data is kept both at the primary site and the disaster recovery site and data is backed up implicitly every 15 minutes due to the nature of this configuration. Transaction logs are also kept for two weeks so a full point-in-time recovery can be made in the event it is needed.
Additional Data Transfer Security
All data transferred electronically from the Inclusion System to its clients is from a secured network and through encrypted channels by way of a secured ticketing system and/or through thee-Courier services. Data transferred to the Inclusion System from its clients is reviewed by a security system and flagged if it is suspected to be carrying harmful material. Flagged data is reviewed by Inclusion System administrators before release or full quarantine. Internal data transfer in the Inclusion System is restricted to the use of secure transfer drives monitored by system administrators. As needed, data may be transferred via Universal Serial Bus (USB) provided by system administrators. Default access to computer ports and DVD drives is disabled on all Inclusion System hardware and requires administrator consent to be used.
Data Sharing
Inclusion System will not sell or rent personally identifiable information to anyone. Inclusion System will send personally identifiable information about clients or their employees to other companies or people when we respond to subpoenas, court orders, or other legal processes.
Application Changes
All application changes at the Inclusion System must be approved by management. A standard change management application tool is in place where logging of change requests, code changes, testing history, and approvals are kept. Code changes undergo a review by another Inclusion System developer prior to testing. Once tested and approved, users are notified of system downtime and only select personnel are responsible for deploying changes to the live system. A review of deployed changes and integrity of the system occurs both by a member of the development and testing team prior to the system being turned on.
Employee Authorization
Inclusion System employees are subject to criminal record checks and sign confidentiality and intellectual property agreements. Inclusion System employees undergo training which includes confidentiality, security, and expected handling of sensitive information. Access to software used by clients and client information are granted only after completion of training and only if needed to fulfill their duties. Payment services tools, remittances software, systems database, and proprietary code access are granted only to select personnel and departments.
Termination and Changes
System administrators are notified of any Inclusion System employee terminations in order to disable access. Changes in security required for active Inclusion System employees are also communicated in a timely manner and action is taken upon receipt of notification.
Password Policy
A password policy has been approved by management, distributed to all employees, and is enforced by system administrators for all systems, especially those containing client data. This includes automatic expiration prompts, complexity criteria, and repeat use restrictions. Access keys to software directly related to processing payments from the trust are subJect to more frequent password changes to further eliminate risk of exposure.
Controls within the Clients Responsibility
The overall effectiveness of controls performed by the Inclusion System also relies on assumed controls set in place at the client’s organization.
User Access
The client provides the list of authorized users and permissions to be granted to the Inclusion System for initial setup. Once complete, Inclusion System provides the client administrator with the user list. It is then the client’s responsibility to manage, reassign, and disburse user access keys to their staff and associates – including updates to user access upon change in duties or employment status. It is also the client’s responsibility to ensure that user access keys are not shared between multiple staff or are stored in areas open to unauthorized personnel. Inclusion System staff may from time to time perform these actions for the client if prior authorization is received from client.
Contact Changes
Clients are expected to notify the Inclusion System of any termination of or changes to primary contacts in a timely manner.
Data Transfer
Clients are provided with encrypted and monitored communication channels to the Inclusion System for support at the time of setup. All electronic communication containing confidential information, such as, but not limited to, birthdates, Social Insurance Number (SIN), bank accounts, is recommended to be transmitted via e-Courier, an encrypted platform used by the Inclusion System support team. Inclusion System is responsible for creating the client profile, but it is the client\’s responsibility to use this service when transferring sensitive data to the Inclusion System.
Information and Payroll Review
Client account information is managed by the clients. It is the client\’s responsibility to ensure processes are in place to review payroll calculation results and other stored information for accuracy prior to the approval of payroll. While Inclusion System may be authorized to access and report on the client’s CRA account, it is the client\’s responsibility to review and identify any errors or inaccuracies in these balances. The same is true for any other third parties relevant to the payroll account to which access has been granted to the Inclusion System.