1 Introduction
Cloud-Services are defined as Foss-hosted Mosaic Servers, FossAssure services and eShop user
management.
Information security practice in FOSS for our Cloud-Services system partners is guided by the
following fundamental principles (axioms):
• Our information security management system conforms to internationally accepted best
practice as defined in relevant standards such as ISO 27001 and ISO 27002.
• Information security controls are necessary to protect FOSS's information assets against
unacceptable risks to their confidentiality (e.g. preventing unauthorized disclosure of sensitive
corporate or personal information), integrity (e.g. ensuring that human errors and programming
bugs do not reduce the completeness or accuracy of our data) and availability (e.g. minimizing
unplanned system downtime and consequent interruption of critical business processes).
• The Chief Information Security Officer (security manager) is responsible for the Information
Security Manual comprising supplementary policies, standards, procedures and guidelines for
information security. The function acts as an internal center of excellence providing leadership
and guidance on all matters relating to information security.
• We invest wisely in proven information security controls where justified on the basis of
lifecycle cost/benefit assessment and risk analysis.
• Information security is pervasive throughout the entire organization in order to protect all our
information assets (including those we own and those placed in our care). It is an inherent part
of our IT architecture and a component of our operational and management processes. In short,
we are all responsible for information security.
• Information security is a core element of corporate governance. It is closely related to aspects
such as IT management, physical site security, risk management, legal and regulatory
compliance and business continuity. It supports various obligations to our employees, business
partners and the community at large.
• Information security is a business enabler that allows us to enter more confidently into and
maintain business relationships, markets and situations that would otherwise be too risky. By
minimizing net losses resulting from information security breaches, it supports our financial
bottom line. It also enhances our corporate image as a trustworthy, open, honest and ethical
organization.
FOSS Analytical A/S, Foss Allé 1, DK-3400 Hillerød, Denmark
Phone +45 70 10 33 70, Fax +45 70 10 33 71, E-mail info@foss.dk, Web www.fossanalytics.com
FOSS Analytical Co., Ltd., 6 Louyang Road, Building 1, 215121, SIP, Suzhou, P.R. China
Phone +86 512 62 92 01 00, Fax +86 512 62 80 56 30, E-mail info@foss.dk, Web www.fossanalytics.com
3.1.8 Anti-virus
All FOSS Cloud-Services Servers use industry-standard antivirus programs with up-to-date
subscriptions to ensure we have access to the latest definition files. The definition files are updated
as soon as they are made available by our provider.
3.3 Encryption
3.3.1 Client and Instrument Communication
All connections and communication between FOSS instruments and/or manager clients and FOSS
Cloud-Services Servers are encrypted. Keys and certificates are embedded into the application.
The public key certificate for / NIR Instrument Manager App (Mosaic Manager) is installed on the
client PC.
Connections from instrument and manager clients to the online service are protected via SSL
certificates and AES128/256 encryption; when used in HTTP mode, the protection is applied to each
message individually (message-level security). Communication between NIR Instrument Control App
(Nova) / NIR Instrument Manager App (Mosaic Manager) and the FOSS Server application (Mosaic) is
based on Windows Communication Foundation (WCF), encrypted with AES-256 and signed using an SSL
certificate. For TCP connections, transport-level security is used; for HTTP, message-level
security is used.
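The transport-level versus message-level distinction above maps directly onto WCF binding configuration. The following app.config fragment is an added illustration and is not FOSS's own configuration: the contract name, endpoint addresses and certificate subject name are placeholders. It shows a netTcpBinding protecting the whole TCP stream (transport security) beside a wsHttpBinding that encrypts and signs every SOAP message on its own (message security), with the Basic256 algorithm suite selecting AES-256 as the symmetric cipher.

```xml
<!-- Added illustration (not FOSS's configuration): WCF bindings contrasting
     transport-level security on TCP with message-level security on HTTP.
     Service name, contract, addresses and certificate subject are placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <!-- TCP endpoint: the TLS session protects the entire stream; the server
           authenticates with its certificate and every frame is encrypted and signed. -->
      <netTcpBinding>
        <binding name="TcpTransportSecurity">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
      <!-- HTTP endpoint: each message is encrypted and signed (WS-Security), so the
           protection travels with the message rather than with the connection.
           Basic256 = AES-256 for encryption. -->
      <wsHttpBinding>
        <binding name="HttpMessageSecurity">
          <security mode="Message">
            <message clientCredentialType="Certificate"
                     algorithmSuite="Basic256"
                     negotiateServiceCredential="false" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="ExampleNamespace.InstrumentService" behaviorConfiguration="ServerCert">
        <endpoint address="net.tcp://example.invalid:8443/instrument"
                  binding="netTcpBinding" bindingConfiguration="TcpTransportSecurity"
                  contract="ExampleNamespace.IInstrumentService" />
        <endpoint address="http://example.invalid:8080/instrument"
                  binding="wsHttpBinding" bindingConfiguration="HttpMessageSecurity"
                  contract="ExampleNamespace.IInstrumentService" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServerCert">
          <!-- Server certificate used for TLS on TCP and for signing on HTTP;
               store and subject name are placeholders. -->
          <serviceCredentials>
            <serviceCertificate findValue="CN=example-server"
                                storeLocation="LocalMachine" storeName="My"
                                x509FindType="FindBySubjectDistinguishedName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

With negotiateServiceCredential set to false on the HTTP binding, the client must already hold the server's public key certificate to encrypt messages to it, which is the situation the section describes when it says the certificate is installed on the client PC. The practical check on the server side is that the netTcpBinding endpoint refuses plaintext connections entirely, while the wsHttpBinding endpoint carries ciphertext inside an otherwise plain HTTP exchange, so a packet capture of either should show no readable payload.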
4.4 Firewalls
4.4.1 Local PC Firewall and Instrument Connectivity
It is the customer's responsibility to ensure the client software (e.g. ISIscan Nova, FossIntegrator,
ISIscan) is able to communicate with the instrument.
The customer is responsible for activating and maintaining the local Windows Firewall, or
equivalent. The firewall must be properly configured to allow communication between the
instrument and software.
Caution
The configuration of data retention and purge options is done using the
Mosaic software. Improperly purging or deleting data from the Mosaic
Server database using any other tools, including SQL tools, can render the
Mosaic Server database unusable.