Service Instruction

Product: FOSS Cloud-Services (including Mosaic)

Subject: Data Handling and Security

1 Introduction
Cloud-Services are defined as Foss-hosted Mosaic Servers, FossAssure services and eShop user
management.
Information security practice in FOSS for our Cloud-Services system partners is guided by the
following fundamental principles (axioms):
• Our information security management system conforms to internationally accepted best
practice as defined in relevant standards such as ISO 27001 and ISO 27002.
• Information security controls are necessary to protect FOSS´s information assets against
unacceptable risks to their confidentiality (e.g. preventing unauthorized disclosure of sensitive
corporate or personal information), integrity (e.g. ensuring that human errors and programming
bugs do not reduce the completeness or accuracy of our data) and availability (e.g. minimizing
unplanned system downtime and consequent interruption of critical business processes).
• The Chief Information Security Officer (security manager) is responsible for the Information
Security Manual comprising supplementary policies, standards, procedures and guidelines for
information security. The function acts as an internal center of excellence providing leadership
and guidance on all matters relating to information security.
• We invest wisely in proven information security controls where justified on the basis of
lifecycle cost/benefit assessment and risk analysis.
• Information security is pervasive throughout the entire organization in order to protect all our
information assets (including those we own and those placed in our care). It is an inherent part
of our IT architecture and a component of our operational and management processes. In short,
we are all responsible for information security.
• Information security is a core element of corporate governance. It is closely related to aspects
such as IT management, physical site security, risk management, legal and regulatory
compliance and business continuity. It supports various obligations to our employees, business
partners and the community at large.
• Information security is a business enabler that allows us to enter more confidently into and
maintain business relationships, markets and situations that would otherwise be too risky. By
minimizing net losses resulting from information security breaches, it supports our financial
bottom line. It also enhances our corporate image as a trustworthy, open, honest and ethical
organization.

FOSS Analytical A/S Phone +45 70 10 33 70 FOSS Analytical Co., Ltd. Phone +86 512 62 92 01 00
Foss Allé 1 Fax +45 70 10 33 71 6 Louyang Road, Building 1 Fax +86 512 62 80 56 30
DK-3400 Hillerød E-mail info@foss.dk 215121, SIP, Suzhou E-mail info@foss.dk
Denmark Web www.fossanalytics.com P.R. China Web www.fossanalytics.com

Service Instruction, 6008 2699 / Rev. 1 1(6)

2 Statement of confidentiality
FOSS shall not reveal or disclose to any third party information (sample data, spectral data, trade or
service mark, methods, processes, know-how, and other proprietary information), which it receives
or accesses through the Mosaic Server or other Cloud-Services, nor will it use that information
otherwise than for the purposes of the provision of support to the customer and performance
monitoring of the Mosaic Server. These obligations will continue until such time as the same
information may become publicly available (other than by a breach of these obligations).

3 FOSS Mosaic Cloud-Services Security

3.1 Infrastructure
3.1.1 General group policy on IT security
The following rules are in place in order to protect our network from abuse from external sources:
• Access to any cloud-hosted server is restricted to FOSS purchased and configured computers.
Access by any 3rd party computers is prohibited.
• All remote access to FOSS Cloud-Services Server must originate from a computer within the
FOSS domain.
• All installed web services must be narrowly configured to specifically support our Cloud-
Services. Unneeded services and functions should be disable to prevent unauthorized access.
• Antivirus is required on all servers and definition files must be automatically updated.
• The operating system must be kept up-to-date through the regular application of Windows
Updates.
• All Cloud-Services servers must be secured by being a member of the domain to ensure
uniform application of all security policies.

3.1.2 Physical Access

All FOSS Cloud-Services are hosted offsite by an industry leader in online hosting solutions. We
do not host any customer data internally at FOSS.
Physical access to any servers containing FOSS customer data is strictly controlled by our hosting
partner in conformance with relevant standards such as ISO 27001 and ISO 27002.

3.1.3 Remote Access

Remote access to any cloud-service server and any data contained on those servers is limited to the
FOSS Global Software Support team and individual access on a time-limited basis to specific
members of the FOSS Software Development team. Access is for the purpose of software support
and maintenance of the servers to ensure availability/uptime of the Cloud-Services.
All remote access must originate from a computer within the FOSS domain.
All remote access users must conform with the password policy.

3.1.4 Remote Access Encryption

Remote access connections are encrypted using 128bit keys. Approved solutions are: Remote
Desktop with strong security configuration. Connection via IPSec/IKE tunnelling. Only service
operations personnel have the rights to invoke connection

Service Instruction, 6008 2699 / Rev. 1 2(6)

3.1.5 Monitoring
FOSS monitors all Cloud-Services infrastructure and critical software and services. Monitoring is
conducted 24-hours a day and alerts the Global Software Support team if a system or service is
performing outside of acceptable parameters.

3.1.6 Backup and Disaster Recovery

Backup of Cloud-Services data, including Mosaic data, is extremely important so we are able to
minimize the risk to all customer data stored on a FOSS Server.
All Cloud Servers are backed up twice a day and data is retained for 28 days.
All backups systems are tested regularly to ensure data recoverability.

3.1.7 Business Continuity

• Loss of network connectivity at Instrument
Loss of network connectivity between client (NIR Instrument Control App) and server (FOSS
Server Application)
This will not affect the local operation of the NIR Instrument and measurement can continue
unaffected with the current configuration data.
Potentially new configuration data that have been prepared on the server, will wait for
download when network connectivity is re-established.
New data to be uploaded to the server, will be cached locally and will be uploaded when
network connectivity is re-established.
• Cloud-Services Server Breakdown
Breakdown of FOSS Server Application will not affect the local operation of the NIR
Instrument and measurement can continue unaffected with the current configuration data.
Server will be restored according to disaster recovery plan.
New data to be uploaded to the server will be cached locally and will be uploaded when
network connectivity is re-established.
• Client Breakdown
If e.g. the PC controlling the NIR Instrument is damaged and can’t be recovered (e.g. using
locally stored backups) the procedure will: Install a new PC with the NIR Instrument Control
App (Nova), connect it to the server and get most recent configuration data downloaded. Then
measurement will be able to continue.

3.1.8 Anti-virus
All FOSS Cloud-Services Servers use industry standard antivirus programs with up-to-date
subscriptions to ensure we have access to the latest definition files. The definition files are updated
as soon as they become available by our provider.

3.1.9 Intrusion Prevention

To help ensure that our customer's data remains secure, FOSS tests our Cloud Servers quarterly for
security vulnerabilities.

Service Instruction, 6008 2699 / Rev. 1 3(6)

3.2 Security Policies
3.2.1 Password policy
The access to all local resources on our cloud-hosted systems and servers in FOSS is protected by
userid and password. Passwords are required to be rotated frequently and must meet standard
complexity rules.

3.2.2 Security updates.

Windows Update is a critical part of Microsoft’s security initiative aimed at keeping pc’s and
servers updated with security patches. All servers must have Windows Update configured to
download new updates as soon as they become available. The Updates must be applied regularly
and during time periods with the lowest impact on customer site usage. Windows Updates are
downloaded applied immediately during periods of high risk as determined by Microsoft.

3.3 Encryption
3.3.1 Client and Instrument Communication
All connections and communication between FOSS instruments and/or manager clients to FOSS
Cloud-Services Servers is encrypted. Keys and certificates are embedded into the application.
Public key certificate for / NIR Instrument Manager App (Mosaic Manager) is installed on the
client PC.
Connections from instrument and manager clients to the online service are protected via SSL
certificates and AES128/256 encryption; the protocol is applied to the message by message security
when used in HTTP mode. Communication between NIR Instrument Control App (Nova) / NIR
Instrument Manager App (Mosaic Manager) and the FOSS Server application (Mosaic) is based on
Windows Communication Foundation (WCF) encrypted with AES-256 and signed using a SSL
Certificate. For TCP connections it is transport level security and for HTTP it is message level
security.

3.3.2 Encryption Key Management

Keys comply with TLS/IKE and public key exchange procedures

3.4 Software Security

3.4.1 FOSS Data Access Policy
FOSS can access data stored on any FOSS Cloud Service Server for the following purposes
• The provision of service(s) subscribed to by the customer or related services.
• Technical and informational support requested by the customer to support the provision of
service(s).

4 Customer Responsibilities for Cloud-Services

4.1 Antivirus
The customer is responsible for maintain the security of their internal network including the
installation and maintenance of up-to-date antivirus programs on all computers and servers joined
to the network.

Service Instruction, 6008 2699 / Rev. 1 4(6)

4.2 Data management
4.2.1 Instrument Data Backups
It is solely the responsibility of the customer to conduct regular instrument data backups using the
instrument software. Data cannot be restored to the instrument without a valid instrument data
backup.

4.2.2 Retention of local instrument data

The customer will determine how long data will be retained on the local instrument and purge data
when it becomes obsolete or if/when the local database reaches the 10 GB capacity limit. The
configuration of data retention and purge options is done using the instrument software.

4.3 Data Access

4.3.1 Local Computer Access
It is the responsibility of the customer to manage which users have access to the local computer and
any data stored therein.

4.3.2 Mosaic User Accounts

It is the responsibility of the customer to manage which users have access to any data stored on a
Mosaic Server. This includes disabling or deleting user accounts in Mosaic or FossAssure to
unauthorized access.

4.4 Firewalls
4.4.1 Local PC Firewall and Instrument Connectivity
It is the customer's responsibility to ensure the client software (e.g ISIscan Nova, FossIntegrator,
ISIscan) is able to communicate with the instrument.
The customer is responsible for activating and maintaining the local Windows Firewall, or
equivalent. The firewall must be properly configured to allow communication between the
instrument and software.

4.4.2 Premise Firewall

The customer will ensure that the premise firewall(s) are properly configured to allow
communication between the instrument software and the Mosaic Server as well as the Mosaic
Client software and the Mosaic Server.

4.5 Remote Access

In the event of an instrument error or a fault, FOSS might access the instrument remotely for
troubleshooting purposes after the customer's permission.

5 Customer Responsibilities for Customer-Hosted

Mosaic Servers
The following customer responsibilities apply to those customers that have chosen to host a Mosaic
Server on-premise. These responsibilities are in addition to those described in

Service Instruction, 6008 2699 / Rev. 1 5(6)

5.1 Data management
5.1.1 SQL Management
The customer is responsible for the complete management of their SQL installation including:
• Obtaining all required SQL software, components and licenses
• Setting adequate memory and memory consumption limits
• Setting adequate paging resources
• Setting appropriate file locations and disk capacity
• Setting appropriate SQL security, access rights and DTC configuration
• Implementing an SQL maintenance plan schedule to at a minimum:
• Check DB Integrity
• Reorg indices
• Rebuild indices
• Update Statistics

5.1.2 Mosaic Database Backup

It is solely the responsibility of the customer to conduct regular SQL data backups of the Mosaic
Server data. The Mosaic Server does not perform database backups of any type.

5.1.3 Retention of Data

The Mosaic Server will collect and store a significant amount of data. The customer will determine
how long Mosaic data will be retained in the Mosaic database and purge data when it becomes
obsolete. The customer is responsible for monitoring disk capacity to ensure there is adequate disk
space to accommodate database growth.

Caution
The configuration of data retention and purge options is done using the
Mosaic software. Improperly purging data/deleting data from the Mosaic
Server database using any other tools, including SQL tools, can render the
Mosaic Server database unusable.

5.2 Data Access

5.2.1 Server Access
It is the responsibility of the customer to manage which users have access to the local server
resources, desktop, operating system and any data stored therein.

5.3 Remote Access

In order to receive installation or operational support for the Mosaic server, the customer will need
to supply some form of remote access, otherwise FOSS will not be able to support the installation.

Service Instruction, 6008 2699 / Rev. 1 6(6)