Cloud Security Policy | TimeTec
Cloud Security Policy
 
Academia
TimeTec pays serious attention to security issues, and investigates all reported vulnerabilities. This page explains TimeTec’s practice for addressing potential vulnerabilities in aspects of our cloud services.
ISO 27001

ISO 27001 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. The basis of this certification is the development and implementation of a rigorous security program, which includes the development and implementation of an Information Security Management System (ISMS) which defines how TimeTec perpetually manages security in a holistic, comprehensive manner. This widely-recognized international security standard specifies entities:
Systematically evaluate our information security risks, taking into account the impact of company threats and vulnerabilities.
   
Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks.
   
Adopt an overarching management process to ensure that the information security controls meet our information security needs on an ongoing basis.


The Company has successfully obtained the ISO/IEC Information Security Management System (ISMS) on 8th March 2018.
Penetration Test

TimeTec engages with an external Cyber-security specialist to conduct penetration test (Black Box & White Box for Web and Mobile Application) that focus on real security and compliance problems for TimeTec Cloud System.
A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. These vulnerabilities may exist in operating systems, service and application flaws, improper configurations, or risky end-user behavior. Such assessments are also useful in validating the efficacy of defensive mechanisms, as well as, end-user adherence to security policies. A penetration test can help determine whether a system is vulnerable to attack, if the defences were sufficient, and which defences (if any) the test defeated.

The Company conducts penetration tests on an annual basis towards our solutions for better vulnerabilities management. We are committed to mitigate all identified vulnerabilities to maintain an optimum level of security. The results of these tests are strictly confidential and any requests to obtain the test reports must be submitted to us; accompanied by the signing of an NDA with the release of the reports being strictly at our discretion.

Download NDA
Using 2-Factor Authentication (2FA) in TimeTec

For increased security, we recommend that you configure 2-factor authentication (2FA) to help protect your TimeTec accounts. 2FA adds extra security because it requires users to enter a unique authentication code from an approved authentication device. Striving to provide our users peace of mind, we work with renowned third party provider - Google Authenticator to enhance the security level of your TimeTec account. This 2-factor authentication feature definitely improves security because signing in will require 2 things - a code generated by the Google Authenticator mobile app in addition to your account password.
You have questions regarding the 2FA – go to http://www.timetecta.com/2step
HTTPS:

All communication in and out of our TimeTec cloud platform is done through https. "Hypertext Transfer Protocol Secure (HTTPS) is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet."
Amazon AWS:

In an effort to ensure all your data is kept secure we are using one of the best names in server and cloud computing, Amazon AWS PaaS, "Platform as a Service". Technically speaking, we secure our data with the following security services.
TimeTec utilizes AWS Services that are ISO 27001 and PCI DSS L1 Certified:

• Amazon Web Services Elastic Compute Cloud (EC2)
• Amazon Web Services Simple Storage Service (S3)
• Amazon Web Services Relational Database Service (RDS)
• Amazon Web Services Elastic Load Balancing (ELB)
• Amazon Web Services Identity and Access Management (IAM)
• Amazon Web Services Elastic Block Storage (EBS)
• Amazon Web Services Simple email service(SES)
• Amazon Web Services CloudFront
• Amazon Web Services Route 53
• Amazon Web Services CloudWatch + Amazon Simple Notification Service(SNS)
• Amazon Web Services VPC
• Amazon Web Services Shield Standard to defend against DDoS attacks
Vulnerability Reporting

Reporting Suspected Vulnerabilities
If you suspect that TimeTec resources are being used for suspicious activity, you can report it to us here. So that we can effectively respond to your report, please provide any supporting material that would be useful in helping us understand the nature and severity of the vulnerability.

All information that you share with TimeTec as in this process is kept confidential within TimeTec team and will not be shared with third parties without obtaining your permission.

TimeTec will review the submitted report, we will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
Evaluation By TimeTec
TimeTec will work to validate the reported vulnerability, once the report is received. If additional information is required to validate or simulate the issue, TimeTec will work with you to obtain it. When the initial investigation is complete, results will be delivered to you along with a plan for resolution and public disclosure.
Things to Note about TimeTec Evaluation Process:
1. Third-Party Products - If the vulnerability is found to affect a third party product, TimeTec will notify the party involved. We will continue to coordinate between you and the third party; your identity will not be disclosed to the third party without your permission.
   
2. Confirmation of Non-Vulnerabilities - If the issue cannot be validated, or is not found to be a flaw in TimeTec product, we will share the information with you.
   
  TimeTec wants to keep you informed of our progress as we investigate and / or mitigate your reported security concern. You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability. You will receive progress updates from us at least every five working days.
Public Notification
If applicable, TimeTec will coordinate public notification of a validated vulnerability with you. We would prefer that our respective public disclosures be posted simultaneously.

In order to protect our customers, TimeTec requests your cooperation to not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.

We also respectfully ask from you to refrain from posting or sharing any data belonging to our customers. Addressing a valid reported vulnerability is a rather long process and it will vary based on the severity of the vulnerability and the affected systems.
Report a Security Issue

If you're a security researcher and you believe that you have found a security issue in any of TimeTec's services, please e-mail your findings to security@timeteccloud.com
If you're not reporting a security vulnerability, we're unable to respond to your message. The following may help resolve your issues:
 
 1. For Unknown, Suspicious or Fraudulent Purchases, Orders, or Credit Card Transactions, Suspicious Password Changes, Account Changes, or Potential Fraud please contact sales@timeteccloud.com
   
 2. For other TimeTec Issues, contact support@timeteccloud.com