Security Policy

OrgPlan’s entire package of services provides the safest possible service by taking responsibility for protecting your systems and data. The approach we take is recorded in the OrgPlan Information Security Policy. Our information security policy was drawn up in accordance with international standards.

OrgPlan and Data Storage

OrgPlan never stores any employee data when our software is used in the regular way. The customer’s data always stays with the customer. The customer is therefore responsible for the security of its own data.

Exceptions

However, there are cases in which OrgPlan does receive a customer’s data, for example when testing, completing, or correcting customer data files. In those cases OrgPlan guarantees:

  • to deal carefully and discreetly with the customer’s data,
  • to store the customer’s data in a safe place,
  • not to publish or sell the customer’s data,
  • and to remove the customer’s data as soon as the job is done.

Software Development

When developing and managing our software we always use best practices, such as:

  • ISO 27001/ISO 27002: the ISO standards for information security.
  • COBIT: Control Objectives for Information and Related Technology is a framework for the structured design and assessment of IT control environments.
  • Dutch National Cyber Security Centre: ICT security guidelines for web applications.
  • OWASP top 10: The ten main security risks for web applications compiled by the Open Web Application Security Project (OWASP).
  • Microsoft SDL and the CWE/SANS Top 25: Microsoft’s list of the 25 most dangerous programming errors and vulnerabilities encountered in software development.

OrgPlan Software in the Cloud

The OrgPlan software is stored in a Public or Private Cloud, but it runs fully in memory on the end user’s local client (device). In the case of a Public Cloud solution, our software is loaded from our software server over HTTPS (HyperText Transfer Protocol Secure). In the case of a Private Cloud solution, our software is loaded from the customer’s software server over a protocol for which the customer is responsible. In both cases OrgPlan checks whether the customer is entitled to use our software.

OrgPlan and Protection

Customer data is stored in (JSON) files that reside on the customer’s devices only. OrgPlan gives customers many options for building security measures around these files in order to comply with their own security policies, e.g.:

  • storage within and access from secured and customer controlled portals (like SharePoint),
  • storage within and access from ESS, MSS, and PSS portals,
  • storage within and access from community portals (like Google+).

The files themselves can be protected with differentiated passwords that limit access:

  • in functionality,
  • in data usage.

Passwords are always stored encrypted.

Managing security incidents

We ensure strict compliance with our security measures. Any deviation from these measures is detected, investigated and classified. We record every infringement of the security measures, and additional measures are introduced on the basis of these incidents and their records.

Certification and testing

The quality, safety and privacy of our software and services are demonstrated by various audits. We test the OrgPlan infrastructure and software for vulnerabilities at least once a year, and whenever major functional or technical changes have been made. Furthermore, we conduct an internal penetration test for every new release, based on a test approach that is reviewed monthly.

OrgPlan Ltd., May 2018