We care about your data
As if it were our own...

IT Auditing

Keeping our clients' data safe is of paramount importance at InsuBiz. Just as important to us is reassuring our clients that we are on top of things at all times. Therefore, InsuBiz is audited in accordance with International Standard on Assurance Engagements (ISAE) 3402 Type II.

The scope of the 3402 standard is to ensure that all relevant processes are thoroughly documented, that efficient controls are in effect, and that these controls are well documented and have been carried out over a certain period of time.

Control Actions

The InsuBiz ISAE 3402 accreditation has been designed with a focus on securing sensitive personal data and is based on the legal requirements on Processing of Personal Data in combination with the relevant parts of ISO 27001. The following main areas are covered:

  • User training
  • Telecommuting
  • Access control
  • User administration
  • Data handling
  • Data communication
  • Logging
  • Change management
  • Incident management
  • Contingency plans

Outsourcing

InsuBiz uses only certified partners for server hosting and through our ISAE 3402 accreditation any outsourcing agency must comply with strict controls in areas like:

  • Security backups
  • Access control
  • Physical security
  • Operation & capacity monitoring

Security Policies

InsuBiz has a security policy in place that describes all issues concerning information security to ensure that the company always complies with the current legislation in this area. 

“The independent third-party ISAE 3402 certification guarantees clients a high level of security and quality thanks to predefined operational controls.”

We have well-structured procedures and controls in all our processes. With an ISAE 3402 accreditation from BDO we can prove it.
Allan Bredahl, Director of Technology & Operations

IT Security

Cyber attacks are becoming increasingly sophisticated. This can potentially lead to system crashes and loss of confidential data. The most effective way to prevent such attacks is by identifying vulnerabilities before they can be maliciously exploited.

In co-operation with Digicure Deloitte, one of the leading players in the field of Internet security, InsuBiz uses a combination of two methods to keep the solution and infrastructure safe: Scheduled Security Vulnerability Analysis and Comprehensive Custom Penetration Testing.

Security Vulnerability Analysis

Four times a year, an external vulnerability analysis is performed against the InsuBiz infrastructure. The analysis leads to a rating of the IT security and a detailed, unbiased vulnerability report that provides directions on how we can effectively remediate potential vulnerabilities.

The workflow of the analysis is:

1 - Discovery: Identifying all active TCP & UDP ports on the tested IP range.
2 - Enumeration of services: Enumeration of services on open ports through the use of tools.
3 - Vulnerability scanning: The obtained information is used in combination with a range of cutting-edge tools to carry out extensive vulnerability analyses. Findings are compared against a database containing several thousand known vulnerabilities.
4 - Sanity check: To avoid false positives, Digicure's experienced security technicians perform detailed research and a verification test. The purpose is to verify results through all available sources and, last but not least, to validate all vulnerabilities manually.
5 - Manual research: The analysis results are validated through the use of a variety of manual procedures and know-how. This is done in order to identify and validate other potential vulnerabilities.
6 - Reporting: Digicure's experienced security technicians craft a detailed, unbiased report with recommendations for remediating potential vulnerabilities.

Custom Penetration Testing

InsuBiz uses only certified partners for server hosting and through our ISAE 3402 accreditation any outsourcing agency must comply with strict controls regarding:

  • Servers and services cannot be compromised
  • Authorization processes cannot be compromised
  • Applications and websites cannot be compromised
  • Roles and security rights cannot be compromised
  • Without authorization it is impossible to get to protected data

Deloitte’s methodology for penetration testing is based upon central areas from the OWASP Testing Guide and the OWASP Development Guide. The methodology consists of a combination of automated and manual penetration testing techniques to ensure thorough coverage of the systems in scope.

“Digicure finds the potential vulnerabilities and helps secure the InsuBiz infrastructure”

