
DECOS TRUST CENTER

“Trust but verify” is a statement made famous by former US President Ronald Reagan; it reminds us that it is important to verify that the agreements made have actually been implemented. In the Decos Trust Center you can read which measures Decos has implemented to assure you that we handle your data safely and in compliance with privacy and legal requirements. 

COMPLIANCE

Decos is no stranger to complying with national, international and sector-specific standards and agreements. 

For instance, we have long been certified against ISO/IEC 27001:2017, the globally recognised standard for information security management. We also adhere to ISO 16175 (previously NEN 2082), which governs records management and archiving. In addition, we are familiar with the Dutch Government Information Security Baseline (BIO). The BIO describes how the NEN-ISO/IEC 27001:2017 and NEN-ISO/IEC 27002:2017 standards are to be applied within the Dutch government. 

Our current ISO 27001:2017 certificate and the accompanying Statement of Applicability can be found here. 

We are also in the process of implementing SOC 2, one of the report types in the AICPA System and Organization Controls (SOC) framework. A SOC 2 audit assesses the controls of a service organisation, such as a Cloud Service Provider (CSP), against the Trust Services Criteria of the American Institute of Certified Public Accountants (AICPA). The process first results in a SOC 2 Type 1 report (design and existence of the controls at a point in time) and, after an agreed observation period (often 3 or 6 months), a SOC 2 Type 2 report (operating effectiveness over that period). We expect to have the SOC 2 Type 1 report in Q3 2021. 

For the products for which we offer a DigiD connection, we also meet the DigiD security assessment norm set by Logius. For this, Decos is audited by an approved auditor affiliated with NOREA, the Dutch association of IT auditors. An up-to-date assurance report of this audit is available to our customers. 

Security

Decos manages data and systems for various local and regional government authorities and businesses. Our principles and practices are based on our customers' need to have their data and systems protected using up-to-date techniques and standards.  

Because of the requirements of the General Data Protection Regulation (GDPR), Decos has chosen to keep all systems and data within the European Economic Area (EEA). For this we use the Microsoft and Amazon data centres in Western and Northern Europe. The Microsoft data centres (the West Europe and North Europe regions) are located in the Netherlands and Ireland respectively. The Amazon data centres are spread over multiple countries in Europe. 

Microsoft and Amazon themselves are certified against many of the standards that are required in different industries. The Microsoft certifications can be found here and the Amazon certifications here. 

Decos' own control objectives and measures are based, among other things, on the aforementioned ISO 27001:2017 standard and the OWASP Top 10.

Application security 

Decos uses a security-oriented design built up of multiple layers, one of which is the application layer. The applications developed by Decos are designed and continuously verified against the OWASP Top 10. All code is peer-reviewed before it is released to the production environment.  
 
We also make use of vulnerability scans, end-to-end tests and unit tests, and our applications are tested by external certified agencies.  

 

Data encryption 

Decos encrypts data both “in transit” and “at rest”: 

  • All traffic is encrypted using TLS 1.2 or higher. 
  • Data “at rest” is encrypted using AES-256 or stronger. 
  • Login details (passwords) are never stored in plain text: they are stored as a salted hash produced by a modern password hashing function. 

Responsible disclosure 

Decos has had a responsible disclosure policy in place for some time now. This enables security researchers from all over the world to report a problem to us when they find one. Over the years Decos has built an active community of ethical hackers who test our applications. 

 

Physical security 

Decos applies a “cloud-first” policy, which means that the infrastructure in our offices is minimal. We do, of course, use personal access control systems, CCTV and alarm systems. By default, employees only have access to the general areas such as the work floor.  

 

Organizational security 

In order to offer safe and secure products, our own organization needs to be safe and secure as well. This means that all our employees: 

  • Are made aware of information security from the moment they start at Decos.  
  • Are continuously educated on information security. 
  • Have to provide a “Verklaring omtrent gedrag” (VOG, the Dutch certificate of conduct) in addition to the regular screening. 
  • Have to use 2FA to access our systems. 
  • Have an NDA clause in their contract. 

 
We are planning to implement a SIEM platform to aggregate the logs from various sources, apply monitoring rules to the aggregated logs and flag suspicious activity. We are already collecting these logs. Once the SIEM is in place, our internal processes will define how alerts are triaged, investigated further and escalated appropriately. Key system logs will be forwarded from each system to the SIEM, where they are stored read-only, and the security team will create alerts on the security analytics platform and monitor for indicators of compromise.  

Identity Management 

All our employees are required to use Multi-Factor Authentication (MFA/2FA) to access our systems, and we are migrating further towards a Zero Trust policy for system access. We apply strict role-based access control (RBAC) and grant privileges only on a need-to-have basis.  

Events and logs related to failed or successful authentication are aggregated for monitoring and triage. 
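The SIEM paragraph above and this one describe the same pipeline: collect authentication events, apply a rule, raise an alert for triage. The following is an added example for this page, not Decos code or the rule set of any Decos system: a sliding-window rule over a handful of constructed authentication log lines that flags a burst of failed logins from one source, distinguishes a single-account brute force from a spray across many accounts, and raises a separate, higher-priority alert when a success follows such a burst. The log format, field names, thresholds and the documentation-range IP addresses are all assumptions.

```python
"""Added example (not Decos code): a brute-force / password-spraying detection
rule run over constructed authentication log lines, of the kind a SIEM rule
would apply to aggregated logs. Log format, field names, thresholds and the
sample addresses are illustrative assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed key=value format. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real sources.
SAMPLE_LOG = """\
2021-05-03T10:00:01Z auth result=failure user=alice src=203.0.113.5
2021-05-03T10:00:05Z auth result=failure user=alice src=203.0.113.5
2021-05-03T10:00:09Z auth result=failure user=bob src=203.0.113.5
2021-05-03T10:00:12Z auth result=failure user=carol src=203.0.113.5
2021-05-03T10:00:20Z auth result=failure user=dave src=203.0.113.5
2021-05-03T10:00:31Z auth result=success user=dave src=203.0.113.5
2021-05-03T10:05:00Z auth result=failure user=erin src=198.51.100.7
2021-05-03T11:30:00Z auth result=success user=erin src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5             # failures within WINDOW from one source -> alert
SPRAY_USERS = 3                # distinct users among those failures -> spraying
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect(log_text):
    """Return a list of alert dicts in the order the triggering events occur."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> deque of (timestamp, user)
    flagged = set()                         # sources already alerted on (one alert per run)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                        # unparseable lines are skipped, not fatal
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > WINDOW:   # slide the window forward
            q.popleft()
        if ev["result"] == "failure":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= FAIL_THRESHOLD and ev["src"] not in flagged:
                users = {u for _, u in q}
                kind = "password_spray" if len(users) >= SPRAY_USERS else "brute_force"
                alerts.append({"kind": kind, "src": ev["src"], "ts": ev["ts"],
                               "failures": len(q), "users": sorted(users)})
                flagged.add(ev["src"])
        elif ev["result"] == "success" and len(q) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the signal to escalate first.
            alerts.append({"kind": "success_after_failures", "src": ev["src"],
                           "ts": ev["ts"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the fifth failure from 203.0.113.5 (four different accounts in 20 seconds) produces a `password_spray` alert, and the success for `dave` eleven seconds later produces a `success_after_failures` alert, the one an analyst should pick up first. The single failure from 198.51.100.7 followed by a success 85 minutes later falls outside the window and stays quiet, which is the behaviour you want for a user who mistyped a password once.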

 

Backups and disaster recovery 

We take data availability and governance seriously and treat them as a daily automated process. Our database backup policy runs a backup every 5 minutes to secure your data, combined with daily full and differential backups. All other resources follow a daily full backup and, where possible, we use snapshot technology. 

Backups are stored in at least two different EU cloud data centre locations. This enables us to restore your data and services without data loss and with minimal impact. Our default retention period for backups is 30 days.
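In the spirit of "trust but verify", a backup policy like the one above is only as good as the check that it is actually being met. The following is an added example for this page, not Decos tooling: it evaluates a small constructed backup inventory against the three stated properties (a copy no older than 5 minutes, every backup present in at least two locations, nothing kept beyond the 30-day retention period) and reports the deviations. The manifest layout, backup identifiers and location names are assumptions.

```python
"""Added example (not Decos code): checking a backup inventory against the
stated policy (5-minute RPO, copies in at least two locations, 30-day
retention). Manifest layout, backup ids and location names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

RPO = timedelta(minutes=5)        # newest copy must be at most this old
RETENTION = timedelta(days=30)    # older copies are candidates for pruning
MIN_LOCATIONS = 2                 # each backup must exist in this many locations

# Constructed manifest entries: (backup id, kind, location, completion time in UTC).
MANIFEST = [
    ("db-log-1003",  "db_log",  "eu-west",  datetime(2021, 5, 3, 10, 3)),
    ("db-log-1003",  "db_log",  "eu-north", datetime(2021, 5, 3, 10, 3)),
    ("db-full-0503", "db_full", "eu-west",  datetime(2021, 5, 3, 2, 0)),
    ("db-full-0503", "db_full", "eu-north", datetime(2021, 5, 3, 2, 0)),
    ("db-diff-0502", "db_diff", "eu-west",  datetime(2021, 5, 2, 14, 0)),  # only one copy
    ("db-full-0330", "db_full", "eu-west",  datetime(2021, 3, 30, 2, 0)),  # past retention
]


def check_backups(manifest, now):
    """Evaluate the policy at time `now` and return the findings as a dict."""
    latest = max(ts for _, _, _, ts in manifest)
    locations = defaultdict(set)
    for backup_id, _, location, _ in manifest:
        locations[backup_id].add(location)
    under_replicated = sorted(b for b, locs in locations.items()
                              if len(locs) < MIN_LOCATIONS)
    expired = sorted({b for b, _, _, ts in manifest if now - ts > RETENTION})
    return {
        "rpo_ok": now - latest <= RPO,
        "latest_age_minutes": (now - latest).total_seconds() / 60,
        "under_replicated": under_replicated,   # violates the two-location rule
        "expired": expired,                      # should have been pruned
    }


def is_compliant(manifest, now):
    """True only when every property of the policy holds."""
    r = check_backups(manifest, now)
    return r["rpo_ok"] and not r["under_replicated"] and not r["expired"]


if __name__ == "__main__":
    print(check_backups(MANIFEST, datetime(2021, 5, 3, 10, 6)))
    print(is_compliant(MANIFEST, datetime(2021, 5, 3, 10, 6)))  # False
```

Run against the constructed manifest at 10:06 the RPO is met (newest copy is 3 minutes old), but the check still fails: the 2 May differential backup exists in one location only, and the 30 March full backup is 34 days old and should have been pruned. A few minutes later, with no new copy, the RPO check fails as well. A check like this belongs in the same monitoring pipeline as the security alerts, so that a silently stalled backup job is noticed before a restore is needed.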