ReloTracker Hosting and Backup

Purpose: This document explains the measures taken to ensure the security and availability of
information that we host.
Author: David Sanders
Revised: 10 October, 2013
Status: Public
Overview
This information only applies to the ReloTracker systems and other information, such as websites and
email accounts, that we host. If your ReloTracker system is hosted by another provider, then you need to
understand their policies and practices.
Hosting Security
We lease dedicated servers that are located in the facilities of Nucleus (http://nucleus.be). Since they
are dedicated, no one else has access to them, including hosting infrastructure personnel. The server
facility in Antwerp, Belgium is designed to incorporate industry-standard security measures:
Fully class A certified (ISO certification in process).
Equipped with guaranteed and redundant power supply.
Top-quality access control and protection against intrusion.
Water and fire detection.
Climate control throughout.
The facility itself and each server rack have redundant network connections in case one should fail.
For ReloTracker, the databases are kept on a second server, not on the web server, as another physical
and technical security barrier. Our servers are equipped with RAID technology, which means that
anything that is written to one hard disk is immediately copied to another hard disk.
Backup
The backing up of data is completely the responsibility of the hosting provider. For the sites we host, full
backups are made once per week, and interim backups are made nightly.
© 2013 ReloTracker
The backup files are automatically stored on servers at a facility in the Brussels area that meets the
same standards as the Antwerp facility. Backup files are encrypted and audited on a regular basis.
In case of a severe disruption of the Antwerp facility, the web applications and databases can be
restored from backup to other servers online, without physical intervention.
Appendix A: Frequently Asked Questions
Here are examples of questions that have been asked by employers and RMCs in RFPs/RFQs, and the
appropriate responses.
Infrastructure
Is this application hosted under ISO 27001 certification?
The hosting provider is currently undergoing an ISO 27001 certification process, to be completed by
spring, 2014. We try to stay current with industry standards regarding network and firewall
configuration (setting all ports closed unless specifically needed).
Are the data center facility and services assessed for risk and audited for control weaknesses? If yes,
what is the frequency of assessments? And how are the gaps/weaknesses mitigated in a timely
manner?
Different systems are assessed according to different schedules. Most security systems are assessed
monthly, others quarterly. There is an annual audit that is conducted internally.
Have you defined key performance indicators (KPIs) for the security of the hosting infrastructure at
the operating system, database and the application level?
KPIs have been defined for availability, request/response performance, application security and event
logging, firewall security and event logging, and database security and event logging, such as Remote
Connection Intrusion Attempts.
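As an added example (not from this document or the hosting provider), the following Python computes a "remote connection intrusion attempts" KPI of the kind listed above from authentication log lines: total failed remote logins, distinct source addresses, and sources that produced a burst of failures within a short window, which is the condition an engineer on duty would want alerted. The log format, host names and addresses are constructed for the example; a production version would read the real Windows and MSSQL logon events instead.

```python
"""Compute a 'remote connection intrusion attempts' KPI from authentication logs.

Added example; the log format below is constructed for illustration and is not
the format of any product named on the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (timestamp, host, service, message). The source
# addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2013-10-09T22:01:11 dbsrv01 mssql: login failed for user 'sa' from 198.51.100.23
2013-10-09T22:01:13 dbsrv01 mssql: login failed for user 'sa' from 198.51.100.23
2013-10-09T22:01:14 dbsrv01 mssql: login failed for user 'admin' from 198.51.100.23
2013-10-09T22:01:16 dbsrv01 mssql: login failed for user 'sa' from 198.51.100.23
2013-10-09T22:01:17 dbsrv01 mssql: login failed for user 'test' from 198.51.100.23
2013-10-09T22:03:40 websrv01 rdp: login failed for user 'backupop' from 203.0.113.8
2013-10-09T22:04:02 websrv01 rdp: login succeeded for user 'backupop' from 203.0.113.8
2013-10-10T03:15:00 dbsrv01 mssql: login failed for user 'reporting' from 203.0.113.77
"""

# Only failed logins count towards the KPI; successful ones do not match.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<service>\w+): login failed "
    r"for user '(?P<user>[^']*)' from (?P<src>\S+)$"
)


def parse_failed_logins(text):
    """Return one dict per failed remote login; all other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def attempts_by_source(events):
    """Number of failed attempts per source address."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["src"]] += 1
    return dict(counts)


def burst_sources(events, threshold, window):
    """Sources with at least `threshold` failures inside any sliding `window`.
    This is the alert condition behind the KPI: many failures from one
    address in a short time, as opposed to the occasional mistyped password."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev["ts"])
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)


def kpi_report(text, threshold=5, window=timedelta(minutes=1)):
    """The figures that would be reported against the KPI for one log extract."""
    events = parse_failed_logins(text)
    return {
        "failed_remote_logins": len(events),
        "distinct_sources": len(attempts_by_source(events)),
        "burst_sources": burst_sources(events, threshold, window),
    }


if __name__ == "__main__":
    print(kpi_report(SAMPLE_LOG))
```

The threshold and window are the tuning knobs: the single failed RDP login followed by a success is ordinary user behaviour and stays below the alert line, while five failures against different account names in six seconds from one address is flagged.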
How do you secure servers hosting the application and the database?
The servers are in a locked part of a server rack in a secure facility. Customers with dedicated
servers have access only after requesting it, and under supervision. The building is guarded 24/7 by a
security officer on site, and there is extensive motion detection and camera security through a CCTV system. There are also extensive fire detection and extinguishing systems, and water detection.
Is an intrusion detection or prevention system implemented?
Border routers are used together with a Check Point firewall. Alerts are sent to the engineer on duty.
Does the hosting provider use up-to-date anti-virus, anti-spyware scanning, firewall and intrusion
detection software to protect information?
Yes.
What steps have been taken to protect web application programs?
Unnecessary programs and utilities have been removed from the servers, and scripts do not have read
access.
What is your patch management policy?
Patches are sorted by their importance and urgency, and are implemented accordingly. Windows,
MSSQL, and ASP.NET patches, as well as application patches are implemented according to urgency.
Critical patches are implemented immediately, and we use that window to also apply non-critical
patches.
Backup
What tools/methods are available for secure data backup, transfer, and restore?
A proprietary backup system is running on the production and backup servers. The backup data is
encrypted and transmitted to backup servers at another facility managed by the same infrastructure
provider and under the same security restrictions as the main hosting facility.
How do you ensure that backed-up data is not commingled with other customers' data?
Each system and database is backed up separately on the remote backup server. Each system and
database can be restored at any time.
How often is the information backed up?
Full backups are made weekly and incremental backups are made daily.
How long are backups maintained?
Seven days.
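The schedule described in the Backup section and in the answers above (weekly full, nightly incremental, seven days of retention, encrypted copies at a second facility) has a failure mode worth checking for: an incremental backup can only be restored if its base full and every intermediate incremental still exist, so pruning strictly by age, or a single missed night, silently removes restore points. The following Python is an added example and not the proprietary backup system the page mentions; the catalogue, system names and record layout are constructed for illustration.

```python
"""Check a backup catalogue against the stated policy: weekly full, daily
incremental, seven days of retention, encrypted copies stored off-site.

Added example with a constructed catalogue; the record layout is an assumption
and this is not the proprietary backup system the page refers to.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Backup:
    system: str      # hypothetical system name, e.g. "db" or "web"
    day: date
    kind: str        # "full" or "incremental"
    encrypted: bool
    offsite: bool    # copy exists at the second facility


def _incrementals(system, start, days, skip=(), unencrypted=()):
    """Constructed run of nightly incrementals starting the day after `start`."""
    return [
        Backup(system, start + timedelta(days=i), "incremental", i not in unencrypted, True)
        for i in range(1, days + 1) if i not in skip
    ]


# Constructed catalogue: fulls on 1 and 8 October 2013, incrementals in between.
# The database is missing the 6 October incremental; one web copy is unencrypted.
CATALOGUE = (
    [Backup("db", date(2013, 10, 1), "full", True, True)]
    + _incrementals("db", date(2013, 10, 1), 9, skip=(5, 7))      # 6 Oct missing, 8 Oct is a full
    + [Backup("db", date(2013, 10, 8), "full", True, True)]
    + [Backup("web", date(2013, 10, 1), "full", True, True)]
    + _incrementals("web", date(2013, 10, 1), 6, unencrypted=(3,))  # 4 Oct not encrypted
    + [Backup("web", date(2013, 10, 8), "full", True, True)]
    + _incrementals("web", date(2013, 10, 8), 1)
)


def restorable_points(records, system):
    """Days to which `system` can be restored: every full, plus every incremental
    whose chain back to the preceding full has no missing day."""
    recs = sorted((r for r in records if r.system == system), key=lambda r: r.day)
    points, chain_end = [], None
    for r in recs:
        if r.kind == "full":
            chain_end = r.day
        elif chain_end is not None and r.day - chain_end == timedelta(days=1):
            chain_end = r.day
        else:
            chain_end = None       # gap: this and later incrementals are unusable
            continue
        points.append(r.day)
    return points


def retention_prune(records, today, retention_days=7):
    """Apply the retention window, but never discard a full (or intermediate
    incremental) that the oldest retained incremental still depends on."""
    cutoff = today - timedelta(days=retention_days)
    by_system = {}
    for r in records:
        by_system.setdefault(r.system, {})[r.day] = r     # one record per day assumed
    kept = []
    for system, days in by_system.items():
        retained = sorted(d for d in days if d >= cutoff)
        if not retained:
            continue
        extra, d = [], retained[0]
        while days[d].kind != "full":                     # walk back to the base full
            d -= timedelta(days=1)
            if d not in days:
                extra = []                                # chain already broken; nothing older helps
                break
            extra.append(d)
        kept.extend(days[x] for x in extra + retained)
    return sorted(kept, key=lambda r: (r.system, r.day))


def policy_violations(records):
    """Records that break the 'encrypted and stored at the second site' rule."""
    out = []
    for r in sorted(records, key=lambda r: (r.system, r.day)):
        if not r.encrypted:
            out.append((r.system, r.day, "not encrypted"))
        if not r.offsite:
            out.append((r.system, r.day, "no off-site copy"))
    return out


def summary(records, today_iso, retention_days=7):
    """Figures a reviewer would ask for: restore points per system, how many
    records age-only and chain-aware pruning keep, and policy violations."""
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=retention_days)
    return {
        "restore_points": {s: [d.isoformat() for d in restorable_points(records, s)]
                           for s in sorted({r.system for r in records})},
        "kept_naive": len([r for r in records if r.day >= cutoff]),
        "kept_chain_aware": len(retention_prune(records, today, retention_days)),
        "violations": [f"{s} {d.isoformat()}: {why}" for s, d, why in policy_violations(records)],
    }


if __name__ == "__main__":
    print(summary(CATALOGUE, "2013-10-14"))
```

Run against the constructed catalogue on 14 October, the database cannot be restored to 6 or 7 October because of the missed night, age-only pruning would keep 7 records while the chain-aware version keeps 13 (the web system's 1 October full and the incrementals behind it must stay until the 8 October full ages into the window), and the unencrypted 4 October web copy is reported. The same checks are what "backup files are encrypted and audited on a regular basis" needs to mean in practice.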
Security Measures
Does the hosting provider regularly test and monitor key administrative, technical and physical controls,
systems and procedures for protecting the confidentiality and security of personal information?
Yes.
Have operating system and database passwords been changed from the default values provided by
the software vendor?
Yes, all systems use non-default passwords.
Has the hosting provider experienced any security breaches in the past 3 years?
No.
What is the response time for security incidents?
Security incidents are followed up immediately. The hosting provider notifies ReloTracker and we notify
our customers.
Is client data in transit encrypted? If yes, please explain how this is done.
* The system runs under https, with a certificate that encrypts data sent between the server and the
remote device at 2056 key strength.
How is encryption managed on multi-tenant storage? Is there a single key for all data owners, one key
per data owner, or multiple keys per data owner? Is there a system to prevent different data owners
from having the same encryption keys?
* There is one key per data owner, tied to a specific web domain.
Have you performed detailed vulnerability assessment and penetration testing (VAPT) of the hosting
infrastructure?
Yes. No high priority issues were found.
Provide details of methodology, frequency, sample reports and mitigation plans.
Tools such as OWASP Zed Attack Proxy are used to test the application for a wide range of vulnerabilities
to attacks and threat agents.
Is VAPT performed in-house or by an external vendor?
We test in-house on a monthly basis. The hosting infrastructure was tested within the last six months by
an independent security company.
Does the hosting provider have a procedure for promptly preventing terminated employees and
contractors from accessing Personal Information?
Yes.
What measures do you have in place to detect malicious activities by an inside user?
Only our core staff, who have worked at the company for some years, have access to the systems and
databases. Other developers work on test systems and databases. Personnel at the hosting facility do
not have authentication information for the servers.
Do you have a Security Operations Center (SOC) that processes data from the identified available data
sources (application logs, firewall logs, IDS logs, etc.) and merges these into a common analysis and
alerting platform to detect incidents?
Firewall events are sent as alerts. Application events are flagged for follow-up. Different engineers are
responsible for Application Security, Firewall/Infrastructure, etc., so there is not a centralized view.
* Please note that this only applies if you have a security certificate in place to operate under https.