Our Approach To Security & Hosting
Introduction
At Camms our top priority is keeping our customers’ data secure. We employ rigorous security measures at organisational, architectural, and operational levels to continually ensure that your data, application, and infrastructure remain safe.
Camms Information Security Management System
An Information Security Management System (ISMS) establishes a holistic, structured approach to managing information security. The Camms ISMS provides the framework for the policies, procedures, and guidelines we have adopted, and is based on the ISO/IEC 27001:2013 standard.
Resources have been specifically committed to effectively manage the ISMS, including the appointment of a Head of Information Security and Compliance, who takes on the roles of Chief Information Security Officer (CISO) and the Data Protection Officer (DPO), and is responsible for the overall security and data privacy programs. The Information Security Steering Committee (ISSC) provides ongoing support and advisory to the ISMS. The Leadership of Camms is committed to a range of security activities conducted throughout the year, including regular risk assessments, security assessments, and any subsequent steps to maintain the highest security credentials across our organisation.
Information Security Audit Cycle
Product and Architectural Security
Data Processing Relationship
Our customers serve as the data controllers and administrators, while Camms acts as the data processor. This means that you have full control of the data entered into the application, as well as all setups and configurations. As you control your data and Camms acts as the processor, you will not have to rely on us to perform day-to-day tasks such as:
- Assigning security authorisation and manipulating roles
- Creating new reports and dashboards
- Configuring business process flows, alerts, rules etc.
- Changing or creating new organisational structures
- Monitoring all business transactions
- Looking at all historical data and configuration changes
Infrastructure Security
Camms solution infrastructure is hosted and managed on Microsoft Azure and runs in Datacentres managed and operated by Microsoft. These Datacentres comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. Backups are stored in a secondary Datacentre by Microsoft at a separate site to avoid the risk of a single infrastructure site failure.
Data Encryption
Camms encrypts all communication end to end. This is a fundamental design characteristic of the Camms technology.
All traffic between client and server is protected with Transport Layer Security (TLS 1.2), which protects network traffic against passive eavesdropping, active tampering, and message forgery. Web server authenticity is established with certificates issued by RapidSSL, using 2048-bit RSA keys and SHA-256 signatures, so that each party can confirm it is exchanging data with the authorised endpoint. All Camms solutions enforce web access over HTTPS. Encryption at rest using AES-256 is enabled by default for both Azure VM disks and backup services.
For more details on Azure at rest encryption by Microsoft Azure for managed disks and backup services, please visit: https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest.
File-based integrations are secured using a Secure File Transfer Protocol (SFTP).
Environment (Logical) Security
Camms solutions are deployed in both multi-tenant environments and single-tenant environments based on client requirements.
Multi-tenant environments are referred to as public cloud environments for solution deployments, and single tenant environments are referred to as private cloud or self-hosted environments for solution deployment.
The key difference between private and public cloud environments with solution deployment is that private cloud clients will be the only tenants within the hosting environment. In contrast, multiple clients will exist in a single hosting environment in public cloud environments.
In a multi-tenant environment, customer data is logically separated: each client's data is stored in its own database, every record carries a unique customer identifier, and users are authenticated against their own client's database. Strict coding standards ensure that application queries are always scoped to the authenticated customer's data.
Camms solutions can further segregate access to data within the application using role-based permissions.
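As an added illustration (not Camms' own code), the following shows how the per-record customer identifier described above keeps a lookup tenant-scoped, contrasted with the lookup that leaks across tenants. It assumes a single SQLite database holding a constructed risk register for two hypothetical tenants; the real Camms schema, table names, permission names and per-client database layout are not known from this page.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample schema: every record carries a customer (tenant) identifier.
SCHEMA = """
CREATE TABLE risk_register (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT    NOT NULL,
    title     TEXT    NOT NULL
);
"""

# Constructed sample data for two hypothetical tenants.
SAMPLE_ROWS = [
    (101, "tenant-a", "Unpatched VPN appliance"),
    (102, "tenant-a", "Shared admin credentials"),
    (201, "tenant-b", "Vendor data breach"),
]


@dataclass(frozen=True)
class Session:
    """What the application knows about the caller after authentication.
    The tenant comes from the login, never from the HTTP request."""
    user: str
    tenant_id: str
    permissions: frozenset


def open_db() -> sqlite3.Connection:
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO risk_register VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_risk_unscoped(conn: sqlite3.Connection, risk_id: int) -> Optional[tuple]:
    """Vulnerable lookup: filters on the record id only. Any authenticated
    user who guesses another tenant's id reads that tenant's record."""
    return conn.execute(
        "SELECT id, tenant_id, title FROM risk_register WHERE id = ?",
        (risk_id,),
    ).fetchone()


def find_risk_scoped(conn: sqlite3.Connection, session: Session, risk_id: int) -> Optional[tuple]:
    """Hardened lookup: the tenant predicate is mandatory and taken from the
    server-side session, and a role-based permission is checked first.
    Parameters are bound, never interpolated, so the query is not injectable."""
    if "risk.view" not in session.permissions:   # hypothetical permission name
        raise PermissionError(f"{session.user} lacks risk.view")
    return conn.execute(
        "SELECT id, tenant_id, title FROM risk_register "
        "WHERE id = ? AND tenant_id = ?",
        (risk_id, session.tenant_id),
    ).fetchone()


def tenant_isolation_check(conn: sqlite3.Connection, session: Session) -> bool:
    """Regression check a tester can run: for every id in the table, the scoped
    path must never return a row whose tenant_id differs from the caller's."""
    ids = [r[0] for r in conn.execute("SELECT id FROM risk_register")]
    for rid in ids:
        row = find_risk_scoped(conn, session, rid)
        if row is not None and row[1] != session.tenant_id:
            return False
    return True
```

The difference between the two lookups is exactly what a DAST scan or a manual tester probes for: requesting record 201 as a tenant-a user returns data through the unscoped path and nothing through the scoped one.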
We support LDAP delegated authentication and SAML for single sign-on authentication for both user and web services integrations.
Single Sign-on: Security Assertion Markup Language (SAML) allows for a seamless single sign-on experience between the customer's internal web portal and Camms. A user logs into their company's internal web portal with their enterprise username and password and is then presented with a link to Camms, which grants access without requiring a second login.
Camms Native Login: For customers who wish to use our native/standalone login, Camms stores only a secure hash of each password, never the password itself. Unsuccessful login attempts are logged, as are successful login and logout events, for audit purposes. Inactive user sessions are automatically timed out after a period that is configurable by Camms.
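Added example (not Camms' implementation) of the native-login behaviour described above: a salted password hash stored instead of the password, an audit log of failed and successful logins, logouts and timeouts, and an idle-session timeout. PBKDF2-HMAC-SHA256, the iteration count and the 15-minute idle limit are assumptions; the page says only that a secure hash is stored and that the timeout period is configurable by Camms.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed parameters: the page does not name the hash function or the timeout.
PBKDF2_ITERATIONS = 600_000
IDLE_TIMEOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. A fresh random
    salt per user means identical passwords never produce identical hashes."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


@dataclass
class NativeAuth:
    users: Dict[str, str]                                   # username -> stored hash only
    audit_log: List[dict] = field(default_factory=list)
    sessions: Dict[str, dict] = field(default_factory=dict)  # token -> {user, last_seen}
    idle_timeout: int = IDLE_TIMEOUT_SECONDS

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)       # plaintext is discarded here

    def login(self, username: str, password: str, now: float) -> Optional[str]:
        """Verify credentials, log the outcome either way, and mint a session token."""
        stored = self.users.get(username)
        ok = stored is not None and verify_password(password, stored)
        self.audit_log.append({"event": "login_success" if ok else "login_failure",
                               "user": username, "at": now})
        if not ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "last_seen": now}
        return token

    def touch(self, token: str, now: float) -> Optional[str]:
        """Return the username if the session is live; expire it if idle too long."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout:
            self.audit_log.append({"event": "session_timeout", "user": sess["user"], "at": now})
            del self.sessions[token]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token: str, now: float) -> None:
        sess = self.sessions.pop(token, None)
        if sess:
            self.audit_log.append({"event": "logout", "user": sess["user"], "at": now})

    def events(self, event: str) -> int:
        """Count audit entries of one kind, e.g. for a brute-force alert."""
        return sum(1 for e in self.audit_log if e["event"] == event)
```

The clock is passed in explicitly so the timeout path can be exercised deterministically; in a real deployment the audit log would be written to a tamper-evident store rather than kept in memory, and lockout or rate limiting would sit in front of login.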
Authentication
Camms caters to various client requirements by having several options for authentication to our solutions, including:
Self-Hosted Environments:
- Form authentication
- Windows authentication with SSO
- Windows authentication without SSO
- Form authentication
- SAML authentication with SSO
- SAML authentication without SSO
Camms offers a Single Sign-On (SSO) functionality using SAML 2.0 compliant identity provider support. Some of the identity providers we have worked with include ADFS, Okta, Azure AD, Google, Facebook, and many more.
Role-based Access
Camms solutions are developed to have a groups and permissions system. This allows you to restrict content for selected users with permission to view or edit based on the roles assigned. All user roles and permissions are managed in the staff management section of the application.
Solution Security Testing
Internal: Camms follows secure development guidelines aligned with the OWASP Top 10 and the CWE/SANS Top 25. During the development lifecycle, Camms uses a Static Application Security Testing (SAST) tool that scans the codebase against the OWASP Top 10 and CWE/SANS Top 25.
External: Camms uses an industry-leading third party to perform quarterly scheduled vulnerability assessments using Dynamic Application Security Testing (DAST). Burp Suite and Nessus are used to detect vulnerabilities such as cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), and other known web application vulnerabilities. A further third party is contracted to perform manual penetration tests annually to confirm that no malicious code or other vulnerabilities are present in our solutions. The outputs of these assessments are reviewed by our Architecture Review Board, Quality Assurance, and information security teams to develop any required remediation plans.
Privacy
Camms values the importance of protecting our customers' data and does not pass personal information on to third parties. Camms solutions minimise personal data collection to what is needed to identify and authenticate users and to administer new users of our products. The personal information that the customer can manage within the staff section of our solution is:
- Name (First Name, Last Name)
- Location
- Phone
Software Development Lifecycle
Software development staff perform source code reviews and security, functional, and performance testing on all significant application changes prior to the deployment to the live environment. Camms quality assurance staff perform these tests independently of the original developer. Development and testing activities are carried out in a logically separate environment from the live environments to ensure any changes made to the testing environment have no impact on the live environment.
Operational Security
Security begins on day one here at Camms. All employees receive security, privacy and compliance training the moment they start work. Though the extent of this may vary according to their role in the organisation, security is everyone’s responsibility at Camms.
Physical Security
Camms applications are hosted in state-of-the-art data centres designed to protect mission-critical systems with fully redundant subsystems and compartmentalised security zones. Our data centres adhere to strict physical security measures, including but not limited to the following:
- Multiple layers of authentication for server area access
- Two-factor biometric authentication for critical areas
- Camera surveillance systems at key internal and external entry points
- 24/7 monitoring by security personnel
- 100% redundant UPS dual power
- Dedicated high redundant firewall protection
All physical access to the data centres is highly restricted and stringently regulated.
Network Security
Camms has established detailed operating policies, procedures, and processes designed to help manage the overall quality and integrity of the Camms environment. We have also implemented proactive security controls, such as perimeter defence (Azure Firewall) and endpoint protection (Sophos Antivirus), for added protection.
Application Security
Camms has implemented an enterprise Secure Software Development Policy (SSDP) to help ensure the continued security of Camms applications. This program includes an in-depth security risk assessment and review of Camms features. In addition, both static and dynamic source code analysis are performed to help integrate enterprise security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.
Live Environment Infrastructure Access
To gain access to the live environment infrastructure, an administrative user must authenticate to a jump server on the respective network over Remote Desktop Protocol secured with TLS, and the authentication request must originate from a known whitelisted IP address. The whitelisted address belongs to an authenticated virtual private network, to which the administrator must connect before being able to communicate with the jump server when working remotely. User accounts used to access the live environment must be unique to each administrator.
Live Environment Application Access
Camms employees do not have application-level access to customer instances unless customers explicitly provide Camms with permission to perform tasks like implementation, support, or services.
Access Reviews
Access reviews to the in-scope systems are performed on a quarterly basis to ensure that administrative access to product systems is limited and based on appropriate roles and responsibilities. The Information Security Analyst completes reviews, and the Head of Information Security approves the results.
Organisational Security
The following organisational security checks are conducted:
- Confidentiality Agreements
- Employee Background Checks
- Employee Workstation Automatically Locked
- Employee Workstation Encrypted
- Limited Employee Access (Principle of Least Privilege)
- Personnel Screening
- Physical Access Control
- Training and Awareness
All employees at Camms receive information security and data privacy awareness training as part of their onboarding process and ongoing training (as a refresher). As a global organisation, we have opted for our own solution, Camms.College, to deliver the training required for all our employees. Our training includes questionnaires to help reinforce understanding and the practical applications of the topics that are covered as part of the training, including:
Information Security:
- General Information Security Overview
- Acceptable Usage Policy
- Email, Internet, Mobile and computer, BYOD, Remote access, Password usage and management, Social media usage
- Information Security Threats
- Security Incident Management
- Confidentiality Requirements
- Data classification, Clear desk and clear screen policy, Client data confidentiality
- Camms Defenses
Data Privacy:
- Essentials of Cyber Security and Data Protection
- What is GDPR?
- Data Subject Rights and Data Protection Principles
- Data Protection Model for GDPR
- Preparing for GDPR
Change Management Procedures
Camms has a formal Change Management Policy and Procedures that mitigate the risk of unauthorised changes to production systems. These policies and procedures address the production infrastructure and the software development lifecycle, including change requests, approvals, and standard change implementation procedures to guide employees through implementing commonly applied changes.
Acceptable Usage Policy
Camms employees are required to sign an acknowledgement form on joining the company stating that they have been given access to and have reviewed our Acceptable Usage Policy document, which includes an agreement with Camms to abide by the policy when using various Camms owned information assets.
Information Security Incident Management
Monitoring:
A Host-based Intrusion Detection System (HIDS) is in place to monitor and analyse the in-scope systems for any possible or actual security breaches and send real-time notifications to support personnel upon detection of a potential threat to the network. If a severe incident affects customer data, we will notify customers immediately. Information Security related incidents can be reported to our support line, where responsible officers will be assigned to investigate and confirm the incident.
Corrective and Preventive Action:
As part of the incident response plan of action, the incident will be reported through an appropriate channel where the incident would be logged for investigation, and corrective and preventive action would be taken. Corrective action is the immediate fix to mitigate the threat, while preventive action will involve a long-term solution to fix the identified issue and prevent its recurrence.
Threat Management
Camms contracts several third-party expert firms to conduct independent internal and external network, system, and application vulnerability assessments.
Application / Solution Security Testing
Camms has a vulnerability management plan that mandates regular vulnerability assessments and annual penetration testing. Camms runs regular vulnerability assessment and penetration testing (VAPT) on its web applications, checking for vulnerabilities such as SQL injection, cross-site scripting (XSS), XML external entity (XXE) injection, server-side request forgery (SSRF), Host header injection, and other exploitable weaknesses. The testing approach combines black-box and white-box methods.
Vulnerability Scanning and Penetration Testing: the SAST scanning, quarterly third-party DAST assessments, and annual manual penetration tests described under Solution Security Testing above apply here; their outputs are reviewed by the Architecture Review Board, Quality Assurance, and information security teams for remediation planning.
Network
External vulnerability assessments scan all internet-facing assets, including firewalls, routers, and web servers for potential weaknesses that could allow unauthorised access to the network. In addition, an authenticated internal vulnerability network and system assessment is performed to identify potential weaknesses and inconsistencies with general system security policies.
Introduction
Data privacy regulations are complex, vary from country to country, and impose stringent requirements. When choosing an application, businesses should select one that can comply with their data protection obligations and protect the privacy of their data. With Camms, our privacy functionalities and practices enable you to meet your privacy obligations.
Additionally, we provide our customers’ compliance and legal teams with the necessary resources and information to help them understand and validate the privacy and compliance requirements for their organisation, as well as show how Camms can help power their compliance efforts.
Privacy Program
Our privacy program follows strict policies and procedures regarding access to and the use, disclosure, and transfer of customer data. The core of our privacy program is that Camms employees do not access, use, disclose, or transfer customer data unless it is in accordance with a contractual agreement or at the direction of the customer.
As data protection issues and global laws continue to evolve and become increasingly complex, Camms understands the importance of a privacy program that is embedded into our company’s culture and services. Our philosophy of Privacy by Design is a testament to this and provides our customers with the assurance they need for the privacy and protection of their data.
The Camms Privacy, Ethics, and Compliance function, led by our Head of Information Security and Compliance, manages the privacy program and monitors its effectiveness. The team is responsible for:
- Formulating, maintaining, and updating our internal privacy policies, procedures, and tools to protect the privacy of personal data handled by employees and partners on behalf of Camms
- Monitoring compliance with our customer-facing privacy policies
- Ensuring that privacy commitments made to our customers, partners, and employees are met
- Maintaining our certifications and regulatory-compliance obligations
- Training Camms staff on our privacy program, monitoring changing data privacy laws across the globe, and making necessary updates and modifications to our privacy program
Review our privacy policy to learn more about how we manage and protect our customers' information.
Data Transparency, Privacy and Global Data Privacy Standards
We provide transparency into the geographical regions where our customers’ data is stored and processed. All of these are set forth in our standard Service Level Agreement (SLA). The SLA satisfies multiple country-specific requirements regarding data processing.
Global Data Privacy:
Camms and our customers must comply with various international privacy regulations. Common privacy principles throughout jurisdictions include notice, choice, access, use, disclosure, and security. Our application is designed to allow our customers to achieve differentiated configurations, so that their country specific laws can be met.
Camms further achieves compliance with international privacy regulations by maintaining a comprehensive, written information-security program that contains technical and organisational safeguards designed to prevent unauthorised access to and use or disclosure of customer data.
Global Privacy Standards:
Camms remains committed to global privacy standards, as shown by our dedication to programs such as GDPR and the Australian Privacy Act.
GDPR
The General Data Protection Regulation (GDPR), a European Union (EU) regulation, repeals and replaces Data Protection Directive 95/46/EC and the Member State legislation implementing it. GDPR applies to companies established in the EU, and to companies outside the EU that process personal data of individuals in the EU when offering them goods or services or monitoring their behaviour.
Furthermore, as part of its GDPR compliance, Camms is registered with the UK Information Commissioner's Office (ICO).
Camms has comprehensively evaluated GDPR requirements and implemented numerous privacy and security practices to ensure compliance with GDPR. These include:
- Training employees on security and privacy practices
- Conducting privacy impact assessments
- Providing adequate data transfer methods to our customers
- Maintaining records of processing activities
Other Data Privacy Acts
In addition to GDPR, Camms complies with the following legal requirements for data privacy:
Australia:
- The Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act 1988 (Privacy Act). Reference Link: https://www.oaic.gov.au/privacy-law/privacy-act/australian-privacy-principles
- Australian Freedom of Information Act 1982 – https://www.oaic.gov.au/freedom-of-information/rights-and-responsibilities
- ASD compliance – https://asd.gov.au/accountability/legislation.htm
- Cybercrime Act 2001 – https://www.legislation.gov.au/Details/C2004A00937
- Telecommunications (Interception and Access) Act 1979 – https://www.legislation.gov.au/Details/C2019C00299
UK:
- The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). Reference Link: http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
- Freedom of Information Act 2000 and Confidentiality
- Environmental Information Regulations 2004
- Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699)
USA
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Maine Act to Protect the Privacy of Online Consumer Information
- Maryland Personal Information Protection Act – Security Breach Notification Requirements – Modifications (House Bill 1154)
- Massachusetts 201 CMR 17 (aka Mass Data Protection Law)
- Massachusetts Bill H.4806 — An Act relative to consumer protection from security breaches
- Nevada Personal Information Data Privacy Encryption Law NRS 603A
- New Jersey — An ACT concerning disclosure of breaches of security and amending P.L.2005, c.226 (S. 51)
- New York State Department of Financial Services, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500)
- New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act
- Oregon Consumer Information Protection Act (OCIPA) SB 684
- Texas – An Act relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council
- Virginia — Consumer Data Protection Act (CDPA)
- Washington – An Act Relating to breach of security systems protecting personal information (SHB 1071)
Sri Lanka:
- Computer Crimes Act (CCA)
- Convention on the Suppression of Terrorist Financing Act No. 25 of 2005 and Prevention of Money Laundering Act No. 5 of 2006. Financial Transaction Reporting Act No. 6 of 2006 and the FIU regulations
- Electronic Transactions Act No.19 of 2006 and Evidence Ordinance of 1995.
- Personal Data Protection Act, No. 9 of 2022
Introduction
Today’s technology leaders are charged with securing and protecting the customer, employee, and intellectual property data of their companies in an environment of increasingly complex security threats. Additionally, companies are responsible for complying with all applicable laws, including those related to data privacy and transmission of personal data, even when a service provider holds and processes a company’s data on its behalf.
Camms maintains a formal and comprehensive security program designed to ensure the security and integrity of customer data, protect against security threats or data breaches, and prevent unauthorised access to our customers’ data. To help your compliance and legal teams understand and validate the compliance requirements for your organisation, we have gathered the following compliance resources.
ISO 27001
Camms has established an ISO/IEC 27001:2013 certification plan to achieve and maintain compliance with the global standard. All Camms offices globally are certified to ISO/IEC 27001:2013, including all operations conducted at each site.
ISO 27001 is an international standard that specifies requirements for an Information Security Management System, enabling an organisation to assess its risks and implement appropriate controls to preserve the confidentiality, integrity, and availability of its information assets.
A rigorous ISO/IEC 27001:2013 audit is conducted to provide our customers with an independent third-party assurance that our security controls are designed and operate effectively. This audit is part of maintaining the certification with a combination of internal and external audits.
Benefits include:
- Because organisations depend on information and information systems, the confidentiality, integrity, and availability of information are essential to maintaining competitive edge, cash flow, profitability, and commercial image
- Compliance with legal, statutory, regulatory, and contractual requirements
- Improved corporate governance and assurance to stakeholders such as shareholders, clients, consumers, and suppliers
- Through a proper risk assessment, threats to assets are identified, vulnerabilities and the likelihood of occurrence are evaluated, and potential impact is estimated, so that investment is allocated where it is needed
Sri Lanka Office – GSDC
Camms Global Service Delivery Centre (GSDC) in Sri Lanka has been certified after the audit and certification process was completed by Bureau Veritas. The certified scope is “Management of information security pertaining to IT infrastructure and software development provided by the Global Service Delivery Centre of Camms in accordance with the Statement of Applicability”.
Functions include:
- IT Operations and Infrastructure
- Software Development and Deployment
- Pre-sales and Sales
- Implementation and Consulting
- Client Support
- Product Management
Australia Office – Adelaide, Melbourne, Sydney
Camms Australia offices have been certified after the audit and certification process was completed by Bureau Veritas. The Certified Scope is “Management of information security pertaining to all functions provided by Camms offices in Australia; Adelaide, Melbourne, and Sydney in accordance with the Statement of Applicability”.
Functions include:
- Pre-sales and Sales
- Implementation and Consulting
- Client Support
- Product Management
United Kingdom Office
The scope and boundary of the Information Security Management System (ISMS) covers the security of information and IT infrastructure and is limited to "Management of information security pertaining to all functions provided by the Camms office in Manchester, in accordance with the Statement of Applicability".
Functions include:
- Pre-sales and Sales
- Implementation and Consulting
- Client Support
- Product Management
United States of America Office
The scope and boundary of the Information Security Management System (ISMS) covers the security of information and IT infrastructure and is limited to "Management of information security pertaining to all functions provided by the Camms office in New York in accordance with the Statement of Applicability".
Functions include:
- Pre-sales and Sales
- Implementation and Consulting
- Client Support
- Product Management
Cyber Essentials and Cyber Essentials Plus
The UK Government's Cyber Essentials scheme focuses on five key technical controls: firewalls, secure configuration, user access control, malware protection, and security update management. Certification indicates a good baseline level of all-round information security. Camms UK has been awarded the Certificate of Assurance in Compliance with the requirements of the Cyber Essentials scheme and is currently certified for both Cyber Essentials and Cyber Essentials Plus.
The Cyber Essentials certificate is based on a self-assessment that is independently verified by an assessor, confirming that Camms meets the scheme's requirements. Cyber Essentials Plus covers the same controls with the addition of an independent technical audit.
SOC 2 Type 1 and SOC 2 Type 2
Camms provides Business Software solutions globally; the SOC 2 Type 1 and SOC 2 Type 2 attestations encompass operations related to this SaaS solution and its services offered globally.
SOC 2 is among the most widely recognised standards for assuring that customer data and services are managed securely, based on the Trust Services Criteria defined by the AICPA. For more information on the AICPA, please visit https://www.linkedin.com/company/aicpa
HIPAA Compliance
Camms has successfully completed a HIPAA attestation. This demonstrates our commitment to protecting protected health information (PHI) and adhering to the regulations set forth by the Health Insurance Portability and Accountability Act (HIPAA). We are dedicated to maintaining this compliance and continuing to ensure the privacy and security of PHI.
GDPR
Camms maintains GDPR compliance through practices such as internal and customer privacy impact assessments, secure data transfer methods, and record keeping. Standard contractual clauses in the Data Processing Addendum govern data handling. Annual registration with the UK Information Commissioner's Office reinforces these compliance efforts.
IRAP
IRAP (the Australian Signals Directorate's Infosec Registered Assessors Program) provides independent assessment of the security of a given environment against the Australian Government Information Security Manual (ISM). Camms is currently developing an Australia-specific environment to be assessed at the PROTECTED classification under the ISM.
CSA STAR
The CSA STAR Level 1 Self-Assessment gives cloud customers insight into the security controls of cloud service providers. Camms has completed a Level 1 Self-Assessment documenting our security controls to help customers assess the security of our service.
Hosting Provider Security and Privacy Compliance
Our hosting providers are Microsoft Azure and Macquarie Government Data Centre. Information security responsibilities for these environments are shared between Camms and the hosting providers. Our primary hosting provider, Microsoft Azure, complies with various international security and privacy standards, including:
- ISO 27001, ISO 27017, ISO 27018
- SOC 1, 2, 3
- CSA STAR
- IRAP ASD Certified
- GDPR
- FedRAMP
- Cyber Essentials Plus
- PCI DSS
For more information about security, privacy, and compliance at Microsoft Azure, please visit: https://azure.microsoft.com/en-gb/explore/trusted-cloud/compliance/
To read related audit reports, please visit: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide
Macquarie Government Data Centre complies with the following standards:
- ISO 27001
- IRAP ASD Certified
- PCI DSS
To read more about Macquarie Government's security, please visit: https://macquariegovernment.com/why-us/certifications-and-accreditations-irap/
Camms Hosting Partner Attestations
Cloud Service Panel (Federal Govt, Australia):
- There are currently 108 suppliers that have been appointed to the Panel through an open approach to the market. The Panel is a non-mandatory procurement avenue for entities subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act).
- Camms can be procured directly from the Panel under contract SON2914302
ISO 27001 (IAAS):
- ISO 27001 is a globally recognised, standards-based approach to security that outlines requirements for an organisation’s Information Security Management System (ISMS).
G-Cloud:
- The G-Cloud framework is an agreement between the UK government and cloud-based service providers.
- G-Cloud enables cloud-based service providers to apply and, once accepted, sell their cloud services to UK public sector organisations. The G-Cloud framework is updated annually by the governing body, Crown Commercial Services (CCS). Camms has been an authorised G-Cloud service provider since 2015.
UK public sector organisations can currently purchase Camms service offerings via the CCS Digital Marketplace.
Other steps
Camms takes a few additional steps to secure the environment.
The following steps are taken to secure the Azure Environment for migration:
- Operating System level hardening as per CIS benchmark for the respective operating systems
- Network-level hardening and reviews are conducted to ensure that internal systems are not exposed to the Internet and that inter-server communication is restricted to each server’s specific functional requirements, enforced by port and IP filtering on the Azure Firewall
An application-level vulnerability assessment is conducted on the application prior to deployment to ensure that all security controls in place are functioning as intended.
Camms is GDPR-compliance through practices like internal and customer privacy impact assessments, secure data transfer methods, and record maintenance. Standard contractual clauses in the Data Processing Addendum support data handling. Annual registration with the UK Information Commissioner’s Office reinforces compliance efforts.
IRAP
Camms Australia-specific IRAP accreditation, which is to provide a level of security assurance to a given environment. We are currently in the process of developing this environment to be accredited to the Protected classification as per the Australian Government Information Security Manual (ISM).
CSA STAR
The CSA STAR Self-Assessment certification serves as a valuable tool for cloud customers, providing insight into the security protocols of cloud service providers. Camms has completed Level 1 of the CSA STAR Self-Assessment documenting our security controls to help customers assess the security.
Hosting Provider Security and Privacy Compliance
Our hosting providers are Microsoft Azure and Macquarie Government Data Centre. Information security responsibilities for Microsoft Azure and Macquarie Government Data Centre are shared between Camms and the hosting providers. Our primary hosting provider, Microsoft Azure, complies with various international security and privacy standards including:
- ISO 27001, ISO 27017, ISO 27018
- SOC 1, 2, 3
- CSA STAR
- IRAP ASD Certified
- GDPR
- FedRAMP
- Cyber Essentials Plus
- PCI DSS
For more information about security, privacy, and compliance at Microsoft Azure, please visit: https://azure.microsoft.com/en-gb/explore/trusted-cloud/compliance/
To read related audit reports, please visit: https://servicetrust.microsoft.com/ViewPage/MSComplianceGuide
Our other hosting provider, Macquarie Government Data Centre, complies with:
- ISO 27001
- IRAP ASD Certified
- PCI DSS
To read more about Macquarie Government’s security, please visit: https://macquariegovernment.com/why-us/certifications-and-accreditations-irap/
Camms Hosting Partner Attestations
Cloud Service Panel (Federal Govt, Australia):
- There are currently 108 suppliers that have been appointed to the Panel through an open approach to the market. The Panel is a non-mandatory procurement avenue for entities subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act).
- Camms can be procured directly from the Panel under contract SON2914302
ISO 27001 (IAAS):
- ISO 27001 is a globally recognised, standards-based approach to security that outlines requirements for an organisation’s Information Security Management System (ISMS).
G-Cloud:
- The G-Cloud framework is an agreement between the UK government and cloud-based service providers.
- G-Cloud enables cloud-based service providers to apply and, once accepted, sell their cloud services to UK public sector organisations. The G-Cloud framework is updated annually by the governing body, Crown Commercial Services (CCS). Camms has been an authorised G-Cloud service provider since 2015.
UK public sector organisations can currently purchase Camms service offerings via the CCS Digital Marketplace.
Other steps
A few other steps taken by Camms to secure the environment are listed below.
The following steps are taken to secure the Azure Environment for migration:
- Operating System level hardening as per CIS benchmark for the respective operating systems
- Network-level hardening and reviews conducted to ensure that internal systems are not exposed to the Internet, and that inter-server communications are restricted to each server’s specific functional requirements by port and IP filtering on the Azure Firewall
An application-level vulnerability assessment has been conducted to ensure that all security controls in place function as intended prior to deployment.
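The network review described above checks two things: that no internal host is reachable from a public source, and that server-to-server rules are limited to the ports a service actually needs. The following is an added illustration of such a review as an automated check; it is not Camms code, and the rule list, the internal address range and the rule field names are constructed for the example rather than taken from any real Azure Firewall or NSG export.

```python
"""Review inbound allow rules for exposure of internal servers.

Added example, not Camms code. The rules below are constructed and only
loosely shaped like cloud firewall rules (source, destination, ports,
action); the 10.0.0.0/8 internal range is an assumption for the example.
"""
import ipaddress

# Constructed sample rules: two least-privilege rules, one that exposes an
# internal host to the Internet, one that allows every port, and a final deny.
SAMPLE_RULES = [
    {"name": "allow-web-from-lb", "source": "10.0.1.0/24", "dest": "10.0.2.10", "ports": "443", "action": "Allow"},
    {"name": "allow-db-from-app", "source": "10.0.2.0/24", "dest": "10.0.3.20", "ports": "1433", "action": "Allow"},
    {"name": "allow-rdp-any", "source": "0.0.0.0/0", "dest": "10.0.3.20", "ports": "3389", "action": "Allow"},
    {"name": "allow-all-internal", "source": "10.0.0.0/8", "dest": "10.0.3.21", "ports": "*", "action": "Allow"},
    {"name": "deny-all", "source": "*", "dest": "*", "ports": "*", "action": "Deny"},
]

# Assumed private address space for the hosted environment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr: str) -> bool:
    """True if a host or CIDR lies entirely inside the internal range."""
    if addr in ("*", "Internet"):
        return False
    net = ipaddress.ip_network(addr, strict=False)
    return any(net.subnet_of(n) for n in INTERNAL_NETS)


def source_is_public(src: str) -> bool:
    """True if a rule's source can include non-internal (Internet) addresses."""
    if src in ("*", "Internet"):
        return True
    return not is_internal(src)


def review_rules(rules):
    """Return (rule name, finding) pairs for allow rules that break the policy."""
    findings = []
    for r in rules:
        if r["action"] != "Allow":
            continue
        if source_is_public(r["source"]) and is_internal(r["dest"]):
            findings.append((r["name"], "internal host reachable from a public source"))
        elif r["ports"] == "*":
            findings.append((r["name"], "all ports allowed; restrict to the required service ports"))
    return findings


if __name__ == "__main__":
    for name, issue in review_rules(SAMPLE_RULES):
        print(f"{name}: {issue}")
```

Running the block reports only the two offending rules; the per-service rules and the trailing deny pass. In a real environment the rule list would be read from the firewall or NSG export rather than embedded, and the internal range set to the actual address plan.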