Trust center

Our Camms Trust methodology takes input from each of our customers’ security requirements and industry best-practices, to arrive at a framework unique to us and our environment.

Camms maintains ISO 27001 certification – an independent validation that we take information processes and services seriously, underpinned by our partnership with third party suppliers and our clients to maintain data security.

Trust begins with transparency. Beginning with a foundation of trust is an important building block for us. Here you’ll learn how extensively our framework can support you. Let’s get you connected to the security, reliability, privacy, and compliance of our products and services.

 

Security

 

Camms implements the ISO/IEC 27001:2013 standard as the framework for our Information Security Management System (ISMS) creating a systematic approach to managing information and ensuring security. This includes ongoing mitigation actions, qualitative and quantitative assessment of risk, monitoring of existing controls and tracking, investigating and reporting on incidents and events. We employ rigorous security measures at the organizational, operational and architectural levels to continually ensure that your data, application and infrastructure remain safe.

Organizational and operational security

Live environment infrastructure access

Access to the live environment’s infrastructure is granted only to our IT administrator users, who are authenticated through a secure server using the latest security communication methodologies.

Support access

Our support teams will only access customer data when necessary to resolve an open ticket. Our global support team has access to our cloud-based systems and applications to facilitate maintenance and support processes.

Hosted applications and data are only able to be accessed for the purpose of application health monitoring and performing system or application maintenance, and upon customer request via our support system.

Access reviews

Quarterly performed Access Reviews to in-scope systems ensure limited administrative access to product systems based on appropriate roles and responsibilities. Reviews are completed and results are approved by an Information Security Analyst and the Chief Information Security Officer.

Network security

Camms comes equipped with meticulous operating policies and procedures designed to manage the overall quality and integrity of the Camms environment. This includes implementing proactive security processes, such as perimeter defense.

Training and awareness

Camms employees undergo a comprehensive training on information security and data privacy before coming on-board, followed by continued training as a refresher.  We proudly count on our very own training solution, Camms College, to deliver the required training through questionnaires reinforcing understanding and practical applications on information security and data privacy.

Security incident management

Incidents will happen, but our speed and efficiency in response will keep the impact as low as possible. The security team at Atlassian aggregates information from various sources in the hosting infrastructure and monitors for any suspicious activity. Our internal processes define how these alerts are triaged, investigated further, and escalated appropriately. Our customers and the wider community are encouraged to report suspected security incidents through Camms Support. In the event of a serious security incident, Camms has access to the expertise internally – and through external subject matter experts – to investigate incidents and drive them until closure.

Change management procedures

Camms’ formal Change Management Policy and Procedures mitigate un-authorized changes occurring in production systems. These address the production infrastructure and software development lifecycle and include change requests, approvals, and standard change implementation procedures guiding employees through the implementation of commonly applied changes.

Acceptable usage policy

Camms employees are given access to and review our Acceptable Usage Policy document, after which an acknowledgement form is signed. This includes an agreement with Camms to abide by the policy when using Camms owned information assets.

Product security

Infrastructure

The Camms product’s infrastructure is hosted and managed on Microsoft Azure and runs in datacenters managed and operated by Microsoft. These datacenters comply with key industry standards, such as ISO/IEC 27001:2013 and NIST SP 800-53, for security and reliability. To avoid the risk of single infrastructure site failure, backups are stored in a secondary datacenter by Microsoft on a separate site.

Software development lifecycle

Software development staff perform source code reviews, security, functional and performance testing on all major application changes prior to deployment to the live environment. Camms quality assurance staff who perform these tests do so independently of the original developer. Development and testing activities are carried out in a logically separate environment from the live environments to ensure any changes made to the testing environment have no impact on the live environment.

Encryption

Your confidential data is protected and encrypted in-transit, over a Transport Layer Security connection. Web server authenticity is verified by SHA2 256 and encrypted using RSA 2048 bits, with certificates issued by Rapid SSL and ensures all web data packets are received to and from authorized parties. All CAMMS Solutions enforce web access via HTTPS. Encryption at rest is enabled by default for both Azure VM instances and backup services, encryption using AES 256.

Multi-tenancy

Camms solutions are deployed in both multi-tenant and single-tenant environments. While single-tenant environments only host cloud client tenants within the environment, multi-tenant environments permit multiple clients. In the multi-tenancy environment, customer data is logically separated through strict coding standards, while segregated access to organizations’ data is stored in a separate database for each client. A unique customer identifier is included in each record of data within the solution, where users are authenticated to their respective database. Role-based permissions allow CAMMS Solutions to segregate access to the data through the application as well.

Authentication

Camms offers several options for authentication to our solutions including:

Self-hosted Environments:

  • Form authentication
  • Windows authentication with SSO
  • Windows authentication without SSO

Cloud Hosted Environments (Private and Public Cloud):

  • Form authentication
  • SAML authentication with SSO
  • SAML authentication without SSO
  • Camms offers Single Sign-On (SSO) using SAML 2.0 compliant Identity provider support. Some of the identity providers we have worked with include ADFS, Okta, Azure AD, Google, Facebook and many more.
Role-based access

Camms solutions allow you to restrict content for certain users with permission to view / edit based on the assigned roles. All user roles and permissions are managed in the staff management section of the application

Product security testing

CAMMS follows secure development guidelines with OWASP top 10 and CWE/SANS top 25 elements taken into consideration. In the development life cycle, Camms utilizes a Static Application Security Testing (SAST) tool which scans the codebase based on OWASP top 10 and CWE/SANS top 25 standards. Vulnerability assessments are performed monthly using Dynamic Application Security Testing (DAST) which utilize tools such as Burp suite and Nessus. Additionally, Camms performs manual penetration tests annually. Internal processes are in place to review any reported vulnerabilities and act on them.

Network 

Camms has adopted a layered approach to network access, with controls at each layer of our solutions.

We implement controls at each layer of our solution portfolio, dividing our infrastructure by zones, environments, and services. Zone restrictions include limiting office, data center and platform network traffic. Environment separation segregates production and development connectivity. Services must be explicitly authorized to communicate with other services through an authentication whitelist.

We control access to our sensitive networks various ways via routing, firewall rules and software defined networking.

Staff connectivity leverages various protection protocols including device certificates, multi-factor authentication, and use of proxies for sensitive network access. Access to customer data requires explicit review and approval.

Application

Threat modeling is used to ensure we’re designing the right controls for the threats we face during the product planning and design phase, Camms uses threat modeling to understand the specific security risks associated with a product or feature.  Threats are identified and prioritized, and that information feeds controls into the design process and supports targeted review and testing in later phases of development. We use the Microsoft Threat Modelling Tool and the STRIDE Threat Model framework. STRIDE is an acronym for a common set of security concerns: Spoofing, Tampering, Reputation, Information Disclosure, Denial of Service, and Elevation of Privilege.

We utilize threat modeling early and often and can ensure that relevant security configuration and controls are designed to mitigate threats specific to each product or feature we develop.

 

Reliability

 

Camms clients run business critical projects and operations on Camms products, which is why we are committed to delivering products, applications and services that are stable and secure.

Cloud hosting infrastructure

We choose our cloud hosting provider to ensure our customers have the advantage of elastic scalability, multi-layer redundancy, and maintain reliability, and scale with your organization’s needs.

Accessibility and availability

Camms has a 99.99% uptime across our primary and failover servers. Any interruptions to access and availability of these servers immediately activates the Camms Business Continuity Plan.

Business continuity plan

Our commitment to maintaining strong Business Continuity (BC) and Disaster Recovery (DR), ensures minimal effect to our customers in case of any disruption to our operations. Our Disaster Recovery Program consists of a few key practices to ensure the appropriate levels of governance, oversight, and testing:

Governance

Leadership involvement is a key part of our DR Program, which allows us to have both business and technical drivers accounted for in our strategy for resilience. Furthermore, Camms emphasizes continual improvement throughout the DR Program.

Oversight and maintenance

Our diskiplined approach to governance, risk, and compliance when monitoring and managing our DR program, enables us to operate more efficiently and effectively, remediating key activities within our DR program.

Testing

As part of our DR lifecycle, Camms conducts regular testing and strives for continual improvement to ensure your data and the use of it, is highly available and performant. Backup and restore procedures are tested on a regular basis, so that when data needs to be restored, our professionally trained support staff is fully prepared to get you up and running.

Customer care and support

Support and activities covered by Customer Care include:

  • Training employees on security and privacy practices
  • Feature / functionality queries
  • Assistance with product functionality and ‘how-to’ questions
  • Minor Service Requests
  • Label replacements
  • Small configuration requests including:
  • tick boxes
  • label replacements
  • small report formatting changes
  • Infrastructure related requests such as providing additional backups or database restorations (cloud)
  • Minor Data upload and entry requests
  • Provision of change request estimates and analysis (applies to unapproved quotations)

Support and activities not covered by Customer Care include:

  • Change requests for modifications
  • Change request specifications
  • Training
Product performance

Camms continuously looks for ways to improve product and infrastructure performance by monitoring key performance metrics, such as load times and search responsiveness. We have continuously achieved to reduce latency for customers located around the globe, by enabling hosting closer to the customer’s region.

 

Privacy

 

Data privacy regulations are complex and vary from country to country, imposing stringent requirements. When choosing an application, select one that can comply with your data protection obligations and protect the privacy of your data. With Camms, you gain leading privacy functionality and practices that enable you to meet your privacy obligations.

Customers can understand and validate the privacy and compliance requirements of their organization, via the compliance and legal teams offered by Camms.

Protecting our customer’s data is of paramount importance to us. Which is why Camms does not transfer personal information to third parties. Our solutions minimize the collection of personal data when identifying/authenticating users, and when administering new users into our products.

Access to customer data

Access to customer data stored within applications is restricted on a ‘need to access’ basis

Within our SaaS platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and contractors during the on-boarding / induction process which covers the importance of and best practices for handling customer data.

Within Camms, only authorized employees have access to customer data stored within our applications.

Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.

Physical access to our data centers, where customer data is hosted, is limited to authorized personnel only, with access being verified using biometric measures. Physical security measures for our data centers include on-premise security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures.

Global privacy standards

Camms remains committed to global privacy standards, as shown by our dedication to programs such as GDPR and the Australian Privacy Act.

The General Data Protection Regulation (GDPR), a European Union (EU) regulation, repeals and replaces Data Protection Directive 95/46/EC, as well as Member States implementing legislation. The GDPR applies to companies in the EU as well as all companies that process or store the personal data of EU citizens, regardless of their location.

Camms has comprehensively evaluated GDPR requirements and implemented numerous privacy and security practices to ensure compliance with the GDPR. These include:

EU-GDPR:

Internal reviews and independent legal counsel have confirmed that our various policies, procedures and implemented controls meet GDPR regulations. These initiatives include:

  • Ensuring employees who access customers’ personal data have been trained to handle such data and strictly maintain the confidentiality and security of that data.
  • Obtaining written acknowledgement from all vendors that handle personal data, and ensure that they meet all security and privacy requirements Camms is contracted to maintain.
  • Providing each client with a separate database, to ensure segregation in multi-tenancy (Camms Public Cloud) environments.
  • Data processing agreed as per data controllers’ requirements. The Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) established requirements for entities in responding to data breaches. Entities have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.

Camms has conducted comprehensive evaluations of the requirements and implemented numerous privacy and security practices to ensure compliance with the Australian Privacy Act. These include:

Australian Privacy Act

Camms remains committed to global privacy standards, as shown by our dedication to programs such as GDPR and the Australian Privacy Act.

  • Training employees on security and privacy practices
  • Conducting Privacy Impact Assessments
  • Providing adequate data transfer methods to our customers
  • Maintaining records of processing activities
Data breaches

Camms fully complies with all legal and regulatory requirements in the location of hosting. Associated with this is Camms data breach policy which defines the Camms response to an eligible data breach. This has a number of process-driven steps to identify, investigate and rectify any data breach. In addition to this Camms notifies customers of any data breach regardless of size and scale on its cloud infrastructure even if the breach does not impact the data of the customer.

 

Compliance

 

In an environment of increasingly complex security threats, technology leaders are charged with securing and protecting the customer, employee, and intellectual property data of their companies. Companies must also comply with all applicable laws, including those related to data privacy and transmission of personal data, even when a service provider holds and processes a company’s data on its behalf. Our formal and comprehensive security program is designed to ensure the security, confidentiality, integrity and availability of customer data, while protecting them against security threats or data breaches and prevent unauthorized access to customer data.

To help your compliance and legal teams understand and validate the compliance requirements for your organization, below are the compliance resources, standards and frameworks that are used by Camms and our third parties:

Camms certifications and audits

ISO/IEC 27001:2013  is a globally recognized, standards-based approach to security that outlines requirements for an organization’s Information Security Management System (ISMS). Camms undergoes multiple ISO/IEC 27001:2013 audits annually, which include internal audits by qualified and experienced auditors and external audits by the certification body, to assure customers that our security controls are designed and operating effectively. Camms was awarded ISO27001:2013 certification.

ISO/IEC 27001:2013

Camms has established an ISO/IEC 27001:2013 accreditation plan, to support achieving compliance with the standard.

IRAP assessments

Camms has undergone IRAP Assessments and is experienced in the processes that are required to meet customer requirements as they relate to IRAP Compliance.

Cloud environment certifications

All client application environments are running on Azure public cloud with SOC 1,2, 3 Standards, ISO27001, ISO9001, CIS Benchmarks, ISO27018, ISO27017, ISO22301, ISO20000, CSA Star Attestation, Certification and Self-Assessment Cyber Essentials and IASME – currently in the implementation stage.

The UK Government’s Cyber Essentials Scheme focuses on the five most important technical security controls, while the IASME standard is risk-based and includes holistic aspects such as physical security, staff awareness, and data backup. Certification against both indicates a good level of all-round information security. The IASME assessment process includes the Cyber Essentials element, where a company can be accredited to both standards with just one self-assessment.

Terms & conditions

By accessing this WebSite you agree to the following terms:

The contents of this Web Site are Copyright © to CA Technology Pty Limited trading as Camms 2015 herein referred to as Camms. Any rights not expressly granted herein are reserved. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, transfer, or sell any information, software, products or services obtained from the site. Camms is a trademark of CA Technology Pty Ltd. and may not be used without permission.