Decos is an ISO-27001 certified company. This well-known security standard governs a broad range of security measures covering the entire company and its processes. Through an Information Security Management System (ISMS), every process involved in developing, hosting and supporting the JOIN Application is covered.
The certification covers:
Our ISO certification and Statement of Applicability can be shared with customers upon request.
Microsoft Azure is our hosting provider and holds a broad range of ISO certifications, ISO-27001 among them. See https://servicetrust.microsoft.com/ for the full list.
ISO-27001 requires software security to be embedded in our development processes. A security checklist based on the OWASP Top 10 is known to all developers and is part of the Definition of Done (DoD).
Security is additionally tested with automated tooling. All developers use OWASP ZAP to scan their applications. The Quality Assurance department checks release candidates with Burp Suite and reports its findings to the Product Owners and Security Officers at Decos.
Apart from testing using tools, all products in the JOIN Suite are audited externally at least once per year. This audit is a requirement for ISO-27001, but is also a requirement from Logius in order to connect applications to DigiD. The auditors also perform a thorough penetration test.
Decos also has an internal penetration test schedule, in which developers try to break into each other's applications. This is a recurring process and part of our ISO-27001 procedures.
Issues may still reach released software. We encourage ethical hackers to work with us under our Responsible Disclosure Policy. We reward every security issue that was not yet known to us, provided the reporter did not abuse the finding.
See our Responsible Disclosure Policy online: https://www.decos.com/en/security.
All data is backed up to a Microsoft Azure Recovery Services Vault with a minimum retention of 30 days. This applies to all files and scans stored in the applications as well as to all databases.
All data is encrypted at rest. Storage Accounts use Azure Storage Encryption (https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption) and databases are encrypted at rest using Transparent Data Encryption (https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview?tabs=azure-portal).
Any recovery point within the retention period can be selected for a restore, so the recovery point objective (RPO) lies anywhere inside those 30 days. The recovery time objective (RTO) is short: depending on the amount of data being restored, the recovery process is usually complete within an hour.
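The backup retention, storage encryption and TDE statements above are the kind of controls a customer or auditor will want to verify rather than take on trust. The script below is an added example, not Decos' own tooling: it evaluates the JSON that the Azure CLI commands `az storage account show`, `az sql db tde show` and `az backup policy show` return, and reports any account, database or backup policy that falls short of the controls described on this page. The sample documents are constructed inline in the shape of those commands' output (field paths are assumed from the CLI's documented output format, not taken from Decos' environment); the "weak" storage sample is constructed only to exercise the check, since current Azure storage accounts always report service-side encryption as enabled.

```python
# Added example: audit Azure CLI output for the at-rest encryption and
# backup-retention controls described on this page. Not Decos' own code.

# Constructed samples in the shape of:
#   az storage account show -n <name> -g <rg>
#   az sql db tde show -s <server> -d <db> -g <rg>
#   az backup policy show -v <vault> -n <policy> -g <rg>
# Field paths are assumed from the CLI's documented output format.
STORAGE_OK = {
    "name": "joinfiles",
    "encryption": {
        "keySource": "Microsoft.Storage",
        "services": {"blob": {"enabled": True}, "file": {"enabled": True}},
    },
}
STORAGE_WEAK = {  # constructed to exercise the check; real accounts report True
    "name": "joinscans",
    "encryption": {
        "keySource": "Microsoft.Storage",
        "services": {"blob": {"enabled": False}, "file": None},
    },
}
TDE_OK = {"state": "Enabled"}
TDE_WEAK = {"state": "Disabled"}
POLICY_OK = {
    "name": "JoinDaily30",
    "properties": {"retentionPolicy": {"dailySchedule": {
        "retentionDuration": {"count": 30, "durationType": "Days"}}}},
}
POLICY_WEAK = {  # four weekly points = 28 days, one short of the 30-day claim
    "name": "JoinWeekly4",
    "properties": {"retentionPolicy": {"weeklySchedule": {
        "retentionDuration": {"count": 4, "durationType": "Weeks"}}}},
}

# Conversion of the CLI's durationType values to days (Months/Years are
# approximations; Azure counts calendar months and years).
DAYS_PER = {"Days": 1, "Weeks": 7, "Months": 30, "Years": 365}


def check_storage_encryption(acct):
    """Flag any blob or file service without service-side encryption."""
    findings = []
    services = acct.get("encryption", {}).get("services") or {}
    for svc in ("blob", "file"):
        entry = services.get(svc)
        if not entry or not entry.get("enabled"):
            findings.append(f"storage {acct['name']}: {svc} encryption not enabled")
    return findings


def check_tde(db_name, tde):
    """Transparent Data Encryption must report state 'Enabled'."""
    state = tde.get("state")
    if state != "Enabled":
        return [f"database {db_name}: TDE state is {state!r}, expected 'Enabled'"]
    return []


def longest_retention_days(policy):
    """Longest retention, in days, across the policy's schedules."""
    rp = policy.get("properties", {}).get("retentionPolicy") or {}
    best = 0
    for sched in ("dailySchedule", "weeklySchedule", "monthlySchedule", "yearlySchedule"):
        dur = (rp.get(sched) or {}).get("retentionDuration")
        if dur:
            best = max(best, dur["count"] * DAYS_PER.get(dur["durationType"], 0))
    return best


def check_backup_retention(policy, minimum_days=30):
    """The vault policy must keep at least `minimum_days` of recovery points."""
    days = longest_retention_days(policy)
    if days < minimum_days:
        return [f"backup policy {policy['name']}: retention {days} days < {minimum_days}"]
    return []


def audit(acct, db_name, tde, policy, minimum_days=30):
    """Return all findings for one storage account, database and backup policy."""
    return (check_storage_encryption(acct)
            + check_tde(db_name, tde)
            + check_backup_retention(policy, minimum_days))


if __name__ == "__main__":
    for label, args in (("compliant", (STORAGE_OK, "join", TDE_OK, POLICY_OK)),
                        ("weak", (STORAGE_WEAK, "join", TDE_WEAK, POLICY_WEAK))):
        print(label, audit(*args) or "no findings")
```

In practice the three documents would come from `az ... -o json` rather than the inline constants; the checks themselves do not change. Note that the retention check converts months and years approximately, so a policy that relies on a monthly schedule should be read with that in mind.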