The
Viewpoint Organisation Ltd (TVO)
provides an Online Questionnaire facility aimed specifically at Young
People. A Young Person can access the
questionnaire by going to www.vptol.co.uk.
They log into the questionnaire by using the login information given to them
either by a registered Viewpoint Manager from the client organisation or from a
Viewpoint member of staff.
The login
information comprises Organisation (Specific database reference) Username and
Password.
Only a registered manager is able to
access the data for analysis purposes. Once a manager has been provided with
the login information they will go to the same login screen as the young person
but their login will take them to the ‘Management and Analysis’ part of the
Viewpoint package. Access to the data is
controlled by permissions and the Project Manager within the client
organisation determines what each manager can see.
TVO complies with the Government recommendations
established in ‘e-Government Strategy Framework Policy and Guidelines’ with
regard to the Registration and Authentication of the ‘managers’ who will have
access to the data collected.
The data stored by TVO is classified as Level 1
according to the classifications set out in the e-Government Framework and
Registration and Authentication methods are set accordingly.
Level 1 data is classified as data that could
potentially cause ‘minor damage’ if it became available to anyone without
authorisation. The data stored by TVO is individual young people’s views and
opinions. In the case of a survey type questionnaires hosted by TVO, where all
the data is anonymous, then this data would be classified as Level 0 as it
would cause ‘no damage’ if it became available to anyone without
authorisation. However TVO provides data
security to Level 1 standard because some customer organisations may choose to
include names and other personal information about young people which, although
unlikely to lead to the identification of a particular young person, has the
potential to lead to ‘minor damage’ to the young person if it became available
to anyone without authorisation.
Hosting data which can be classed as
‘Level 2’, that could potentially cause ‘Significant Damage’, would involve the
setting up of a Public Key Infrastructure which would provide client and server
authentication.
TVO uses 128 bit SSL to provide server authentication,
but setting up Digital Certificates on client PCs to provide client
authentication would involve a very significant cost to customers. As the data we store at the moment can only
be classed as Level 0 or Level 1 it is not considered necessary to set this higher
level of security.
According to the Registration and
Authentication e-Gov Strategy Framework Policy and Guidelines version 3.0,
Registration is defined as the “process by which a user gains a credential such
as username or digital certificate for subsequent authentication”.
To access a questionnaire and data
using Viewpoint Online, a customer organisation first needs to agree the
content of the questionnaire and any information about the users. The customer
organisation then applies for a login/username for an individual and the
information is prepared by TVO and passed on to an authorised person within the
customer organisation. It is possible
for a registered manager within the client organisation to be allowed the
facility to create logins. When an application for a username/login is
initially received, the person making the request is firstly verified as
someone authorised to make the request. Once the logins have been created they
are only sent to the authorised/approved location held on record by TVO. In the unlikely case that a false request for
a login/username was accepted, the logins would only go to the authorised
individual either via e-mail or through the post.
It then responsibility of the login
recipient within the customer organisation to make sure that the Young Person
(YP) or professional receiving the login is the right person. Although it is likely that a social worker,
for example, will know the YP in question we still recommend that the YP should
provide some form of ID just to confirm they are the correct YP.
Authentication is defined in the
e-Government document as the “process which the electronic identity of a user
is asserted to, and validated by, an information system for a specific occasion
using a credential issued following a registration process”. The following outlines TVO’s current
authentication methods.
There are three pieces of information
needed for a YP to login and access a Viewpoint Online questionnaire, or for a
professional to access the Management and/or Analysis section of Viewpoint,
namely Organisation, Username and Password.
Each organisation that uses Viewpoint Online will have their own unique
organisation name which can either be decided by TVO or jointly by Viewpoint
and the organisation in question. As
with the username, the organisation name will only be made available to
authorised people within that organisation.
The third piece of information
required to access a Viewpoint Online questionnaire or Management/Analysis
facility is the password. The initial
password will be decided either by TVO or jointly by TVO and an authorised
member of the customer organisation. Once a manager has logged in they will
then be prompted to change their password, thus adding an extra layer of
security.
TVO has endeavoured to make the
registration and authentication process as rigorous as possible. TVO assumes
that if a person is able to provide the three pieces of information required to
access a questionnaire or data they are who they say they are. TVO provides
training sessions for users within a customer organisation to make them aware
of, amongst other things, the importance of security within the login
process. Also when a professional logs
in to the Management/Analysis module, they are required to accept the Terms and
Conditions which reminds them about their security responsibilities.
The web server is a dedicated Windows
Server 2003 and the data is stored on a SQL server. The server is held with a
web hosting company called UKFast and
the details of their security can be found either in Appendix I, or at:
http://www.ukfast.net/datacentre.html
None of the UKfast administrative
staff have accounts on the server so are unable to access it. There are only
four people in TVO who are able to access the server, accessed via terminal
services. All TVO staff, whatever their role in the organisation are subject to
Criminal Records checks, a process carried out by an independent organisation
approved for this purpose.
The server sits behind a dedicated hardware
firewall and also has Norton Antivirus and Microsoft Antispyware installed
which are updated and used daily. Addiitonally all but the necessary ports and
services have been closed to make sure that security is even tighter.
The Microsoft Baseline Security
Analyzer has been employed, and all accounts, which are kept to a minimum, use
complex passwords. Also NTFS permissions are as tight as possible.
With
regards to the program itself Secure Sockets Layer (SSL) has been installed.
This encrypts data and ensures that it goes to the correct location and that it
cannot be intercepted.
Disk mirroring, in the form of two 220GB
hard drives, is used to provide Fault Tolerance, ensuring that there will be no
break in service should one of the drives fail.
A 24 hour 7 day a week backup service
from Live Vault is employed ensuring that all data can be retrieved
electronically quickly and easily (within an hour).
In terms of a Service Level Agreement
(SLA), if it became necessary to rebuild the server, the site would be back up
within 24 hours during the week and within 48 hours over the weekend
We choose to offer our clients only high-performance,
secure data centre facilities for your dedicated server solution, that's
why we established the
MANOC is located at the home of MaNAP, one of the first
Internet Exchanges to be established in this country. This location is ideal
for companies wishing to locate in
MANOC connects to Telehouse London via a 2 x 155MB link and because there's no "single point failure", you can be totally confident that in the remote event of a connection failure, your traffic will be intelligently re-routed in the alternative direction.
Key benefits of the MANOC data centre:
Uninterrupted power supply(UPS)
Power to your racks will be provided via individually wired 16 Amp supplies with separate breakers. This means that the power supply to your equipment is not at risk from others overloading shared breakers - a common problem in less sophisticated facilities. The UPS and diesel generator system ensures continuous power supply to all equipment and these systems have a seven-day independent run time in the event of mains failure.
Environmental monitoring
MANOC provides a range of monitoring solutions to cover your network devices and servers. We operate an SMS text messaging system from all servers, so that our technicians are alerted immediately in the event of a problem with your equipment. Tailored procedures such as these allow our skilled technical team to react swiftly to specific conditions as they arise.
Optimised Facility
MANOC is situated at a Secure Data Facility with a total area of 900m2. Raised flooring allows the provision of power and data cabling between racks and to telecommunications suppliers. Within the facility the temperature is controlled to 22°C and relative humidity maintained at 45%. Plus air conditioning is provided by under floor cooling by in room air handling units, the air flow directed appropriately by grilles in the floor.
Security
The main data area is situated away from all exterior walls and benefits from a number of security features for maximum protection at all times. These features include CCTV monitoring, motion detection, 24/7/365 security guards and an advanced access control system.
Protection
A sophisticated VESDA fire detection system is in operation and is coupled with CO2 and Halon gas fire suppression systems. This equipment is designed to ensure that any potential fire hazard is detected at a very early stage. In the extremely unlikely event of a fire breaking out the suppression systems will extinguish the fire without damage to your valuable equipment.