The following is a summary of how Athento assists in complying with each of the Circular 005:
3.4. Verify that the cloud service provider has and maintains in force, at least, the ISO 27001 certification, and compliance with standards or best practices, such as ISO 27017 and 27018. The provider may be certified with standards or best practices that replace, substitute or modify the previous ones and must have service organization controls reports (SOC1, SOC2, SOC3).
3.5. Verify that the provider offers an availability of at least 99.95% in the services provided in the cloud.
Athento offers by contract an availability of 99.95% with compensation in case of lower monthly availability.
3.6. Manage the risks of the APIs or Web Services provided by the cloud service provider.
Athento's APIs are an internal part of the application so they have the same security and availability measures as the rest of the application. Athento can offer alternative APIs and the APIs are very versatile.
3.7. Verify that the jurisdictions where the information will be processed have regulations equivalent or superior to those applicable in Colombia, related to the protection of personal data and penalization of acts that violate the confidentiality, integrity and availability of data and computer systems.
Athento locates processes and data in datacenters in Canada or France, whose data protection laws are compatible with those of Colombia.
3.8. Establish mechanisms that allow for the backup of the information processed in the cloud, which must be available to the entity when required.
Athento has backup copies to which the client will have access upon request.
3.9. Guarantee the independence of its information and backup copies from the information of other entities processing in the cloud. Independence can be at the logical or physical level.
For financial institutions, Athento is installed on independent servers, so that no disk or processing resources are shared with those of other clients.
3.10. Maintain encryption of information classified as confidential in transit or at rest, using internationally recognized standards and algorithms that provide at least the security offered by AES, RSA or 3DES. 3.11. Have under its control the administration of users and privileges for access to the services offered, as well as to the platforms, applications and databases operating in the cloud, depending on the contracted service model.
Athento always uses HTTPS encryption for data in transit and AES encryption for data at rest.
3.12. Monitor contracted services to detect undesired operations or changes and/or take preventive or corrective actions when required.
Athento uses several external providers for monitoring its service. Specifically: Site24x7, for server and high-level service monitoring; Runscope, for REST API service monitoring; and Ghostinspector, for web UI monitoring.
3.13. Establish procedures to verify compliance with the agreements and service levels established with the cloud service provider and its subcontractors or partners, when these are the ones providing the service.
Athento offers access to monitoring tools and use of the service to comply with this numeral.
3.14. Have end-to-end encrypted communication channels with the cloud service provider, using different routes if possible.
Athento only works with SSL encrypted tools in order to secure communications with customers and users.
4. SERVICE AGREEMENTS OR CONTRACTS
The agreements or contracts entered into by the entities for the provision of cloud computing services must include at least the following elements:
4.1. The conditions regarding capacity, availability, recovery times, the existence of continuity plans, incident resolution and service hours of the service provider, which must provide for service levels that allow compliance, at least, with the instructions set forth in section 3 of this Chapter.
Athento's base contract has the details required by Circular 005, so it will be an easy point of compliance for the client.
4.2. The information security and cybersecurity conditions of cloud services and the conditions established to protect the privacy and confidentiality of customer data, which must provide for service levels that allow compliance, at least, with the instructions indicated in section 3 of this Chapter on the information processed in the cloud.
Athento's base contract deals in a special way with confidentiality, security, etc.
4.3. The ownership of the information processed in the cloud computing services, making it clear that the data is the property of the supervised entity and that it cannot be used for any purpose other than that established in the contract.
Athento has a clause in its basic contract specifying that the data is the property of the client.
4.4. The conditions and limitations under which it may subcontract part of the service or make changes to the agreements established with its subcontractors or partners.
Athento transparently specifies in its contract which services are outsourced and to which suppliers.
4.5. The causes for termination of the contract by the entity, including the breach of the agreements or service levels or the change of conditions that generate a negative impact on the contracted service.
4.6. The delivery to the supervised entity of reports and certifications that demonstrate the quality, performance and effectiveness in the management of the contracted services, as well as the validity of the certifications set forth in section 3.4 of this Chapter.
4.7. The obligation of the service provider to inform, as soon as possible, the supervised entity of any event or situation that could significantly affect the provision of the service and, therefore, the supervised entity's compliance with its obligations to financial consumers, the SFC and other entities.
4.8. Secure deletion of existing data on the storage media when the contract is terminated, when requested by the entity or when the cloud service provider deletes and/or replaces such media.
4.9. Timely and effective remediation of detected IT vulnerabilities.
4.10. The use of multiple authentication factor techniques for access to the administration consoles by the supervised entity.
5. BUSINESS CONTINUITY MANAGEMENT
Athento has a Business Continuity Plan that it can make available to its clients to comply with this requirement of the Circular.