SPA Cloud - Cloud Service Information Security Policy

Last Updated: 13/Dec/2018

KB#: 000016066

1. Information security that applies to the design and actual condition of cloud services
   WingArc1st provides stable and safe services to customers by streamlining development guidelines in-house, and carrying out development along those guidelines.
   
   
2. Risks from authorized insiders
   WingArc1st’s policy states that the production environment cannot be accessed without a valid reason.
   
   
3. Segregation of multi-tenancy and cloud service customers (including virtualization)
   WingArc1st’s cloud services provide multi-tenant services and logically separates the IT resources of each company.
   
   
4. Access to assets of cloud service customers by cloud service providers’ personnel
   Generally, WingArc1st personnel do not directly access customer data on the cloud. If necessary, personnel must obtain prior approval from cloud users.
   
   
5. Access control procedures (e.g. strict authentication for administrative access to cloud services)
   Access control procedures to the production environment are protected by multi-factor authentication.
   
   
6. Notifications to cloud service customers about change management
   WingArc1st will send notifications by email and via the support site at 2 weeks, 1 week and 1 day prior to change management. Notification will also be sent once the change is done.
   
   
7. Virtualization Security
   WingArc1st’s cloud service prevents information security damage using the PDCA cycle of the ISMS.
   
   
8. Access and protection of cloud service customer data
   
   • Information from customers is managed on Amazon Web Services (referred to as AWS below).
   • WingArc1st monitors the latest trends and adopts highly evaluated technology for its encryption.
     Customer data is protected by encryption and hashing.
     This includes communication with WingArc1st’s cloud services and customer accounts (password).
     Disks containing customer data files are encrypted transparently. 
   • WingArc1st’s cloud service security is protected from hacking by AWS functions that prevent unauthorized access.
     
     
9. Life cycle processing of cloud service customer accounts
   Customers can change, add or delete their own accounts. Please refer to the online manual in the link below.
   
   https://manual.wingarc-support.com/ja/manual/spa/spac-manual/index.html (Japanese)
   
   
10. Information sharing policy to support notifications of violations, investigations and forensics
    Investigations are conducted by downloading log information or by request to WingArc1st (business operator).