					Security

InfoSlips uses strict measures to keep your sensitive data secure, and as a company, you
have the option to omit certain records or fields from the database if required.

Private Sector/Industry Verifications (Not applicable to the 1st release of InfoSlips)

Private Sector/Industry Verifications are those performed by lenders such as banks,
leasing companies and others using secured Internet transactions, or through a 0860
phone number.

Access to the Tilos (InfoSlips) database of employment and income records is only
available to those who have received a Verislip key from the person whose data is being
accessed. No more than three Verislip keys can be in use at one time. In addition to a
Verislip key, other identifying information must be known by the caller.

NO INFORMATION IS RELEASED UNLESS ALL LEVELS OF SECURITY HAVE
BEEN SATISFIED.

InfoSlips Delivered via Electronic Mail

InfoSlips emailed to employees on behalf of employers are secured by sending an e-mail
that is digitally signed with a VeriSign digital certificate and encrypted using 128-bit
encryption.

In addition, employers can opt for a second level of security that encapsulates the InfoSlip
data in a 448-bit encrypted attachment. Using this method, employees are prompted for a
PUK or password before they can view their InfoSlip. Once viewed, the employee is
given the option to erase any InfoSlip data from their computer. This optional method
requires a once-off mini-application to be mailed to or downloaded by each employee.

Web Security FAQ (Not relevant to the 1st release of InfoSlips)
Here are some commonly asked questions relating to the InfoSlips employment and income
verification service on the World Wide Web.

Q. What's the difference between online verifications and telephone verifications?
A. The Tilos (InfoSlips) web site and telephone system can be used interchangeably.
Company codes, Verislip keys and reference numbers are the same for either system.
That way, employees and verifiers can obtain information from whichever source is
convenient for them.

Q. How do verifiers access employee data in a secure manner?
A. To use Tilos (InfoSlips) on the Web, verifiers must register for a membership with
Tilos (InfoSlips), at which point we issue a secure username and password scheme to the
verifier. This username and password, combined with a number of additional security
codes, allows the member-verifier to access employee data. All transactions between a
verifier and Tilos (InfoSlips) are encrypted through the 128-bit Secure Socket Layers
(SSL) standard.

Q. How can my employees obtain Verislip keys?
A. Employees can obtain salary keys through a secure Internet session using any leading
Internet browser like Microsoft Internet Explorer or Netscape Navigator or by phoning
the call center. However, employees cannot access their own income data or the data of
other employees. That information is restricted to parties with the appropriate security
codes and authorization.

Q. How do verifiers access employee data?
A. As with the Tilos (InfoSlips) telephone system, verifiers must enter a series of codes to
view Tilos (InfoSlips) data on the web. Verifiers will need a username, password, the
employee's company code, the employee's identity number, and for income verification, a
Verislip key provided by the employee. In addition, verifiers will be required to use
browsers that support 128-bit SSL encryption. 128-bit encryption is the strongest
encryption available in Internet browsers today.

Q. What is 128-bit SSL encryption?
A. Encryption is a process by which data is "scrambled" in transit. The only parties who
can see the data in a readable format are the sender and intended receiver. Secure Socket
Layers, or SSL, is an encryption standard that was developed by Netscape Corporation
and is based on a public key/private key encryption scheme. SSL is a widely used
standard on the Internet today and facilitates secure commerce in almost every industry.

The "bit" strength refers to how strong the encryption is. Today, the most common form
of SSL encryption on the Internet is 40-bit. Most Internet browsers inherently support
40-bit encryption, and it offers a suitable level of security for many e-commerce
transactions. 128-bit encryption is literally trillions of times stronger. It is the strongest
browser-supported encryption available today and is quickly becoming a standard within
the banking and finance industry.

Tilos (InfoSlips) believes that protecting our clients' confidential data is crucial, and we
have adopted the 128-bit encryption standard to reflect that belief. In addition, we feel
that 128-bit encryption will become more common in all industries over the next 12-24
months.

Q. Which Internet browsers support 128-bit SSL encryption?
A. Many popular browsers offer 128-bit SSL versions. We recommend that you use
either Netscape Navigator or Microsoft Internet Explorer. It is important to understand
that these two browsers come in both 40-bit and 128-bit versions. You should always use
the most secure version available (currently 128-bit).

To find out if your current Netscape browser supports 128-bit encryption, follow these
directions:

* Netscape Navigator 2.x: 128-bit is not supported. You should upgrade your
  browser to the newest 128-bit version.
* Netscape Navigator 3.x: In the Help menu, select "About Netscape". If your
  browser provides 128-bit encryption, then on this page there will be an RSA logo,
  along with bolded wording that contains "This version supports U.S. security". If
  the text in this paragraph says "This version supports International security," then
  128-bit encryption is not provided with your version of the browser. You should
  upgrade your browser to the newest 128-bit version.
* Netscape Navigator 4.x: From the Help menu, select "About Communicator".
  Scroll down this page until you see the bolded paragraph that begins with the
  words "This version supports U.S. security". If the text does not say that, then
  128-bit encryption is not provided with your version of the browser. You should
  upgrade your browser to the newest 128-bit version.

To find out if your current version of Internet Explorer supports 128-bit encryption,
follow these instructions:

* Internet Explorer 3.x: While Microsoft's Internet Explorer version 3.x can
  support 128-bit encryption, we recommend that you upgrade from this old
  version. For a variety of reasons, Internet Explorer 3.x is incompatible with many
  of today's Internet technologies. Upgrading should provide a more enjoyable
  web experience.
* Internet Explorer 4.x: From the "Help" menu, select "About Internet Explorer."
  The following window will say: "Cipher Strength: 128-bit supported" in the
  middle of the page if 128-bit encryption is provided. Otherwise, it will say:
  "Cipher Strength: 40-bit supported". If you have the 40-bit version, you should
  upgrade to the newest 128-bit compatible Internet Explorer.
* Internet Explorer 5.x: From the "Help" menu, select "About Internet Explorer".
  The following window will say: "Cipher Strength: 128-bit supported" in the
  middle of the page if 128-bit encryption is provided. Otherwise, it will say:
  "Cipher Strength: 40-bit supported". If you have the 40-bit version, you should
  upgrade to the 128-bit compatible Internet Explorer.

Q. How can I upgrade my browser?
A. Both Microsoft Internet Explorer and Netscape Navigator are free to download. In
addition, both browsers can also be purchased for a small fee on CD-ROM.

To download the 128-bit version of either browser free of charge, follow the instructions
below. You may want to print this page for easy reference.

If you want to upgrade your version of Internet Explorer:

* Visit http://www.microsoft.com/windows/ie/download/128bit/intro.htm
  and follow the directions for downloading.

If you want to upgrade your version of Netscape Navigator:

* Visit http://www.netscape.com/download/
  Select the 128-bit download from the available products and then follow the
  instructions. If you are already using a Netscape Version 4.x browser, try their
  "SmartUpdate" feature that is listed on the left of the page.

Q. What else should I know about InfoSlips Internet Security & Privacy?
A. It is both our goal and responsibility to provide a secure and convenient telephone and
Internet service. Strong security serves the interest of all parties, and to assist us in
offering these services, we employ a variety of stringent security measures. These
measures allow us to properly identify you, identify transactions, and safeguard your data
as it travels to and from our service. It is your responsibility to safeguard your access
codes, passwords, and other identifying information, as they are specifically traceable to
you.

Please note that activity on our site is recorded in system and application logs. This
information is reviewed regularly as a part of our standard business practice. For more
information, we encourage you to review our privacy policy.

Privacy Statement

InfoSlips has created these statements and guidelines in order to demonstrate our firm
commitment to privacy. The following discloses our information gathering and
dissemination practices for InfoSlips web properties, including our corporate and branded
sites.

An InfoSlip may contain links to other sites, and we take great care in selecting those
links. However, Tilos is not responsible for the privacy practices or the content of other
web sites. We strongly encourage you to look for and review the privacy policies of every
web site you visit.

General Statistics & Web Site Measurements:

      We collect aggregate information site-wide, including anonymous site statistics.
       We also log domain names and/or IP addresses. We use your IP address to help
       diagnose problems with our server, and to administer our web site as well as
       improve the site-wide experience for you and other users. We do not link IP
       addresses to anything personally identifiable.

      We identify and track the single, previous Web site address that visitors come
       from when accessing our site. This is standard practice throughout the Internet
       and it is used to determine how visitors navigate to our sites. We do not, however,
       attach this information to anything that is personally identifiable. In other words,
       while we may track what site you came from, we do not connect that information
       with anything that identifies you.

      When a visitor registers, "logs in," or accesses parts of our site that require the use
       of data like usernames and passwords, we may store a cookie, a small piece of
       information, on that visitor's computer.

       If used, this small file helps to improve the user's experience by allowing us to
       customize or tailor the web pages that the visitor sees and uses for their specific
       needs. For example, we may use a cookie to allow a user to bypass having to
       enter their username every time they log in. For frequent visitors, this type of
       functionality and personalization can greatly improve their experience. These
       cookies DO NOT contain confidential or personal information. While we may use
       cookies to help us understand and improve the navigation of our site, we DO
       NOT use cookies to personally identify and track the navigation of any specific
       visitor.

       We do not resell, distribute, or disclose any of the above information to third
       parties.

Registration & Personally Identifiable Information:

      On certain pages, we may give users the option of providing us with names,
       addresses, phone numbers, fax numbers, email addresses, demographic data,
       preference information, and various other kinds of details. This more personal
       information is not gathered by us without the users' knowledge, active
       permission, and participation.

       In other words, you must voluntarily supply this information. On the Internet, this
       voluntary submission of personally identifiable information is commonly referred
       to as "Opting In."

       In some cases we may use the information to tailor our users' web experience,
       generate anonymous statistics, or to contact users via email, postal mail,
       telephone, or fax (e.g. to send newsletters, action alerts, product updates, etc.).
       Users may choose to opt out at any time; see the cancel subscription section below.

      For security purposes, our e-commerce site (https://verify.theworknumber.com)
       requires users to give us unique identifiers (like social security number and other
       password-type data). Unique identifiers are ONLY collected to verify the user's
       identity and ensure security for all users of the site.

WE DO NOT RESELL, DISTRIBUTE, OR DISCLOSE ANY OF THE DATA THAT
HAS BEEN DISCUSSED IN THE PRECEDING SECTION (REGISTRATION &
PERSONALLY IDENTIFIABLE INFORMATION) TO THIRD PARTIES.

Security & Protection of Your Data

      This site has security measures in place to protect against the loss, misuse and alteration
       of the information under our control. Portions of our site make extensive use of
       Secure Sockets Layer (SSL) encryption, the Internet's leading encryption
       standard, as well as password-like identifying information. SSL is used to encrypt
       the information being sent between a visitor's computer and our web site.

       Encryption is a process in which the information being transmitted between two
       parties is "scrambled" in transit. SSL encryption creates a secure link between two
       computers by establishing a process in which each computer can unscramble
       (unencrypt) the other's information.

       Because we take the protection of your data very seriously, you may be asked to
       "upgrade" your Internet browser to a more recent version if it does not currently
       support the high levels of SSL encryption that portions of our web site require.

      Your browser should indicate whether or not it is operating in a secure site. Most
       browsers will display an alert box advising you that you are requesting pages
       from a secure site, and they will ask your permission to continue. Most browsers
       will also alert you when you are leaving a secure site, and again, ask your
       permission to continue. However, this alert feature can be turned off within the
    browser's preferences. If you have doubts about whether or not you are on a
    secured web page, contact the web site's operator to clarify your questions, and
    DO NOT transmit sensitive information like credit card numbers until you are
    confident of the page's security.

   In addition, we take great care to safeguard all information that is transmitted to
    us and stored by us on our computers, servers, and databases. This protection
    includes the use of network intrusion prevention and detection technology as well
    as other industry accepted security practices. We protect the physical location of
    our systems through the use of access control and monitoring technologies. We
    take extensive measures to limit the risk of damage or loss of any data due to
    hazards like fire, water damage, power loss, etc.

South African Revenue Service on e-Payslips

The South African Revenue Service (SARS) has issued an official statement detailing the
requirements for a legal electronic tax invoice or pay slip.

The first requirement is that an electronic invoice, pay slip, debit or credit note must
contain the mandatory information as required by the Act for that type of document. In
the case of a pay slip, this includes:

* The name and company number of the employer;

* The name, payroll code and identity number of the employee;

* A unique pay slip number;

* The date;

* The words 'pay slip';

* A description of the earnings, deductions and company contributions;

* The net pay and P.A.Y.E. and S.I.T.E. amounts due.

The second requirement concerns the security of the document in transit (between the
sender and the recipient). In order to be valid, documents must be transmitted using
encryption with a key length of at least 128-bits or contain an electronic signature, which
means that the software used to create and send electronic pay slips must have encryption
capability. In addition, the recipient must have a means of decoding the document.

A further requirement is that the electronic pay slip be treated as the original (assuming
no paper version), and that any copies printed by the recipient bear the words 'copy pay
slip'.

In its initial statement, SARS tabled a further requirement that the issuer retain the
documents in a readable and encrypted format for a period of five years from the date of
issue.

The primary objective of these requirements is to ensure that when a SARS audit
encounters pay slips that were generated and delivered electronically, these pay slips are
accurate and complete in terms of content, and the integrity of the invoice has not been
compromised by the process.

These requirements also guarantee that the electronic pay slip conforms to the
characteristics of its paper predecessor. Most employers opt to mirror their paper invoices
in the format of their electronic pay slips, but this is not a SARS requirement as long as
the mandatory information appears on the document.

The security requirements are stipulated to ensure that electronic pay slips cannot be
tampered with en route from the e-billing server to the invoice recipient. The encryption
technology used by the issuer must meet SARS's requirement, but it should also be easily
obtainable and simple for the pay slip recipient to use.

The conclusion to be drawn from the Act and SARS's statements is that an electronic
invoice is perfectly legal, as long as the process and the end result adhere to these simple
criteria.

The same logic can be applied to credit notes, debit notes and statements. As long as the
electronic versions of the documents adhere to the specifications of their paper
counterparts, and have the right level of security, the document that lands in your inbox is
just as legal as the one that ends up in your postbox.

				