This has been a busy month, with so many of our clients choosing to expand their use of policyIQ into new areas. We love the surge of activity, but it does mean that we’ve been a little busier than normal. If I didn’t already see my work from this week spilling over into next, I might try to parse out all of our security-related data center requirements and procedures, structures, features, functionality, policies and implementation recommendations into a list of 101. For the sake of all of those other commitments that I need to get to, suffice it to say that there are a number of layers of security outside and within policyIQ that allow you to securely maintain and share your content with key stakeholders (your policyIQ users, and the vendors, partners and customers outside of policyIQ).
Here is a sampling of policyIQ security-related points:
Data Center Protocols
- Our data center is SAS 70 Type II compliant with reports available annually.
- We certainly have physical security protocols for server access.
- Only a small number of authorized members of the policyIQ team have access to the servers at our data center for the purposes of maintenance.
Site Security
- Access to policyIQ is SSL encrypted. The encryption is included at no additional charge for clients on the second generation of policyIQ (version 6 and later). The SSL certificate is purchased separately by clients still on version 5.7.
- Access can be restricted to explicitly defined IP addresses or a range of IP addresses. The steps to add IP restrictions are located within your online Help guide in the page titled: Restricting User Access by IP Address.
- A User Name and Password are required by every licensed user.
- The Password is set by the administrator who adds the user to the site and is then reset by the user upon his/her first login.
- The Password Policy is established by your Site Administrator within Setup>System Setup>Password Policy.
- You can now lock users out of policyIQ if their number of login attempts exceeds your customized limit.
- Read Only Access can be provided by creating a Read Only Access account. A “Pass Through” link is generated when this account is created and can be shared by the organization in a method determined by the organization (often as an icon or shortcut placed on the intranet).
- The users accessing policyIQ via this account bypass the login screen and are able to see the Home module (published content in which their “Group” was added as a viewer) and the WhistleBlower module.
Content Security
- Local Rights to objects
  - User Access Type = Advanced, Standard or Read-only.
  - Global Permissions = generally granted as a part of the standard Roles.
  - Local Rights = Administrator, Editor, Viewer of a Page, for example.
- Formal approval
  - For Pages, the Approver(s) Group is designated in the Page Security tab of the associated Template within the Setup module.
  - For Forms, Approvers are established in the Form Template Security tab within the Create And Edit module.
- Specific Item Security
  - It is possible to further refine rights at the item or object level within policyIQ. See the Security tab on your Form Templates, Pages, Files or Weblinks. You can also adjust who can change or view your Folders and Reports.
This list is, by no means, all-inclusive. I really just wanted to help you step back and see the range of parameters and methods in place to allow or restrict access to your content. If you are interested in a specific review of your security settings or you have security-related questions, contact our policyIQ Support team.