Certification and Compliance Statements

Last updated : February 28, 2022

Last revision : 


This document is effective from Tuesday, 1 March 2022.


POPIT SNACK PLATFORM COMPLIANCE DOCUMENTS

Compliance and security are not exclusive, and must be addressed together. PopIt Snack Platform deployments are unlikely to satisfy compliance requirements without security hardening. The listing below provides a PopIt Snack Platform architect with foundational knowledge and guidance for achieving compliance against commercial and government certifications and standards.

Commercial Standards

For commercial deployments of PopIt Snack Platform, we recommend combining SOC 1/2 with ISO 27001/2 as the starting point for PopIt Snack Platform certification activities. The security activities mandated by these certifications provide a foundation of security best practices and common control criteria that can assist in achieving more stringent compliance activities, including government attestations and certifications.

After completing these initial certifications, the remaining certifications are more deployment specific. For example, clouds processing credit card transactions will need PCI-DSS, clouds storing health care information require HIPAA, and clouds within the federal government may require FedRAMP/FISMA and ITAR certifications.


SOC 1 (SSAE 16) / ISAE 3402

Service Organization Controls (SOC) criteria are defined by the American Institute of Certified Public Accountants (AICPA). SOC controls assess relevant financial statements and assertions of a service provider, such as compliance with the Sarbanes-Oxley Act. SOC 1 is a replacement for Statement on Auditing Standards No. 70 (SAS 70) Type II report. These controls commonly include physical data centers in scope.

There are two types of SOC 1 reports:

  • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

For more details see the AICPA Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting.


SOC 2

Service Organization Controls (SOC) 2 is a self-attestation of controls that affect the security, availability, and processing integrity of the systems a service organization uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. Examples of users are those responsible for governance of the service organization, customers of the service organization, regulators, business partners, suppliers, and others who have an understanding of the service organization and its controls.

There are two types of SOC 2 reports:

  • Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
  • Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

For more details see the AICPA Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.


SOC 3

Service Organization Controls (SOC) 3 is a trust services report for service organizations. These reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality, or privacy but do not have the need for or the knowledge necessary to make effective use of a SOC 2 Report. These reports are prepared using the AICPA/Canadian Institute of Chartered Accountants (CICA) Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy. Because they are general use reports, SOC 3 Reports can be freely distributed or posted on a website as a seal.

For more details see the AICPA Trust Services Report for Service Organizations.


ISO 27001/2

The ISO/IEC 27001/2 standards replace BS7799-2, and are specifications for an Information Security Management System (ISMS). An ISMS is a comprehensive set of policies and processes that an organization creates and maintains to manage risk to information assets. These risks are assessed in terms of the confidentiality, integrity, and availability (CIA) of user information. The CIA security triad has been used as a foundation for many of the chapters in this book.

For more details see ISO 27001.


HIPAA / HITECH

The Health Insurance Portability and Accountability Act (HIPAA) is a United States congressional act that governs the collection, storage, use and destruction of patient health records. The act states that Protected Health Information (PHI) must be rendered “unusable, unreadable, or indecipherable” to unauthorized persons, and that encryption of data ‘at rest’ and ‘in flight’ should be addressed.

HIPAA is not a certification, but rather a guide for protecting healthcare data. As with the PCI-DSS, the most important issue with both PCI and HIPAA is that a breach of credit card information or health data does not occur. In the event of a breach, the cloud provider will be scrutinized for compliance with PCI and HIPAA controls. If proven compliant, the provider can still expect to immediately implement remedial controls, meet breach notification responsibilities, and incur significant expenditure on additional compliance activities. If not compliant, the cloud provider can expect on-site audit teams, fines, potential loss of its merchant ID (PCI), and massive reputational impact.

Users or organizations that possess PHI must support HIPAA requirements and are HIPAA covered entities. If an entity intends to use a service, or in this case a PopIt Snack Platform cloud, that might use, store or have access to that PHI, then a Business Associate Agreement (BAA) must be signed. The BAA is a contract between the HIPAA covered entity and the PopIt Snack Platform service provider that requires the provider to handle that PHI in accordance with HIPAA requirements. If the service provider does not handle the PHI accordingly, for example by applying security controls and hardening, then it is subject to HIPAA fines and penalties.

PopIt Snack Platform architects interpret and respond to HIPAA statements, with data encryption remaining a core practice. Currently, this requires any protected health information contained within a PopIt Snack Platform deployment to be encrypted with industry-standard encryption algorithms. Potential future PopIt Snack Platform projects such as object encryption will facilitate HIPAA guidelines for compliance with the act.

For more details see the Health Insurance Portability And Accountability Act.


PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is defined by the Payment Card Industry Standards Council, and created to increase controls around card holder data to reduce credit card fraud. Annual compliance validation is assessed by an external Qualified Security Assessor (QSA) who creates a Report on Compliance (ROC), or by a Self-Assessment Questionnaire (SAQ) dependent on volume of card-holder transactions.

PopIt Snack Platform deployments that store, process, or transmit payment card details are in scope for the PCI-DSS. All PopIt Snack Platform components that are not properly segmented from systems or networks that handle payment data fall under the guidelines of the PCI-DSS. Segmentation in the context of PCI-DSS does not mean logical multi-tenancy, but rather physical separation (host/network).

For more details see PCI security standards.


Government Standards

Indonesia’s National Work Competency Standards (SKKNI) Category Security Operations Center

Competency standards are needed by several institutions involved in the development of human resources, according to their individual needs and scope:

1. For educational and training institutions

a. Provide information for program development and curriculum.
b. As a reference in the implementation of training, assessment, and certification.

2. For the world of business/industry and the use of labor

a. Assist in recruitment.
b. Assist in performance appraisal.
c. Assist in compiling job descriptions.
d. Assist in developing training programs that are based specifically on the needs of the business/industry world.

3. For testing and certification providers

a. As a reference in formulating certification program packages according to qualifications and levels.
b. As a reference in the implementation of assessment and training certification.


Indonesia’s Standard Information Security Index (Indeks KAMI)

The Information Security Index (KAMI) is an application used as a tool to assess and evaluate the level of readiness (completeness and maturity) of the application of information security, based on the criteria of SNI ISO/IEC 27001: Governance, Risk Management, Framework, Asset Management and Technology Aspects, supplemented by Third-Party Service Provider Engagement Security, Cloud Infrastructure Service Security and Personal Data Protection. The KAMI index is not intended to analyze the feasibility or effectiveness of existing forms of security, but rather serves as a tool to provide an overview of the state of readiness of the information security framework.

One standard that can be used to measure the maturity level of information security in an organization is the KAMI index, developed by Indonesia’s National Cyber and Crypto Agency with reference to ISO/IEC 27001:2009. This assessment is used to gauge the maturity level of information security in the platform environment; its results can serve as a basis for evaluation in order to improve the information security of the company platform in the future.

For more details see The Information Security Index.


Indonesia’s Standard Electronic System Operator (Penyelenggara Sistem Elektronik/ PSE)

Indonesia has issued a government regulation in the scope of information and electronic transactions, namely Government Regulation No. 71 of 2019 on Organization of Electronic Systems and Transactions (GR 71/2019). This regulation replaces the previous regulation, Government Regulation Number 82 of 2012 on Organization of Electronic Systems and Transactions (GR 82/2012). Under its transitional provision, a Private ESP that was in operation before the promulgation of GR 71/2019 must adjust to the provisions of Article 6 (regarding the registration obligation) within 1 year. GR 71/2019 became effective on 10 October 2019, so the deadline for Private ESPs to adjust is 10 October 2020.

There are several important points for Electronic System Providers (ESP) in the GR 71/2019, as follows:

A. Classification of Electronic System Operators.

GR 71/2019 identifies two ESPs. The division is as follows:

  1. Public ESP – the state administering agency and the institution designated by the agency.
  2. Private ESP – providers overseen by ministries/agencies and providers that have portals, sites, or online applications including offering/trading goods/services, financial transaction services, paid digital cargo delivery, operating communications services, search engine services, and processing of personal data.

B. Electronic System Operator Registration

As under GR 82/2012 before it, each ESP is required to register. However, the registration procedure is now regulated by the Minister of Communication and Informatics.

C. Electronic System Governance

In managing electronic systems, the following are important points that ESP must fulfill:

  1. ESP guarantees the availability of service level agreements, the availability of information security agreements for the Information Technology services used, and the security of information and internal communication facilities organized.
  2. ESP must apply risk management to damage or loss.
  3. ESP must have an Electronic System policy, Standard Operational Procedure, and periodic audit mechanism.

D. Data Center Placement

The ambiguity of data center placement under GR 82/2012 has now been given legal certainty, as follows:

  1. Public ESPs are required to manage, process, and/or store Electronic Systems and Electronic Data in the territory of the Republic of Indonesia, except where this is not yet available.
  2. Private ESPs may manage, process, and/or store Electronic Systems and Electronic Data in the Republic of Indonesia and/or outside Indonesia. If management is carried out outside Indonesia, the ESP must ensure the effectiveness of supervision by the ministry and other authorities. The financial sector will be regulated further by BI and OJK.

E. Obligations to Safeguard Electronic System Organization

In carrying out its practice, ESP must guarantee security in the following manner:

  1. ESP must provide a track record of all phases of the implementation audit;
  2. ESP must display the full electronic information and/or Electronic Document under the format and retention period;
  3. ESP must maintain the confidentiality, integrity, authenticity, accessibility, availability, and traceability of Electronic Information and/or Electronic Documents;
  4. For criminal proceedings, the Electronic System Provider is required to provide Electronic Information and/or Electronic Data contained in the Electronic System, or Electronic Information and/or Electronic Data generated by the Electronic System, upon the legitimate request of the investigator for certain criminal acts, following the authority stipulated in the law.

F. Electronic System Worthiness

To carry out its activities the ESP is required to conduct an electronic system feasibility test. This obligation can be applied to all components or some components in the electronic system in accordance with the characteristics of the electronic system and protection requirements.

G. Supervision

The Minister of Communications and Informatics supervises the administration of the Electronic System. This supervision by the Minister includes monitoring, controlling, examining, searching and securing.

H. Personal Data Protection

ESP must protect personal data during processing and must request approval for processing. Processing of Personal Data must be based on valid approval from the Data Owner. ESP must implement the principles of Personal Data Protection when conducting processing, which includes:

  1. acquisition & collection;
  2. processing & analyzing;
  3. storage;
  4. revision & update;
  5. display, announcement, transfer, distribution or disclosure; and
  6. deletion or removal.

Failure to protect personal data must be notified in writing to the data owner.

I. Right to Erasure & Right to Delisting (Right to be Forgotten)

ESP must delete irrelevant Electronic Information and/or Electronic Documents under its control at the request of the Data Owner. The deletion consists of the right to erasure and the right to delisting from search engine listings.

J. Electronic Signatures

GR 71/2019 specifically regulates electronic signatures in administering electronic systems. An Electronic Signature used in Electronic Transactions can be generated through various signing procedures. Where an Electronic Signature represents a Business Entity, the Electronic Signature is referred to as an electronic seal. Electronic Signature Making Data must refer uniquely to the Signatory and can be used to identify the Signatory. In the signing process, a mechanism must be in place to ensure that the Electronic Signature verification data related to the Electronic Signature Making Data is still valid and has not been revoked.

K. Competence of the Electronic System Provider

Each ESP must be competent in its field. Business Entities that conduct Electronic Transactions can be certified by the Reliability Certification Agency. Professionals who make up the Reliability Certification Agency include at least the following professions:

  1. Information Technology consultant;
  2. Information Technology auditor; and
  3. legal consultant in Information Technology.

Reliability certification agencies produce reliability certificates aimed at protecting consumers in Electronic Transactions. Reliability Certificates issued by the Reliability Certification Agency include the following categories:

  1. Identity registration;
  2. Electronic System security;
  3. Guarantee statement on the goods/services; and
  4. Privacy policy.

L. Sanctions

Violation of GR 71/2019 leads to administrative sanctions, in the form of:

  1. Warning letters;
  2. Administrative fines;
  3. Temporary suspension of activities;
  4. Termination of access; and/or
  5. Removal from the list.

M. Transitional Provisions

In carrying out this regulation, ESPs are given time to make adjustments:

  1. After enactment of GR 71/2019, a Private ESP that was in operation before the promulgation of GR 71/2019 must adjust to the provisions of Article 6 (regarding the registration obligation) within 1 year. GR 71/2019 became effective on 10 October 2019, so the deadline for Private ESPs to adjust is 10 October 2020.
  2. After enactment of GR 71/2019, a Public ESP that was in operation before the promulgation of GR 71/2019 must adjust to the provisions of Article 20(2) (regarding placement of data storage in Indonesia) within 2 years.

For more details see Indonesia’s Standard Electronic System Operator.

Indonesia Law of Information and Electronic Transaction or Law number 11 of 2008

The Indonesian government initially adopted a conservative and relatively traditional approach to regulating internet-based activities. Prior to 2008, there was no legislation or guidance in Indonesia that regulated the internet and how electronic information was offered and consumed, for both commercial and non-commercial purposes. In response to the growth of internet use, the Indonesian government issued an underlying regulation to address potential issues resulting from activities conducted on the internet. On 21 April 2008, through the House of Representatives, the Indonesian government issued Law No. 11 of 2008 on Electronic Information and Transactions (the ITE Law).

For more details see Indonesia’s Law number 11 of 2008.