Didasko Security Statement (including use of Didasko Cloud Service)

16 March 2018

Didasko International Pty Ltd (t/a Didasko Learning Resources and LearnCheckTest) (Didasko) uses SoftLayer®, an IBM Company, which provides cloud infrastructure services including private cloud solutions, virtual servers, networking and turnkey data solutions. Headquartered in Dallas, Texas, SoftLayer provides on-demand cloud infrastructure as a service through its Platform Services system in providing a cloud service to its clients (Didasko Cloud Service). SoftLayer permits its clients to create bare metal, virtual server, or hybrid computing environments, leveraging global data centres and points of presence (PoP). SoftLayer infrastructure includes providing Platform Services from 25 data centers located within the USA and in locations outside of the USA including Sydney, Melbourne, Hong Kong, Singapore and Tokyo. The primary Network Operations Center (NOC) is based in Houston, Texas. In the event of a failure at the NOC, any other data center can resume operations. Through the NOC, SoftLayer provides 24 hours per day monitoring to support all data centers. Each data center also has its own local Data Center Room (DCR), which is used to monitor and resolve any potential issues locally.

Global Network

SoftLayer’s global network offers more than 2,000 gigabits per second (Gbps) of connectivity between data centers and networks. These locations each have ten Gbps transit connections as well as peering links to additional service providers and access networks. The SoftLayer production network delivers scalability and control because of its unique topology as a ‘network of networks’. Public, private and management traffic travel across separate network interfaces, segregating and securing traffic while streamlining management functions.

Public Network

Every data center and network PoP has multiple ten Gbps connections to top tier transit and peering network carriers. Network traffic from anywhere in the world will connect to the closest network PoP and it will travel directly across the network to its data center, minimising the number of network hops and handoffs between providers.

Private Network

All SoftLayer data centers and PoPs are connected by SoftLayer’s private network backbone. This private network is separate to the public network and provides a seamless connection to clients’ servers (bare metal or virtual) in SoftLayer data centers around the world.

Management Network

In addition to the public and private networks, each SoftLayer server is connected to an out-of-band management network. This management network, accessible via Virtual Private Network (VPN), allows access to each server independently of its CPU, enabling the client to perform Operating System (OS) reloads, power-cycle the server, or use the Intelligent Platform Management Interface (IPMI) connection to watch the server boot up as though the client was physically present in the data center.

Network Design for Availability and Information Management System (IMS) Impact on Clients’ Environments

Based on SoftLayer’s ‘Network-within-a-Network’, with three network interfaces, if an outage occurs at a data center on the public network, the traffic will be routed and can traverse through the other established networks to provide continuity of access to data and availability of the server. The Infrastructure Managed Services (IMS) is connected to the client’s bare metal and virtual servers, and any outage in the IMS that may occur will have no impact on a client’s environments as it is set up separately such that public and private traffic will route even if IMS becomes unavailable.

Data Protection

Under the agreement between Didasko and SoftLayer, services provided by SoftLayer are not designed to any specific security requirements other than the physical security of the computing resources containing Didasko’s content (or any client of Didasko’s content). Neither IBM nor SoftLayer will access Didasko’s content except i) when it is expressly authorised in connection with requested support; ii) as mutually agreed between the parties; iii) to the extent required by law or as necessary to comply with the request of a governmental or regulatory body or order from a court of competent jurisdiction.

Facility Management Services Supporting SoftLayer

The controls that SoftLayer implements at its data centers, either within or outside the USA, include:

  1. Physical access to the Data Center, including sensitive areas, is restricted;
  2. Access to the Data Center is restricted to authorised personnel;
  3. Surveillance cameras are located at strategic locations at the Data Center as a deterrent to unauthorised access;
  4. Failed access attempts to the Data Center are logged for follow-up as necessary;
  5. Visitors and contractors to the Data Centers are signed in. Visitors are escorted by authorised personnel and contractors escorted as necessary;
  6. Fire detection and suppression systems, including dry pipe, fire extinguishers, smoke and fire alarms, exist in the Data Center;
  7. Backup power, including UPS and generators, exists in the Data Center;
  8. Heating and cooling (HVAC) mechanisms, such as CRAC/CRAH units, air handlers and chillers, exist in the Data Center to monitor and control temperature and humidity;
  9. Power distribution units and electrical panels exist in the Data Centers; and
  10. Periodic maintenance is performed over: a) fire detection and suppression systems, b) generator and UPS, and c) HVAC.

[Note: Didasko Cloud physical and environment security, fire detection and suppression, and power-related security matters are managed by IBM SoftLayer Cloud Services.]

Roles and Responsibilities between Client, Didasko Cloud, and IBM SoftLayer

The following chart sets out a summary of various roles and responsibilities under this Data Security Statement:

Responsibilities:

  1. Data Center Management
  2. Hypervisor Provisioning & Management
  3. Virtual Provisioning & Management
  4. Data Security (including backup, anti-virus and storage security)
  5. LMS Web and Database Services Provisioning & Management
  6. Customer LMS Site Management (including user accounts and assessments management, and course delivery)
  7. Customer LMS Site Additional Unit Creation, Upload and Local Data Security

Roles:

  1. Customer LMS Administrator
  2. Didasko LMS Online Courses Provider (Virtualized, Didasko Cloud)
  3. Public & Private Cloud Service Provider (Virtualized, Sydney Data Center, IBM SoftLayer)

Customer LMS Administrators or Customer's authorized agent
Didasko LMS Online Courses Provider
IBM SoftLayer Cloud Service Provider

Cloud Network Security

Cloud Network Architecture and Asset Management

Asset Management
Didasko Cloud Service is paid for by Didasko on a monthly access basis. All hardware and software on the Didasko Cloud are leased from IBM SoftLayer Cloud Services.

Internal Network Architecture

Didasko Cloud infrastructure is designed as a High Availability (HA) network infrastructure to service Didasko Web Learning Management Systems (LMS) and the eCampus Training platform. The Cloud infrastructure is designed and implemented with dual firewalls, dual Bare Metal Servers and dual load balancers for web server Virtual Machines (VM) and Database VM. It provides both hardware and software level fault tolerance for Didasko Cloud Service.

Cloud Network Monitoring and Protection

The following steps are taken by Didasko in relation to network monitoring and protection:

Cloud Data Transmission Protection
Corporate Segregation
Confidentiality and Non-Disclosure Agreements

All Didasko employees are required to sign confidentiality and non-disclosure agreements as part of their employment with Didasko. These obligations survive the termination of employment and are reviewed periodically.

Business Continuity and Disaster Recovery

System Security
Physical and Environmental Security

Apart from the security measures in place at all SoftLayer locations referred to above, Didasko has the following physical and environmental security systems in place at its offices:

Security Threats

Didasko maintains vigilant and high-level security of all internal networks and interfaces by:

Ownership and Retention of Data
Data Sovereignty and Cross-border Data Flows

Didasko is aware of its obligations under the Privacy Act 1988 (Cth) (as amended from time-to-time) (Privacy Act) including in relation to any cross-border disclosures of personal information under Australian Privacy Principle (APP) 8.

Where there is any ‘disclosure’ of personal information to SoftLayer through the use of the Didasko Cloud Service, Didasko undertakes to take such steps as are reasonable in the circumstances to ensure that any overseas recipient does not breach the APPs (other than APP 1) in relation to the information.

Where the provision of services by SoftLayer to Didasko via the Didasko Cloud Service constitutes any ‘use’ of personal information, Didasko accepts that any handling of personal information by SoftLayer, including any acts or practices undertaken by it on behalf of Didasko, will be treated as having been done by Didasko.

Data Security

Didasko takes any data security maintenance outside of the SoftLayer and Didasko Cloud Service framework seriously including:

Insurance

Information Technology Liability Insurance

Professional Indemnity
$2M any one claim / $4M in aggregate

General Liability (Product and Public Liability)
$20M

Management Liability Insurance
Various

Business Insurance
Various