Shared Responsibility Model for Information Security
Overview
Security and compliance are a shared responsibility between Datalink, its vendors and the customer.
The shared responsibility model is an industry standard that helps identify security boundaries. It alleviates the customer’s operational burden for information security, as Datalink and its upstream vendors (such as AWS) commit to taking care of the security of the cloud, the platform and all Datalink-developed platform solutions, leaving the customer responsible for the authorisation and conduct of its users, and for any configuration of Crisisworks made by customer administrators.
The Shared Responsibility Model
The shared responsibility model is as follows:
AWS is responsible for “security of the infrastructure” — AWS is an Infrastructure-as-a-Service provider, and is responsible for protecting the infrastructure and all its services in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
Datalink is responsible for “security of the platform” — Datalink is a Platform-as-a-Service provider, and as such it develops its software and configures its AWS infrastructure and services to host its software. Datalink is responsible for the security of its software, the configuration of the infrastructure that runs the software, and the provision of related services such as its service desk operation. Datalink acts as a processor of the customer information it holds. It has various assurance programs including ISO 27001, penetration tests and monitoring to maintain its security.
The Customer is responsible for “security in the platform” — each customer is allocated its own instance of the platform, where it can independently configure parts of the system, store its data and authorise its users to access that data. The customer is responsible for its conduct within its own instance, as well as for the security decisions made by its users. For example, customers control the creation of events, positions and competencies, grant users authorisation, set policies for acceptable behaviour and so on. Users can access data based on authorisation decisions made by customer administrators. The customer is responsible for the conduct, training, monitoring and decisions of its users within the platform. The customer owns its own data and is responsible for maintaining the privacy of that data.