SUBLANDIA

SISTEM




HARDVERSKO - SOFTVERSKO REŠENJE
ISPUNJAVA ZAHTEVE ISO 27000 I ISO 27001


Šta je SUBLANDIA?

SUBLANDIA je sistem izrađen da odgovori na zahteve ISO 27000 i
ISO 27001

Podrazumeva hardversko - softversko rešenje namenjeno Subtitling industriji.

SUBLANDIA je sačinjena od softverskih rešenja podržanih sa 2 ili više serverskih sistema u zavisnosti od zahteva i potreba.

Radni sistem i bekap

SUBLANDIA se u svakoj opciji sastoji od radnog sistema kojim se korisnici služe u radu i bekap sistema koji se pokreće ukoliko dođe do neočekivanih smetnji u radu radnog servera. Time se obezbeđuje neometan rad korisnika.

Email sistem

SUBLANDIA ima svoj Email sistem koji služi za internu komunikaciju kompanije sa zaposlenima, prijem i prosleđivanje radnih materijala i zadataka. Email sistem u potpunosti odgovara na zahteve ISO 27000 i ISO 27001 i ima dvostruku enkripciju.

Rad od kuće

SUBLANDIA je sistem kojem korisnici pristupaju sa udaljene lokacije i omogućava korisnicima rad od kuće. Sistem sadrži softver za subtitling i tekst editor. 

Softver za subtitling

U trenutnoj verziji, SUBLANDIA koristi desktop verziju open source softvera. Web based onlajn softversko rešenje je u fazi izrade.
Nova verzija softvera za subtitling je 50% izrađena i uskoro će proći prvu fazu testiranja samog rada i stabilnosti.
Trenutna verzija softvera biće zamenjena novom bez prekida tokom rada korisnika.

Sistem za automatsku transkripciju

Sistem za automatsku transkripciju SUBLANDIA ima u Standardnom i Optimalnom paketu.
Trenutni softver za subtitling ima ugrađenu opciju za automatsku transkripciju koja je onemogućena jer u mnogome smanjuje radne performanse samog sistema. U Optimalnom paketu, sistem za transkripciju je namenski dizajniran i odvojen od softvera za subtitling i prilagođen je za upotrebu unutar kompanije bez mogućnosti pristupa radnim materijalima trećih lica. Ovaj sistem olakšava rad prevodiocima, rasterećuje Radni sistem i obezbeđuje adekvatnu zaštitu podataka.

Sistem za oporavak od katastrofe

Ovaj sistem se uključuje u rad isključivo prilikom katastrofa, kada je funkcionisanje Radnog i Bekap sistema u potpunosti onemogućeno. Uključivanje sistema za oporavak od katastrofe vrši se u roku 24h od nastanka katastrofalnog događaja.

Bekap radnih materijala

Bekap radnih materijala je moguć uz bilo koji SUBLANDIA paket. Podrazmeva bekap na hard diskove. Količina i karakteristike samih hard diskova se određuju u zavisnosti od potreba i zahteva.

Procesi

1

Order i prijem materijala

Klijenti šalju "Ordere" na unapred definisani Email koji se nalazi na Email serveru u sklopu sistema SUBLANDIA.
2

Pregled i raspodela materijala

Odgovorna osoba vrši pregled "Ordera" i preko softverskog dela unutar sistema SUBLANDIA raspodeljuje preuzeti materijal koji se šalje u radni deo sistema za svakog prevodioca pojedinačno. Email servisom se vrši dodatno obaveštavanje prevodilaca o dostupnim radnim materijalima.
3

Obrada radnog materijala

Povezivanjem na sistem SUBLANDIA, prevodioci imaju pristup softveru za subtitling. Preko tog softvera učitavaju dostupan materijal za rad, prevode i titluju materijale. Završeni materijal se čuva u njihovom radnom delu sistema i šalje se na lekturu. Preko Email sistema, prevodioci obaveštavaju lektora o dostupnim materijalima za lekturu.
4

Lektura

Povezivanjem na sistem SUBLANDIA, lektori pristupaju softveru za subtitling i vrše lekturu poslatog materijala uz mogućnost pregleda videa. Lektorisani materijali se zatim šalju na finalnu kontrolu. Preko Email sistema, lektori obaveštavaju finalnu kontrolu o dostupnim materijalima.
5

Finalna kontrola

Povezivanjem na sistem SUBLANDIA, finalna kontrola pristupa softveru za subtitling i vrši finalnu kontrolu poslatog materijala uz mogućnost pregleda videa. Obrađeni materijali se zatim šalju odgovornoj osobi za otpremanje materijala klijentima. Odgovorna osoba za otpremanje materijala se obaveštava preko Email sistema.
6

Otpremanje materijala

Odgovorna osoba sav dostupan materijal otprema klijentu koristeći Email sistem.

SUBLANDIA
i ISO standardi

TABELARNI PRIKAZ ODGOVORA SUBLANDIA SISTEMA
NA ZAHTEVE ISO 27000 I ISO 27001

3.5. Are external vulnerability scans conducted by an internal team on a monthly basis?
 Slika 1 Uz instalaciju sistema, prvog meseca se testiranje podrazumeva. Za ostala mesečna testiranja - dogovor.
3.6. Are internal vulnerability scans conducted on all networks monthly?
 Slika 2 Uz instalaciju sistema, prvog meseca se testiranje podrazumeva. Za ostala mesečna testiranja - dogovor.
4.4. Do you have policies and procedures for managing of user, administrator, and service accounts?
 Slika 3
4.6. Do you manage remote access? Slika 2
4.7. Do you manage access permissions and authorizations, incorporating the principles of least privilege and separation of duties?
 Slika 3
4.8. Are users, devices, and other assets authenticated (e.g. single-factor, multi-factor)?
 Slika 2 Multi-factor
4.9. Do you restrict and control the use of privileged access rights?
 Slika 3
4.10. Do you have a process to rename administrator user IDs and change the password of default accounts?
 Slika 2
4.11. Does your password policy includes the minimum requirement of a secured password (e.g. minimum password length of 8 characters, alphanumeric, maximum password age, maximum logon attempts, password history, etc)?
 Slika 3
4.12. Do you limit the use of generic system administrator accounts (e.g. root, administrator) to only special situations which require the use of these accounts?
 Slika 2
4.13. Do you restrict users from being able to grant themselves access to information systems?
 Slika 1
4.14. Do you log administrator and service account activities?
 Slika 2
4.16. Do you perform periodic access review for dormant access accounts in the domain controller?
 Slika 3
5.1. Do you protect data at-rest and in-transit?
 Slika 2
5.2. Do you implement protections against data leaks?
 Slika 3
5.3. Are the development and testing environment(s) separate from the production environment?
 Slika 2
5.4. Do you implement e-mail content filtering?
 Slika 3
5.4.1. Does it identify phishing e-mails and spam?
 Slika 2
5.4.2. Does it block e-mails from blacklisted domains?
 Slika 3
5.4.3. Does it restrict file sizes? Slika 2
5.4.4. Do you implement content and network traffic filtering?
 Slika 1
5.4.5. Does it filter unauthorized file sharing and storage hubs?
 Slika 2
5.6. Do you have an e-mail encryption system, i.e. secure e-mail application or service to encrypt sensitive data in e-mails or attachments?
 Slika 3
***** 5.7. Are computer drives encrypted with FileVault or Bitlocker? *****
 Slika 2 Sistem je enkriptovan sa nativnom ZFS enkripcijom pošto se radi o Linux OS... Bitlocker je za WinOS, FileVault je za MacOS!!!
5.8. Do you block the optical media burners on all content/production workstations (with the exception of systems used for content transfer/ingest)?
 Slika 3 Nema optičkih uređaja
5.9. Do you block access to C: drive for storage on all content/production workstations (with the exception of systems used for content transfer/ingest)?
 Slika 2 Ne postoji C: disk. 
6.2. Do you have a firewall protecting the perimeter of your facility’s IT infrastructure?
 Slika 3
6.2.1. Can firewalls be managed remotely using a secure VPN / encrypted tunnel set up and are sessions logged and monitored?
 Slika 2
6.2.2. Does your firewall conduct deep packet inspections and have the ability to keep up with upload and download traffic?
 Slika 3
6.2.3. Are firewall rules reviewed periodically and at least every six months?
 Slika 2
6.2.4. Are firewalls configured to deny all protocols by default and enable only specific permitted secure protocols to access the WAN and firewall?
 Slika 1
6.2.5. Do you employ multi-factor authentication for remote access on firewall, IDS/IPS, web portal, collaboration tools, e-mail?
 Slika 2
6.4. Do you use intrusion detection or prevention systems?
 Slika 3
6.4.1. Please provide details of the intrusion detection or prevention system used. 
 Slika 2 Koristimo više sistema za monitoring paketa na mreži. Ovi sistemi pomažu u zaštiti servera od više vrsta napada. Analiziraju Log fajlove, prepoznaju obrasce zlonamernog ponašanja, prilikom detekcije blokiraju IP adrese napadača. Analiziraju mrežni saobraćaj u realnom vremenu, upravljaju se pravilima za prepoznavanje zlonamernih aktivnosti, beleže informacije o pretnjama i preuzimaju akcije. Prate promene u fajlovima i direktorijumima u sistemu, prate dozvole, vlasništva, veličine fajlova, generišu izveštaje o svim promenama. Pored toga, koristi se i antivirus sistem koji proverava svaki preuzet fajl.
6.5. Do you have a patch management program to ensure that systems and network infrastructure devices (e.g., firewalls, switches, routers) are up-to-date on patches and maintenance releases?
 Slika 3
6.6. Do you have hardening and configuration requirements in place for networking and computing equipment, including firewalls, routers, switches, servers, workstations, and mobile computing devices?
 Slika 2
6.7. Do you use antivirus, antispam, or endpoint software?
 Slika 3
6.7.1. Please describe the antivirus programs or systems in place.
 Slika 2 Sistem koristi AV koji služi za detekciju raznih vrsta malvera, uključujući viruse, trojance i druge zlonamerne pretnje. Razvijen je kao alat za skeniranje i zaštitu sistema, posebno u okruženjima kao što su serveri za e-poštu i web serveri. AV dolazi sa nizom alata, uključujući:
**Višenitni demon: Ovaj demon omogućava efikasno skeniranje i obradu više zahteva istovremeno.
**Komandna linija: AV nudi komandnu liniju za skeniranje fajlova i direktorijuma, što ga čini pogodnim za administratore sistema.
**Automatska ažuriranja: AV može automatski ažurirati svoju bazu podataka sa potpisima malvera, što omogućava brzo reagovanje na nove pretnje. 
AV skenira fajlove i direktorijume koristeći unapred definisane potpise malvera. Kada se otkrije zlonameran sadržaj, korisnik može biti obavešten ili može automatski preduzeti akciju (npr. obrisati ili izolovati zaraženi fajl). 
Ažuriranje baze podataka: AV redovno ažurira svoju bazu podataka sa potpisima malvera kako bi mogao da prepozna nove pretnje. Ovo se može raditi automatski ili ručno, u zavisnosti od konfiguracije.
6.13. Do you conduct, maintain and test backups of information?
 Slika 3
6.14. Do you block the USB / Firewire / Thunderbolt ports on all content/production workstations (with the exception of systems used for content transfer/ingest)?
 Slika 2
8.4. Is the network monitored to detect potential cybersecurity events?
 Slika 1
8.9. Do you review user's access rights at regular intervals?
 Slika 2
8.10. Are detection processes tested? Slika 3
8.11. Is event detection information communicated to appropriate parties?
 Slika 2
8.16. Do you investigate notifications from detection systems?
 Slika 3
8.17. Are forensics performed? Slika 2 Unutar SUBLANDIA sistema da. Van sistema je nadležan MUP RS, Odeljenje za visokotehnološki kriminal
8.19. Are processes established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g internal testing, security bulletins, or security researchers)?
 Slika 3
8.22. Do you update detection process, response and recovery strategies?
 Slika 2 Detekcija Da. Ostalo je stvar organizacije firme.
10.2. Do you maintain content transfer servers?
 Slika 3
10.2.1. Are the content transfer servers set up with at least AES 256 bit encryption at rest and in transit?
 Slika 2
10.2.2. Are the access to content transfer systems limited only to dedicated data I/O (content transfer) staff and access limited based on least privilege?
 Slika 2
10.2.3. Do you have a process to remove content from content transfer servers/systems immediately after successful transmission or receipt?
 Slika 3
10.3. Do your web portals employ HTTPS? Slika 2
10.4. Do your web portals avoid the use of persistent cookies or cookies that store credentials in plaintext?
 Slika 3
10.5. Do you segment and isolate the production/content network from the administrative and wireless networks?
 Slika 2
10.9. Do you maintain detailed tracking of access to digital content and maintain logs for at least 12 months?
 Slika 1
10.9.1. What log details are collected? Slika 2
Beleže se:
**Korisničke aktivnosti:
Audit logovi beleže aktivnosti korisnika, uključujući prijave i odjave, kao i sve akcije koje korisnici preduzimaju unutar sistema. Ovo može uključivati kreiranje, izmenu ili brisanje podataka.
**Promene u sistemu:
Sve promene u konfiguraciji sistema, uključujući instalaciju ili deinstalaciju softvera, ažuriranja i promene u postavkama, takođe se beleže. Ovo pomaže u identifikaciji potencijalnih problema ili neovlašćenih promena.
**Pristup podacima:
Audit logovi prate ko je imao pristup određenim podacima, kada je pristup izvršen i koje su akcije preduzete sa tim podacima. Ovo je posebno važno za zaštitu osetljivih informacija.
**Sistemskih događaja:
Beleže se različiti sistemski događaji, kao što su greške, upozorenja i obaveštenja. Ovi podaci pomažu u dijagnostikovanju problema i unapređenju performansi sistema.
**Network aktivnosti:
U nekim slučajevima, audit logovi mogu beležiti mrežne aktivnosti, uključujući dolazne i odlazne veze, kao i pokušaje neovlašćenog pristupa.
**Usklađenost i revizija:
Audit logovi se koriste za proveru usklađenosti sa standardima i regulativama. Oni pružaju dokumentaciju koja može biti potrebna tokom revizija ili inspekcija.
10.9.2. How often are the logs reviewed?
 Slika 3 Po dogovoru.
10.10. Do you remove local accounts on systems that handle content?
 Slika 2
10.11. If local accounts are used, do you change the default user names and passwords?
 Slika 3
10.23. Do you employ multi-factor authentication for remote access on Content Transfer system?
 Slika 2

Ostali zahtevi ISO 27000 i ISO 27001
rešavaju se papirologijom unutar organizacije

SUBLANDIA
i C.S.B.P.C. GUIDELINES

TABELARNI PRIKAZ ODGOVORA SUBLANDIA SISTEMA
CONTENT SECURITY BEST PRACTICES COMMON GUIDELINES

DS-1.0 Separate external network(s)/WAN(s) from the internal network(s) by using stateful inspection firewall(s) with Access Control Lists that prevent unauthorized access to any internal network and with the ability to keep up with upload and download traffic. Slika 1
DS-1.1 Implement a process to review firewall Access Control Lists (ACLs) to confirm configuration settings are appropriate and required by the business every 6 months. Slika 2
DS-1.2 Deny all incoming and outgoing network requests by default. Enable only explicitly defined incoming requests by specific protocol and destination. Enable only explicitly defined outgoing requests by specific protocol and source. Slika 3
DS-1.2.1 Firewalls should be configured to actively alert security members of key security events Slika 2
DS-1.3 Place externally accessible servers (e.g., web servers, remote access servers (e.g., VPN gateways, remote access brokers, etc.) within a DMZ VLAN or a public subnet DMZ within a VPC (Virtual Private Cloud) and not on an internal network. Slika 3
DS-1.6 For onsite, and/or remote facilities, do not allow direct management of the firewall from any external interfaces (i.e., Internet or WAN
facing).
 Slika 2
DS-1.7 Store local backups of network infrastructure / SAN/NAS devices and servers on a server in a secure internal network. Slika 3
DS-1.8 Perform on at least a monthly basis network vulnerability scans of all external IP ranges and hosts and remediate issues. If applicable, the scope of external scans should include any cloud deployments. Slika 2
DS-1.9 Perform on at least an annual basis, penetration testing of all external IP ranges and hosts and remediate issues. Slika 3
DS-1.10 Secure any point-to-point connections by using dedicated, private connections and / or encryption. Slika 2
DS-1.11 Implement a synchronized time service protocol (e.g., Network Time Protocol) to ensure all systems have a common time reference. Slika 1
DS-2.0 Prohibit production network and all systems that process or store digital content from directly accessing the internet, including email. If a business case requires internet access from the production network or from systems that process or store digital content, only approved
methods are allowed in the implementation guidance section.
 Slika 2
DS-2.1 Implement - corporate filtering software or appliances that block the following:
• Potential phishing emails
• Prohibited file attachments (e.g., Visual Basic scripts, executables, etc.)
• File size restrictions limited to 30 MB
• Known domains that are sources of malware or viruses
 Slika 3
DS-2.2 Implement web filtering software or appliances that restrict access to websites known for peer-to-peer file sharing, viruses, hacking or other malicious sites for all corporate devices, regardless of location, and including remote/WFH locations. Slika 2
DS-3.0 Isolate the content / production network from non-production networks (e.g., office network, DMZ, the internet etc.) by means of physical or logical network segmentation. Slika 3
DS-3.2 Remote access into company networks should be restricted following a tiered approach, depending on the level of access required, and whether or not access will be to a content/production network. Access tiers will fall into the following general tiers:
Tier 1: Access only to a corporate network or service that doesn’t store content (e.g., VPN to corporate VLAN for file share access, Webmail, Office365, etc.)
Tier 2: Remote worker (WFH) access to a content production network via studio approved pixel streaming (e.g., PCoIP, RGS, Parsec, NICE DCV, etc.) to perform post-production, VFX work etc.
Tier 3: Restricted VPN administrative access to a production network, to perform maintenance work or approved personnel requiring elevated access to perform their job responsibilities. 
 Slika 2
DS-3.6 Implement a network-based intrusion detection /prevention system (IDS / IPS) to protect the content / production network. Other Basic Border Gateway services (e.g., Gateway Anti-Virus, and URL Filtering) should also be enabled. Slika 3
DS-3.9 Conduct internal network vulnerability scans and remediate any issues, at least quarterly Slika 2
DS-3.10 Store local backups of local area network, SAN/NAS, devices, servers, and workstations on a server in a secure internal network. Slika 3
DS-3.11 Domain Name System (DNS) Servers should be securely configured, and only trusted DNS Servers should be used for domain name resolution. Slika 2
DS-4.0 Prohibit wireless networking and the use of wireless devices on the content / production network. Slika 1
DS-5.0 Designate specific data I/O systems to be used for uploading / downloading content from / to external networks (Internet). Slika 2
DS-5.0.1 Implement a multi-layered network architecture for ingesting content from external networks (Internet) into the production network, and moving content from the production network to external networks. Slika 3
DS-5.1 Block input/output (I/O), mass storage, external storage, and mobile storage devices (e.g., USB, FireWire, Thunderbolt, SATA, SCSI, Bluetooth, NFC, MTP, PTP, etc.) and optical media burners (e.g., DVD, Blu-Ray, CD, etc.) on all systems that handle or store content, with the exception of systems used for content I/O. Refer to DS-4.0 for disconnecting wireless NICs. Slika 2
DS-6.0 Install endpoint protection, and/or anti-virus and anti-malware software on all workstations, servers, and on any device that connects to production networks where content is stored (e.g., SAN/NAS etc.). This includes WFH and remote worker machines, along with VDI (virtual desktop infrastructure) used to access remote production networks. Slika 3
DS-6.1 Update all anti-virus and anti-malware definitions daily, or more frequently on all workstations, servers, WFH/Remote worker machines, and virtual desktops and servers. Slika 2
DS-6.2 Scan all content for viruses and malware prior to ingest onto the content / production network. Slika 3
DS- 6.2.1 Local firewalls should be implemented on workstations, including WFH, and remote worker machines, to restrict unauthorized
access to the workstation.
 Slika 2
DS-6.3 Perform scans as follows: 
• Enable regular full system virus and malware scanning on all workstations
• Enable full system virus and malware scans for servers and for systems connecting to a SAN/NAS
 Slika 3
DS-6.4 Implement a process to regularly update systems (e.g., file transfer systems, operating systems, databases, applications, network
devices, WFH/Remote worker machines) with patches/updates that remediate security vulnerabilities.
 Slika 2
DS-6.5 Prohibit users from being Administrators on their own workstations, unless required for software (e.g., ProTools, Clipster and authoring software such as Blu-Print, Scenarist and Toshiba). Documentation from the software provider must explicitly state that administrative rights are required. Slika 1
DS-6.8 Restrict software installation privileges to IT management. Slika 2
DS-6.9 Implement security baselines and standards to configure corporate systems (e.g., laptops, workstations, servers, SAN/NAS, VDI (Virtual Desktop Infrastructure)) used at an onsite facility and for those used by WFH and remote workers. Slika 3
DS-6.10 Unnecessary services and applications should be uninstalled from content transfer servers. Slika 2
DS-7.0 Establish and implement an account management process for administrator, user, and service accounts for all information
systems and applications that handle content.
 Slika 3
DS-7.1 Maintain traceable evidence of the account management activities (e.g., approval emails, change request forms). Slika 2
DS-7.5 Monitor and audit administrator and service account activities. Slika 3
DS-7.6 Implement a process to review user access for all information systems that handle content and remove any user accounts that no longer require access quarterly. Slika 2
DS-7.7 Restrict user access to content on a per-project basis. Slika 3
DS-7.8 Disable or remove local accounts on systems that handle content where technically feasible. Slika 2
DS-8.0 Enforce the use of unique usernames and passwords to access information systems. Slika 1
DS-8.1 Enforce a strong password policy for gaining access to information systems. Password policy should include guidance for service accounts. Utilize MFA for all administrative accounts, any internet facing systems. MFA should be utilized by remote and WFH users when
connecting to corporate and/or production systems.
 Slika 2
DS-8.2 For remote access (e.g., VPN) to the networks, implement two-factor authentication (e.g., username / password and hard token) and monitor activity. Slika 3
DS-8.2.1 Implement two-factor authentication (e.g., username / password and hard token / verification code text message) for access to web-based e-mail (Google, Microsoft, etc.) from desktops or mobile computing devices. Slika 2
DS-8.3 Implement password-protected screensavers or screen-lock software for servers and workstations. Slika 3
DS-8.4 Consider implementing additional authentication mechanisms to provide a layered authentication strategy for WAN and LAN / Internal Network access. Slika 2
DS-9.0 Implement real-time logging and reporting systems to record and report security events; gather the following information at a minimum:
• When (time stamp)
• Where (source)
• Who (username)
• What (content)
 Slika 3
DS-9.01 Implement logging mechanisms on all systems used for the following:
• Key generation
• Key management
• Vendor certificate management
 Slika 2
DS-9.2 Configure logging systems to send automatic notifications when security events are detected in order to facilitate active response to incidents. Slika 3
DS-9.3 Investigate any unusual activity reported by the logging and reporting systems. Slika 2
DS-9.4 Review all logs weekly, and review all critical and high daily. Slika 3
DS-9.5 Enable logging of internal and external content movement and transfers and include the following information at a minimum:
• Username
• Timestamp
• File name
• Source IP address
• Destination IP address
• Event (e.g., download, view)
 Slika 2
DS-9.6 Retain logs for at least one year. Slika 3
DS-11.1 Encrypt content on hard drives or encrypt entire hard drives using a minimum of AES-256 encryption by either:
• File-based encryption: (i.e., encrypting the content itself)
• Drive-based encryption: (i.e., encrypting the hard drive)
 Slika 2
DS-11.3 Implement and document key management policies and procedures:
• Use of encryption protocols for the protection of sensitive content or data, regardless of its location (e.g., servers, databases, workstations, laptops, mobile devices, data in transit, email)
• Approval and revocation of trusted devices
• Generation, renewal, and revocation of content keys
• Internal and external distribution of content keys
• Bind encryption keys to identifiable owners
• Segregate duties to separate key management from key usage
• Key storage procedures
• Key backup procedures
 Slika 3
DS-11.4 Encrypt content at rest and in motion, including across virtual server instances, using a minimum of AES-256 encryption. Slika 2
DS-11.5 Store secret and private keys (not public keys) used to encrypt data/content in one or more of the following forms at all times:
• Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key
• Within a secure cryptographic device (e.g., Host Security Module (HSM) or a Pin Transaction Security (PTS) point-of-interaction device)
Has at least two full-length key components or key shares, in accordance with a security industry accepted method
 Slika 3
DS-12.0 Implement a digital content management system to provide detailed tracking of digital content. Slika 2
DS-12.1 Retain digital content movement transaction logs for one year. Slika 3
DS-12.2 Review logs from digital content management system periodically and investigate anomalies. Slika 2
DS-13.0 Use only client-approved transfer systems that utilize access controls, a minimum of AES-256 encryption for content at rest and for content in motion and use strong authentication for content transfer sessions. Slika 3
DS-14.0 Implement and use dedicated systems for content transfers. Slika 2
DS-14.1 Separate content transfer systems from administrative and production networks. Slika 3
DS-14.2 Place content transfer systems in a Demilitarized Zone (DMZ) and not in the content / production network. Implement allow listing on content transfer servers to only allow transfers to and from authorized external transfer servers. Slika 2
DS-14.3 Remove content from content transfer devices/systems immediately after successful transmission/receipt. Slika 3
DS-14.4 Send automatic notifications to the production coordinator(s) upon outbound content transmission. Slika 2
DS-15.0 Restrict access to web portals which are used for transferring content, streaming content and key distribution to authorized users. Slika 3
DS-15.1 Assign unique credentials (e.g., username and password) to portal users and distribute credentials to clients securely. Authentication should be multi-factor authentication as described in DS-8.1 Slika 2
DS-15.3 Place the web portal on a dedicated server in the DMZ and limit access to/from specific IPs and protocols. Slika 3
DS-15.4 Prohibit the use of third-party production software/systems/services that are hosted on an internet web server or cloud provider unless approved by client in advance. Slika 2
DS-15.5 Use HTTPS and enforce use of a strong cipher suite (e.g., TLS v1.3) for the internal/external web portal. Acquire an HTTPS public key certificate signed by a certificate authority trusted by a majority of web browsers. Slika 3
DS-15.6 Do not use persistent cookies or cookies that store credentials in plaintext. Slika 2
DS-15.7 Set access to content on internal or external portals to expire automatically at predefined intervals, where configurable. Slika 3
DS-15.8 Perform at least annual penetration testing of web applications and remediate any validated issues, as per DS-1.9 Slika 2
DS-15.11 Prohibit transmission of content using email (including webmail). Slika 3
DS-15.12 Review access to the client web portal at least quarterly. Slika 2
DS-15.13 Implement a process to review the facility's public informational website and other online industry resources for sensitive information that could be leveraged by an attacker (e.g., mentions of internal infrastructure and technologies, content transfer servers, IP addresses, photos of sensitive areas, current content being worked on, etc.) Slika 3

Ostali zahtevi CONTENT SECURITY BEST PRACTICES COMMON GUIDELINES
rešavaju se papirologijom unutar organizacije ili su nepotrebni u organizaciji rada

Sadržaj SUBLANDIA
paketa

Osnovni paket

30 korisnika

  • Radni sistem
  • Grafička podrška
  • Email sistem
  • Bekap radnog sistema

  • Mogući dodaci:
  • Bekap radnog materijala
  • Sistem za automatsku transkripciju
  • Sistem za oporavak od katastrofe
  • Hausing sistema
€... godišnje
Standard paket

30 korisnika

  • Radni sistem
  • Grafička podrška
  • Email sistem
  • Bekap radnog sistema
  • Sistem za automatsku transkripciju

  • Mogući dodaci:
  • Bekap radnog materijala
  • Sistem za oporavak od katastrofe
  • Hausing sistema
€... godišnje
Optimalni paket

30 korisnika

  • Radni sistem
  • Grafička podrška
  • Email sistem
  • Bekap radnog sistema
  • Sistem za automatsku transkripciju
  • Sistem za oporavak od katastrofe

  • Mogući dodaci:
  • Bekap radnih materijala
  • Hausing sistema
€... godišnje

Potrebno je obezbediti

  1. Internet -  SUBLANDIA zahteva minimum jednu brzu internet konekciju i jednu statičku IP adresu. Brzina interneta koja mora biti obezbeđena je minimum 300/300 Mbps, preporuka je 500/500 Mbps
  2. Rezervno napajanje i UPS - ISO 27000 i ISO 27001 zahtevaju rezervno napajanje sistema električnom energijom. Svaki deo sistema mora da se napaja sa druge faze. UPS za svaki deo sistema je takođe neophodno obezbediti. 
  3. Klimatizacija - Prostorije u koje se postavlja SUBLANDIA sistem, prema ISO 27000 i ISO 27001, moraju biti klimatizovane sa temperaturom od 20 stepeni celzijusa.
  4. Bezbednost - Prostorije u koje se postavlja SUBLANDIA sistem, prema ISO 27000 i ISO 27001, moraju biti opremljene sigurnosnim kamerama. Pristup neovlašćenim licima mora biti fizički onemogućen. Poželjno je da prostorije imaju alarmni sistem.

Hausing SUBLANDIA sistema

postavljanje sistema u specijalno opremeljeni telehausing centar

PODRAZUMEVA

  1. Zakup rack ormana
  2. Internet
  3. Klimatizovana prostorija
  4. Redudantna klimatizacija
  5. Agregatsko napajanje
  6. UPS prednaponska zaštita
  7. Protivpožarna zaštita 
  8. Video nadzor
  9. Fizički pristup telehausing centru samo ovlašćenim licima
  10. Fizički pristup rack ormanu sa serverima u server sali isključivo licima sa specijalnom dozvolom


CENA: €355 do €595 mesečno   * cena je bez PDV-a

Cena zavisi od veličine rack ormana i brzine interneta.
U cene je računat internet brzine 300/300 Mbps i brzine 500/500Mbps mesečno.
Cene se odnose na zakup za period od minimum 12 meseci.

SUBLANDIA SISTEM
verzija 3.3.9.

Vladimir Bezdan
ideja - razvoj - implementacija

2025.