We are committed to guaranteeing both the financial industry and the final customer the best possible user experience while shielding their data.
Óscar Barba
Co-founder & CTO of Coinscrap Finance
Aenor UNE-EN ISO/IEC 27001 certification
This data protection standard was approved and published as an international standard in October 2005. Cyberattacks, information theft or fraud are among the five most important risks for organizations according to the World Economic Forum. For this reason, it is increasingly important to protect yourself against possible threats.
Let’s learn a little more about this certification: the Information Security Management System (ISMS) is a set of processes that allow the establishment, implementation, maintenance and continuous improvement of information security, based on the risks that organizations are facing.
The Aenor ISO/IEC 27001 and the National Security Scheme certifications are the perfect pairing for entities and companies to improve their cybersecurity management. More than five hundred public and private organizations from all over the world have trusted Aenor to certify their cybersecurity management system in accordance with this international standard.
Thanks to this certification, at Coinscrap Finance we can implement cybersecurity oriented towards business processes and objectives, considering risk analysis and controls to minimize cyberthreats. The National Security Scheme helps us guarantee the security of information systems, data, communications and electronic services that we provide to the financial industry.
Our data protection: Safety in the installation of our services
Our modules are deployed on EKS clusters, and production environments are separated from non-production ones. Each environment has its own database, which makes it difficult for a single attack to compromise more than one environment. These clusters consist of two main components:
- The EKS control plane.
- The EKS nodes registered with the control plane.
The EKS control plane consists of nodes running Kubernetes software, such as etcd and the Kubernetes API server. Each EKS cluster control plane is single-tenant and unique, and runs on its own set of EC2 instances. All data stored by the etcd nodes and associated EBS volumes is encrypted using KMS.
In addition, daily backup copies of all databases are made. Accesses and actions carried out in the environments are recorded per named user, and there is a permission scheme, which is periodically reviewed. If other sensitive data exists, it will be stored encrypted in the cloud. To complete the protocol, all code goes through a vulnerability scan in production.
KYC: Identity Verification for data protection
Our alliance with Alice Biometrics, experts in biometric identity verification, allows us to offer an unbeatable onboarding experience to banking and insurance customers. Thanks to its artificial intelligence engine, it is possible to receive the approval of new registrations in less than 1 second. It is a 100% automated process, without manual inspections: all you need is a selfie and an ID to register customers instantly!
The acronym KYC (Know Your Customer) refers to the anti-fraud measures that entities are obliged to observe in order to open and maintain any user’s account. The controls used in the “Know your customer” protocol are focused on preventing money laundering, corruption and terrorist financing, among others.
To prove that the customer is who they say they are, they must offer the bank or insurer a series of legal and binding proofs, which can now be checked online and fully automatically thanks to AI. In Europe, KYC is regulated by AML 5 and GDPR, which are binding throughout the EU.
These European directives have also been incorporated into the Spanish legal system, which expands its regulation in Royal Decree Law 7/2021 of April 27 (modification of the Law on Prevention of Money Laundering and Terrorism Financing of 2010). If you want to know more, do not miss this article.
Our operational security protocols
Operational security is the set of measures and procedures that we implement to guarantee the protection of our customers, assets and processes. With them we guarantee the correct and safe operation of information and communication technology, as well as the creation of backup copies at defined intervals and periodic verifications, all in order to guarantee the security of the information and the necessary restoration mechanisms.
Capacity management
Server capacity planning is carried out through monitoring tasks performed by the IT Department. Our tool monitors the behavior of the main systems in real time, in addition to evaluating, solving and projecting the needs of the systems in order to prevent the information from becoming unavailable at any given time.
Our criteria, when determining the need to increase the capacity of any of the systems, must be based at all times on objective data in order to be approved by Management.
Protection against malicious code
All systems are protected by permanently updated resources that perform the following security tasks:
1. Detection and repair of malicious code.
2. Detection and blocking of network threats.
3. Detection of vulnerabilities.
An antivirus tool is installed on all computers. The operating system of the user stations is configured so that security updates are downloaded automatically and installed manually at the initiative and instructions of the IT Department. When a vulnerability is detected, the systems are immediately updated with the corresponding security patches.
Vulnerability management
At Coinscrap Finance we regularly install previously tested patches for management applications, as well as operating system updates, which are automatic, in order to avoid possible threats associated with the technical vulnerability of equipment and operating systems. Vulnerabilities are controlled by malware detection tools and weekly updates.
Audit trail
In order to detect possible threats, our audit procedures allow the correct identification of the user accessing the information system, their location, date and time, as well as whether the system has granted or denied access and what transaction has been carried out.
Access to all corporate resources is audited by a named user and password VPN IP Address Controller.
Backup management
Backup copies of the information are scheduled and carried out periodically so that the data can be reconstructed at any time in the state it was in when the copy was made. When services are contracted to a third party, external providers are required to comply with what is established in this procedure, and that compliance is constantly reviewed.
Backup copies are also made, on separate media, of the information within the scope of this system and of the complete backup software, in addition to the event logs and audit trails that the system administrators deem necessary to keep, as well as all the documentation required to carry out a successful recovery if necessary.
Storage
Backup copies stored in external company locations are protected, labeled and transported in compliance with the requirements established in the asset inventory and information classification procedure, as well as in the procedure for the management, distribution and reuse of media. In addition, their retention must comply with current legislation at all times.
The record of each backup is generated by the backup tool in the backup history of the server, and it applies only to that server. Backup copies of the servers hosted in the cloud are made at different intervals and are recorded in the application, which also records the estimate for the next copy. All our servers are hosted on EU territory.
About the Author
Óscar Barba is co-founder and CTO of Coinscrap Finance. He is an expert Scrum Manager with more than 6 years of experience in the collection and semantic analysis of data in the financial sector, classification of bank transactions, deep learning applied to stock market sentiment analysis systems and the measurement of the carbon footprint associated with transactional data.
With extensive experience in the banking and insurance sector, Óscar is finishing his PhD in Information Technology right now. He is an Engineer and Master in Computer Engineering from the University of Vigo and Master in Electronic Commerce from the University of Salamanca. In addition, he holds a Scrum Manager and Project Management Certificate from the CNTG, an SOA Architecture and Web Services Certificate from the University of Salamanca, and more.