Security

Cybercriminals are constantly finding new ways to exploit software vulnerabilities, and a website and its various components are no exception. It is important to bear in mind that cyber attacks are constantly being attempted on all sites connected to the Internet, without exception. Depending on the seriousness of these vulnerabilities, a successful attack can have catastrophic consequences for your business and your image, with, for example, the installation of ransomware (software that locks your data and makes it unavailable until a ransom has been paid) or the theft of your customers’ data..

> By updating your software regularly, you can ensure that you have the latest security features and patches.

Performance

These updates can help to improve the speed and overall performance of your website, which translates into a better user experience for your visitors. The speed at which your site’s pages load is also an important factor that can influence a number of things, for example your natural ranking with the various search engines such as Google or Bing, or your conversion rate in the case of an e-commerce site.

Compatibility

Your website needs to be compatible with the latest versions of web browsers, devices and software. Updating your website ensures that it works correctly on all devices and browsers, providing a seamless experience for your visitors. Compatibility issues can have a negative impact on the user experience and lead to a loss of visitors, which can be detrimental to the success of your website.

Features

Updates to the components of your website regularly include improvements to existing functions as well as new features. Access to these new features facilitates new developments, reduce their cost and also provides the best possible user experience for your visitors.

At Ice Development, nous développons uniquement sur des versions dites LTS “Long Term Support” versions, according to Sensio.
Whatever technology you use (WordPress, Magento, etc.), it’s essential to keep your environment up to date!

Do you have a Symfony project to update?

Contact us

L’article The importance of Symfony version upgrades est apparu en premier sur Ice Development.

“S” for security, the difference between HTTP and HTTPS

HTTP (Hyper Text Transfer Protocol) is a protocol that designates the exchange that takes place between an Internet user and the server with which they are connected when browsing the Internet. More specifically, it enables Internet users to access data stored on a server.

Adding an SSL (Secure Socket Layer) certificate to the HTTP protocol ensures that exchanges on your site are secure. This ensures data confidentiality and makes it impossible to fake any information exchanged. In fact, the entire communication between your site and the visitor will be encrypted thanks to the SSL certificate.

Why switch to HTTPS ?

Improve your ranking on Google

Since January 2017, Google has taken a stand in favour of secure sites.
The impact on referencing has been noted on many sites.

Reassure your visitors

Google Chrome now displays a green padlock next to the URL in question as a token of “Google certification” of the security of the site and exchanges with Internet users. This will reassure your visitors and give them confidence, which is essential on an e-commerce site, for example.

However, Google also indicates “not secure” for sites that do not have SSL certification. E-commerce sites are naturally affected by this, as the number of bank frauds on the Internet is increasing, and this will have a negative psychological impact on your visitors.

Increase the speed of your site

The speed at which your site loads on your computer will also be accelerated with HTTPS, as the protocol is much more recent than HTTP, which dates back to 1999.

How can you switch your HTTP site to HTTPS?

Contact us now to receive a quote for securing your site by switching to https.

Contact us to switch to HTTPS.

L’article Why you absolutely must secure your site with HTTPS ? est apparu en premier sur Ice Development.

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It’s a bit technical, but ICE DEVELOPMENT explains everything: your responsibilities, the risks and above all what you absolutely must do between now and the 25th.

Why is the European Commission introducing the RGPD ?

To strengthen the rights of Internet users

From 25 May, Internet users will be able to exercise the following 4 fundamental rights :

• The right to inspect : They must be informed of the nature of the data collected and how it is used.
• The right to object : They may request the total deletion of their data at any time.
• The right to recover this data and pass it on to a third party.
• The right of access: They can have access to their data whenever they wish.

Co-responsibility :

You are a customer of Ice Development and we store your customers’ data on our servers. You are therefore a data controller and we are not only your partner but also your processor.

The RGPD makes the data controller and its processor jointly responsible. The latter will have as many responsibilities and obligations as the company responsible for data processing. Transparency and trust will be the cornerstones of this relationship.

Who does the GDPR apply to ?

The RGPD applies to all organisations, private or public, that process data, provided that :

• The organisation is established in Europe
• The organisation processes the data of European citizens

What are your obligations in terms of information ?

Mandatory information

To generate your mandatory information, you can use the CNIL generator by clicking here.

Cookies

When a web page is opened, it is no longer permitted to force users to accept cookies. “Accept” or “refuse” buttons must be visible and the related message must be understandable to a child. A link to the legal notice explaining why and how cookies are used is recommended.

Forms

For each item of personal data collected, you must define a clear and precise purpose and set a time limit for storing the data. These objectives and storage limits must be displayed on the site and the terms used must be understandable to children.

The data protection officer

The appointment of a data protection officer is compulsory if your organisation :

• Is a public entity.
• Carries out regular and systematic monitoring of individuals on a large scale.
• Carries out sensitive processing or processing related to criminal convictions and offences.

It is nevertheless advisable to appoint a data protection officer whom your customers or employees can contact at any time to assert their rights.

The Data Protection Officer can be :

• An employee.
• A contractual service provider.
• A specialist company.

Your responsibilities and obligations

Prioritising your actions

A company that processes data must be organised to comply with the law. To do this, the organisation must list and prioritise all the data processing actions it undertakes. This list is then made available in the site’s legal notices.

List the events that may occur

Like the fire alert protocol, you must always anticipate the worst. A structure that recovers or processes data must be alert to any potential fault. Listing the events that may occur is one way of putting in place action protocols and dealing with problems quickly and in an organised manner.

The two mandatory documents in the event of an inspection

1. Contract between your company and a subcontractor

The contract must include mandatory clauses :

• The purpose of the processing
• The nature and purpose of the processing
• The type of personal data and the categories of data subjects
• The obligations and rights of the data controller
• At the end of the service, all data must be deleted or returned to your customer
• At the end of the service, it is necessary to destroy all existing copies unless there is a legal obligation to retain them (if the country concerned has made this a law).

2. Traceability register

The traceability register is mandatory. It must include all information relating to the recovery and processing of data. You must list all the activities in your company that require data to be processed (training, payroll management, canvassing, etc.).
For each data processing activity, you must define :

• The objective
• List the data collected by category
• Who has access to the data
• How long the data is kept

Download the model register proposed by the CNIL.

Processing risky data

Processing sensitive data is considered to be risky data processing, since it may have a direct impact on the privacy of the individuals concerned.

Sensitive data

Data is said to be sensitive when it :

• relates to sexual orientation
• relates to political, religious or trade union membership
• concerns biometric or genetic data
• reveals racial or ethnic origin

Processing risky data

Data processing has effects that may be considered risky when the processing :

• Leads to the rating of a person.
• Involves a large-scale database.
• Excludes a person from a right, benefit or service.
• Enables innovation or the application of new technologies (e.g. connected objects).
• Targets vulnerable individuals (e.g. minors).
• Implements automated decision-making.
• Applies to a personal surveillance service.
• Falls within the field of health.

These types of processing require you to draw up a document analysing the impact of your data processing.

Analysing the impact of your data processing

It is your responsibility to draw up this document, and it is our duty to support you throughout the process and do everything we can to provide you with the necessary information.

This document must include :

• A description of all the processing operations envisaged and their purposes.
• An assessment and ranking of the risks to the rights and freedoms of data subjects.
• The measures envisaged to address the risks, by means of security measures and mechanisms designed to ensure the protection of personal data.

Subcontracting

Who are the subcontractors?

• IT service providers (hosting, maintenance, etc.), software integrators, IT security companies and digital services companies that have access to data.
• Marketing or communications agencies that process personal data on behalf of customers.
• Any organisation offering a service involving the processing of personal data on behalf of another organisation.
• A public body or an association may also receive such a qualification.

The obligations of the subcontractor

A duty of transparency and traceability:

• The processing must only be carried out on documented instructions from the data controller
• Make available to the data controller all the information necessary to demonstrate compliance with obligations
• Create a traceability register of exchanges and actions carried out, in case of control by the authorities.

Guarantee compliance with legal requirements :

• Ensure that persons authorized to process the data are subject to confidentiality standards
• Guarantee that only the data processed are necessary with regard to the quantity and extent of their processing and the duration of retention and the number of people who will have access to it.

Ensure the security of stored data :

• Notification to the data controller of any breach is mandatory
• Take all necessary measures to ensure a level of security appropriate to the risk

A duty of assistance, alert, and advice :

• Assistance: When an individual wishes to exercise their rights regarding data, the subcontractor must do everything possible to assist the data controller in responding to this request
• Alert : If the data controller’s request constitutes a violation, the subcontractor must immediately inform them
• Advice : The duty to assist the data controller in ensuring compliance with obligations regarding the security of processing.

Check the subcontractor’s guide on the CNIL website.

The penalties

2 types of penalties applicable depending on your turnover, noting that the larger of the two amounts will be applied :

• In case of failure to comply with the basic principles, the fine can reach 10 million Euros or 2% of your global turnover.
• In the case of non-compliance with users’ rights, the fine can reach 20 million Euros or 4% of your global turnover.

Are you ready for the GDPR ?

1. Have you appointed a person responsible for the governance of your organization’s data ?
   
   Yes

   No
2. Have you implemented a traceability register of all actions related to data processing ?
   
   Yes

   No
3. If so, have you included in the traceability register a list of the actions taken and prioritized them regarding the processing of your customers’ data ?
   
   Yes

   No
4. Have you written the impact assessment of your data processing in case of “risky” data processing ?
   
   Yes

   No
5. If so, have you identified and taken into account all the events that can occur during processing ? (security breaches, changes in the collected data, changes in service providers…)
   
   Yes

   No
6. If so, have you identified the high risks associated with your data processing?
   
   Yes

   No

If you haven’t answered “yes” to all the questions

contact us immediately to prepare your compliance in view of May 25th.

L’article General Data Protection Regulation, are you ready ? est apparu en premier sur Ice Development.