THE HONGKONG AND SHANGHAI HOTELS, LIMITED

INFORMATION TECHNOLOGY SECURITY CHECKLIST

Company : FastComet Hosting Services

Application and version :

Date : 18.09.2017 (dd/mm/yy)

This is the IT Security Checklist for HSH to collect the basic security information and the
technical requirements of any new applications for our internal assessments.

The new IT applications include, but is not limited to, the following models:
SaaS (Software as a Service)
Cloud-based solution
On-Premise Software (i.e. property-hosting)

Please input each item and supplement any additional information in the Remarks for our
reference. This checklist will be used as a supplement document with the contract/agreement
of your proposal.
(A) SaaS (Software as a Service) Feedba Remarks
ck
Y = Yes
N = No
NA = Not
Applicable
1. Please briefly describe the new application, product, solution and/or Y We offer fully managed
services in your proposal. hosting services. You will be
able to manage your hosting
account via the Client Area
and the cPanel.
2. Does your proposal offer a SaaS (Software as a Service) solution? NA

If your solution is an On-Premise software, please mention this in the

Remarks column.
3. Is there any computer or device to be required being hosted in our NA
network for the new application?

(B) Compliances and Certificates for Data Centre Hosting Services Feedba Remarks
(This section is not applicable if the proposal is the On-Premise software) ck
Y = Yes
N = No
NA = Not
Applicable
1 What is the name of the company who operates the Data Centre in which Y The DataCenter is operated
HSH data will be hosted? by Linode, but we manage
our own servers.

IT Security Checklist-v2 Page 1 of 11

 THE HONGKONG AND SHANGHAI HOTELS, LIMITED

2 What is the location of the Data Centre in which HSH data will be Y You can choose your Data
hosted? Center location. In Asia the
locations are Singapore and
Tokyo.
3 Please provide the web address/URL for the Data Centre hosting Y Fastcomet.com/datacenters
services.
4 Has the Data Centre attained compliance or certification for any of the Y
following standards?
a. SSAE16 (Statement on Standards for Attestation Engagements No. N Currently the standard is not
16) supported
http://ssae16.com/SSAE16_overview.html
Please provide the supporting
- SOC1 / SOC2 / SOC3 Reports

b. ISO27001 (Information Security Management) Y You can check more here:

http://www.iso.org/iso/home/standards/management- https://www.linode.com/com
standards/iso27001.htm pliance
Please provide the supporting
c. ISO/IEC 27018:2014 (Standards for Cloud privacy) N Currently the standard is not
http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.ht supported
m?csnumber=61498
Please provide the supporting
d. PCI (Payment Card Industry) DSS Compliance for Data Centre Y The PCI is supported only on
Hosting our VPS and Dedicated
https://www.pcisecuritystandards.org/ Servers.
Please provide the supporting Absolutely, our VPS and DS
Packages are PCI C
e. SAS70 (Statement on Auditing Standards No. 70) if SSAE16 is not N Currently the standard is not
in place supported
http://sas70.com/sas70_overview.html
Please provide the supporting
f. Others Data Centre Compliance Standards and Certificates N We do not provide it, but you
Please provide the supporting can purchase PCI Vendor as
a solution.
Can HSH obtain a copy of reports for all of the above upon request? N
5 Is the Data Centre being performed vulnerability scanning or penetration Y Yes, we perform regular
testing every year? vulnerability scanning and
penetration testing regularly.
Were there any major vulnerabilities found in the last scanning? If This is related to the actual
Yes, what were they and whether they have been addressed? datacenter, hardware and the
virtualization used on
servers.
6 Will the support provided by your company work with Data Centre Y Sure, we do work with them
Support team, when necessary, for any troubleshooting or support? and we are official partners.
7 In any circumstances, will there be any requirement for HSH team to Y The Servers are managed by
work directly with personnel from the Data Centre for any kind of us, so in case if you get any
troubleshooting relating to HSH data? issues, you need to reach us,
no need to reach the Data
Centers support.

(C) Backup and Recovery Feedba Remarks

(This section is not applicable if the proposal is the On-Premise software) ck

IT Security Checklist-v2 Page 2 of 11

 THE HONGKONG AND SHANGHAI HOTELS, LIMITED

Y = Yes
N = No
NA = Not
Applicable
1 Please describe the Backup process details in your proposal. Y The backup runs daily on all
our servers and it generates a
copy of your entire account
and all data on it. Depending
on the hosting plan you
choose, we will keep a
different amount of backups
for your account. You can
review that in details here:
https://www.fastcomet.com/c
ompare-shared-package
2 Does the Backup include Data Backup? Y The backups are designed to
store all data on your
account. This includes all
files, databases, email
accounts and messages,
sub/parked/addon domains,
etc. It is a full backup of all
data on your accounts on the
server.
3 Does the Backup include daily backup, weekly backup and monthly Y It depends on the plan you
backup? choose. The shared hosting
plans have different
retention, but they are
generated daily. You can see
the available backup copies
for each of our shared
hosting plans here:
https://www.fastcomet.com/c
ompare-shared-package
4 What is the number of days for the Backup Copy Retention Period? Y It depends on the shared
hosting plan you choose. The
SmartStart and ScaleRight
plans have a retention set to 7
and the SpeedUp plan has a
retention set to 30. You can
see that in details here:
https://www.fastcomet.com/c
ompare-shared-package
5 Does your proposal include Offsite Backup? Y Yes, all our backups are kept
on a remote location.
6 In case of the primary system failure which significantly impacts on Y We can restore the service as
business services/revenue, what is the contingency plan to recover the quickly as technically
system operation? (e.g. Failover to the Backup Site) possible. In case of a disaster,
Please provide the details. we set up a new hardware
node and initiate a full
restore of the latest available
backup of the client, in order
to restore full operation of
the clients website.
7 How long will your application be expected to resume the system Y It depends on the size of the

IT Security Checklist-v2 Page 3 of 11

 THE HONGKONG AND SHANGHAI HOTELS, LIMITED

operation for clients in the contingency plan? backup. It will be done as

(i.e. if the contingency plan is to failover to the Backup Site, how quick soon as it is technically
the backup site can be ready for clients to use?) possible.

8 Does your company undertake a Data Recovery drill every year? N

9 Can HSH obtain a copy of the latest Data Recovery Drill report upon N
request?

(D) Security Feedba Remarks

ck
Y = Yes
N = No
NA = Not
Applicable
1 Is your application ensure secured encryption protocol and protection for Y We can assist you with any
data transmission between our network and your system over the kind of SSL certificate
internet? installation.

If yes, please provide the details of the encryption/protection already in

place.

Is your application supported the following Cryptographic protocols

(which provide secure communication over networks)
a. SSL3.0 (Y/N)
b. TLS1.0 (Y/N)
c. TLS1.1 (Y/N)
d. TLS1.2 (Y/N)
Note : SSL3.0 and TLS1.0 are no longer secure. SSL3.0 no
TLS1.0 yes
SSL Certificate TLS1.1 yes
Is the SSL certificate supported SHA1 or SHA2? TLS1.2 yes
Note: PCI requires SHA2 SSL Certificate.
We support SHA256
2 Is the personal and confidential data are encrypted in the database level Y All your personal Data will
in your application? be encrypted and secured.
The server of our Client Area
If yes, what are the data? is SSL protected.
If not, please advise if any compensating controls are in place to mitigate
the risk.

3 Could your application be restricted to only allow our users to access Y You can request that from the
from our offices? (i.e. users cannot access the new software at home. One Tech Support, you just need
of the reasons is to prevent data leakage out of our office) Please provide to provide us the IP address
the details how to achieve the restriction. of the office.

In addition, if HSH only allows the authorized users to access your

application out of the office network, please advise if your application
able to manage for this remote access requirement.

4 Do you have any anti-malware and firewall/Intrusion Prevention System Y We have An intelligent
to protect the applications and the data in your solution? protection of your cloud
hosting environment
preventing password brute

IT Security Checklist-v2 Page 4 of 11

 THE HONGKONG AND SHANGHAI HOTELS, LIMITED

force, denial of
service(DDoS attacks) and
many other common attacks.
Our In-House Web
Application Firewall is
specifically optimized for
open source applications,
such as Joomla, WordPress,
Magento and etc.
5 Not applicable for On-Premise software Please confirm if there are any N
incidents of non-compliance with your internal data privacy policy
within the last 5 years. If yes, please provide details of the incident(s)
and the actions taken.

6 Please confirm if there are any data breach incidents within the last 5 N
years. If yes, please provide details of the incident(s) and the actions
taken.
7 If your solution includes wireless devices, do the devices provide secured NA We are hosting provider and
wireless encryption and protection for data transmission? we do not offer wireless
devices.
What wireless encryption is used? Example , WPA2, WPA and WEP

(E) Remote Support Services Feedba Remarks

ck
Y = Yes
N = No
NA = Not
Applicable
1 What is the Remote Access software to be used for any remote support Y You can reach our Tech
from your support team to our network? Support at any time by
submitting a ticket to them.
You can reach them via your
client Area with us.
2 Is the remote support connection secured (I.e. encryption)? Y Yeah, the client area is fully
secured.
3 Will your support team accept to use our remote access software if we N The only way to reach the
can provide one for your team? Tech Support is to submit a
ticket to them.

(F) Single Sign On Feedba Remarks

ck
Y = Yes
N = No
NA = Not
Applicable
1 Can the application support Single Sign On authentication with our NA All our servers are Linux
Corporate Windows Accounts (AD) for our key Operations? based, so we do not support
any kind of Windows based
applications.
2 The majority of our operations are using Office 365 with integration for All our servers are Linux
our AD user accounts. based, so we do not support
NA any kind of Windows based
Is your application directly integrated with Microsoft Azure Active applications.
Directory for Single Sign On?

IT Security Checklist-v2 Page 5 of 11

 THE HONGKONG AND SHANGHAI HOTELS, LIMITED

(G) Password Settings Feedba Remarks

ck
Y = Yes
N = No
NA = Not
Applicable
1 In your proposal, is each user of your application assigned with his/her Y Yeah, each client has his own
own login account? Client Area and cPanel
details.
2 Can your application be configured to require minimum password length N The minimum length of the
of 7 digits? password for the Client area
and cPanel is 6 digits, which
Can the length of the account password be configured by ourselves in cannot be changed. You can
your application? (e.g. HSH changes the minimum password length to be change the passwords at any
8 digits next year) time without any issues. This
is a cPanel feature and you
can submit a feature request,
in case you wish to see that
in a future release. The
official Feature Request
portal of cPanel is available
here:
https://features.cpanel.net/
3 Can your application be configured to expire passwords every 90 days? N At this point we do not offer
such kind of services. This
depends on the cPanel
service and you can submit a
feature request, in case you
wish to see that in a future
release. The official Feature
Request portal of cPanel is
available here:
https://features.cpanel.net/
4 Can your application be configured to require password complexity of at N The Client area and cPanel
least one alphabetic character and one numeric character? password configurations can
not be changed.
5 Can your application be configured to trigger account lockout for at least N It currently does. If someone
30 minutes after 5 consecutive bad password attempts? attempts to brute-force your
cPanel account, s/he will be
blocked for 30 minutes
before being able to attempt
that again.
6 Can your application be configured to allow users to change their own Y The Client can change his
passwords? password at any time

7 Can your application be configured to require passwords to be re-entered N At this point we do not offer
after idle time over 30 minutes? such kind of services. This
depends on the cPanel
Can the length of the idle time be configured by ourselves in your service and you can submit a
application? feature request, in case you
(E.g. 5 minutes, 15 minutes) wish to see that in a future
release. The official Feature
Request portal of cPanel is
available here:

IT Security Checklist-v2 Page 6 of 11

 THE HONGKONG AND SHANGHAI HOTELS, LIMITED

https://features.cpanel.net/
8 Can your application be configured to ensure that new password cannot N At this point we do not offer
be the same as any of the last four used for that account? such kind of services. This
depends on the cPanel
service and you can submit a
feature request, in case you
wish to see that in a future
release. The official Feature
Request portal of cPanel is
available here:
https://features.cpanel.net/
9 Does your application have the Forget Password function? Y Yeah, we do offer Password
Reset option for the Client
area.
1 Can the application be configured with an option to force a password N At this point we do not offer
0 change for a user when the use login? such kind of services. This
(This will be used when the System Administrator helps a user to reset depends on the cPanel
his/her password) service and you can submit a
feature request, in case you
wish to see that in a future
release. The official Feature
Request portal of cPanel is
available here:
https://features.cpanel.net/

(H) User Activities Reports Feedba Remarks

ck
Y = Yes
N = No
NA = Not
Applicable
1 Is your application able to keep track of changes of users access rights? NA At this point we do not offer
such kind of services. This
depends on the cPanel
service and you can submit a
feature request, in case you
wish to see that in a future
release. The official Feature
Request portal of cPanel is
available here:
https://features.cpanel.net/
2 Is your application able to keep track of data amendment action? NA At this point we do not offer
such kind of services. This
depends on the cPanel
service and you can submit a
feature request, in case you
wish to see that in a future
release. The official Feature
Request portal of cPanel is
available here:
https://features.cpanel.net/
3 Is your application able to generate a report to indicate bad password N At this point we do not offer
attempts? such kind of services. This
depends on the cPanel
service and you can submit a

IT Security Checklist-v2 Page 7 of 11

 THE HONGKONG AND SHANGHAI HOTELS, LIMITED

feature request, in case you

wish to see that in a future
release. The official Feature
Request portal of cPanel is
available here:
https://features.cpanel.net/
4 Is your application able to provide a user activity report for N At this point we do not offer
a. Generate reports such kind of services. This
b. Downloading files depends on the cPanel
c. Export Data service and you can submit a
feature request, in case you
wish to see that in a future
release. The official Feature
Request portal of cPanel is
available here:
https://features.cpanel.net/

(I) Users Permission Review Feedba Remarks

ck
Y = Yes
N = No
NA = Not
Applicable
1 Is your application able to generate a matrix report for all Login N At this point we do not offer
Accounts with the granted permissions by operation and department? such kind of services. This
depends on the cPanel
service and you can submit a
feature request, in case you
wish to see that in a future
release. The official Feature
Request portal of cPanel is
available here:
https://features.cpanel.net/

(J) PCI (Payment Card Industry) Compliance Feedba Remarks

www.pcisecuritystandards.org ck
Y = Yes
N = No
NA = Not
Applicable
1. Does your application store, process or transmit credit card holder data? Y We are a PCI compliant
company and we use
Braintree as a Payment
Processor for storing
sensitive information.
2. Is your application compliant with PCI-DSS (Payment Card Industry Y We are a PCI compliant
Data Security Standard) or PA-DSS (Payment Application Data Security company and we use
Standards)? Braintree as a Payment
Processor for storing
sensitive information.
3. If your application is PCI-compliant, please provide the supporting for Y We are a PCI compliant
our information. company and we use
Braintree as a Payment
Processor for storing
sensitive information.
4. Does your application offer Credit Card Number Masking except the last Y If you are talking about your

IT Security Checklist-v2 Page 8 of 11

 THE HONGKONG AND SHANGHAI HOTELS, LIMITED

4 digits? Credit Card in our System,

yeah, your Credit card
number will be hidden
(without the last 4 digits )

(K) User Workstation Requirements Feedba Remarks

Remarks: Our current Standard for workstation is Windows 7, IE9/IE10 and Office ck
2010/2013. It is subjected to change to another higher version when our standards is Y = Yes
reviewed and updated. N = No
NA = Not
Applicable
1 Is your application fully compatible with Windows 7.x and Windows 10? NA We are hosting provider, we
offer Linux based Hosting
Please list out the modules/functions in your application if there is any Services. You can access the
areas incompatible.

2 Is your application fully compatible with Microsoft Office 2013 and NA

Office 2016?

Please list out the modules/functions in your application if there is any

areas incompatible.

3 Is your application fully compatible with IE11 and Microsoft Edge? Y Yeah, the client area is
supported by IE11 and
Please list out the modules/functions in your application if there is any Microsoft Edge.
areas incompatible.

4 What other browsers and versions are fully compatible with your Y Our website is accessible
application? from all the browsers.

(L) Mobile Devices Feedba Remarks

If your solution is not applicable in Mobile, please simply put NA for each item in ck
this section. Y = Yes
N = No
NA = Not
Applicable
1 Does your application support iOS mobile devices? Y Our website, Client area can
be accessed from any kind of
device
2 What versions of iOS versions with the default browser (i.e. Safari) are Y It is supported from the last
supported? version of IOS.

Please list out the modules/functions in your application if there is any

areas incompatible.

3 Does your application support Android mobile devices? Y Our website, Client area can
be accessed from any kind of
device
4 What Android versions with the default browser are supported? Y It is supported from the last
version of IOS.
Please list out the modules/functions in your application if there is any
areas incompatible.

(M) Support Services and SLA Feedba Remarks

ck

IT Security Checklist-v2 Page 9 of 11

 THE HONGKONG AND SHANGHAI HOTELS, LIMITED

Y = Yes
N = No
NA = Not
Applicable
1 Where is your helpdesk/support centre? Y We are based in San
Francisco.
2 What is the support service hours for your helpdesk support? Y We work 24/7.
E.g. 24x7x365, 9am-6pm Mon-Fri
3 In your proposal, what is the SLA response time for the support services? Y The Tech Supprt update the
tickets in up to 10 minutes.
4 Any escalation paths such as emergency mobile numbers will be Y We are 24/7 available and
provided to HSH for critical incidents. you can reach us at any time
via ticketing system, chat or
Is the escalation valid in the non-office hours? Phone

(N) Upgrade and Change Management Feedba Remarks

ck
Y = Yes
N = No
NA = Not
Applicable
1 How frequent will your application usually be upgraded? Y We do update our Client area
and cPanel. We keep them up
to date.
2 When will we be notified in advance if application upgrade is planned? Y If there is some kind of
maintenance, we will inform
you week before
3 Will the new version of your application be fully tested with our Y Sure, we do test our
configuration before it is deployed in the production platform? application.

SIGN OFF
Vendor / Services Provider: Hotel / Operation:
FastComet hosting Services

Name: Mike Myler Name:

Position : Senior Sales Agent Position :
Company : FastComet Hosting Services Hotel/Operation :

SIGN OFF (HSH Internal Use Only)

IT Security Checklist-v2 Page 10 of 11

 THE HONGKONG AND SHANGHAI HOTELS, LIMITED

Name: Name: Name:

IT Security Checklist-v2 Page 11 of 11