Security

Where is Connectworks’ data stored?

The application makes use of the Amazon data services established within the Sydney, Australia Amazon region.

Amazon is a SAS 70 certified infrastructure-as-a-service provider that maintains a high level of internal security. More information about Amazon's security is available in the AWS Security Whitepaper:

https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf

We employ encryption for backups, including data at rest.

SECURITY POLICY AND ORGANISATION

How is management’s direction and support for information security demonstrated to staff?

The company has documented policies and procedures. These are made available to all staff on induction, upon request, and when revised.

All staff are required, under their employment contracts, to ensure they are familiar with current policies and procedures. Any changes to a policy or procedure are notified to staff by email.

Ensuring that the security policy, standards and procedures are up to date

Management is responsible for maintaining their respective policies and procedures, with six-monthly reviews and review outcomes reported to the board.

Managing threats & vulnerabilities

Risk assessments are a component of the review of policies and procedures (compliance, shortfalls and completeness).

At this stage, sensitive data is limited to client information maintained in the application and in transit to the application (for the purpose of loading). Policies and procedures exist to ensure the correct handling, destruction and security of this data.

PERSONNEL SECURITY

Vetting staff

All employees are vetted by way of references from previous employers. Where relevant, criminal background checks are also performed and considered.

Ensuring that security responsibilities are addressed by staff

All employment contracts include a confidentiality clause that covers third-party and client information. Breach of confidentiality is clearly indicated as serious misconduct in the context of employment.

Policies and procedures clearly define security concerns and data handling procedures.

Measures to ensure no over-reliance on key personnel

All policies and procedures are documented. With respect to key activities within IT, the majority of these are automated or semi-automated and are accompanied by relevant documentation.

At least two staff members are knowledgeable in respect of each critical role for which such staff members are available. Where staff-based duplication is not possible, a trusted third party is engaged to provide backup support.

Controls covering employee resignation or dismissal

We have policies and procedures that relate to staff induction and termination. Both include the provision and return of keys.

We use a single directory service to manage user access rights to systems. Management policy includes immediate removal of user access upon termination, including access to email and other business systems.

DATA SECURITY AND DISPOSAL

Ensuring safe handling of client data

Long-term data is retained in the application. We may handle data for loading purposes, but this is deleted once it is no longer needed. All transfer of data is done securely, either online or via secure encrypted storage.

Secure disposal/destruction of client data

Data managed by us is deleted once it is no longer needed. We employ encrypted storage on all devices that handle data, and secure deletion techniques when deleting data.

Data is only held long-term within the application.

SYSTEM MANAGEMENT

Ensuring on-going service availability in the event of a system failure

We leverage the Amazon AWS infrastructure to offer high availability, including database failover, geographic failover and scaling of the application.

Processes and procedures in place to manage system problems

All systems are actively monitored 24x7, with events sent by email or mobile. Account managers act as liaisons with clients when issues are significant.

Security administration

Access to secure systems is granted on an as-needs basis, managed through a central login service. Access to the production environment is highly restricted.

System patch and vulnerability identification

We make use of long-term support operating systems and actively monitor notification channels for relevant patches. All services are hardened to use a minimal suite of software. Additional vulnerability management is handled with our intrusion detection partner.

CONTINGENCY AND RESILIENCE

Business continuity management processes

We have policies and procedures that cover business continuity.

We have contingency arrangements in respect of business operations, ensuring that the application remains serviced in the event of a localised impact to the business.

With respect to the hosting environment: although we are hosting in Sydney, Amazon provides hosting services in multiple other locations, and by the nature of virtualisation we may deploy the application in any of these locations.

ANTIVIRUS STRATEGY AND POLICIES

All files uploaded to the application are subject to virus scanning. Internally, we employ standard virus-scanning policies.

NETWORK SECURITY

Use of Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS)

We employ intrusion detection through a trusted third party.

Security testing on the external facing infrastructure

We have engaged a third party to perform comprehensive additional penetration testing. Amazon performs its own testing (and we note that our services expose a very narrow surface in respect of access).

PHYSICAL SECURITY

Physical security of the location

In respect of uploaded and application data, all data is maintained within the Amazon infrastructure. Amazon AWS is a SAS 70 certified infrastructure-as-a-service provider. An overview of Amazon AWS security is available at http://aws.amazon.com/security/.

No third party other than Trustworks, Amazon or the client is permitted access to data.