Security White Paper Version 3.0
Date: December 19, 2017
Confidential - do not duplicate or distribute without written permission from SurveyGizmo. This is a controlled document that can only be obtained from the SurveyGizmo portal, which requires that you provide your name and contact details.

This document is being given to you to help you understand the security environment and culture of SurveyGizmo, and to answer questions that you may have from your security team. This document may be used in place of traditional security assessment checklists to help you with your due diligence. Possession of this document falls within SurveyGizmo's Terms of Use.

Our team strives to ensure accurate information, but because we are always evolving our security posture to match current and changing conditions, this document may not always reflect our exact architecture and it may not be error free.

We reserve the right to modify this information at any time.

Questions or comments: [email protected]
Table of Contents

Executive Summary
Environment
Application & Interface Security
    Application Development
Audit Assurance
    Independent Audits
    Customers Auditing SurveyGizmo
Security Incident Management
    Incident Response Plan
    Breach Notification
Business Continuity Management & Operational Resilience
    Service Health and Failover
    Business Continuity Plan (BCP)
    Disaster Recovery Plan (DRP)
    Plan Testing
    Business Impact Analysis (BIA)
    Reliability and Backup
    Data Retention
Change Control & Configuration Management
Data Security & Info Lifecycle
Datacenter Security
Encryption & Key Management
    AWS Encryption of Data at Rest
    Encryption Methodology and Key Strength
    Encryption Key Management
    Data Encryption
    Secure Survey Share Links
Governance & Risk Management
    Security Standards
Human Resources
    Background Checks
    Bring Your Own Device (BYOD)
Security Skills Assessment and Appropriate Training
    Training
    Phishing
Access Provisioning Management
    Administrative Access
    Access for Third Party IT Solution and Service Provider
    Password Settings
AWS Host Datacenter
    AWS Firewalls
    AWS Secure Network Architecture
    AWS Secure Access Points
    Amazon Corporate Segregation
    AWS Fault-Tolerant Design
Logging & Alerting
    Logs
    Federated Multi-Tenant Database Designs
    Background Queued Processes
    Redundant Data Stores
Supply Chain Management
Threat & Vulnerability Management
    Scanning and Patching
AWS Service Organization Controls (SOC) 3 Report
References
Executive Summary

At SurveyGizmo we take data security very seriously.

SurveyGizmo is an exceptionally powerful, easy to use software that gives you access to the answers you're after, no matter your budget. Collect data of all kinds on our global, scalable, reliable platform, then use our reporting tools to find trends and patterns.

Because SurveyGizmo is primarily a Do-it-Yourself (DIY) application and is utilized globally, we strive to ensure compliance with specific requirements, but we don't guarantee it. We have implemented a holistic and comprehensive approach to both security and privacy, but SurveyGizmo does not claim to have a complete understanding of all the unique compliance and privacy requirements for each country. See the SurveyGizmo Privacy Whitepaper for more information on compliance.

We give you the tools but it is up to you to implement them correctly. Ultimately, the security of the data you collect is your responsibility.

Your data is protected with numerous anti-hacking measures, redundant firewalls, and constant security scans. Because security is so important to us, our CEO has approved all Information Security and Privacy policies, and our Team Directors and Managers are responsible for compliance and security at the team level.

In addition to undergoing full background checks, all employees attend security awareness and compliance training when they start at SurveyGizmo. There is also an annual refresher training for current employees.

Finally, we annually review all our Security and Privacy policies, and this SurveyGizmo Security Document is frequently updated to bring you up-to-the-moment information about our data protection efforts.

Some of our most important security initiatives include:

• All of our software and services are online, and we don't require any software downloads.
• We offer multiple methods for survey taking, such as web browsing, offline mode, QR codes, smartphones, and tablets.
• Through Amazon Web Services (AWS), we have a fault-tolerant, Highly Available (HA), and scalable infrastructure. We employ redundant firewalls and load balancers to protect against intrusion and surges in traffic volume. We are committed to providing 99.9% uptime for survey takers and application users, and in 2015 we were able to provide 99.95% availability.

Environment

SurveyGizmo's offices are located at 4888 East Pearl Circle in Boulder, Colorado. It is an energetic and dynamic place to work which allows employees the freedom to express themselves while working very hard to provide the best services and application to the customers. A few remote offices are located in the United States and employees are allowed to work from home. The Boulder offices are accessed via secure badge access only and there is a strict visitor policy.

SurveyGizmo is a mid-sized business, so our definition of "formal" and "documented" is whether the process is predictable and consistently repeatable. SurveyGizmo has implemented the level of policies, standards, plans, and procedures appropriate for the environment. SurveyGizmo follows similar guidelines as bigger companies, and how these guidelines are implemented aligns with the corporate vision and mission.

SurveyGizmo has a lean agile development environment with bi-weekly sprints. Releases are sometimes done multiple times per day. These releases are automatic and the customer does not decide if and when they are applied. SurveyGizmo may from time to time, in its sole discretion, change some or all of the functionality of any component of the SurveyGizmo application.

Applications with customer-specific information are only available while employees are physically in the Boulder office or through a VPN connected to the physical office. By policy, SurveyGizmo does not allow employees to work from "Starbucks-like" locations or use a split-tunnel VPN. SurveyGizmo has multiple employee policies including an Acceptable Use policy. New Hire training is mandatory and SurveyGizmo provides quarterly training updates.

Because we are hosted by AWS, we leverage their power to be highly available, to increase our reliability, and to offer increased flexibility that lets us scale up for surges in traffic in near real time. Automated redundancies are in place for a scalable infrastructure to accommodate high traffic. Because of this, security in the cloud is slightly different than security in on-premise datacenters.

We have a shared security responsibility model with AWS. We utilize AWS for Infrastructure as a Service (IaaS), and they are responsible for the underlying infrastructure that supports the cloud. They are responsible for protecting the global infrastructure that runs all the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services.

Unlike the traditional on-premise software model, where the customer has 100% responsibility for securing their systems, when a customer utilizes a Cloud Service Provider (CSP) they are operating under the shared security model. AWS describes their model in the Shared Responsibility Model. Below is the SurveyGizmo shared security model. Depending on the CSP model selected, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or Software-as-a-Service (SaaS), the level of responsibility shifts from one party to the other. In all the models, White indicates the Customer's Responsibility; Light Grey is AWS's Responsibility; and Dark Grey is SurveyGizmo's Responsibility.
Shared Security Diagram

[Diagram: three columns, IaaS, PaaS and SaaS, each listing the same stack from bottom to top: Physical, Infrastructure, Network, Virtualization, Operating System, Application, Service Configuration, Access, Data. Each cell is shaded by the responsible party (Customer, AWS, or SurveyGizmo); the shading is not recoverable from the text.]

For more information on Amazon's extensive security controls, see their Overview of Security Processes paper or check out their enormous library of resources.
Application & Interface Security

Application Development

SurveyGizmo is a traditional Linux, Apache, MySQL, and PHP (LAMP) based application. LAMP is an acronym which stands for Linux operating system (OS), Apache HTTP Server, MySQL relational database management system (RDBMS), and PHP programming language. We've developed SurveyGizmo as a multi-tier (N-Tier) application using the MVC (Model-View-Controller) design pattern.

The N-Tier architecture is a client-server software architecture in which the presentation (web application), the processing/function logic (workers), and the database are logically separated processes. This allows any of the three tiers to be developed and maintained independently of the others, creating maximum flexibility and the ability to respond to technology changes in any one tier. MVC is a software architecture pattern for implementing user interfaces. These architectural decisions help to separate the different logical responsibilities of the application.

We also never outsource; all development and quality assurance activities are performed in-house. The SurveyGizmo application is 100% developed by employees.

• We use supported 3rd party libraries as necessary to enhance and produce new features.
• Manual source code review before check-in.
• Peer review for critical code.
• Static code analysis tool.
• We use Jenkins for automated DevOps.

To ensure a secure platform, we utilize the Open Web Application Security Project (OWASP) standards during the software development process. We focus not only on improving the functionality of our product, but also on improving the security of our software.

All members of the Product Development Group are required to adhere to the OWASP Top 10 standards: injection; broken authentication and session management; cross-site scripting; insecure direct object references; security misconfiguration; sensitive data exposure; missing function level access control; cross-site request forgery; using components with known vulnerabilities; and unvalidated redirects and forwards. For more information please see: OWASP Top 10.

We use a code repository along with a managed ticketing, review, and approval process. Our development team utilizes standard quality assurance procedures, and automated regression testing is performed prior to each production deployment.

We never use production data for testing purposes, unless it is required to resolve a client-reported support issue.

We have separate development, test, and production environments for both our website and application. Work progresses from development to quality assurance to production, where it can be seen and used by our customers. A modified Lean Agile System Development Life Cycle (SDLC) methodology is used for development, and issues are reported from both clients and employees. Issues are tested and documented in Support and prioritized by the Product Development Team. Production servers are only accessed through Secure Shell (SSH), or from the office network through a Virtual Private Network (VPN). The VPN is IPsec and traffic is logged.
Audit Assurance

Independent Audits

Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.

SurveyGizmo utilizes WhiteHat Security (https://www.whitehatsec.com/) to perform an annual application penetration test on the SurveyGizmo application. SurveyGizmo also utilizes the WhiteHat Security application scanner to do continuous scanning of the application.

SurveyGizmo utilizes TrustWave (https://www.trustwave.com/home/) to perform quarterly network penetration tests on the SurveyGizmo network environment.

SurveyGizmo staff also utilize Burp Suite (https://portswigger.net/burp) to perform their own quarterly scans.

SurveyGizmo hired an independent third party to perform a Health Insurance Portability and Accountability Act (HIPAA) audit.

Customers Auditing SurveyGizmo

We don't allow customers to perform application or network penetration testing on us.

Security Incident Management

Incident Response Plan

Incident Response is a significant aspect of any Information Technology program. Preventive activities such as application scanning, password management, intrusion detection and intrusion prevention systems, firewalls, risk assessments, malware & anti-virus prevention, and user awareness and training can reduce the number of incidents; however, not all incidents can be prevented. Incident Response capabilities are necessary for detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring services.

Our plan covers the Incident Response Requirements, Roles and Responsibilities of each Incident Response Team member, their contact information, Incident Handling Procedures, Incident Reporting Procedures, and complementary Metrics. We have procedures for normal business hours as well as for after-hours and weekends. All employees are trained in the procedures, and they understand how and when to escalate an issue. Our Compliance Manager and the IT Manager are responsible for enforcing information security policies, procedures, and control techniques to address all applicable requirements. They also ensure 100% participation of personnel in the Security Awareness Training Program. Our Incident Response Team consists of the Director of Operations, Director of Development, Compliance Manager, IT Manager, and specific IT administrative and support staff.

Breach Notification

Suspected incidents are reported to the Team Managers, who are responsible for organizing the investigation and notifying internal stakeholders. If the investigation finds a need for containment, that will occur, then analysis will follow. If repair, recovery or remediation is needed, that will follow.

Notifications to clients will be made based on contractual or legal obligations, reporting will be made to Executive Management, and training issues will be addressed. If a breach is detected involving your data, you will be notified as soon as we are able to notify you.
Business Continuity Management & Operational Resilience

The purpose of preparing for contingencies and disasters is to provide for the continuation of critical missions and business functions in the event of disruptions. SurveyGizmo has both a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP). The BCP refers to strategies about how the business should plan for both interruptions in service and continuation after a disaster. The BCP allows for the advance planning to ensure the business has defined its critical business products and services and that these critical assets can continue to be delivered. The DRP refers to how the information technology and information systems should recover in the event of a disaster. The DRP should detail what should be done immediately after a disaster to recover from the event.

Service Health and Failover

Customers can subscribe to the SurveyGizmo Statuspage for immediate notification of issues related to the SurveyGizmo application: https://surveygizmo.statuspage.io/. As the SurveyGizmo application is completely reliant on the availability of AWS, customers can customize the following AWS page for their availability: http://status.aws.amazon.com/. Also, if you send emails via the SurveyGizmo application, you can check that RackSpace (the hosting provider for email service) is available via the following page: https://rackspace.service-now.com/system_status/. We currently don't allow our customers to move away from either AWS or RackSpace as the hosting provider.

Business Continuity Plan (BCP)

The BCP identifies the critical business functions needed to ensure the availability of essential services and programs and ensures the continuity of operations. The identification of critical business functions is called a Business Impact Analysis (BIA). Continuity planning is one component of a much broader emergency preparedness process that includes items such as contingency planning, business practices, and operational continuity. Preparing for such events often involves implementing policies and processes at an organizational level and may require numerous plans to properly prepare for, respond to, recover from, and continue activities if impacted by an event. Managers must also consider the impacts of disruptions and plan, in alignment with organizational standards and policies, for such events. As one component of a comprehensive risk management approach, Business Continuity planning should identify potential vulnerabilities and threats and then implement approaches to either prevent such events from happening or limit their potential impact.

SurveyGizmo's BCP identifies the types of incidents which could lead to the activation of the BCP and it includes the roles and responsibilities of SurveyGizmo staff should the plan be activated. To help with ranking of tasks, it includes a BIA which was developed by determining the business processes and recovery criticality, identifying resource requirements, and then identifying recovery priorities for system resources.

Disaster Recovery Plan (DRP)

By definition, a disaster cannot be prevented, but steps can be taken to eliminate or reduce the impact of the disaster on the business. For SurveyGizmo, a disaster could be complete loss of AWS Availability Zones for more than 24 hours, compromise of information/architecture integrity for more than 24 hours, a natural disaster that destroys the Boulder offices, or global to local environmental factors. A great deal of consideration is taken to ensure that if a disaster occurs the necessary strategies are in place to reduce the impact to our customers. Some of the preventive measures that SurveyGizmo utilizes are ensuring proper support for data migration and durable storage from AWS, ensuring proper alerting, ensuring good backups, ensuring employees have connections from their homes, and monitoring early warning systems.

The DRP identifies the requirements to recover the information technology assets from a disaster. It also defines the Recovery Point Objective (RPO), Recovery Time Objective (RTO), and Maximum Tolerable Downtime (MTD). Organizations whose major applications are processed at a shared facility should work with the facility management to develop a plan for post-disaster recovery (i.e., which applications/buildings/systems should be restored first). SurveyGizmo has a DRP that includes shared responsibilities with Amazon and it is reviewed annually. Amazon utilizes disaster recovery facilities that are geographically remote from their primary datacenter. Under the AWS disaster recovery shared security model, they provide the physical infrastructure, network, and operating systems, and SurveyGizmo ensures the proper configuration and logical access to the resources.

The following recovery plan objectives have been established for SurveyGizmo:

• Identify the activities, resources, and procedures to carry out SurveyGizmo processing requirements during prolonged interruptions to normal operations.
• Assign responsibilities to designated personnel and provide guidance for recovering SurveyGizmo during prolonged periods of interruption to normal operations.
• Coordinate Disaster Recovery planning activities with Business Continuity actions and Incident Response activities.
• Ensure coordination with external points of contact and vendors associated with SurveyGizmo.
• Ensure coordination with other plans associated with SurveyGizmo.
Plan Testing

Test and exercise events should be conducted periodically to determine the plan's effectiveness and to ensure that all personnel know their role and are informed of the specific actions required of them. For each test and/or exercise activity which is conducted, the results will be documented and lessons-learned action items will be taken so that the associated plans, policies, and procedures can be updated. We annually test the BCP and DRP.

Business Impact Analysis (BIA)

As stated above, to help with ranking of tasks, our BCP includes a BIA which was developed by determining the business processes and recovery criticality, identifying resource requirements, and then identifying recovery priorities for system resources.

Reliability and Backup

All network components are configured in a redundant configuration. All customer data is stored on a primary database server with multiple active clusters for redundancy. The database servers utilize RAID disks and multiple data paths to ensure reliability and performance.

Automated encrypted snapshots (differentials) of databases are performed hourly, and all data storage is redundant. Encrypted daily snapshots are maintained for a minimum of 30 days and test restores are conducted at least quarterly. Backup media resides on AWS' Simple Storage Service (S3) infrastructure, which is designed for eleven nines (99.999999999%) of durability.

Data Retention

SurveyGizmo retains data that we process on behalf of our customers and data collected directly from our customers as long as it is needed to provide services to our customers. SurveyGizmo will retain and use this data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Sometimes users have unique needs, either under specific regulations or other institutional or state requirements, that require exceptions to these guidelines. If you need your data deleted, you are responsible to contact SurveyGizmo and request this action. You can go to this location for more information on deletion: https://help.surveygizmo.com/help/delete-data

For instance, occasionally data needs to be completely destroyed after its intended use. In many cases, data is retired and locked away rather than actually destroyed (e.g. when a customer stops paying for an account, downgrades to a different account plan, etc.). In most cases this makes the loss retrievable in the event of a mistake. We can, however, comply with a request for total data destruction if necessary.

Change Control & Configuration Management

System modifications can introduce risks to system integrity or reliability as well as threats to data confidentiality unless the systems include adequate controls. Change management is the process of requesting, analyzing, approving, developing, implementing, and reviewing a planned or unplanned change within the IT infrastructure. The change management process begins with the creation of a change request within SurveyGizmo's selected technology platform. It ends with the satisfactory implementation of the change and the communication of the result of that change to all interested parties.
The system risk impact from changes and the risk probability of adverse events fall into three categories:

• Low - If an adverse event is encountered, the financial damage or confidential data exposure is minimal or non-existent. The risk of an adverse event is statistically very low, and prevention measures would require an expenditure of resources (time or money) that outweighs the improvement gained.
• Medium - If an adverse event is encountered, the financial damage or confidential data exposure impact is moderate, and could be outside of the risk tolerance for SurveyGizmo. The risk of an adverse event is statistically moderate and the investment of resources to mitigate the possibility of an event would essentially cost about as much as the impact of the event in resources.
• High - If an adverse event is encountered, the financial damage could be high, and the financial damage or exposure of confidential data could be widespread or critical. The risk of an adverse event is statistically high. The adverse effects far outweigh the investment in resources to significantly reduce the likelihood of an event or to reduce the overall risk impact of damages to place it into a lower Risk Impact category.

In addition to impact and probability, the scope or number of components touched during a change also can partially determine the security risk. In general, more places touched means the potential for more risk. SurveyGizmo defines scope as small, medium, large, and extra-large, with extra-large being the riskiest.

Data Security & Info Lifecycle

We allow customers to permanently delete their data from our systems. Because we are a multi-tenant solution, backups for any individual tenant will be permanently deleted once the age of the backup exceeds the age of the oldest backup being retained.

Datacenter Security

According to the AWS Security whitepaper, AWS's datacenters are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the AWS platform and infrastructure.

AWS datacenters are housed in nondescript facilities. Physical access is strictly controlled, both at the perimeter and at building ingress points, by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. In the US, we are part of the US East (VA) Region, which has 5 highly redundant and reliable zones. They are in New York, NY; DA3 & DA6, Dallas, TX; DC6 & DC10, Ashburn, VA. In the EU, our datacenter is in Frankfurt, Germany, which is part of the EU Central region. For security reasons and as part of AWS policy, AWS doesn't provide the physical addresses of the datacenters. The main reason our customers would want the physical address is to ensure the datacenters are sufficiently geographically separated to conform to standard disaster recovery requirements. AWS ensures they have that level of redundancy and reliability, which eliminates the need for actual physical addresses.
All physical access to datacenters by AWS employees is logged and audited routinely. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

AWS is also responsible for the security configuration of their products that are considered managed services. These services provide the scalability and flexibility of cloud-based resources with the additional benefit of being managed. For these services, AWS will handle basic security tasks like guest operating system (OS) and database patching, firewall configuration, and disaster recovery.

Encryption & Key Management

Data encryption is a primary control to protect confidential information from unauthorized access or misuse. Privacy laws in some US states designate data encryption as the only control that can help avert claims for negligence in protecting confidential information, and provide safe harbor from being required to disclose a data breach.

SurveyGizmo employees do not on a regular basis transmit protected confidential information. SurveyGizmo employees do not store confidential information in clear text on their laptops, smartphones or other mobile devices.

AWS Encryption of Data at Rest

All data at rest is encrypted on disk using AWS EBS encrypted volumes. AWS provides the ability to encrypt EBS volumes and their snapshots with AES-256. The encryption occurs on the servers that host the EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage.

Encryption Methodology and Key Strength

All encryption is accomplished using non-proprietary, industry standard encryption algorithms. Where possible, SurveyGizmo will ensure that strong encryption keys are implemented. AES-256 key length and greater are the recommended encryption algorithms and key strengths.

Encryption Key Management

Encryption keys, whether created and managed by SurveyGizmo or an encryption solution vendor, are securely stored and maintained.

Data Encryption

All survey data, even that which is designated as unencrypted, is encrypted at the disk level on the database servers. Surveys that are designated by the customer as encrypted are further encrypted at the row level. When surveys are flagged to be encrypted (by the customer), we further encrypt the data at the row level when it's inserted into the database on those drives, via survey-specific application-level encryption. This means that stored data cannot be accessed without a key and algorithm that is managed outside of the data store, and therefore provides a higher level of protection for your stored data. Project Data Encryption must be activated on a survey-by-survey basis. Once you have collected data in an encrypted survey, encryption cannot be enabled/disabled.
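The row-level layer described above is easiest to understand in code. The following is an added example written for this page; it is not SurveyGizmo's code (their application is PHP; Go is used here because its standard library ships AES-GCM). It assumes a hypothetical master key held in the application tier, a per-survey key derived from it with HMAC-SHA256, and AES-256-GCM for each stored field; the identifiers survey-42 and row-1 and the sample answer are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// masterKey stands in for the key the application tier holds outside the
// database (for example in a secrets manager). It is a constructed sample
// value; a real deployment generates it randomly and never stores it in MySQL.
var masterKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes = AES-256

// surveyKey derives a per-survey AES-256 key with HMAC-SHA256 over the survey
// identifier. The database only ever sees ciphertext; neither the master key
// nor a survey key is written to it, so a dump of the table is unreadable
// without the application's key material.
func surveyKey(master []byte, surveyID string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("survey-row-key:" + surveyID))
	return mac.Sum(nil) // 32 bytes
}

func newAEAD(surveyID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(surveyKey(masterKey, surveyID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRow seals one response field with AES-256-GCM. The survey and row
// identifiers are bound as additional authenticated data, so a ciphertext
// copied into another survey's or another row's column fails authentication
// instead of decrypting to a plausible value.
func EncryptRow(surveyID, rowID string, plaintext []byte) (string, error) {
	aead, err := newAEAD(surveyID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per row
		return "", err
	}
	aad := []byte(surveyID + "|" + rowID)
	sealed := aead.Seal(nil, nonce, plaintext, aad)
	// Stored value = nonce || ciphertext || GCM tag, base64 for a text column.
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptRow reverses EncryptRow; it returns an error if the stored value was
// truncated, tampered with, or belongs to a different survey or row.
func DecryptRow(surveyID, rowID, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(surveyID)
	if err != nil {
		return nil, err
	}
	if len(raw) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored value too short to be a sealed row")
	}
	nonce, sealed := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, []byte(surveyID+"|"+rowID))
}

func main() {
	// Constructed sample: what the database column for one answer would hold.
	ct, err := EncryptRow("survey-42", "row-1", []byte("respondent answer"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in MySQL:", ct)

	pt, err := DecryptRow("survey-42", "row-1", ct)
	fmt.Println("application reads back:", string(pt), err)

	// The same ciphertext presented under another survey: different key and
	// different AAD, so GCM rejects it rather than returning garbage.
	_, err = DecryptRow("survey-43", "row-1", ct)
	fmt.Println("wrong survey rejected:", err != nil)
}
```

The point of the second layer is that the key never lives next to the data: EBS volume encryption protects against a lost or reused disk, but anything that can read the database through the running system (a SQL injection, a stolen database credential, a backup copied elsewhere) still sees only ciphertext for the flagged surveys. It does not protect against a compromise of the application tier itself, which holds the master key.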
Access to the SurveyGizmo application is available only over secure HTTPS. Data in transit is encrypted when customers choose to use HTTPS for their account, API, or surveys. We use TLS as our secure communications protocol and keep it at the most recent patch level.
Additionally, data is encrypted at rest, and further layers of encryption can be enabled, managed, and controlled via customer-facing features.
Secure Survey Share Links
If you wish to take advantage of an extra layer of security when collecting data, you can use secure links, designated by the "https" scheme. HTTPS links use TLS (the successor to SSL) to carry data between the respondent's browser and the survey over an encrypted channel. All newly created standard web links are secured by default.
Governance & Risk Management
The SurveyGizmo IT Risk Management Program integrates risk identification and mitigation with policy and regulatory IT compliance management. SurveyGizmo will implement and maintain an IT Risk Management Program that leverages industry best practices, guidelines and standards, and includes the following elements. SurveyGizmo will:
• Perform an IT Risk Assessment and analysis at least once per year.
• Develop and implement Policies and Standards to meet IT risk mitigation objectives as well as maintain compliance with privacy and other regulatory requirements.
• Establish a remediation prioritization process that allocates a priority level to the threats and vulnerabilities that have the potential to cause significant impact or harm to SurveyGizmo services, systems, devices, or confidential data.
• Perform an information technology risk assessment and select adequate controls to mitigate known risks. The controls will be consolidated in a Risk Register. An IT Risk Assessment will be performed prior to deployment of new or modified systems.
Risk Determination is used to assess the level of risk to the IT systems. The risk for a particular threat/vulnerability pair is measured using a risk level matrix, expressed in terms of probability and impact level. (The risk level matrix itself is not reproduced here.)
Security Standards
In 2016 we began implementing the CIS Critical Security Controls. We also apply the Open Web Application Security Project (OWASP) standards during the software development process. We perform a risk assessment and self-audit each fall. All employees receive annual refresher Security Awareness Training.
We do not allow unauthorized external parties to conduct testing against our systems. It is our policy not to share, at any level, the policies and procedures related to the security and compliance of our systems.
Human Resources
The purpose of implementing a Human Resources Standard is to ensure that data and IT assets are used in an appropriate, responsible, and legally compliant manner consistent with the business strategy of SurveyGizmo. The Human Resources Standard ensures the confidentiality, integrity, and availability of SurveyGizmo systems and data. The following describes how our employees are managed.
• All employees are subject to background verification.
• We specifically train our employees in regard to their specific role and the information security controls they must fulfill.
• All employee training is documented with their acknowledgement of completion.
• All personnel are required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer information.
• All personnel are trained and provided with security awareness training programs at least once a year.
• We have documented policies, procedures and guidelines in place to govern change in employment and/or termination. Our documented policies, procedures and guidelines account for timely revocation of access and return of assets.
• We can provide documentation regarding how we may access customer data via an Acceptable Use Policy.
• Users are made aware of their responsibilities for maintaining awareness of and compliance with published security policies, procedures, standards and applicable regulatory requirements, and understand the sanctions for non-compliance.
• Users are made aware of their responsibilities for leaving unattended equipment in a secure manner.
• We use industry standard endpoint protection software on all company laptops. Laptop scanning is scheduled to run daily, and employees are encouraged to report any errors to the privileged IT Admins. We manage administrator privileges on all equipment, and all new laptops are encrypted.
Background Checks
We partner with an employment screening vendor to complete background checks on all employees before they are hired. The human resources department completes reference checks on all employees. We comply with the federally mandated requirements regarding I-9 (Employment Eligibility Verification Form) documentation.
Bring Your Own Device (BYOD)
All employees are issued company-owned equipment, and all company-owned equipment is managed by the office IT administrators. Per company policy, employees cannot access customer data from their personal devices, including laptops and cell phones.
Security Skills Assessment and Appropriate Training
Security training and measurement is the responsibility of the Security and Compliance Manager. The 9th annual Verizon 2016 Data Breach Investigations Report (DBIR) states that the human threat vector is the most pressing issue today; it found that 63% of confirmed breaches involved weak, default, or stolen passwords, and our employees are therefore our biggest weakness. To combat this threat, SurveyGizmo ensures management support, increases employee awareness of security issues, measures our success, and continuously improves our methods. Studies show that it takes 90 days to break a habit and 90 days to form a new one, so a successful program takes consistent attention and determination to turn our employees from security liabilities into security assets.
Training
We have developed a robust, ongoing training plan for all new and existing employees. All new employees are required to attend seven days of SurveyGizmo training.
During this training, in addition to the application training, they also attend the following:
• two-hour Welcome and Orientation
• two-hour SG Brand and Lifecycle of an SG Customer
• three-hour Giving Great Service
• one-hour Security and Compliance Training session
Phishing
In 2016 we implemented user behavior training in which we "phish" our own employees. This training allows us to teach good email and web browsing habits. We assess employees' knowledge to identify areas of vulnerability, educate them and perform quick lessons learned, followed by additional training if needed. We constantly measure and reinforce good internet-use habits.
Existing employees receive annual refresher Security Awareness Training. We hold a weekly company meeting at which the Executive Management Team reports our revenue, expenses, and account numbers. We also use this time with the entire company to discuss important topics such as security and compliance training.
Access Provisioning Management
Access is provisioned to users based on their specific job, on a "need to know" basis. Users are given the least amount of access required to successfully complete their job requirements. A request to provision access to systems or data beyond those normally required for job responsibilities, including administrative access or elevated access to confidential data, must be reviewed and approved by SurveyGizmo Senior Management.
Administrative Access
Administrative privileges are limited to only those administrator accounts required to manage or maintain systems, applications or data. Only administrator accounts are used to perform administrative functions; all other user accounts have lower levels of privilege. High-level system privileges such as root, Administrator, SA, or default user file permissions that allow unrestricted access to computer systems are reserved for IT system administration.
Access for Third-Party IT Solution and Service Providers
SurveyGizmo uses AWS, a third-party provider of IT solutions and services, to provide the SaaS services, including the network and system infrastructure that supports SurveyGizmo's IT needs. AWS has agreed to maintain the confidentiality, integrity and availability of the systems and data per its IT Security Policies and contractual obligations to SurveyGizmo.
• A contract was entered into with AWS in July 2014. The standard terms of use were utilized with no customization.
• A Business Associate Agreement (BAA) was signed with AWS on June 10, 2015.
• A Data Processing Agreement (DPA) was signed with AWS on September 20, 2016.
SurveyGizmo uses Salesforce for customer support ticketing.
• A contract was entered into with Salesforce in 2016. The standard terms of use were utilized with no customization.
• A Business Associate Agreement (BAA) was signed with Salesforce on January 23, 2017.
• A Data Processing Agreement (DPA) was signed with Salesforce on December 14, 2016.
Password Settings
Passwords are stored as salted hashes. Application credentials (usernames/passwords) are NEVER logged. If you choose to use the Login/Password action within a survey, the credentials it collects are stored in clear text, so it should not be used for sensitive data collection. SurveyGizmo personnel will not reset user passwords. If a password is misplaced, the user is sent a unique link via email, which they use to reset their password.
Some SurveyGizmo customers collect highly sensitive data that requires the utmost security, while others find such stringent measures annoying. To accommodate our wide range of users, our password security settings allow administrators to determine the precise level of security necessary to protect each SurveyGizmo account. An administrator can configure these options within their account:
• Expiration Interval: set a time interval for password expiration (e.g. 3 days to 12 months)
• Password Reuse Rules: disallow password reuse, either by password history or by interval of time elapsed (e.g. every X passwords or every X months/years)
• Minimum/Maximum Length: specify a minimum and/or maximum password length
• Require at least one upper and one lower case letter: requires all users' passwords to contain at least one upper-case and one lower-case letter
• Require at least one number: requires all users' passwords to contain at least one number
• Require at least one special character: requires all users' passwords to contain at least one special character
• Set up a complex rule (using Regex): you can specify your own password pattern using Regular Expressions (Regex)
• Password cannot contain SurveyGizmo user information: makes it impossible for users to incorporate their username, email address, or user id into their password
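The options above can be checked as a single policy object. The Go program below is an added example for this page, not SurveyGizmo's code; the Policy and User types, their field names, and the rule that account-information fragments shorter than three characters are ignored are assumptions made here. It evaluates a candidate password against every option in the list (length, character classes, a custom regex, account information and password history) and reports each rule that fails rather than stopping at the first:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// Policy mirrors the account-level options listed above. The field names are
// this example's own, not SurveyGizmo's setting names; a zero value means the
// option is not enforced.
type Policy struct {
	MinLength, MaxLength int
	RequireUpperAndLower bool
	RequireDigit         bool
	RequireSpecial       bool
	Pattern              *regexp.Regexp // administrator-supplied "complex rule"
	ForbidUserInfo       bool
	HistoryDepth         int // reuse rule by history: reject the last N passwords
}

// User carries the account information a password must not contain, plus its
// password history. Production code would compare salted hashes, not plaintext;
// plain strings are used here only to keep the example self-contained.
type User struct {
	Username, Email, UserID string
	Previous                []string // most recent first
}

// Validate returns every rule the candidate violates; an empty result means accepted.
func Validate(p Policy, u User, pw string) []string {
	var problems []string
	n := len([]rune(pw)) // characters, not bytes
	if p.MinLength > 0 && n < p.MinLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	if p.MaxLength > 0 && n > p.MaxLength {
		problems = append(problems, fmt.Sprintf("longer than %d characters", p.MaxLength))
	}
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case !unicode.IsLetter(r) && !unicode.IsSpace(r):
			special = true
		}
	}
	if p.RequireUpperAndLower && !(upper && lower) {
		problems = append(problems, "needs both an upper-case and a lower-case letter")
	}
	if p.RequireDigit && !digit {
		problems = append(problems, "needs at least one number")
	}
	if p.RequireSpecial && !special {
		problems = append(problems, "needs at least one special character")
	}
	if p.Pattern != nil && !p.Pattern.MatchString(pw) {
		problems = append(problems, "does not match the account's custom rule")
	}
	if p.ForbidUserInfo {
		lowered := strings.ToLower(pw)
		for _, piece := range userInfoPieces(u) {
			if strings.Contains(lowered, piece) {
				problems = append(problems, "contains account information: "+piece)
				break
			}
		}
	}
	for i, old := range u.Previous {
		if i >= p.HistoryDepth {
			break
		}
		if old == pw {
			problems = append(problems, "reuses one of the previous passwords")
			break
		}
	}
	return problems
}

// userInfoPieces lower-cases the username, e-mail address (whole, local part and
// the local part's words) and user id. Fragments under three characters are
// ignored, an assumption made here so that a short numeric id such as "42"
// does not disqualify every password containing those digits.
func userInfoPieces(u User) []string {
	raw := []string{u.Username, u.Email, u.UserID}
	if at := strings.IndexByte(u.Email, '@'); at > 0 {
		local := u.Email[:at]
		raw = append(raw, local)
		raw = append(raw, strings.FieldsFunc(local, func(r rune) bool {
			return r == '.' || r == '_' || r == '-' || r == '+'
		})...)
	}
	var out []string
	for _, s := range raw {
		if s = strings.ToLower(strings.TrimSpace(s)); len(s) >= 3 {
			out = append(out, s)
		}
	}
	return out
}
```

Returning all violations at once lets the UI show the user the complete set of rules their account requires; the account-information check is case-insensitive and also splits the e-mail local part, since "jane.doe@" is most often reused as "Jane" or "Doe" rather than as the full address.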
AWS Host Datacenter
The following is a high-level view of SurveyGizmo's topology; the diagram's layer labels are reproduced as text below.
AWS Firewalls
According to the AWS Security White Paper, Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny-all mode, and we explicitly open the ports needed to allow inbound traffic. Traffic is restricted by protocol, by service port, and by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
(Source: Amazon Web Services, Overview of Security Processes, August 2015, page 28)
The AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer; thus an instance's neighbors have no more access to that instance than any other host on the Internet, and they can be treated as if they were on separate physical hosts. Physical RAM is separated using similar mechanisms. The firewall is not controlled through the guest OS; rather, it requires an X.509 certificate and key to authorize changes, adding an extra layer of security.
To eliminate IP spoofing, the firewall will not permit an instance to send traffic with a source IP or MAC address other than its own.
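The default-deny model described above, in which only explicitly opened protocol/port/source combinations pass, can be modelled and checked in a few lines. The Go program below is an added example for this page, not AWS or SurveyGizmo code; the Rule type is this example's own model of a security-group ingress rule, and the list of administrative ports that Lint flags is an assumption. It evaluates packets against a rule set with default deny and flags rules that expose administrative ports to 0.0.0.0/0, a misconfiguration the firewall itself will not prevent:

```go
package main

import (
	"fmt"
	"net"
)

// Rule models one explicit inbound allow in the shape of a security-group
// ingress rule: protocol, port range and source CIDR. The type is this
// example's own, not the AWS API.
type Rule struct {
	Proto    string // "tcp" or "udp"
	FromPort int
	ToPort   int
	Source   *net.IPNet
}

// MustCIDR parses "a.b.c.d/n" for building rule tables in code.
func MustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Allowed is default deny: a packet passes only if some rule matches its
// protocol, destination port and source address; no matching rule means dropped.
func Allowed(rules []Rule, proto string, port int, src net.IP) bool {
	for _, r := range rules {
		if r.Proto == proto && port >= r.FromPort && port <= r.ToPort && r.Source.Contains(src) {
			return true
		}
	}
	return false
}

// adminPorts is the assumed list of services that should never be opened to
// the whole Internet.
var adminPorts = []struct {
	Port int
	Name string
}{{22, "ssh"}, {3389, "rdp"}, {3306, "mysql"}, {5432, "postgresql"}}

// Lint flags rules that open an administrative port to 0.0.0.0/0 or ::/0,
// the misconfiguration a default-deny firewall cannot protect against.
func Lint(rules []Rule) []string {
	var findings []string
	for _, r := range rules {
		if ones, _ := r.Source.Mask.Size(); ones != 0 {
			continue // source is narrower than "anywhere"
		}
		for _, ap := range adminPorts {
			if ap.Port >= r.FromPort && ap.Port <= r.ToPort {
				findings = append(findings, fmt.Sprintf("%s/%d (%s) open to %s", r.Proto, ap.Port, ap.Name, r.Source))
			}
		}
	}
	return findings
}
```

Allowed shows why the default-deny posture matters: a port that no rule mentions is dropped without any explicit deny entry. Lint covers the failure mode the firewall does not, an administrator opening a wide port range to 0.0.0.0/0 "temporarily"; running it over the rule set before it is applied is cheaper than finding the exposure in the access logs.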
AWS technologies: Web Application Firewall / CloudFront / Route 53. Functions include: IDS, IPS, blacklists, DDoS and spoofing prevention.
AWS technologies: Virtual Private Cloud / Security Groups / Network ACLs / EC2. Functions include: subnet ACLs, inbound and outbound port restrictions, DMZ proxy layer.
Additional technologies: the DMZ proxy layer, which includes software that provides additional layer 3-7 protection. Host-based protection functions include: subnet/port ACLs.
(Source: Amazon Web Services, Overview of Security Processes, August 2015, page 23)
AWS Secure Network Architecture
According to the AWS Security White Paper, network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services.
ACLs, or traffic flow policies, are established on each managed interface to manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed using AWS's ACL-Manage tool, to help ensure these managed interfaces enforce the most up-to-date ACLs.
AWS Secure Access Points
According to the AWS Security White Paper, AWS has strategically placed a limited number of access points to the cloud to allow for more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow secure HTTP access (HTTPS). This access type allows you to establish a secure communication session with your storage or compute instances within AWS.
In addition, AWS has implemented network devices that are dedicated to managing interfacing communications with Internet Service Providers (ISPs). AWS employs a redundant connection to more than one communication service at each internet-facing edge of the AWS network. These connections each have dedicated network devices.
Amazon Corporate Segregation
According to the AWS Security White Paper, the AWS production network is logically segregated from the Amazon corporate network by means of a complex set of network security and segregation devices. AWS developers and administrators on the corporate network who need to access AWS cloud components in order to maintain them must explicitly request access through the AWS ticketing system. All requests are reviewed and approved by the applicable service owner. Approved AWS personnel then connect to the AWS network through a bastion host that restricts access to network devices and other cloud components, logging all activity for security review. Access to bastion hosts requires SSH public-key authentication for all user accounts on the host.
AWS Fault-Tolerant Design
According to the AWS Security White Paper, Amazon's infrastructure has a high level of availability and provides its customers with the capability to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is "cold." In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Logging & Alerting
A lack of effective system logging and monitoring would reduce SurveyGizmo's ability to identify threats, cyber-attacks or security events.
Logs
Logs are kept for a minimum of 90 days and are stored in AWS. We maintain user access log entries that contain the date, time, customer information, operation performed, and source IP address. If there is suspicion of inappropriate use, SurveyGizmo can provide customer log entry records to assist in analysis. This service is provided on a time and materials basis.
Robust monitoring software is used to monitor performance and notify us of any problems in our production environment. The checks include, but are not limited to, business logic, the database layer, disk space, resources, and application logs.
Federated Multi-Tenant Database Design
To ensure that data collected for different purposes can be processed separately, SurveyGizmo logically separates the data of each of its clients. Each customer has a unique login ID, and data segmentation is keyed off a unique customer ID. Each user has a unique username (email address) and their own password. After repeated unsuccessful logins, the lockout feature prevents the login page from being resubmitted. Federating our data also lets us scale horizontally to support increasing numbers of users and customers.
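The access-log fields listed under Logs and the lockout behaviour described above can be replayed offline to find bursts of failed logins. The Go program below is an added example for this page, not SurveyGizmo's detection logic; the log line layout (cust=, op=, src= fields), the operation names and the sample log lines are constructed here. It parses the lines, applies a sliding window per customer, emits a lockout when the failure threshold is crossed, and flags any successful login recorded while the account should still have been locked:

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Entry is one access-log record carrying the fields listed under Logs:
// date, time, customer, operation and source IP.
type Entry struct {
	At       time.Time
	Customer string
	Op       string
	SrcIP    string
}

// Lockout is emitted when a customer exceeds the failure threshold inside the window.
type Lockout struct {
	Customer string
	At       time.Time
	SrcIPs   []string // distinct sources seen in the offending burst
}

// SampleLog is constructed for this example; the "cust=/op=/src=" layout is an
// assumption, not SurveyGizmo's real log format.
var SampleLog = []string{
	"2017-12-19 08:01:12 cust=10482 op=login.failed src=198.51.100.7",
	"2017-12-19 08:01:20 cust=10482 op=login.failed src=198.51.100.7",
	"2017-12-19 08:01:33 cust=10482 op=login.failed src=203.0.113.9",
	"2017-12-19 08:01:45 cust=10482 op=login.failed src=198.51.100.7",
	"2017-12-19 08:02:01 cust=10482 op=login.failed src=198.51.100.7",
	"2017-12-19 08:02:30 cust=10482 op=login.success src=198.51.100.7",
	"2017-12-19 08:05:00 cust=77301 op=login.failed src=192.0.2.44",
	"2017-12-19 08:40:00 cust=77301 op=login.failed src=192.0.2.44",
	"2017-12-19 09:10:00 cust=77301 op=login.failed src=192.0.2.44",
	"2017-12-19 09:11:05 cust=77301 op=login.success src=192.0.2.44",
	"2017-12-19 09:12:00 cust=77301 op=survey.export src=192.0.2.44",
}

// ParseLine reads "<date> <time> cust=<id> op=<name> src=<ip>".
func ParseLine(line string) (Entry, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Entry{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse("2006-01-02 15:04:05", f[0]+" "+f[1])
	if err != nil {
		return Entry{}, err
	}
	e := Entry{At: at}
	for _, kv := range f[2:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return Entry{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch parts[0] {
		case "cust":
			e.Customer = parts[1]
		case "op":
			e.Op = parts[1]
		case "src":
			e.SrcIP = parts[1]
		}
	}
	if e.Customer == "" || e.Op == "" || e.SrcIP == "" {
		return Entry{}, fmt.Errorf("missing field in %q", line)
	}
	return e, nil
}

// DetectLockouts replays the log in order with a sliding window per customer:
// one Lockout per burst of >= threshold failures within window, plus every
// login.success recorded while that customer should still have been locked.
func DetectLockouts(lines []string, threshold int, window time.Duration) ([]Lockout, []Entry, error) {
	type state struct {
		fails  []Entry
		locked bool
	}
	states := map[string]*state{}
	var lockouts []Lockout
	var suspicious []Entry
	for _, line := range lines {
		e, err := ParseLine(line)
		if err != nil {
			return nil, nil, err
		}
		st, ok := states[e.Customer]
		if !ok {
			st = &state{}
			states[e.Customer] = st
		}
		switch e.Op {
		case "login.failed":
			recent := st.fails[:0] // drop failures that fell out of the window
			for _, f := range st.fails {
				if e.At.Sub(f.At) <= window {
					recent = append(recent, f)
				}
			}
			st.fails = append(recent, e)
			if !st.locked && len(st.fails) >= threshold {
				st.locked = true
				lockouts = append(lockouts, Lockout{Customer: e.Customer, At: e.At, SrcIPs: distinctIPs(st.fails)})
			}
		case "login.success":
			if st.locked {
				suspicious = append(suspicious, e) // login succeeded during lockout
			}
			st.locked, st.fails = false, nil
		}
	}
	return lockouts, suspicious, nil
}

func distinctIPs(es []Entry) []string {
	seen := map[string]bool{}
	var out []string
	for _, e := range es {
		if !seen[e.SrcIP] {
			seen[e.SrcIP] = true
			out = append(out, e.SrcIP)
		}
	}
	return out
}
```

Keying the window on the customer rather than the source address is deliberate: a credential-stuffing run spread across several IPs (the second burst above comes from two sources) still trips the threshold, and the distinct source list on the Lockout is what an analyst would pivot on next. A login.success during a lockout is reported separately because, if the lockout is enforced at the login page, it should never occur; seeing one in the logs points at a bypass path worth investigating.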
Background Queued Processes
We leverage a number of queuing systems to defer jobs that do not need to be transactional. This allows us to scale the number of queues and workers up and down to mirror the demands on our systems without impacting the front-end experience of users in the application.
Redundant Data Stores
To ensure that we never lose any of our customers' data, we use multiple strategies built on redundant data stores, including RAID-based storage, master/read-replica databases, and in-memory caching.
Supply Chain Management
SurveyGizmo identifies, classifies and fulfils the required business need through a concise and consistent Vendor Management process. SurveyGizmo's prospective and current vendors must adhere to the same level of security that SurveyGizmo has.
SurveyGizmo requires the vendor procurement process to follow a specific set of steps before a determination is made to contract with a vendor for a particular business need. Creating and following an appropriate selection process, selection criteria and assignment of a vendor risk level provides the consistency needed to ensure that all contracted vendors are fulfilling the required business need.
Threat & Vulnerability Management
Vulnerability management is a proactive approach to managing network security. It includes processes for checking for and identifying vulnerabilities, verifying and mitigating vulnerabilities, and patching vulnerabilities. A vulnerability management program provides a way to assess, monitor and remediate vulnerabilities in IT systems. Managing vulnerabilities helps to decrease the risk, and the window of time, in which vulnerabilities can be exploited. Patches are also deployed to minimize vulnerabilities resulting from unpatched systems.
Scanning and Patching
Firewall logs and other logs are restricted to authorized users via multi-factor authentication (MFA) controls. We use the MFA that AWS recommends, and only our privileged IT Admins have access to this information.
Local systems are protected with industry standard antivirus software. Production servers are Linux-based and frequently patched to ensure their security is always up to date. Security patches are applied within 2-3 days of notification that the patches are available. We roll patches out through the development rollout process outlined earlier in this document: development to QA to production.
When vulnerabilities are identified, our mitigation scale is as follows:
• Critical: addressed immediately
• High: addressed within 72 hours
• Medium: included in the next appropriate sprint
AWS Service Organization Controls (SOC) 3 Report
A link to AWS's SOC 3 report is provided in the original document (not reproduced here). The report is dated April 25, 2016 and covers security and availability for the period October 1, 2015 to March 31, 2016.
References
This document was created with the following references:
https://aws.amazon.com/compliance/resources/
https://aws.amazon.com/security/
https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf