Information Technology Security
Standard Operating Environments
JobReady uses a documented Standard Operating Environment for all servers. The servers are provisioned through code, and all changes to the environment go through JobReady's secure programming practices.
Operating systems automatically apply security updates. The web application software that JobReady develops has static code analysis built into the development process to identify known vulnerabilities. Patching and upgrading of software components are a regular part of development procedures.
JobReady uses a series of software development environments: development, staging and production. Software can only progress to the next environment after it passes all the checks at each level: internal peer code review, static code analysis, automated unit and integration testing, manual QA and UAT.
Web Application Development
JobReady web applications are developed using security best practice. All developers are trained to be aware of OWASP security guidelines. Database queries are parameterized. Application inputs and outputs are properly sanitised and encoded. Errors and exceptions are logged and monitored.
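The two practices named above, parameterized database queries and output encoding, are illustrated by the following added example. It is not JobReady's code and assumes nothing about their framework; it uses an in-memory SQLite table with constructed rows to show why the query parameter must travel separately from the SQL text, and Python's html module for encoding before values reach markup.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("Alice Ng", "alice@example.com"), ("Conor O'Brien", "conor@example.com")],
    )
    return conn


def find_user_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """The pattern parameterization replaces: the input becomes part of the SQL text.
    A legitimate apostrophe in "O'Brien" already breaks the statement, which is the
    same mechanism that lets crafted input change the query's meaning."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterised(conn: sqlite3.Connection, name: str) -> list:
    """The driver binds the value separately from the statement; the apostrophe is data."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_profile_row(row: tuple) -> str:
    """Output encoding: each field is HTML-escaped before it is placed in markup, so a
    stored value containing '<' or quotes renders as text rather than as tags."""
    user_id, name, email = row
    return f'<li data-id="{int(user_id)}"><b>{html.escape(name)}</b> {html.escape(email)}</li>'


def demo() -> dict:
    """Run both lookups for a name containing an apostrophe and render the safe result."""
    conn = make_db()
    name = "Conor O'Brien"
    results = {"parameterised": find_user_parameterised(conn, name)}
    try:
        results["concatenated"] = find_user_concatenated(conn, name)
    except sqlite3.OperationalError as exc:  # SQLite rejects the broken statement
        results["concatenated"] = f"error: {exc}"
    results["html"] = render_profile_row(results["parameterised"][0])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated version fails on ordinary data; the parameterised version returns the row, and the rendered output carries escaped text whatever the stored value contains.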
Databases are securely provisioned with unique credentials. All use and administration of the database is through the web application and framework. Database administrator accounts are only used to provision less privileged accounts for regular use.
The network is designed to restrict access to the database to the fewest systems necessary.
Volumes used for data are encrypted at rest for an extra layer of protection.
Production, test and development environments are strictly separated.
Strong authentication and access controls are implemented to restrict administrative access to production systems, internal support tools, and customer data.
All administrative access to production systems requires a second factor of authentication. Machine-level access requires key-based authentication and uses transport encryption to provide data confidentiality in transit. Unique user identification, strong passwords and One-Time-Passwords (OTP) are used to help ensure access to customer data is appropriate and authorized.
Security events on the application, host, network and environment are logged and audited.
Administrative access to production systems is only possible through a dedicated bastion host (jump box) via SSH using a passphrase-secured key pair.
Traffic on the bastion host is limited to protocols required for administrative purposes. SSH traffic to any other production instance is only possible directly from the bastion.
Administrative access to systems with customer data is limited to those engineers with a specific business need.
JobReady divides its systems into separate networks to better protect more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting production websites. Customer data is only permitted to exist in the production and staging networks, the most tightly controlled networks.
Network access to the production environment from open, public networks (the internet) is restricted. Only a single bastion host is accessible from the internet. Only those network protocols essential for delivery are open in the DMZ at the perimeter.
Changes to the production network configuration are restricted to authorized personnel. The network infrastructure is defined in code and captured in version control.
JobReady policy is to always use encryption, where possible, for data in transit and at rest.
Data at rest, and in transit, is encrypted with ASD Approved Cryptographic Algorithms (AACAs) and ASD Approved Cryptographic Protocols (AACPs).
Transport Layer Security (TLS) is used for all public network connections with a modern SSL security policy meeting an SSL Labs A rating. The preferred server-negotiated connection will be on TLS 1.2 with Elliptic Curve Diffie-Hellman session keys and perfect forward secrecy. HTTP Strict Transport Security (HSTS) ensures that a TLS connection is always used.
SSL server certificates use RSA-2048 keys and SHA-256 signature hashes.
SSH servers use Center for Internet Security (CIS) benchmark approved MAC algorithms with SHA-2.
JobReady staff SSH keys use RSA-4096 keys.
AES-256 is used to symmetrically encrypt data at rest.
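The SSH controls described on this page, key-based authentication on the bastion host and the SHA-2 MAC algorithms above, can be verified on a host by auditing its sshd_config. The following added example is not JobReady's tooling; it parses a constructed sshd_config text (the sample configurations are made up for this example), requires that password and keyboard-interactive logins are disabled in favour of public keys, and accepts only the SHA-2 HMAC names from OpenSSH. The exact list of approved MACs and the "first value wins" parsing rule are assumptions drawn from OpenSSH's documented behaviour, not from the page.

```python
# Constructed sample: a bastion sshd_config that meets the policy.
SAMPLE_SSHD_CONFIG = """\
# bastion host (constructed example, not a real host's configuration)
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
"""

# Constructed sample: a configuration that violates the policy in several ways.
WEAK_SSHD_CONFIG = """\
PasswordAuthentication yes
MACs hmac-sha1,hmac-md5,hmac-sha2-256
"""

# OpenSSH MAC names in the SHA-2 family (assumed to be the CIS-approved set).
SHA2_MACS = {
    "hmac-sha2-256",
    "hmac-sha2-512",
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512-etm@openssh.com",
}

# Required top-level settings for key-only authentication. The keyboard-interactive
# directive is spelled ChallengeResponseAuthentication in older OpenSSH releases.
REQUIRED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> dict:
    """Return {keyword: value} for top-level directives. As in sshd, the first occurrence
    of a keyword wins; Match blocks are skipped because they apply conditionally."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> list:
    """Return a list of findings; an empty list means the configuration meets the policy."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly, sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', expected '{want}'")
    macs = settings.get("macs")
    if macs is None:
        findings.append("macs: not set; the sshd default list includes non-SHA-2 algorithms")
    else:
        bad = [m.strip() for m in macs.split(",") if m.strip() not in SHA2_MACS]
        if bad:
            findings.append("macs: non-SHA-2 algorithms present: " + ", ".join(bad))
    return findings


if __name__ == "__main__":
    print("bastion:", audit_sshd_config(SAMPLE_SSHD_CONFIG) or "policy met")
    print("weak:", audit_sshd_config(WEAK_SSHD_CONFIG))
```

Run against a real file with audit_sshd_config(open("/etc/ssh/sshd_config").read()); a host whose findings list is not empty should not be serving as the bastion or as a production instance behind it.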