Security at JobReady
JobReady is committed to the security of your data. We use industry-standard security technologies, procedures and best practices, detailed below, to protect your information from unauthorised access, use, or disclosure.
The JobReady Information Security Management System (ISMS) is certified to meet the ISO 27001 global standard.
To contact us about a security related issue: firstname.lastname@example.org
Information Security Governance
JobReady takes a risk-based approach to information security. Risk management is an integral part of the organisational processes used to manage the protection of our information and systems. In our design and delivery of software, we apply fundamental security principles.
Vulnerability management is conducted throughout the system life cycle. Software code and infrastructure-as-code are subject to automated test coverage and peer review. Static code analysis and vulnerability checking are performed with each change. Penetration tests are performed annually by an independent third party. A formal change management process is used for all routine and urgent changes. All change requirements are planned, tracked and managed within a single software solution.
All JobReady staff undergo security awareness training. Staff with privileged access to systems or data receive additional job-specific training on privacy and security. Personnel requiring access to production systems or data must have undergone appropriate security clearance.
Physical & Comms
JobReady web applications are hosted within the public cloud using data centres operating in alignment with Uptime Institute Tier II or above. The data centres provide physical security of the servers and isolation of the virtual network and host.
Information Technology Security
Standard Operating Environments
JobReady uses a documented Standard Operating Environment for all servers. The servers are provisioned through code, and all changes to the environment go through JobReady's secure programming practices.
Operating systems automatically apply security updates. The web application software that JobReady develops has static code analysis built into the development process to identify known vulnerabilities. Patching and upgrading of software components are a regular part of development procedures.
JobReady uses a series of software environments: development, staging and production. Software is only able to progress to the next environment after it passes all the checks at the current level: internal peer code review, static code analysis, automated unit and integration testing, manual QA and UAT.
Web Application Development
JobReady web applications are developed using security best practice. All developers are trained to be aware of OWASP security guidelines. Database queries are parameterised. Application inputs and outputs are properly sanitised and encoded. Errors and exceptions are logged and monitored.
Databases are securely provisioned with unique credentials. All use and administration of the database is through the web application and framework. Database administrator accounts are only used to provision less privileged accounts for regular use. The network is designed to restrict access to the database to the fewest necessary systems. Volumes used for data are encrypted at rest for an extra layer of protection. Production, test and development environments are strictly separated.
Strong authentication and access controls are implemented to restrict administrative access to production systems, internal support tools, and customer data. All administrative access to production systems requires a second factor of authentication. Machine-level access requires key-based authentication and uses transport encryption to provide data confidentiality in transit. Unique user identification, strong passwords and one-time passwords (OTP) are used to help ensure access to customer data is appropriate and authorised. Security events on the application, host, network and environment are logged and audited.
Administrative access to production systems is only possible through a dedicated bastion host (jump box) via SSH using a passphrase-secured key pair. Traffic on the bastion host is limited to protocols required for administrative purposes. SSH traffic to any other production instance is only possible directly from the bastion. Administrative access to systems with customer data is limited to those engineers with a specific business need.
JobReady divides its systems into separate networks to better protect more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting production websites. Customer data is only permitted to exist in the production and staging networks, the most tightly controlled networks.
Network access to the production environment from open, public networks (the internet) is restricted. Only a single bastion host is accessible from the internet. Only those network protocols essential for delivery are open in the DMZ at the perimeter. Changes to the production network configuration are restricted to authorised personnel. The network infrastructure is defined in code and captured in version control.
JobReady policy is to always use encryption, where possible, for data in transit and at rest.
Data at rest, and in transit, is encrypted with ASD Approved Cryptographic Algorithms (AACAs) and ASD Approved Cryptographic Protocols (AACPs).
Transport Layer Security (TLS) is used for all public network connections with a modern SSL security policy meeting an SSL Labs A rating. The preferred server-negotiated connection is TLS 1.2 with Elliptic Curve Diffie-Hellman session keys and perfect forward secrecy. HTTP Strict Transport Security (HSTS) ensures that a TLS connection is always used.
TLS server certificates use RSA-2048 keys with SHA-256 signatures.
SSH servers use Center for Internet Security (CIS) benchmark approved MAC algorithms based on SHA-2.
JobReady staff SSH keys use RSA-4096 key pairs.
AES-256 is used to symmetrically encrypt data at rest.