• Security

    JobReady is committed to the security of your data. We use industry-standard security technologies, procedures and best practices, detailed below, to protect your information from unauthorised access, use, or disclosure.

    To contact us about a security related issue: security@jobready.com.au

  • Information Security Governance

    JobReady takes a risk-based approach to Information Security. Risk management is an integral part of the organisational processes used to manage the protection of our information and systems. In our design and delivery of software, we use fundamental security principles such as:

    Least necessary privilege
    Separation of duties
    Defence in depth

    The JobReady Information Security Management System (ISMS) contains documentation to support the accurate and consistent application of policy and procedures. The ISMS has been developed in alignment with the Information Security Manual (ISM), published by the Australian Signals Directorate (ASD), an Australian government security framework similar to the internationally recognised ISO 27001.

    A backup strategy ensures all databases and assets are redundantly backed up and audited, with restoration procedures automated and regularly tested.

  • Information Security Monitoring

    Vulnerability management is conducted throughout the system life cycle. Software code and infrastructure-as-code are subject to automated test coverage and peer review. Static code analysis and vulnerability checking are performed with each change. Penetration tests are performed by an independent third party annually.
    A formal change management process is used for all routine and urgent changes. All change requirements are planned, tracked and managed within a single software solution.

  • Personnel Security

    All JobReady staff undergo security awareness training. Staff with privileged access to systems or data receive additional job-specific training on privacy and security.

    Personnel requiring access to production systems or data are required to have undergone appropriate security clearance.

  • Physical & Communications Security

    JobReady web applications are hosted within the public cloud using data centres operating in alignment with Uptime Institute Tier II or above. The data centres provide physical security of the servers and isolation of the virtual network and host.

  • Information Technology Security

    Standard Operating Environments

    JobReady uses a documented Standard Operating Environment for all servers. The servers are provisioned through code, and all changes to the environment go through JobReady's secure programming practices.

    Software Patching

    Operating systems automatically apply security updates. The web application software which JobReady develops has static code analysis built into the development process to identify known vulnerabilities. Patching and upgrades of software components are a regular part of development procedures.

    Software Development

    JobReady uses a series of software development environments: development, staging and production. Software can only progress to the next environment after it passes all the checks at each level: internal peer code review, static code analysis, automated unit and integration testing, manual QA and UAT.

    Web Application Development

    JobReady web applications are developed using security best practice. All developers are trained to be aware of OWASP security guidelines. Database queries are parameterized. Application inputs and outputs are properly sanitised and encoded. Errors and exceptions are logged and monitored.

    Database Systems

    Databases are securely provisioned with unique credentials. All use and administration of the database is through the web application and framework. Database administrator accounts are only used to provision less privileged accounts for regular use.
    The network is designed to restrict access to the database to the fewest necessary systems.
    Volumes used for data are encrypted at rest for an extra layer of protection.
    Production, test and development environments are strictly separated.

    Access Control

    Strong authentication and access controls are implemented to restrict administrative access to production systems, internal support tools, and customer data.
    All administrative access to production systems requires a second factor of authentication. Machine-level access requires key-based authentication and uses transport encryption to provide data confidentiality in transit. Unique user identification, strong passwords and One-Time-Passwords (OTP) are used to help ensure access to customer data is appropriate and authorized.
    Security events on the application, host, network and environment are logged and audited.

    Secure Administration

    Administrative access to production systems is only possible through a dedicated bastion host (jump box) via SSH using a passphrase-secured SSH key.
    Traffic on the bastion host is limited to protocols required for administrative purposes. SSH traffic to any other production instance is only possible directly from the bastion.
    Administrative access to systems with customer data is limited to those engineers with a specific business need.

    Network Security

    JobReady divides its systems into separate networks to better protect more sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting production websites. Customer data is only permitted to exist in the production and staging networks, the most tightly controlled networks.

    Network access to the production environment from open, public networks (the internet) is restricted. Only a single bastion host is accessible from the internet. Only those network protocols essential for delivery are open in the DMZ at the perimeter.
    Changes to the production network configuration are restricted to authorized personnel. The network infrastructure is defined in code and captured in version control.

    Cryptography

    JobReady policy is to always use encryption, where possible, for data in transit and at rest.

    Data at rest and in transit is encrypted with ASD Approved Cryptographic Algorithms (AACAs) and ASD Approved Cryptographic Protocols (AACPs).
    Transport Layer Security (TLS) is used for all public network connections, with a modern TLS security policy meeting an SSL Labs A rating. The preferred server-negotiated connection is TLS 1.2 with Elliptic Curve Diffie-Hellman session keys, providing perfect forward secrecy. HTTP Strict Transport Security (HSTS) ensures that a TLS connection is always used.
    TLS server certificates use RSA-2048 keys with SHA-256 signature hashing.
    SSH servers use Center for Internet Security (CIS) benchmark approved MAC algorithms based on SHA-2.
    JobReady staff SSH keys are RSA-4096.
    AES-256 is used to symmetrically encrypt data at rest.
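    The bastion SSH controls described under Access Control, Secure Administration and Cryptography (key-only login, no password authentication, SHA-2 MACs only) can be audited against an sshd_config file. The following is an added example written for this page, not JobReady's own tooling; both configuration samples are constructed, and the required settings and MAC allow-list are assumptions based on the policy text.

```python
import re

# Constructed sample of a hardened bastion sshd_config (not a real JobReady file).
HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""

# Constructed sample that violates the policy: passwords on, key auth unset, weak MACs.
WEAK_CONFIG = """\
PasswordAuthentication yes   # trailing comments are ignored by the parser
PermitRootLogin no
MACs hmac-sha2-256,hmac-sha1,hmac-md5
"""

# Assumed settings for key-only administrative access, per the Access Control section.
REQUIRED = {"pubkeyauthentication": "yes", "passwordauthentication": "no", "permitrootlogin": "no"}

# Assumed allow-list: only SHA-2 HMACs; SHA-1, MD5 and UMAC variants are findings.
SHA2_MAC = re.compile(r"^hmac-sha2-(256|512)(-etm@openssh\.com)?$")


def parse_sshd_config(text):
    """Map each keyword (lower-cased) to its value; as in sshd, the first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # accepts "Key value" or "Key=value"
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_policy(text):
    """Return a list of findings; an empty list means the config meets the stated policy."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly; sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key} is {got!r}, policy requires {want!r}")
    macs = cfg.get("macs")
    bad = [m for m in macs.split(",") if not SHA2_MAC.match(m.strip())] if macs else ["(unset)"]
    if bad:
        findings.append("MACs not limited to SHA-2: " + ", ".join(bad))
    return findings
```

Running `check_policy` over the hardened sample returns no findings, while the weak sample yields three: key authentication unset, password authentication enabled, and SHA-1/MD5 MACs offered.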
