Skills Base Technical Policy

1.1   Security Certifications

All Skills Base associated data is hosted on Amazon AWS, subsequently their whitepaper will apply (see attached):

Security certifications held by Skills Base.

Certificate Does Skills Base hold the certificate? Notes
ISO27001/ISO27002 Yes The infrastructure provider (AWS) holds SOC1, SOC2, and SOC3 certifications. See: https://aws.amazon.com/compliance/
SOC 1/SSAE 16/ISAE 3402 and SOC 2 Yes The infrastructure provider (AWS) holds SOC1, SOC2, and SOC3 certifications. See: https://aws.amazon.com/compliance/
PCI DSS Yes The infrastructure provider (AWS) holds PCI DSS Level 1 certification. See: https://aws.amazon.com/compliance/
IRAP Yes The infrastructure provider (AWS) holds IRAP certification. See: https://aws.amazon.com/compliance/

1.2   Security of Architecture 

How is classified data transmitted?

All data is transmitted between Client and server using encrypted SSL channels.

What physical security measures are implemented to protect the service? e.g. physical access to facilities, backups etc.

Skills Base is hosted by AWS. Physical security therefore is provided as per the above whitepaper. Complete backups of all data nightly for use in the case of a disaster.

What controls are in use for protecting internet gateways (including firewall and intrusion detection/prevention systems)?

  • Firewalls are present in front of all Internet-facing assets.
  • Non-public assets (e.g. database servers) are blocked from public access.
  • Monitoring is in place for public assets.
  • Application nodes are immutable and elastically scalable.
  • Self-healing is implemented for application nodes.
  • Countermeasures are deployed and in place for common attacks (e.g. CSRF, Session hijack).
  • Further information available here: http://wiki.skills-base.net/index.php?title=Security

What encryption does Skills Base use?

  • Data at rest:
    • Database file system: AES-256 encryption.
    • Database backup files: AES-256 encryption.
    • Database backup filesystem: AES-256 encryption.
    • File uploads file system: AES-256 encryption.
  • Data in transit:
    • Secure Sockets Layer.

1.3     Technical Architecture

What is the deployment and service model of Skills Base?

Public SaaS.

Where (geographic locations) are software, data records and attached files being stored?

Skills Base is hosted by default in the United States using world-class, highly secure data centres that are certified to comply with global standards including SOC 1/2/3, ISO 27001, PCI DSS and many more. Other hosting locations are available by request for an additional fee.

What is the hosting environment implementation to ensure good connectivity, security, scalability, load balancing, and redundancy of components, encryption and quality of service?

  • All infrastructure hosted by default in the United States. Other hosting locations are available by request for an additional fee.
  • Database back-end is redundant across two availability zones.
  • All transmissions between Client and server are encrypted using SSL.
  • Application nodes are elastically scalable based on demand.

What communication links and bandwidth requirements are in use?

Real-time communications over the Internet via Secure Sockets Layer.

What is the need for a firewall and open ports to traffic?

Access to the public internet is required.

Which ports are open in the firewall?

80, 443

1.4  Data Segregation 

How data is segregated from Client?

Data is logically segregated using the Client’s unique key.

What provisions are in the architecture to confirm segregation?

The Client can perform a full export of data.

What methods do Educrowd staff use to remotely access the system?

HTTPS access via SSL.

What administrative access will Educrowd IT and support employees have to system?

Employees will have administrative access to Skills Base via the web application and can further grant administrative access to other Educrowd employees at their discretion.

What methods are used to ensure that Skills Base employees, who have access to Client’s restricted data, have been properly vetted? (e.g. Law enforcement background checks etc.)

  • Police check on staff as part of recruitment.
  • Only employee access – no contractor access to data.
  • Use of audited support tool for all data access with named users assigned to tasks.
  • Peer review of staff tasks and spot checks.

Are the duties of the Educrowd’s technical staff separated to ensure least privilege and individual accountability?

Yes. Educrowd staff have support-level access via the Skills Base web interface, using personalised login credentials. Only Skills Base authorised engineers have access to lower levels of the system (e.g. database and file system).

Are there documented job descriptions that accurately reflect assigned duties and responsibilities and that segregate duties?

Yes. Our support tool also assigns tickets to specific individuals and supports auditing of tasks against named individuals.

1.5    User Credential Management

What authentication mechanisms are in use?

There is a choice of two different authentication mechanisms available to Clients:

  • Forms based authentication over HTTPS, or
  • SAML2 based authentication

What authorisation mechanisms are in use?

Authorisation is administered by administrators appointed by the Client using a mechanism called “Security Groups” within the product.

How is user access invoked and revoked?

Forms based authentication: User access is explicitly granted by an administrator appointed by the Client.

SAML authentication: User access is granted by the Clients Identity Provider (IdP)

Can Educrowd assume full control of provisioning user access?

The Client assumes full control over the provisioning of user access.

How are credentials other than passwords managed, in case of multi-factor authentication?

Multi-factor authentication can be employed by the Client when using SAML authentication which places the management of those MFA credentials within the Client’s remit. MFA is not available for the forms-based authentication option.

What procedures are in place to manage user credentials?

SAML authentication (Credentials are managed by the Client on-premises)

Forms-based authentication (Please see: http://wiki.skills-base.net/index.php?title=Security)

What methods, of federating Agency identity, store (Active Directory) with the service offering exist

SAML federation with ADFS will be used for authentication.

Is Single Sign On possible?

Yes

2.1   Level of Data Classification

What level of data does Skills Base and Educrowd handle?

Confidential data

What is the policy regarding responsibility, in terms of implementing security controls?
Refer attached:

PL.1.101 Information Security Policy

  • 1.210 Patch Management Policy
  • 2.100 Change Control Policy
  • 2.200 Vulnerability and Threat Management Policy
  • 2.100 IT Access and Account Management

Will data be disposed of?

Disposal can be completed on request

2.2   Off Shore Agreements

Geographical location where data will be stored

Skills Base is hosted by default in the United States. Other hosting locations are available by request for an additional fee.

How the onshore or offshore agreements are enforced.

AWS allows for specific designation of location under their service offering. It is enforceable and can also be checked based on IP range.

2.3   Penetration Test Results

What penetration tests can be conducted against the infrastructure

Client initiated penetration testing can be arranged by request.

What processes or procedures are required to allow an external penetration test against the cloud infrastructure and the hosted system/application?

Client initiated penetration testing can be arranged by request.

Existing results from previous penetration tests

See attached “Vulnerability Report”.

Has another organisation performed a penetration test against the cloud provider?

Yes

2.4   Incident Handling and Reporting

Does Skills Base perform on-going monitoring to detect unusual activity with an automated intruder detection system, or by some other means? 

Yes

What expectations does Educrowd place on the Clients’s role regarding information security incident management? 

See: http://wiki.skills-base.net/index.php?title=Terms_and_Conditions.

What is Educrowd and Skills Base process for disclosing, any data requests, such as subpoenas or warrants, from a third party? 

Such notices are disclosed to impacted parties within 24 hours.

What information is captured in system logs (e.g. Successful/unsuccessful log-on and log-off attempts; identification and authentication failures; failed attempts to access information)? 

Authentication/Authorisation-related events that are logged:

  • Successful login
  • Unsuccessful login
  • Log off
  • Locked account (repeated failed attempts)
  • Failed attempts to access information
  • Confirm Issue is Addressed

Is this information available to Educrowd under the terms of the agreement?

Yes

How will exceptions (including risks or vulnerabilities) identified by data validity checks, audits or activity logging be communicated? 

To administrators appointed by the Client via email if there is an impact.

How long are logs kept for? 

Indefinitely

How are the logs protected from unauthorised access? 

Through application authorization mechanisms and encryption (when archived).

How often does the Educrowd review system logs? Can system logs be reviewed by the Client organisation administrative staff and imported to other log analysis tools? 

Application logs are reviewed as required, however high priority log events are pushed to support staff via email notification. Application logs can be made available to administrative staff upon request.

2.5   Patching Regime 

To what extent does the cloud provider test its software for security vulnerabilities, including conducting software penetration tests?

  • Regular penetration testing
  • Unit testing
  • Application monitoring
  • Application logging
  • User testing

How often will the cloud provider review system risks and vulnerabilities?

Quarterly

How will virus prevention be assured? 

Skills Base does not require any downloadable software.

If a virus is introduced, how will the cloud provider take appropriate steps to minimise the effects of the virus?

In the event of a virus on a machine used by Skills Base staff to accesses Skills Base infrastructure.

  • The virus would be detected by virus scanning software that is mandated for installation on all employee machines that access Skills Base infrastructure.
  • The virus would automatically be disabled or removed, thereby preventing spread.
  • The actions would be logged and the user notified.
  • An investigation into the cause would be conducted and recommendations made and implemented.

How often will the Skills Base Business patch systems or networks?

Quarterly at minimum, or sooner in the event of a security release.

Will a patch require the cloud service to be restarted or systems rebooted? 

No

2.7   Backup and Recovery  

What disaster recovery and business continuity options or arrangements are in place, to safeguard service continuity?

See:

Who owns the infrastructure used to deliver the SaaS. Who owns and controls the complete hardware infrastructure used to provide the service i.e. servers, network connectivity, firewalls, log file management, web application firewalls and access and identity management etc.

Amazon Web Services

Are there extra charges for backup, restoring data or other services?

  • Backup: No
  • Restoring data in the event of system failure: No
  • Restoring data in the event of Client user error: Yes
  • Other services: Yes

Does backup allow for point-in-time recovery in case of failure?

Yes, however point-in-time is constrained to fixed 24 hour intervals.

What testing and backup arrangements are in place for installing new patches and upgrades to the service offering?

  • Penetration testing.
  • Unit testing.
  • Application monitoring.
  • Application logging.
  • User testing.

How frequently does the Skills Base Business test the integrity of the backups?

Quarterly.

To what extent, and by what means, does the Skills Base Business ensure system availability consistent with the Client’s disaster recovery objectives 

As per SLA – Appendix A – Educrowd Skills Base Proposal (290817).

How often does the Skills Base Business test disaster recovery process and procedures?

Annually

Agreed times for how long a data recovery or restore will take

See: http://wiki.skills-base.net/index.php?title=Service_Level_Agreement.

Is the infrastructure dispersed; are the primary site and the disaster recovery site geographically separated and allow for redundancy for all infrastructure components (networks, power grids etc.)?

Yes

Is your data ‘safe-harboured’? i.e. copy of your data stored securely by a 3rd provider separate from the cloud provider

No

2.8   Reliability

What is uptime history of Skills Base?

99.999%

What is the longest outage experience by Skills Base?

15 minutes

Can the Client operate offline if the system/service becomes unavailable?

No

What reports are available regarding system reliability?

See attached “Uptime Report”

What notice is provided for scheduled maintenance periods?

From: http://wiki.skills-base.net/index.php?title=Service_Level_Agreement

Standard Scheduled Maintenance Windows apply weekly on Saturdays and Sundays from 2:00am UTC to 5:00am UTC. During Scheduled Maintenance Windows services may become unavailable, but not for a period longer than 15 consecutive minutes, and not for longer than 30 minutes in aggregate.

Scheduled Maintenance Windows are not an indication that maintenance will necessarily be performed or that services will be unavailable, however those windows will be used in cases where maintenance is required on a given week.
Additional Maintenance Windows, or extensions to the standard Scheduled Maintenance Window, may be scheduled by way of announcement on the Skills Base Blog with at least 5 days notice being given.

GET IN TOUCH

Ready to eliminate skill gaps for better outcomes?

Share This