- Sitepass business, processes, procedures and application goes undertake regular reviews or every 12 months to ensure everything we do meets stringent international quality and security standards.
- Amazon web services is compliant with a range of standards including ISO 27001:2013 as outlined in their website https://aws.amazon.com/compliance/programs/.
- All of our services run in the cloud and hosted using Amazon web services (AWS). Sitepass does not run our own routers, load balancers, DNS servers, or physical servers.
- All of our services and data are hosted in AWS facilities in Australia and protected by AWS security, as described at https://aws.amazon.com/security/sharing-the-security-responsibility.
- Sitepass services have been built with disaster recovery in mind, as described in our business continuity plan, ensuring we meet our availability targets as defined in our service levels.
- Amazon does not disclose the location of its data centres. As such, Sitepass builds on the physical security and environmental controls provided by AWS. See https://aws.amazon.com/security for details of AWS security infrastructure.
- All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorised requests getting to our internal network.
- All user/customer data is stored in Australia.
- Customer data is stored in multi-tenant datastores;
- We do not have individual datastores for each customer. However strict privacy controls exist in our application code that are designed to ensure data privacy and to prevent one customer from accessing another customer’s data (i.e., logical separation).
- Sitepass engages certain third parties to process customer data. These third parties are listed at the end of this policy and will be updated from time to time.
- All data collected in the database and in backups are encrypted at rest (AES256).
- Our API and application endpoints are TLS/SSL only (TLS1.2).
- All data sent to from Sitepass is encrypted in transit using TLS/SSL (TLS1.2).
- Sitepass is served 100% over https.
- We have two-factor authentication (2FA) and strong password policies on all cloud services use in the hosting and development of Sitepass.
Web Application firewall (WAF)
- The WAF helps secure the application by blocking common web application threats.
- The WAF is implemented to mitigate automation threats (DDoS), block malicious bot abuse and prevent customer data being breached.
Security audits and penetration testing
- We annually engage with third party auditors to audit our application, and work with them to resolve potential issues
- Sitepass annual internal and external audits with third party auditors occur regarding our information security management system.
- We use a technology that provides an audit trail over our infrastructure and the Sitepass application. Auditing allows us to do security analysis, track changes made and audit access to the application.
- The annual security penetration tests target the following: Information Leakage, Configuration Management Testing, Authentication, Authorisation, Business Logic, Data Validation, Data Protection, Denial of Service, Auditing and Logging, Exception Handling, Web Services specific vulnerabilities, AJAX specific vulnerabilities.
- Sitepass conducts annual penetration tests as part of its security calendar. As a shared platform, we conduct penetration tests in a controlled environment, this test is always monitored by the infrastructure team to ensure no impact to any Client or user. As a multi-tenanted platform unauthorised penetration testing is limited to Sitepass.
- For security and confidential reasons, we do not divulge or share any information or penetration test results.
- All passwords stored by the application are salted and hashed using the BCrypt algorithm. They cannot be retrieved only reset.
- Minimum password complexity rules for the application are: 8 characters in length, must contain 1 lowercase and 1 uppercase character and 1 number.
- User access will be locked for 1 minute after three failed login attempts.
- Password resets are emailed to the account holder, to verify before the password can be reset.
Security awareness training
- Annually all employees undertaken security awareness training as part of our security calendar.
- All employees sign a non-disclosure agreement outlining their responsibility in protecting customer data.
Security calendar and governance structure
- We employ an information security working group (ISWG) to manage and oversee the information security processes, procedures and risks of Sitepass.
- The ISWG meet monthly to review security events, incidents, risks, projects and processes.
- The ISWG follow a security calendar with scheduled events to manage the compliance, governance, documentation, physical security, access management security awareness and business continuity events and procedures for Sitepass.
- Quarterly reporting is undertaken by the ISWG to measure the performance of Sitepass security and security process and procedures.
Data breach incident response
- In the case of a security incident, an incident and response plan is followed, which provides guidance and the associated steps to follow in the event that Sitepass suspects or becomes aware that a data breach has occurred.
- This plan is ensuring we contain, assess and manage a data breach in a timely fashion and in compliance with relevant legislative requirements to mitigate any potential harm to affected individuals.
- The plan includes an assessment report that contains key tasks, roles and responsibilities, checks and procedure for notification in the event of a data breach.
Security Policies and procedures
The following security policies are followed in the development, support and hosting of Sitepass:
- Access Management Policy – The purpose of this policy is to define the approach for user access management to Sitepass networks, systems and applications in order to prevent unauthorised access, and ensure that effective controls are in place so that all users and their actions can be uniquely identified.
- Asset Management and Disposal Policy – Sitepass is committed to protecting its information assets from the loss of confidentiality, integrity and availability. The purpose of this policy is to define the mechanisms for the identification and management of these assets
- Communication Security Policy – The purpose of this policy is to ensure electronic communications involving Sitepass information assets are suitably protected.
- Cryptography Policy – The purpose of this policy is to ensure that appropriate level of encryption control measures is implemented to protect its sensitive and critical information resources against accidental or malicious destruction, damage, modification or disclosure, and to maintain appropriate level of confidentiality, integrity and availability of such resources.
- Information Classification and Handling Policy – The purpose of this policy is to ensure that Sitepass has a mechanism for classifying information to ensure that it is produced, stored, distributed and destroyed in accordance with the risks related to that information.
- Mobile Device Policy – The purpose of this policy is to provide high level directives on the use, deployment and maintenance of mobile computing devices.
- Operations Security Policy – The purpose of this policy is to provide directives for the management of operational processes to ensure that information assets are appropriately protected.
- Physical and Environmental Policy – Sitepass maintains a significant investment in IT information assets used to support the business. The purpose of this policy is to provide direction to ensure that these assets are appropriately protected from physical and environmental threats.
- Remote Access Policy – The purpose of this policy is to provide directives for remote connections to Sitepass network from any host. These directives are designed to minimise the potential exposure from damages which may result from unauthorised remote use of Sitepass resources.
- Supplier Management Policy – Sitepass relies on suppliers, including contractors, business partners to provide some of its IT and business services. This requires suppliers to access Sitepass information to fulfil their service obligations. This policy establishes clear and consistent rules for governing all suppliers and supplier representative activities while conducting business with Sitepass. The policy also defines the framework for managing access to the suppliers and its representatives.
- Secure System Acquisition and Development Policy – This policy is designed to ensure that information systems are acquired and designed with security in mind in order to best protect Sitepass information assets.
- Teleworking Policy – The purpose of this policy is to provide high level directives on the use, deployment and maintenance of teleworking activities within Sitepass with the intention that it shall ensure that risks are reduced, and responsibilities known.
- Incident and actions – The purpose of this procedure is to describe the process of reporting, correcting or preventing security incidents or security weaknesses from internal and external sources. These procedures establish protocols for; all personnel to identify what constitutes a security incident and how to report it, the manner in which an investigation and risk analysis are to be conducted, and managers to assist staff and action recommendations.
- Internal Audit – The purpose of this procedure is to describe the responsibilities and requirements for planning, conducting and reporting results of ISMS internal audits.
- Risk Assessment – The purpose of this procedure is to describe the way risks are identified and managed within the Sitepass Information Security Management System (ISMS).
- Security fixes, hosting infrastructure configuration changes are introduced in line with the release management plan
- All changes introduced to implement security improvements or features are communicated through from the release notes
- All payment processing for purchase of the Sitepass including capture and storage of credit card information is performed by Stripe. For more information on Stripe’s security practices, and compliance please see https://stripe.com/docs/security/stripe.
- Managing your own user accounts and roles from within the Sitepass services.
- Compliance with the terms of your services agreement with Sitepass, including with respect to compliance with laws.
- Promptly notifying Sitepass if a user credential has been compromised or if you suspect possible suspicious activities that could negatively impact security of the Sitepass service or your account.
- You may not perform any security penetration tests or security assessment activities without the express advance written consent of Sitepass.
Application logging and monitoring
- On an application level, we produce audit logs for all activity where ever applicable.
- All access to Sitepass applications is logged and audited in the access logs.
- All actions taken on production consoles are logged.
Antivirus and malware
- All files (documents, images, zips etc.) uploaded are scanned for virus and malware.
- All file uploads use validations to limit the types of files uploaded into the platform.
Security partnerships and consultancy
Sitepass works with the following partners to provide security auditing, consultancy and information.
|ISACA||ISACA is an international professional association focused on IT governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only||As a member, we received updates on the latest security information|
|CQR||As Cyber Security specialists, CQR ensures your business, your people, your information and your technology are protected and empowered||Security consultancy regarding ISO 27001 certification, penetration testing|
|Pure Hacking||Pure Hacking can partner with you and your team to identify the IT security risks you face now and in the future||Penetration Testing|
Sitepass engages certain third parties that may process personal data submitted to Sitepass’s services. These third parties are listed below, with a description of the service and the location where data is hosted. These third-party service providers may have access to or process your personal information for the purpose of providing these services for us. We do not permit our third-party service providers to use the personal information that we share with them for their marketing purposes or for any other purpose than in connection with the services they provide to us. This list may be updated from time to time: