ETISCOPE ARx SECURITY OVERVIEW 

© JointAction Group Pty Ltd 2024
Version 2.2 May 2024

Foreword

This Policy applies to all aspects of data security with Joint Action including, but not limited to, Etiscope APP, Etiscope Dashboard, Move-Time and internal management systems.

Joint Action is not responsible for data collected by employers, contractors or service providers about persons who have taken part in workplace assessments. It is the responsibility of those organisations to meet the standards for data privacy and protection in line with the security measures offered by Joint Action.

Interoperability projects can only be realised when you have managed your information and data risks. All information and data is subject to legislation, policies and standards. Interoperability projects need specific attention to data compliance and security requirements relating to: 

  • data exchange mechanisms 

  • privacy and de-identification 

  • licensing for mixed, reused or derived datasets. 

Data security is put in place to prevent unauthorised access to information. It is a fundamental theme for enabling interoperability and should be addressed as an enterprise-wide initiative with an agency-wide security strategy. Data security requirements must consider the:

Protective Security Policy Framework (PSPF) which includes requirements for sensitive and classified information 

Australian Government Information Security Manual (ISM) which is the standard that governs the security of ICT systems and includes information on access controls. 

Policy Brief and Purpose 

JointAction Group's Company Data Protection Policy refers to our commitment to treat information of employees, customers, stakeholders, end users and other interested parties in a way that maintains privacy and confidentiality.

With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights. 

Joint Action aligns with policies defined in the Australian Government Protective Security Policy Framework for Security governance, Information security and

Scope 

This policy refers to all parties (employees, job candidates, customers, suppliers, end users and end user employees etc.) who provide any amount of information to us. 

Who is covered under the Company Data Protection Policy? 

Officers and employees of our company and its subsidiaries must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, our policy refers to anyone we collaborate with, or who acts on our behalf, and has access to the data managed by our company.

Policy Elements 

As part of our operations, we need to obtain, store and process information. This information includes any offline or online data that makes a person or company identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, financial data, task assessments etc. 

Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply. 

Our data will be: 

  • Accurate and kept up-to-date 

  • Collected fairly and for lawful purposes only 

  • Processed by the company within its legal and moral boundaries by region. 

  • Protected against any unauthorised or illegal access by internal or external parties.

Our data will not be: 

  • Communicated informally 

  • Transferred to organisations, states or countries that do not have adequate data protection policies

  • Distributed to any party other than the ones agreed upon by the data's owner (exempting legitimate requests from law enforcement authorities) 

In addition to ways of handling the data, the company has direct obligations towards people to whom the data belongs. Specifically, we must:

  • Let people know which of their data is collected and gather informed consent either verbal or written. 

  • Inform people about how we will process their data 

  • Inform people about who has access to their information 

  • Have provisions in cases of lost, corrupted or compromised data 

  • Allow people to request that we modify, erase, reduce or correct data contained in our databases

Actions 

To exercise data protection, we are committed to: 

  • Restrict and monitor access to sensitive data 

  • Develop transparent data collection procedures 

  • Train employees in online privacy and security measures 

  • Build secure networks to protect online data from cyberattacks 

  • Establish clear procedures for reporting privacy breaches or data misuse 

  • Include contract clauses or communicate statements on how we handle data 

  • Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorisation etc.) 

Our data protection provisions will appear on the etiscope.com website under https://help.etiscope.com

Disciplinary Consequences 

All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary and possibly legal action. 

Data Hosting & Specifications 

JointAction Group are committed to ensuring the highest security of customer and end user data and utilise the following services to deliver this security:

  • SaaS Cloud Computing Security Architecture 

  • The services are provided by Google Cloud Services, with the default multi-region option having an SLA of >= 99.999% uptime or the specific region options having an SLA of >= 99.99% uptime.

  • Google Cloud Services, shared – Firestore and Firebase Storage, for the storage of data and
    video. Refer to the links in the Bibliography for the privacy and Firestore policies for these cloud-based programs.

Data Ownership 

  • Ownership of all data entered or generated by end users & clients will be retained by them.

  • Data stored will be the end user email address and name for login and role purposes. No other data is stored for employees. The name and email address of a customer secured by the end user may be stored only upon creation as a sub-client. 

  • No storage of sensitive data, such as medical records, criminal convictions, trade union association or sexual orientation, is required. Further, as Joint Action Solutions assesses tasks, information about individuals is not required.

  • At the discretion of the customer/end user, individual information such as name and contact information may be entered and stored, although this is discouraged.

  • Notes initiated by the end user may be stored within job tasks.

  • Personal Data is usually not stored at all; however, all data is considered confidential.

  • Data will never be shared without authorisation of the customer/third parties 

  • Joint Action Solutions' access to any data is restricted by default, with access granted only when required by the customer with authorisation

  • The customer can export the database data to a CSV file as required, or use the Joint Action Solutions API to access it directly.

  • Storage data can be downloaded at any time and consists of standard video, image and PDF formats.

  • Normally, data is trashed (removed but not deleted) rather than deleted from the system, and can thus be restored by users; however, users with sufficient privileges can delete the data permanently from the portal interface.

Identity and Access Management of Hosted Information 

User login and password procedure is as follows:

  • Authentication is via email/password login or email/email link. 

  • Login authentication attempts are hard capped at 10 per minute per user, with alerts generated for more than that or continuous login attempts. 

  • Admin user role password length is required to be at least 24 characters with multi-factor authentication. 

Responsibility of Security and Data Protection 

In-house Cyber Security Officer, Constance Beckett, advises the Director of Technology, Roscoe McCord, who is responsible for all data security and protection processes.

Data Protection Security measures in place 

  • Unusual activity is monitored and alerted. 

  • Security rules are reviewed on all updates to the system. 

  • Authentication rule-based restrictions are applied at the base level of Firebase. 

  • The customer ID is a claim encrypted into the authentication token and is validated for every database and storage operation to the backend. 

  • For storage, each customer has a separate storage bucket that has storage rules configured to allow access only to authorised users. 

  • For the database, each customer has a separate path with access rules configured to allow access to only authorised users.

  • For database, access rules are configured to only allow the level of access defined by the authorised user's role, including restrictions on updating and deleting. 

  • Monitoring of user activity

    • 1. User authentication, creation and deletion events are logged, with notification alerts generated for unusual activity. 

    • 2. Database change events are logged with notification alerts generated for unusual activity. Geographic region 

  • Data is encrypted at rest in the cloud platform, and secured with SSL in transit. 

  • The entirety of the database is backed up daily and stored in a separate Google Cloud Services storage bucket with no user access, and multi-region located for durability. Database backups are kept for six months.

  • To address the risk of XML External Entities (XXE), Joint Action Solutions does not use XXE.

  • In relation to Cross-site Scripting (XSS), a positive XSS prevention model is employed, with the Cross Site Scripting Prevention Cheat Sheet followed.

  • Insecure Deserialisation is not a risk when using Joint Action Solutions, as communication with the database is via the Firebase API.

  • Access controls are to be frequently tested and reviewed by Joint Action Solutions developers and Frontline Technical Support staff 

  • To combat security misconfiguration from a preventative standpoint, a no-access-by-default approach is employed and reviewed frequently 

  • Components are checked for vulnerabilities when adding and compiling, using automated tools 

  • Logging and monitoring are enabled for all authentication, database and storage operations, and are reviewed frequently
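
The customer ID claim check, per-customer database paths and role-defined access levels listed above can be expressed as one deny-by-default decision per operation. The following is an added example, not Etiscope's code or Firebase rules; the claim names `customerId` and `role`, the `customers/{customerId}/...` path layout and the three role names are assumptions made for illustration.

```javascript
// Added example, not Etiscope's code. Assumed names: claims `customerId` and
// `role`, path layout customers/{customerId}/..., and the three roles below.
const ROLE_OPS = {
  viewer: new Set(["read"]),
  editor: new Set(["read", "create", "update"]),
  admin: new Set(["read", "create", "update", "delete"]),
};

// Decide one database or storage operation. `claims` is the payload of an
// already verified authentication token (null when unauthenticated).
function authorize(claims, path, op) {
  const deny = (reason) => ({ allow: false, reason });
  if (!claims || typeof claims.customerId !== "string" || claims.customerId === "") {
    return deny("no customer claim");
  }
  // Compare whole path segments: a prefix test such as
  // path.startsWith("customers/acme") would also match "customers/acme2/...".
  const seg = String(path).split("/");
  if (seg.length < 3 || seg[0] !== "customers" ||
      seg.some((s) => s === "" || s === "." || s === "..")) {
    return deny("malformed path");
  }
  if (seg[1] !== claims.customerId) return deny("cross-customer access");
  // Own-property lookup so a role such as "__proto__" never resolves.
  const allowed = Object.prototype.hasOwnProperty.call(ROLE_OPS, claims.role)
    ? ROLE_OPS[claims.role]
    : null;
  if (!allowed) return deny("unknown role");
  if (!allowed.has(op)) return deny("role lacks " + op);
  return { allow: true, reason: "ok" };
}

// Constructed requests covering the allow case and each denial reason.
function demo() {
  const editor = { customerId: "acme", role: "editor" };
  return [
    authorize(editor, "customers/acme/tasks/t1", "update"),
    authorize(editor, "customers/acme/tasks/t1", "delete"),
    authorize(editor, "customers/acme2/tasks/t1", "read"),
    authorize(editor, "customers/acme/../globex/tasks/t1", "read"),
    authorize({ role: "admin" }, "customers/acme/tasks/t1", "read"),
    authorize({ customerId: "acme", role: "__proto__" }, "customers/acme/tasks/t1", "read"),
    authorize(null, "customers/acme/tasks/t1", "read"),
  ].map((d) => d.reason);
}
```

Every denial carries a reason string, so the same function can feed the authentication and database event logs the policy describes.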

Region Specific Data Management 

Region-specific data storage and data processing is available for Joint Action Solutions. The default is multi-region, US-based; however, customers can elect to be region-specific (US, EU, AUS) if desired. Replication and availability are slightly decreased for specific regions compared with the multi-region option.

Bibliography: 

Google cloud services (USA) 
https://firebase.google.com/support/privacy 
https://cloud.google.com/firestore/sla 

Algolia search (USA) 
https://www.algolia.com/policies/legal/ 
https://www.algolia.com/policies/privacy/ 
https://www.algolia.com/policies/sla/ 

Australian Government Protective Security Policy Framework 
https://www.naa.gov.au/information-management/building-interoperability/interoperability-development-phases/data-governance-and-management/data-compliance-and-security 

POLICY REVISION HISTORY 

This policy document was created in October 2022. It is reviewed bi-annually and is updated when changes to processes or policy occur. 

No policy changes have occurred since the policy was formulated. There have been subsequent PenTests and Remedial Action undertaken and in June 2023 the company changed the product brand from Joint Action Solutions to Etiscope. 

The current PenTest was completed by independent CTRL Cybersecurity in April 2023. Remedial action was identified and put into action within 7 days. There were no critical errors, simply policy recommendations.

This current version V2.2 was created by our in-house Cyber Security qualified agent, Constance Beckett, reviewed by CEO Garry Gosling and approved by Technical Director Roscoe McCord.