ETISCOPE ARx SECURITY OVERVIEW
© JointAction Group Pty Ltd 2024
Version 2.2 May 2024
Foreword
This Policy applies to all aspects of data security at Joint Action including, but not limited to, Etiscope APP, Etiscope Dashboard, Move-Time and internal management systems.
Joint Action is not responsible for data collected by employers, contractors or service providers about persons who have taken part in workplace assessments. It is the responsibility of those organisations to meet the standards for data privacy and protection in line with the security measures offered by Joint Action.
Interoperability projects can only be realised when you have managed your information and data risks. All information and data is subject to legislation, policies and standards. Interoperability projects need specific attention to data compliance and security requirements relating to:
data exchange mechanisms
privacy and de-identification
licensing for mixed, reused or derived datasets.
Data security is put in place to prevent unauthorised access to information. It is a fundamental theme for enabling interoperability and should be addressed as an enterprise-wide initiative with an agency-wide security strategy. Data security requirements must consider the:
Protective Security Policy Framework (PSPF) which includes requirements for sensitive and classified information
Australian Government Information Security Manual (ISM) which is the standard that governs the security of ICT systems and includes information on access controls.
Policy Brief and Purpose
JointAction Group's Company Data Protection Policy refers to our commitment to treat the information of employees, customers, stakeholders, end users and other interested parties in a way that maintains privacy and confidentiality.
With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.
Joint Action aligns with policies defined in the Australian Government Protective Security Policy Framework for Security governance, Information security and
Scope
This policy refers to all parties (employees, job candidates, customers, suppliers, end users and end user employees etc.) who provide any amount of information to us.
Who is covered under the Company Data Protection Policy?
Officers and employees of our company and its subsidiaries must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, our policy refers to anyone we collaborate with, or who acts on our behalf, and who has access to the data managed by our company.
Policy Elements
As part of our operations, we need to obtain, store and process information. This information includes any offline or online data that makes a person or company identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, financial data, task assessments etc.
Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply.
Our data will be:
Accurate and kept up-to-date
Collected fairly and for lawful purposes only
Processed by the company within its legal and moral boundaries by region.
Protected against any unauthorised or illegal access by internal or external parties.
Our data will not be:
Communicated informally
Transferred to organisations, states or countries that do not have adequate data protection policies
Distributed to any party other than the ones agreed upon by the data's owner (exempting legitimate requests from law enforcement authorities)
In addition to ways of handling the data, the company has direct obligations towards the people to whom the data belongs. Specifically, we must:
Let people know which of their data is collected and gather informed consent, either verbal or written
Inform people about how we will process their data
Inform people about who has access to their information
Have provisions in cases of lost, corrupted or compromised data
Allow people to request that we modify, erase, reduce or correct data contained in our databases
Actions
To exercise data protection, we are committed to:
Restrict and monitor access to sensitive data
Develop transparent data collection procedures
Train employees in online privacy and security measures
Build secure networks to protect online data from cyberattacks
Establish clear procedures for reporting privacy breaches or data misuse
Include contract clauses or communicate statements on how we handle data
Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorisation etc.)
Our data protection provisions will appear on the etiscope.com website at https://help.etiscope.com
Disciplinary Consequences
All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary and possibly legal action.
Data Hosting & Specifications
JointAction Group is committed to ensuring the highest security of customer and end user data and utilises the following services to deliver this security:
SaaS Cloud Computing Security Architecture
The services are provided by Google Cloud Services, with the default multi-region option having an SLA of >= 99.999% uptime or the specific region options having an SLA of >= 99.99% uptime.
Google Cloud Services, shared – Firestore and Firebase Storage, for the storage of data and video. Refer to the following links for the privacy and Firestore policies of these cloud-based programs.
Data Ownership
Ownership of all data entered or generated by end users and clients will be retained by them.
Data stored will be the end user email address and name for login and role purposes. No other data is stored for employees. The name and email address of a customer secured by the end user may be stored only upon creation as a sub-client.
No storage of sensitive data, such as medical records, criminal convictions, trade union association or sexual orientation, is required. Further, as Joint Action Solutions assesses tasks, information about individuals is not required.
At the discretion of the customer/end user, individual information such as name and contact information may be entered and stored, although this is discouraged.
Notes initiated by the end user may be stored within job tasks.
Personal Data is usually not stored at all; however, all data is considered confidential.
Data will never be shared without authorisation of the customer/third parties.
Joint Action Solutions' access to any data is restricted by default, with access granted only when required by the customer with authorisation.
The customer can export the database data to CSV file as required, or use the Joint Action Solutions API to access it directly.
Storage data can be downloaded at any time and consists of standard video, image and pdf formats.
Normally data is trashed (removed but not deleted) instead of being deleted from the system, and thus can be restored by users; however, users with sufficient privileges can delete the data permanently from the portal interface.
Identity and Access Management of Hosted Information
User login and password procedure is as follows:
Authentication is via email/password login or email/email link.
Login authentication attempts are hard-capped at 10 per minute per user, with alerts generated for more than that or for continuous login attempts.
Admin user role password length is required to be at least 24 characters with multi-factor authentication.
Responsibility of Security and Data Protection
In-house Cyber Security Officer, Constance Beckett, advises the Director of Technology, Roscoe McCord, who is responsible for all data security and protection processes.
Data Protection Security measures in place
Unusual activity is monitored and alerted.
Security rules are reviewed on all updates to the system.
Authentication rule-based restrictions are applied at the base level of Firebase.
The customer ID is a claim encrypted into the authentication token and is validated for every database and storage operation to the backend.
For storage, each customer has a separate storage bucket that has storage rules configured to allow access only to authorised users.
For the database, each customer has a separate path with access rules configured to allow access only to authorised users.
For the database, access rules are configured to allow only the level of access defined by the authorised user's role, including restrictions on updating and deleting.
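A default-deny model of the per-customer and per-role checks listed above, with a small regression matrix for reviewing them; this is an added example, not Joint Action's code and not written in Firebase's rules language. The claim names (customerId, role), the "customers/<id>/..." path layout, the role names and the sample cases are assumptions constructed for illustration.

```javascript
// Added illustration (not Etiscope/Joint Action code): default-deny model of
// the per-customer and per-role checks. The claim names (customerId, role),
// the "customers/<id>/..." path layout and the role names are assumptions.
const ROLE_OPS = new Map([
  ["viewer", new Set(["read"])],
  ["editor", new Set(["read", "create", "update"])],
  ["admin", new Set(["read", "create", "update", "delete"])],
]);

const deny = (reason) => ({ allow: false, reason });

// claims: custom claims from an already verified auth token, or null.
// op: "read" | "create" | "update" | "delete"; path: document path.
function authorize(claims, op, path) {
  if (!claims || typeof claims.customerId !== "string" || claims.customerId === "") {
    return deny("no verified customer claim");
  }
  const seg = String(path).split("/");
  // Only the per-customer subtree is reachable; malformed paths are refused.
  if (seg.length < 3 || seg[0] !== "customers" || seg.some((s) => s === "" || s === "..")) {
    return deny("path outside a customer subtree");
  }
  // The tenant comes from the token, never from a client-supplied field.
  if (seg[1] !== claims.customerId) return deny("cross-customer access");
  const ops = ROLE_OPS.get(claims.role); // unknown role -> undefined -> deny
  if (!ops || !ops.has(op)) return deny("role does not permit " + op);
  return { allow: true, reason: "ok" };
}

// Constructed regression matrix: [claims, op, path, expected allow].
const CASES = [
  [{ customerId: "acme", role: "editor" }, "update", "customers/acme/tasks/t1", true],
  [{ customerId: "acme", role: "editor" }, "delete", "customers/acme/tasks/t1", false],
  [{ customerId: "acme", role: "admin" }, "delete", "customers/acme/tasks/t1", true],
  [{ customerId: "acme", role: "admin" }, "read", "customers/globex/tasks/t9", false],
  [{ customerId: "acme", role: "owner" }, "read", "customers/acme/tasks/t1", false],
  [{ role: "admin" }, "read", "customers/acme/tasks/t1", false],
  [null, "read", "customers/acme/tasks/t1", false],
  [{ customerId: "acme", role: "admin" }, "read", "customers/acme/../globex/tasks/t9", false],
];

// Returns the cases whose decision differs from the expectation (empty = pass).
function failingCases() {
  return CASES.filter(([c, op, p, want]) => authorize(c, op, p).allow !== want);
}

console.log(failingCases().length === 0 ? "access matrix holds" : failingCases());
```

Re-running a matrix like this on every rules change gives the review of security rules a fixed set of cross-customer and role-escalation cases that must stay denied.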
Monitoring of user activity
1. User authentication, creation and deletion events are logged, with notification alerts generated for unusual activity.
2. Database change events are logged with notification alerts generated for unusual activity.
Geographic region
Data is encrypted at rest in the cloud platform, and secured with SSL in transit.
The entirety of the database is backed up daily and stored in a separate Google Cloud Services storage bucket with no user access, and multi-region located for durability. Database backups are kept for six months.
To address the risk of XML External Entities (XXE), Joint Action Solutions does not use XXE.
In relation to Cross-site Scripting (XSS), a positive XSS prevention model is employed, with the Cross Site Scripting Prevention Cheat Sheet followed.
Insecure Deserialisation is not a risk when using Joint Action Solutions, as communication with the database is via the Firebase API.
Access controls are to be frequently tested and reviewed by Joint Action Solutions developers and Frontline Technical Support staff.
To combat security misconfiguration from a preventative standpoint, a no-access-by-default approach is employed and reviewed frequently.
Components are checked for vulnerabilities when adding and compiling, using automated tools.
Logging and monitoring is enabled for all authentication, database and storage operations, and is reviewed frequently.
Region Specific Data Management
Joint Action Solutions region-specific data storage and data processing is available. The default is multi-region US based; however, customers can elect to be region specific (US, EU, AUS) if desired. Replication and availability are slightly decreased for specific regions compared with the multi-region option.
Bibliography:
Google cloud services (USA)
https://firebase.google.com/support/privacy
https://cloud.google.com/firestore/sla
Algolia search (USA)
https://www.algolia.com/policies/legal/
https://www.algolia.com/policies/privacy/
https://www.algolia.com/policies/sla/
Australian Government Protective Security Policy Framework
https://www.naa.gov.au/information-management/building-interoperability/interoperability-development-phases/data-governance-and-management/data-compliance-and-security
POLICY REVISION HISTORY
This policy document was created in October 2022. It is reviewed bi-annually and is updated when changes to processes or policy occur.
No policy changes have occurred since the policy was formulated. There have been subsequent PenTests and Remedial Action undertaken and in June 2023 the company changed the product brand from Joint Action Solutions to Etiscope.
The current PenTest was completed by independent CTRL Cybersecurity in April 2023. Remedial action was identified and put into action within 7 days. There were no critical errors, simply policy recommendations.
This current version V2.2 was created by our in-house Cyber Security qualified agent, Constance Beckett, reviewed by CEO Garry Gosling and approved by Technical Director Roscoe McCord.