Servers Security

  1. Technologies & updates
    1. Indicate technologies involved
    2. Describe your server and software update policy/frequency
    3. Do you commit to update servers and software less than a week after publication of security updates, and at no additional cost?
  2. Servers Security
    1. Describe how accounts are managed
    2. Describe how access to servers is secured
    3. Describe how generic accounts on servers are managed
    4. Describe teams having access to accounts and level of access provided
    5. Describe services exposed on the internet
    6. Describe services exposed on your intranet
  3. Backups
    1. Indicate backup frequency/method
    2. Indicate how archives are secured
    3. Indicate where archives are stored
  4. Incident management / Continuity
    1. Describe your business continuity and disaster recovery plan
    2. Indicate where servers used for continuity/recovery are situated
    3. Indicate frequency of data replication
  5. SLA
    1. Indicate your SLA/recovery time objective
    2. If data restoration is required, indicate how much data would be lost, at most

Indicate technologies involved

LAMP server. Linux, Apache, MySQL and PHP.

Describe your server and software update policy/frequency

All packages are installed via CentOs repositories and are being updated automatically with all the latest security patches.

Do you commit to update servers and software less than a week after publication of security updates, and at no additional cost?

Our server is a manager cloud server. Updates are managed promptly by rackspace technicians.

Describe how accounts are managed

It is just one server for StaffWise. Password questions are not applicable here as access to the server is by key. Access is revoked when a person no longer works for us.

Describe how access to servers is secured

By key, SSH, SFTP, HTTPS

Describe how generic accounts on servers are managed

Root login is disabled

Describe teams having access to accounts and level of access provided

Just Alex Chunyaev (head developer). Agencies will be given NO ACCESS to our server.

Describe services exposed on the internet

SSH, HTTPS

Describe services exposed on your intranet

There is no intranet

Indicate backup frequency/method

We use codegaurd.com for digital daily backups of all data.

Indicate how archives are secured

CodeGuard uses Amazon Web Service’s Simple Storage Service (S3) to house website and database backup data. This service was selected because it provides 99.999999999% durability by storing data redundantly across multiple physical locations. In addition to being able to withstand two simultaneous datacenter failures, all customer backup data is encrypted using an AES-256 bit key.

Indicate where archives are stored

Backups are stored on Amazon Web Services Simple Storage System, known as S3. S3 boasts object durability levels of 99.999999999%, achieved by storing redundant copies of data across multiple geographies and facilities. S3 is not the cheapest alternative for data storage, but it is one of the most reliable. Each backup is stored closest to where the user is, so it would actually be stored in Europe as they utilise this localisation from AWS -  https://aws.amazon.com/s3/faqs/

Describe your business continuity and disaster recovery plan

We have an exact mirror of the system using a different hosting company in a different country to the primary server with Rackspace in London.

The mirror is with Amazon Web Services in Ireland and we would switch over to it instantly in the event of a failure with the primary server with Rackspace.

In order to switch we would need to repoint DNS of domain name to AWS servers. It would take a maximum of 4 hours (generally a lot faster)

Indicate where servers used for continuity/recovery are situated

Dublin, Ireland

Indicate frequency of data replication

Real time replication.

Indicate your SLA/recovery time objective

4 - 6 hours

If data restoration is required, indicate how much data would be lost, at most

Data is sent to 2 different servers. If one goes down we can replace with the data stored on the other. Theoretically no data would be lost. (This is even before we have to use our backup service)