PHRED Security Information

Transcription

1 PHRED Security Information This document is intended to answer typical security concerns. If a particular scenario is not addressed, please contact PHRED Solutions for more information. Table of Contents Registration 2 Registration Status Updates 3 Internal Security 5 Hosting Security 6 Data Center Security 7 Typical Network Architecture 8 PHRED Security April 2, 2018 Page 1

2 Registration New users need to register and then be personally approved BEFORE they can access PHRED 8D. The User defaults to Read Only status, which means they can only access the Library, Reports and Charts. They cannot open or be a part of a problem team. Full Access allows adding and modifying problems. PHRED Security April 2, 2018 Page 2

3 Registration Status Updates The Registration Administrators are responsible for activating new users and changing the status of a user. When a new user registers into the system an automatic is sent to the registration administrator(s) so that the new user can be approved before they are allowed to access the system. Upon receiving the , the Registration Administrator has to activate the new user. The Administrator must enter the address of the new user in the login field shown below. Then click Next. For a new user to be registered, click Add User on the next page. On Hold means that the user is waiting to be approved Disabled means that the user is inactive and cannot access the system Active means that the user can login to the system and use it Once this is filled out click Save/Next. If you just want to change the status of an existing user, do so on this page and save your changes when you are finished. PHRED Security April 2, 2018 Page 3

4 When the administrator changes the status of the user to Active and clicks on save/next the Administrator is directed to a confirmation page where the Registration Status is changed to Active and an automatic is sent to the new user informing them about their activated status. Special Qualifications: Administrator: check this box to allow them to access the Administration section SuperUser: check this box to give them access to all problems, whether or not they are a team member Both of these user options should be granted only to a select, trained few. Note: The company needs to identify a primary and secondary Registration Administrator. When new users register, they are automatically ed the user s name and that they are awaiting approval. PHRED Security April 2, 2018 Page 4

5 Internal Security Web Vulnerability testing is done regularly with a number of inspection tools. A particular focus is on Buffer Overflow, Cross Site Scripting and SQL Injection. We use a centralized validation process which runs on every page. When new vulnerabilities evolve only a single file is updated and provides protection for the entire application. Every input field has htmledit validation which automatically removes any html code. The user is notified that it is not allowed before it is removed (nothing just disappears) Passwords are encrypted with SHA-512. They are stored in the database in a 128 character field. This is a one way encryption. No one can view an unencrypted password. Information passed via the URL is encrypted when it could be sensitive. Problem ID numbers are encoded and decoded every page ensuring that the page cannot be intercepted and accessed by an unvalidated / uninvited user. Q: What type of change control procedures exist in the production / operations area? We use Surround SCM for change control and configuration management. Surround SCM is an RDBMS-based configuration management solution that controls access to files and tracks changes over time. It combines advanced source code management features, such as workflows and virtual branching. Whether your source code management needs include working with multiple operating systems, remotely accessing files, or managing changes to multiple product versions, SurroundSCM keeps source files and other digital assets organized and protected while tracking change across your organization. PHRED Security April 2, 2018 Page 5

6 Hosting Security All applications are hosted in a protected data center, hosting.com. Hosting.com operates six world-class data centers strategically located across the United States. Built to scale to the needs of our domestic and international clientele, each data center leverages an ITIL-based control environment validated for compliance against HIPAA, PCI DSS and SOC (formerly SAS 70) frameworks. Our data centers are also 100% compliant against OCR and PCI Audit Protocols. Data Centers are located: Denver, Newark, Louisville, Dallas, Irvine or San Francisco. PHRED Solutions uses Gateway Anti-Virus, Anti-Spyware, Intrusion Prevention, and Application Intelligence and Control Service to deliver intelligent, real-time network security protection against the latest blended threats, including viruses, spyware, worms, Trojans, software vulnerabilities and other malicious code. Application Intelligence and Control provides granular control and real-time visualization of applications to guarantee bandwidth prioritization and ensure maximum network security and productivity. All application code and databases are backed up internally AND transferred to a data center every evening. The master code and databases are maintained in in Colorado, databases are maintained in Utah and Texas. Nightly backups are kept for 30 days unless otherwise specified. All sites are hosted on PHRED Solutions applies all Microsoft security patches as soon as practical on their web servers. Other than planned outages, uptime is generally greater than 99%. PHRED Security April 2, 2018 Page 6

7 Data Center Security Independently validated for compliance against PCI DSS and SOC frameworks to ensure policies and procedures are in line with technology and business changes. Redundant UPS systems and back-up generators ensure we never lose power. Tier one connectivity from multiple providers provides the speed and connectivity our customers expect for mission-critical applications. Our Green Design Standards allow stable temperature, humidity and airflow management for data protection and energy efficiency. Physical Access Data center personnel on site 24/7. Security cameras throughout building and surrounding area. Keycard and biometric hand scans. Security corridor with tailgating prevention Facility Design 24/7 fully staffed Network Operations Center (NOC) Redundant network carriers include Qwest, Comcast, XO, Time Warner, Internap and MHO Pre-action sprinkler fire suppression with PhotoElectric and VESDA detection systems Redundant Liebert environmental controls Raised flooring controls air flow for steady temperature PHRED Security April 2, 2018 Page 7

8 Typical Network Architecture General Architecture PHRED is accessed via an Internet Browser. No other software is required from the end user. Hosted Solutions Use: The web application server uses both Adobe s ColdFusion version 11 and version The database server is MS SQL Server 2014 PHRED Security April 2, 2018 Page 8