...
Outline your information security framework, policies, standards and guidelines | All Workaware employees have signed standard NDAs. All client information is uniquely password-protected for Workaware administrative account access. All server database access is restricted to the development team and to designated IP addresses. VPN gateways and RSA certificates are in place. Additional information can be supplied if required. Workaware would also be amenable to signing any ancillary privacy agreements. |
Supply a current threat and risk assessment for the service | Regular testing and review are conducted by Microsoft. Reports can be shared at the client's request. |
Supply a current privacy impact assessment for the service | |
Do you perform regular risk / security / penetration / vulnerability assessments on the service? If so, what is the frequency of audits? Are you able to provide a copy of a recent audit? If you do not conduct testing, are you willing to submit to a penetration test commissioned by the City? If not, why not? | Our solution security has been fully vetted by entities such as the Government of Alberta, Sony Pictures Entertainment and Netflix, to name a few. Additional information can be supplied if required. |
Do you have appropriate privacy and information security policies, procedures, and governance in place? Please provide. | Our policy can be accessed at: https://workaware.atlassian.net/wiki/spaces/WOR/pages/319586305/Privacy+Policy |
How do you address security escalation and notification process for addressing concerns and incidents, physical security, physical access controls, firewalls and intrusion detection, maintenance activity logging, secure data disposal? | Notifications and metrics are derived and disseminated via AWS. Logs can be integrated with their SIEM. |
Where (geographically) will the City’s data be hosted? | Canada (Central) |
Do you use other cloud services to support / operate your service? To what standards are they held? How is this assured? | We utilize Amazon Web Services for IaaS. |
What is your security patch management process and timeline? | Security patches are released immediately and cumulative software updates are released on a bi-weekly basis. |
...