Security and Risk

Policy and Standards

Outline your information security framework, policies, standards and guidelines

All Workaware employees have signed standard NDAs. All client information is uniquely password protected for Workaware administrative account access. All server database access is restricted to the development team and to designated IP addresses. VPN gateways and RSA certificates are in place. Additional information can be supplied if required. Workaware would additionally be amenable to signing any ancillary privacy agreements.

Supply a current threat and risk assessment for the service

Regular testing and review is conducted by Amazon. Reports can be shared at the client's request.

Supply a current privacy impact assessment for the service

 

Do you perform regular risk / security / penetration / vulnerability assessments on the service? If so, what is the frequency of audits?

Are you able to provide a copy of a recent audit? If you do not conduct testing, are you willing to submit to a penetration test commissioned by the customer? If not, why not?

Our solution security has been fully vetted by entities such as the Government of Alberta, Sony Pictures Entertainment, and Netflix, to name a few. Additional information can be supplied if required.

Do you have appropriate privacy and information security policies, procedures, and governance in place?  Please provide.

Our policy can be accessed at: https://workaware.atlassian.net/wiki/spaces/WOR/pages/319586305/Privacy+Policy

How do you address security escalation and notification process for addressing concerns and incidents, physical security, physical access controls, firewalls and intrusion detection, maintenance activity logging, secure data disposal?

Notifications and metrics are derived and disseminated via AWS. Logs can be integrated with their SIEM.

Where (geographically) will the City’s data be hosted?

Canada (Central)

Do you use other cloud services to support / operate your service? To what standards are they held? How is this assured?

We utilize Amazon Web Services for IaaS.

What is your security patch management process and timeline?

Security patches are released immediately and cumulative software updates are released on a bi-weekly basis.

Compliance and Certification

Are you PIPEDA Standards Compliant?

Yes

Do you have an identified privacy officer?

Not specifically.

Do you or a third party run the data centre facility in which your solution resides? Please identify any third-party providers.

The data is housed in various services of AWS.

Does the facility in which your solution runs maintain security compliance certifications (e.g. SSAE 16 SOC1 and AT-101 SOC2 Type II Reports, ISO 27001)?

https://aws.amazon.com/compliance/programs/

Security History

Have you experienced any security breaches? Please describe the breach and your response.

No

Providers are required to notify the customer of any breaches or incidents of unauthorized access or disclosure. What is your established incident/breach protocol?

Notification would be immediate upon discovery. At that point all authentication tokens would be revoked and all server access further restricted. All public APIs would be shut down.

Authentication

Does the service require authentication?

Yes

What are the service’s password rules?

Minimum 12 letters, or a minimum 5-word passphrase.

Are passwords stored in non-reversible format?

Yes

Is two-factor authentication available?

Yes

Does the solution support single sign on? What forms of SSO are supported?

Yes - Our OAuth2 service allows for custom external providers.

Encryption

Is data encrypted at rest?

Yes

Are backups encrypted?

Yes

Who controls the encryption keys?

Senior Development

Is data encrypted in transit (is transport based security / encryption offered)?

All communication is encrypted with TLS.

Data Ownership and Management

Does the customer retain ownership of all data that is entered in the system? Is this clearly stated in the contract / terms of service / user agreement?

Yes. As outlined in our privacy policy.

Is it clear that you have no claim against the data and cannot use the data for your own purposes (e.g. re-selling data, advertising against data)?

Yes. As outlined in our privacy policy.

Do your staff have access to the customer's data and metadata?

Only staff that require access to our databases. Networking, devops, security.

Do you have appropriate controls to audit, track and prevent data theft, loss, unauthorized use, copying, modification, disclosure or disposal? Please provide details.

Yes. Access restrictions and authorizations including, but not limited to, secure VPN gateways, IP whitelisting and partitioning.

Can data access and transfers (by your staff and customer staff and administrators) be audited within the application? Can customer administrators access the audit trail?

Modifications and data writes are auditable from the AWS portal but are not accessible from within the app.

Can the customer's data be exported from your system on-demand and on a regular schedule if required? What format is the data provided in? Is the format non-proprietary?

Yes.

Excel or CSV for data. Forms can be extracted as PDFs.

Yes.

Can the customer maintain a local backup of their data?

You could back up data dumps from exports if you would like. Backups of the databases are not accessible to non-senior staff.

Can the customer's data be safe-harboured (that is, a 3rd party stores the data separately from the cloud provider to guard against data loss or business failure)?

Same as B.7

Is the data in the systems accessible by customer administrators for back-end updates or modifications? Is it possible to make back-end system wide data modifications?

We have a set of REST and OData APIs that can be used for automated tasks.

At termination of contract (either initiated by the customer or the provider) can the full data be extracted? What is the method for extraction? Are any costs associated with this?

Yes, it can. The data would need to be extracted by the development team. Any incurred costs would depend on any agreements outlined in the service contract and the nature of the contract termination.

How long will it take for the customer to get their data at contract termination? For how long will the data be available post termination?

Data can be gathered up and delivered in under 24 hours. Post termination, the data will reside on our servers for the remainder of the billing cycle.

In what format can the data be extracted?

See B.6

At contract termination, will the customer's data be deleted? Within what timeframe? How is the deletion confirmed?

The data will remain on our server for the remainder of the billing cycle.

Product Management

Do you have a regular release cycle? If so, please outline the general cycle and schedule. Explain the types of changes released in major and minor releases?

Hotfixes and security patches are released immediately. General cumulative releases are bi-weekly.

Can clients opt in/out of upgrades? Are some upgrades mandatory?

Updates* are mandatory

Performance, Reliability and Disaster Recovery

What operating systems does your solution support?

We have clients for Windows, iPhone and Android as well as an online version to cover Mac and *nix users.

Does the solution support all required browsers? (Chrome, Firefox, Edge, IE and Safari browser support is required for customer facing solutions)

The online client supports all modern, standards-compliant browsers.

What mobile browsers are supported (currently and in future)?

Any modern, standards-compliant browser is supported. The online client is built to be responsive.

What are bandwidth requirements for good client performance?

The online client requires a constant, decent internet connection. The Windows and Mobile clients will use caching queues if they lose their connectivity.

Can performance of the system be tested (in a realistic scenario) before purchasing?

We offer demo accounts.

What is the availability of the service (e.g. 24x7x52).

We strive for 100% uptime.

How can GP monitor service performance?

With access to our API endpoints you can set up any metrics you like.  For example, you can use the basic ‘timestamp’ endpoint to create a ‘heartbeat’ monitoring service.

Please describe the incident management process. What are SLA targets for performance and resolution of incidents?

Incidents resulting in support tickets are addressed, during business hours, in < 1 hour. Incidents resulting in unexpected downtime have yet to occur. Our processes have a lot of oversight to mitigate the chances of such an event occurring. We target 99.9% uptime.

What logs are kept? Who can access them? Can they be accessed by GP to analyze an incident?

Various metrics, exceptions and insight data are kept to analyze, debug and track usage scaling. Senior staff have access to them.

Can you share historical performance metrics? What is the longest time that your service has been down for?

Historical data is not available without some formal request to the development department. The service has yet to be unavailable for any significant length of time.

How is customer data backed up? Where and how are the backups stored? What is the frequency of backups? What are the restore capabilities? What is the restore procedure?

We back up documents as a ‘blob’ which is redundantly stored and versioned. The ‘data’ is stored in a SQL server which is backed up to a remote store once a day. The query log allows us to back up to any point in time down to the minute.

Do you have a documented disaster recovery plan?

Yes

What is the DR plan’s Recovery Time Objective? What is its Recovery Point Objective?

We can spin up a new infrastructure and be back online in under 24 hours in the event of a disaster. DR recovery would be to the last logical backup time. The server can be deployed to Azure, AWS, or other alternative cloud services in the event of catastrophic failure of one provider.

Do you have a documented change management procedure?

Yes

Do you have specific planned windows when system maintenance will occur? When are they? What services are impacted?

System maintenance does not require any down time.

What notification do you provide for maintenance work?

We try to notify as far in advance as reasonably possible.

Do you provide protection, or receive protection from a third party for denial-of-service attacks against your solutions?

We have some HA best practices implemented in our AWS backend.

Do you provide customers with a secondary non-production environment? If so what types of environments? Are there any limitations on their use? Can data / changes be synchronized between environments?

Demo accounts are available. The demo account has no limitations compared to a regular account.

Generally, data is not synchronized between accounts, though custom process development is possible.

...