Are all ingress and egress points for traffic through your network or cloud environment protected by firewalls?

Yes. The Commonplace platform is accessible via the internet for customer and respondent users over HTTPS connections. We utilise a range of AWS-provided services to secure this access point, including firewalls, load balancers and VPCs.

Regular penetration testing is undertaken to ensure that exposed interfaces remain secure.

More information: https://commonplace.atlassian.net/l/cp/4ARsdztu

Does your organisation have web application firewalls (WAFs) implemented to protect web applications?

Yes, we use AWS WAF. We review the rules as required, at least annually, and tailor them to Commonplace's needs.

More information: https://commonplace.atlassian.net/l/cp/16HZsusv

Does your organisation secure and encrypt remote connections to its network or environment (for example, by using VPNs (virtual private networks) or SSH connections)?

Yes. All connections to the Commonplace application use HTTPS with a minimum of TLS v1.2.

More information: https://commonplace.atlassian.net/l/cp/VurA6Lg2


Does your organisation secure remote access to its network or cloud environment using multi-factor authentication (MFA)?

Yes, via multi-factor authentication or SSH key pairing via VPN.

More information: https://commonplace.atlassian.net/l/cp/XBZNHq9f

Has your organisation implemented any network or cloud monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems?

Yes. AWS hosting comes with built-in IPS and IDS. We utilise a range of additional tools here, including AWS CloudWatch, AWS GuardDuty, Sentry, Snyk and others.

More information: https://commonplace.atlassian.net/l/cp/Uf7k3An5

Does your organisation have defined processes in place to ensure that all security alerts from logging and monitoring solutions are reviewed and actioned as necessary?

Yes. Alerting is routed to relevant Slack channels. A history of all alerts is maintained in a dedicated inbox.

More information: https://commonplace.atlassian.net/l/cp/ZzWrKAz3

Has your organisation implemented segmentation or segregation in your networks and/or cloud environments?

Yes.

We implement segregation on the user role level, preventing users from accessing features and pages that are out of their provisioned access.

We implement segregation between customer accounts. The product is one system shared between customers, with security policies in place that only enable access to customer-relevant data. Data is segregated from other customers through the use of dedicated subdomains, user credential authentication, and organisational identifiers within the product.

More information: https://commonplace.atlassian.net/l/cp/EQk0vYN6

Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS), and are all data transfers subject to review and authorisation?

Yes.

Within Commonplace: Data in transit within the Commonplace environment is all within a Virtual Private Cloud (VPC).

APIs: Data in transit between Commonplace services and external APIs is protected using HTTPS at a minimum of TLS v1.2.

More information: https://commonplace.atlassian.net/l/cp/sgAi9fua

Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service, DDoS) attacks?

Yes, we use the DDoS mitigation and protection tools built into AWS Route 53 in combination with AWS WAF.

More information: https://commonplace.atlassian.net/l/cp/Tcz9zLEX

Does your organisation conduct regular external automated vulnerability scans of its public facing IT infrastructure and remediate any findings?

Yes. We utilise a number of security and vulnerability monitoring tools as part of our development process. These tools check the code we have written and the third-party software and libraries in use, and provide real-time feedback when any issues are detected.

In addition, we run tools such as Dependabot that continuously review source code for dependencies requiring patches or updates.

More information: https://commonplace.atlassian.net/l/cp/D1kyCKhp

Does your organisation conduct regular penetration tests of its public facing IT infrastructure?

Yes. Annual penetration testing is completed via a third-party provider. Any identified issues are assessed to understand their severity within the context of the Commonplace platform, and fixes are then incorporated into our development lifecycle as required.

More information: https://commonplace.atlassian.net/l/cp/bTBxZX9K

Does your organisation conduct regular penetration tests (or red teams) of its internal systems (that assumes a compromise of perimeter controls)?

We run tools such as Dependabot that continuously review source code for dependencies requiring patches or updates, along with automated unit tests and other measures to identify internal vulnerabilities.

More information: https://commonplace.atlassian.net/l/cp/m3HC3Sm9

Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows?

Yes. XXXXX

More information: https://commonplace.atlassian.net/l/cp/03Wv3WMg

Does your organisation record and store user activity logs for all cloud environments, networks and associated services?

Yes, where logging is available, it is stored for the maximum storage period offered by the service provider and/or stored indefinitely in our own database.

More information: https://commonplace.atlassian.net/l/cp/1czdtH1x

Does your organisation record and store the logs of root/super user/ administrator actions for all cloud environments, networks and associated services?

Yes, where logging is available, it is stored for the maximum storage period offered by the service provider and/or stored indefinitely in our own database.

More information: https://commonplace.atlassian.net/l/cp/Pdp5zza5

Are all logs stored on a secure/hardened server that is logically separate from the systems being logged?

Not necessarily "servers", but for example AWS holds logs on activities separately from the platform itself, and GitHub also retains logs. We also port log information out to separate platforms such as Papertrail or internal databases.

More information: https://commonplace.atlassian.net/l/cp/2juZouPF

Does your organisation have a testing process to test business critical applications before they are deployed, to ensure there is no adverse impact on operations or security?

Yes. Snyk is run on each deployment, together with automated end-to-end, integration and unit testing, manual code review and QA.

More information: https://commonplace.atlassian.net/l/cp/MA7p0RGm

Does your organisation segregate its production environment from any testing or development environments?

Yes, we operate separate environments for development, staging, pre-production and production. Engineers are only granted access as required to perform their duties.

More information: https://commonplace.atlassian.net/l/cp/KZj451B2

Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load?

Yes, we utilise a range of tools to assist here, including AWS controls and Kubernetes for auto-scaling, plus auto-scaling with MongoDB Atlas.

More information: https://commonplace.atlassian.net/l/cp/AZYJZhGW

Does your organisation manage and control the use of, and access to, any cryptographic keys?

Yes, our Cryptographic Controls Policy is available on request from customers@commonplace.is

More information: https://commonplace.atlassian.net/l/cp/3ZJet0uM