Network & Cloud Security

leAre all ingress and egress points for traffic through your network or cloud environment protected by firewalls?

Yes. The Commonplace platform is accessible via the internet for customer and respondent users over https connections. We utilise a range of AWS provided services to assist in securing this access point including Firewalls, Load Balancers and VPC.

Regular penetration testing is undertaken to ensure that exposed interfaces remain secure.

More information: https://commonplace.atlassian.net/l/cp/4ARsdztu

Does your organisation have web application firewalls (WAFs) implemented to protect web applications?

Yes, we use AWS WAF. We review the rules as required, at lease annually, and tailor them to Commonplace’s needs.

More information: https://commonplace.atlassian.net/l/cp/16HZsusv

Does your organisation secure and encrypt remote connections to its network or environment (for example, by using VPNs (virtual private networks) or SSH connections)?

Yes. Connecting to the Commonplace application, all connections use HTTPS at a minimum of TLS v1.2.

More information: https://commonplace.atlassian.net/l/cp/VurA6Lg2

Does your organisation secure remote access to its network or cloud environment using multi-factor authentication (MFA)?

Yes, via multi-factor authentication or SSH key pairing via VPN.

More information: https://commonplace.atlassian.net/l/cp/XBZNHq9f

Has your organisation implemented any network or cloud monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems?

AWS hosting comes with built in IPS and IDS. We utilise a range of additional tools here including AWS Cloudwatch, AWS Guarduty, Sentry, Snyk and others.

More information: https://commonplace.atlassian.net/l/cp/Uf7k3An5

Does your organisation have defined processes in place to ensure that all security alerts from logging and monitoring solutions are reviewed and actioned as necessary?

Yes. Alerting is routed to relevant Slack channels. History of all alerts is maintained in a dedicated inbox.

More information: https://commonplace.atlassian.net/l/cp/ZzWrKAz3

Has your organisation implemented segmentation or segregation in your networks and/or cloud environments?

Yes.

We implement segregation on the user role level, preventing users from accessing features and pages that are out of their provisioned access.

We implement segregation between customer accounts. The product is one system shared between customers with security policies in place to only enable access to customer relevant data. Data is segregated from other customers through the use of dedicated subdomains, user credentials authentication, and organisational identifiers within the product.

More information: https://commonplace.atlassian.net/l/cp/EQk0vYN6

Does your organisation secure and encrypt all data transfers using an appropriate control/protocol (for example, SFTP, HTTPS), and are all data transfers subject to review and authorisation?

Yes.

Within Commonplace: Data in transit within the Commonplace environment is all within a Virtual Private Cloud (VPC).

APIs: Data in transit between Commonplace services and External APIs is protected using HTTPS at a minimum of TLS v1.2.

More information: https://commonplace.atlassian.net/l/cp/sgAi9fua

Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service) attacks?Does your organisation have any controls implemented to protect it against Denial of Service (and Distributed Denial of Service DDOS) attacks?

Yes, we use AWS Route53 inbuilt DDOS mitigation and protection tools in combination with AWS WAF.

More information: https://commonplace.atlassian.net/l/cp/Tcz9zLEX

Does your organisation conduct regular external automated vulnerability scans of its public facing IT infrastructure and remediate any findings?

Yes. We utilise a number of security and vulnerability monitoring tools as part of our development process. These tools check things like the code we have written, third-party software and libraries in use and provide real-time feedback when any issues are detected.

In addition to this we also run tools such as Dependabot that continuously reviews source code for dependencies requiring patches or updates.

More information: https://commonplace.atlassian.net/l/cp/D1kyCKhp

Does your organisation conduct regular penetration tests of its public facing IT infrastructure?

Annual penetration testing is completed via a third party provider. Any identified issues are assessed to understand severity within the context of the Commonplace platform and then fixes incorporated into our development lifecycle as required.

More information: https://commonplace.atlassian.net/l/cp/bTBxZX9K

Does your organisation conduct regular penetration tests (or red teams) of its internal systems (that assumes a compromise of perimeter controls)?

We run tools such as Dependabot that continuously reviews source code for dependencies requiring patches or updates along with automated unit tests and other measures to identify internal vulnerabilities.

More information: https://commonplace.atlassian.net/l/cp/m3HC3Sm9

Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows?

Yes. XXXXX

More information: https://commonplace.atlassian.net/l/cp/03Wv3WMg

Does your organisation record and store user activity logs for all cloud environments, networks and associated services?

Yes, where logging is available, it is stored for the maximum storage period offered by the service provider and / or stored indefinitely in our own database.

More information: https://commonplace.atlassian.net/l/cp/1czdtH1x

Does your organisation record and store the logs of root/super user/ administrator actions for all cloud environments, networks and associated services?

Yes, where logging is available, it is stored for the maximum storage period offered by the service provider and / or stored indefinitely in our own database.

More information: https://commonplace.atlassian.net/l/cp/Pdp5zza5

Are all logs stored on a secure/hardened server that is logically separate from the systems being logged?

Not necessarily "servers" but for example, AWS holds logs on activities separate to the actual platform, GitHub also retains logs. We also port log information out to separate platforms such as papertrail or internal databases.

More information: https://commonplace.atlassian.net/l/cp/2juZouPF

Does your organisation have a testing process to test business critical applications before they are deployed, to ensure there is no adverse impact on operations or security?

Snyk is run with each deployment, automated end-to-end, integration and unit testing on each deployment, manual code review and QA on each deployment.

More information: https://commonplace.atlassian.net/l/cp/MA7p0RGm

Does your organisation segregate its production environment from any testing or development environments?

Yes, we operate separate environments for development, staging, pre-production and production. Engineers are only granted access as required to perform their duties.

More information: https://commonplace.atlassian.net/l/cp/KZj451B2

Does your organisation monitor the capacity of its systems processing client information to make sure they are able to cope with load?

Yes, we utilise a range of tools to assist here including AWS controls and Kubernetes for auto scaling, plus auto-scaling with Mongo Atlas.

More information: https://commonplace.atlassian.net/l/cp/AZYJZhGW

Does your organisation manage and control the use of, and access to, any cryptographic keys?

Yes, our Cryptographic Controls Policy is available on request from customers@commonplace.is

More information: https://commonplace.atlassian.net/l/cp/3ZJet0uM