AdminiTrack Security Statement

Transcription

1 Issue and Defect Tracking Fr prfessinal develpment teams AdminiTrack Security Statement Last updated n January 30, , all rights reserved. Unauthrized use is prhibited.

2 AdminiTrack Issue and Defect Tracking fr Prfessinal Sftware Develpment Teams By., Atlanta, GA USA AdminiTrack is a web-based,hsted applicatin fr sftware develpment teams that permits develpers, quality assurance testers, prject managers, business spnsrs and ther staff t share vital prject infrmatin quickly and easily frm anywhere in the wrld. Lcal applicatins installed n yur netwrk are t limiting when yur team members, users and custmers may be in multiple lcatins and need infrmatin nw, nt later. The applicatin is hsted by AdminiTrack.cm in a state-f-the-art data center s all f the implementatin, database design, internet access, maintenance and security have been taken care f fr yu. All yu have t d is setup yur users and prjects and start sharing vital infrmatin abut yur prject. AdminiTrack was designed t be fast and easy t use, yet prvide all the features yu wuld expect in a premier applicatin. Find ut what thers already have knwn frm small cnsulting cmpanies t Frtune 500 cmpanies arund the wrld. AdminiTrack is the cst effective slutin that n sftware develpment prject shuld be withut.

3 , all rights reserved. All rights reserved. N parts f this wrk may be reprduced in any frm r by any means - graphic, electrnic, r mechanical, including phtcpying, recrding, taping, r infrmatin strage and retrieval systems - withut the written permissin f the publisher. Prducts that are referred t in this dcument may be either trademarks and/r registered trademarks f the respective wners. The publisher and the authr make n claim t these trademarks. While every precautin has been taken in the preparatin f this dcument, the publisher and the authr assume n respnsibility fr errrs r missins, r fr damages resulting frm the use f infrmatin cntained in this dcument r frm the use f prgrams and surce cde that may accmpany it. In n event shall the publisher and the authr be liable fr any lss f prfit r any ther cmmercial damage caused r alleged t have been caused directly r indirectly by this dcument.

4 Table f Cntents 1.1 Purpse Cmpany Backgrund Data Center Security Crprate Security Systems Security Netwrk, Anti-Intrusin and Virus Scanning Delineatin f Custmer Data acrss Accunts Custmer Data Backups Uptime and Availability Custmer Respnsibility Sample Passcde Plicy Cntrlling Applicatin Sessins ,., all rights reserved i

5 1.1 Purpse This dcument is intended t prvide basic security infrmatin fr current and prspective custmers/subscribers f the AdminiTrack Issue and Defect Tracking applicatin. Sme details cannt be prvided fr security reasns. Cntact AdminiTrack at [email protected] if yu have specific questins r cncerns nt addressed in this dcument. 1.2 Cmpany Backgrund AdminiTrack is privately held cmpany which was c-funded in 2000 by technlgy industry experts (Dn Draper and Krishen Kta) wh have a cmbined 35+ years f experience in infrmatin technlgy and enterprise cmputing within the crprate and gvernment agency envirnments. Develpment n AdminiTrack started in The cmpany was incrprated in 2000 (Atlanta, Gergia, USA - Gergia Secretary f State cntrl#: ), and the AdminiTrack Issue Tracking system went live in mid AdminiTrack is a privately held and prfitable crpratin that has cnsistently grwn its custmer base since the system went live. The cmpany's success has been based n prviding a pwerful, yet easy-t-learn web-based applicatin backed by respnsive custmer supprt. AdminiTrack currently serves custmers in ver 20 different cuntries. AdminiTrack takes security very seriusly and emplys industry standard prcesses and practices t ensure custmers' data are safe. AdminiTrack hsts the issue and defect tracking system fr Glbal 1000 cmpanies arund the wrld. Unlike its cmpetitrs, AdminiTrack des nt advertise r disclse its custmers identities in rder t prvide an additinal layer f prtectin. We feel that while advertising ur mre prminent custmers wuld bring us mre business, it culd als make us a target fr adversarial persns r grups seeking t gain access t ur custmer s knwledge base. Select custmer references can be prvided upn request and are available nly thrugh the express written cnsent f thse custmers. While n system is cmpletely safe frm attack, AdminiTrack emplys all industry standard techniques t safeguard ur systems and yur data. 1.3 Data Center Security AdminiTrack perates in a state-f-the-art data center ( frmerly lcated in Atlanta, GA. This is a 376,000 sq. ft. unmarked facility emplying arund-the-clck security and technlgy persnnel. Security features fr this data center include but are nt limited t: The building is unmarked with n signage ,., all rights reserved 1

6 Hidden physical barriers prvide physical prtectin t the building. Physical check-in by security persnnel 24 hurs per day required t reach data center flr. Electrnic badge access is required t access the data center flr. Three bimetrically prtected check pints utilizing bth finger-print and retinal scan technlgy must be passed t reach data center flr. Emplys multiple, redundant Internet access feeds frm multiple prviders. Emplys dual pwer feeds frm Gergia Pwer with the ability t keep pwer t ur systems up fr weeks in the unlikely event f a massive pwer lss. This is dne using undergrund flywheel pwer generatin and advanced pwer-systems technlgy. Many ther well-knwn cmpanies have hsted systems at this same facility including Ggle.cm. 1.4 Crprate Security Due t AdminiTrack s tightly fcused, high-quality ffering, all staff members are rigrusly screened and backgrund verified. In additin, each staff member signs a nn-disclsure agreement (NDA) in regards t crprate and custmer data. All AdminiTrack technical staff members are cnsidered amng the best and mst talented in their respective areas f expertise. AdminiTrack als fllws and implements the security standards f the Payment Card Industry (PCI) Data Security Standards. While these standards are targeted tward nline payment systems, the security recmmendatins are excellent cvering a brad spectrum f best practices. These standards are supprted by many respected industry leaders including Symantec, Verisign, and Authrize.net. AdminiTrack is Verisign Secured site and an Authrize.net Verified merchant. 1.5 Systems Security AdminiTrack emplys industry standard security sftware and hardware at varius levels thrughut ur netwrk Netwrk, Anti-Intrusin and Virus Scanning Fr netwrk security, we run behind advanced firewalls alng with hardware and sftware based anti-intrusin detectin systems t mnitr and pr-actively prtect ur systems that must cmmunicate directly with the Internet. All f ur systems stay updated n current security patches and security audits are rutinely run t ensure n gaps have pened up ,., all rights reserved 2

7 Bth anti-intrusin and virus scanning are deplyed at ur netwrk edge (security appliances), in ur servers and again at each server. This apprach prvides us with multiple layers f prtectin and added intrusin detectin capability. AdminiTrack utilizes Virtual Private Netwrking (VPN) fr all access t ur systems by crprate persnnel. This is an industry standard technique utilizing high-levels f encryptin and data security t prtect against data packet sniffing and ther public wire techniques t btain data. All access using ur VPN requires internal sftware, is passcde prtected and fully lgged by user identity. Secure data access t the AdminiTrack applicatin is prvided but nt enfrced by default. Traffic between yur clients and ur servers may be encrypted by tw ptins: If yu prefix yur requests with HTTPS, the cnnectin between client and servers will use 128-bit secure sckets (SSL), an industry standard frm f encryptin security. Upn request, we can enable enfrced SSL fr yur accunt. This ptin will frce all access t yur accunt t use SSL by prefixing the request with HTTPS. The system administratr fr yu accunt may cntact [email protected] and request this ptin. All custmer data is stred in an enterprise SQL server database including attachments which are upladed as dcuments either t a prject r t an issue. N data is accessible frm the file system which prvides anther level f prtectin. Access t the AdminiTrack applicatin is lgged at multiple levels including web servers, database servers, anti-intrusin systems, systems, and public facing firewalls including VPN access. Applicatin user lgins are lgged including surce lgin credentials, surce IP, User Agent and mre. Lgs are peridically reviewed fr any signs f inapprpriate use and any suspicius users may be blcked at the firewalls and servers by IP address r by user accunt r bth. AdminiTrack reserves the right t blck any knwn entities that we feel may be inapprpriately using the system. Our systems are mnitred arund the clck frm bth nsite and ffsite lcatins with manned and autmated ntificatins t engineers shuld a prblem ccur. Physical access t ur systems is limited t a small number f engineers wh mnitr and maintain them Delineatin f Custmer Data acrss Accunts Custmer accunt data is delineated frm each ther by an accunt number that is assigned t each custmer accunt. This number is stred inside a ckie t ppulate the lgin frm and assist users when lgging int the system but is never passed t the applicatin except while lgging int the applicatin where all credentials including passcde are required. Once a user has successfully lgged int the applicatin with prper credentials (three items are required), the accunt number is maintained nly in sessin state n the server. This technique makes it impssible fr smene t pass a knwn accunt number in an attempt t gain access t anther accunt. This is an industry standard technique emplyed by nearly all nline systems including banking, cmmerce and mre ,., all rights reserved 3

8 1.5.3 Custmer Data Backups Data is maintained n redundant servers utilizing RAID drives and backed up t ht backup servers in real-time. Drive Redundancy with RAID The RAID cncept (Redundant Array f Inexpensive Disks) permits data t be written t multiple, physical hard-disks platters at the same time. This redundancy prvides prtectin in the event that a hard-disk failure ccurs. The mment a hard-disk fails inside the array, anther hard-disk drive knwn as a ht-spare immediately gets a cpy f the data frm the remaining gd drive. Once the ht-spare has been created, the redundancy is restred and the engineers are alerted that the ht-spare drive needs t be replaced. Server Redundancy with Ht-Backup Servers AdminiTrack maintains a ht-backup server fr each prductin server. The htbackup server is a mirrr image f the prductin server in mst respects. Custmer data is peridically shipped (cpied) frm the prductin server t the ht-backup server s that the ht-backup server is never mre than a few minutes behind. In the advent f a catastrphic failure f a prductin server, the ht-backup server can be brught nline and used t replace the failed server. This is anther way that AdminiTrack prvides redundancy f custmer data and prvides fr minimal dwntime in the advent f serius server failure. Off-site Data Strage All custmer data is peridically backed up and mved ff-site by AdminiTrack persnnel at regular intervals. Several days wrth f backups fr issue data is maintained nsite and this data is peridically remved ffsite t prevent a ttal lss f data shuld the data center be cmprmised. 1.6 Uptime and Availability AdminiTrack des nt require cntracts as accunts may be canceled at any time. AdminiTrack can ffer a Service Level Agreement (SLA) fr custmers that require ne and purchase 6 mnths r 1 year f service in advance. Cntact supprt@adminitrack fr further infrmatin regarding this subject. AdminiTrack guarantees a level f uptime and availability t the subscribers. Uptime is defined as the ability f an active user in the Subscriber s accunt t lgin int the AdminiTrack applicatin and access accunt data.. guarantees an uptime f 99% ver the perid f any calendar mnth excluding scheduled dwntime fr maintenance r upgrades. AdminiTrack has nt been ff-line fr mre than tw hurs (excluding scheduled maintenance) since ging nline in ,., all rights reserved 4

9 While n system can guarantee cmplete prtectin, AdminiTrack takes security seriusly and emplys every pssible slutin t ensure data prtectin, redundancy and availability. 1.7 Custmer Respnsibility The fllwing are recmmended security prcedures fr ur custmers t fllw. Since the majrity f data security breaches ccur frm within an rganizatin, the custmer shares the respnsibility in keeping their data safe. Use the term passcde rather than passwrd t remind users that wrds shuld never be used. Create a passcde plicy if ne is nt already in place. (see belw) Use the Generate Passcde buttn when creating new users fr yur AdminiTrack accunt. This generates a randm passcde f bth letters and numbers and the user may change this later if needed. Cntact AdminiTrack immediately if yu feel yur accunt has been cmprmised in any way Sample Passcde Plicy The fllwing items are examples plicy rules that culd serve in a crprate plicy statement cncerning the creatin and use f passcdes. Use f bth upper-case and lwer-case letters (case sensitivity). Use acrnyms r the first letter f wrds in a phrase as part f yur passcde. Inclusin f ne r mre numerical digits r nn-alphanumeric characters. Inclusin f special characters in a passcde. Prhibit the inclusin f wrds fund in a dictinary r crackers list. Prhibit passcdes that are valid calendar dates r license plate numbers. Never share a cmputer accunt with anther user. Never use the same passcde fr mre than ne accunt. Never tell a passcde t anyne, including peple wh claim t be frm custmer service r security. Never write dwn a passcde; if yu cannt remember, d nt use it. Be careful t lg ff befre leaving a cmputer unattended. Change passcdes whenever there is suspicin they may have been cmprmised Cntrlling Applicatin Sessins AdminiTrack is the type f applicatin where several minutes t hurs may pass between accesses during a nrmal wrk day. Because sessin states n mst servers will expire after a few minutes withut activity, mst web-based applicatins frce ,., all rights reserved 5

10 the user t lgin again and again thrughut the day which can becme quite annying and time-cnsuming. The AdminiTrack applicatin has a special feature that allws users t maintain their sessin state as lng as they are lgged int the applicatin and the brwser has nt been clsed. This allws users t wrk in the applicatin withut being frced t repeatedly lg int the applicatin if a perid f time has lapsed. Regardless f whether this feature is enabled r nt, lgging ut f the applicatin r clsing the brwser will frce a user t re-lgin again t access the applicatin. Because f this, AdminiTrack encurages users t always lgut f the applicatin anytime they leave their desk. Fr added security, the brwser shuld be clsed as well. Nte: This feature may be disabled by un-checking the Disable Aut Lgff checkbx n the applicatin lgin frm ,., all rights reserved 6