1.0 Purpose
The purpose of this policy is to define the information security policy within Jobvite.
2.0 Scope
This policy covers all security policies currently in place at Jobvite and performed by any individual, group or department for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies in use at Jobvite. All security assessments and tasks are performed by delegated security personnel either employed or contracted by Jobvite. All findings are considered confidential and are to be distributed on a "need to know" basis. Distribution of any findings to persons outside of Jobvite is strictly prohibited unless approved by the Chief Technology Officer.
3.0 Policy
Architecture and Infrastructure
Jobvite has a multitenant architecture that logically separates customer data through access control based on company, users and roles. Data is logically isolated and segregated. Access to data is only available through the application. The application has extensive ACL, RBAC, authentication and authorization mechanisms that allow access to data only for authorized users. Jobvite's architecture is a distributed, multi-tiered architecture based on Java and .NET technology stacks. The first tier is the web server, running on Apache and Microsoft IIS. The middle tier runs on an open source Java stack, and the data store tier is a mix of MSSQL, MySQL and NoSQL databases such as MongoDB. In addition to these tiers, Jobvite's architecture relies on a host of distributed services for data processing, analytics, APIs and integration.
The Jobvite production databases sit on a separate, trusted network segment (DMZ), distinct from the web servers.
Vulnerability Assessments
Every quarter we run an infrastructure vulnerability assessment tool to ensure that our infrastructure is not vulnerable to known attack vectors. Our Managed Service Provider, Amazon AWS, takes responsibility for maintaining the operating system and third party applications that form the base of our platform (under the AWS shared responsibility model, guest OS and application patching on EC2 hosts remains the customer's responsibility, which is why the Jobvite patch reviews described next exist). Amazon regularly reviews vendor and third party security bulletins and patch updates to identify and recommend patches necessary for the system, and feeds those patches into the change control process. For OS, MySQL and MSSQL patching, the Jobvite Operations team performs monthly reviews and presents the patches to be applied for approval. For critical updates, the Jobvite Information Security team regularly reviews these patches and, if deemed urgent, notifies the support team with its recommendation to apply the critical updates. In addition, the following scanning and vulnerability detection services are included with the subscription Jobvite holds:
• Penetration Testing: conducted annually. Network-layer penetration testing is performed once a year and after any significant infrastructure modification.
• Host-based Intrusion Detection System (HIDS):
  o Log analysis
  o Integrity checking (file integrity checking)
  o Windows registry monitoring
  o Rootkit detection
  o Real-time alerting
  o Active response
• Vulnerability Scanning: internal and external, performed quarterly.
Application Security, Code Reviews and Releases
All new product launches and all major, minor and emergency patch releases are subject to full static and dynamic code analysis before they are released. If any security issues are detected, the code is modified to address the identified issues, and the code is pushed to production only after clearance is received from the security team. All code changes and new development are also analyzed and reviewed by Subject Matter Experts (SMEs). Once the SMEs give clearance, the code goes through rigorous QA test cycles before it is released.
Organizational Security Jobvite performs background checks on all employees and contractors.
Data Retention and Backup
Disaster Recovery and Business Continuity
Jobvite hosts its production environment in Amazon Web Services (AWS) in the US-East Region, and our servers are spread across multiple Availability Zones (AZs) within the region to address disaster recovery scenarios. Availability Zones equate to separate stand-alone data centers within the region, and there are four (4) Availability Zones in US-East. Jobvite leverages all four AZs for disaster recovery and can recover with little to no downtime if at most two of the four Availability Zones fail.
Redundancy
Jobvite has a redundant infrastructure. All servers, firewalls, switches, load balancers and routers are redundant. If one fails, another is available to handle the load.
Antivirus
Jobvite has two antivirus layers. All inbound email is filtered before it arrives at Jobvite's servers. Also, all of Jobvite's Windows servers have Symantec Endpoint Protection antivirus installed.
Maintenance Window
Jobvite's scheduled maintenance window is Saturday night from 10 PM to 1 AM PST.
Production Access
Production access is limited to key individuals. Their remote access to the production environment is over a Juniper SSL VPN, so all management traffic is encrypted. Developers who need access to production systems for troubleshooting purposes are granted access for a definite period (usually 12 hours). After this period the password expires and they no longer have access.
Password Policy
• Password Complexity: upper and lower case letters, a special character and a number
• Minimum Length: 8 characters
• Account Lockout Threshold: 3 invalid logon attempts
• Account Lockout Duration: once locked, the account can only be unlocked through a password reset
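The rules above are easy to state and easy to get subtly wrong (a lock that a correct guess clears, a reset path that skips the complexity check). The following is an added reference implementation, not Jobvite's code: it enforces the four rules exactly as listed, locks after the third failure, and clears the lock only through a password reset. The stored credential is a salted SHA-256 digest, an assumption chosen only because "SHA 256 + Salt" appears later in this document; a dedicated password hash such as bcrypt, scrypt or Argon2 is the better choice in practice.

```python
"""Reference implementation of the password and lockout rules listed above.

Added example, not Jobvite's code. Salted SHA-256 storage is an assumption;
prefer bcrypt/scrypt/Argon2 for real deployments.
"""
import hashlib
import hmac
import os
import re
from typing import List

MIN_LENGTH = 8          # "Minimum Length: 8 characters"
LOCKOUT_THRESHOLD = 3   # "Account Lockout Threshold: 3 invalid logon attempts"


def check_complexity(password: str) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("min_length")
    if not re.search(r"[A-Z]", password):
        problems.append("uppercase")
    if not re.search(r"[a-z]", password):
        problems.append("lowercase")
    if not re.search(r"[0-9]", password):
        problems.append("digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("special")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 of the password (assumed storage format, see module docstring)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


class Account:
    """An account that enforces complexity on every password set and locks after repeated failures."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.failed_attempts = 0
        self.locked = False
        self._set_password(password)

    def _set_password(self, password: str) -> None:
        # Complexity is checked on every path that sets a password, including reset.
        problems = check_complexity(password)
        if problems:
            raise ValueError(f"password violates policy: {', '.join(problems)}")
        self._salt = os.urandom(16)
        self._stored = _digest(password, self._salt)

    def login(self, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'.

        A locked account rejects even the correct password: per policy, only a
        password reset unlocks it.
        """
        if self.locked:
            return "locked"
        if hmac.compare_digest(_digest(password, self._salt), self._stored):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
            return "locked"
        return "bad_password"

    def reset_password(self, new_password: str) -> None:
        """The only path that clears the lock. A real system gates this behind an
        out-of-band verified reset token (assumption; the token flow is not shown)."""
        self._set_password(new_password)   # raises before touching state if non-compliant
        self.failed_attempts = 0
        self.locked = False


if __name__ == "__main__":
    acct = Account("alice", "Correct-Horse9")
    for attempt in ("wrong1", "wrong2", "wrong3", "Correct-Horse9"):
        print(attempt, "->", acct.login(attempt))
    acct.reset_password("New-Passw0rd")
    print("after reset ->", acct.login("New-Passw0rd"))
```

Note that a successful login resets the failure counter, so the threshold counts consecutive failures, and that a non-compliant reset password raises before the lock is cleared.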
Patching Schedule
• 1st weekend of the month: patch half of production
• 2nd weekend of the month: patch the other half of production
• 3rd weekend of the month: patch the staging environment
SSAE 16
SSAE 16 / SOC 1/2/3 compliance is maintained through our hosting provider, Amazon Web Services: http://aws.amazon.com/compliance/. These reports attest to the controls AWS operates for its infrastructure; controls implemented in Jobvite's own application and operations are outside their scope.
4.0 Risk
Security issues discovered during assessments are mitigated based upon the following risk levels. Risk rating is based on the OWASP Risk Rating Methodology.
• High – Any high risk issue must be fixed immediately, or other mitigation strategies must be put in place to limit exposure before deployment. Applications with high risk issues are subject to being taken offline or denied release into the live environment.
• Medium – Medium risk issues are reviewed to determine what is required to mitigate them and are scheduled accordingly. Applications with medium risk issues may be taken offline or denied release into the live environment based on the number of issues and whether multiple issues raise the risk to an unacceptable level. Issues should be fixed in a patch/point release unless other mitigation strategies will limit exposure.
• Low – Issues should be reviewed to determine what is required to correct them and scheduled accordingly.
Remediation validation testing will be required to validate the fix and/or mitigation strategies for any discovered issue of Medium risk level or greater.
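The policy names the OWASP Risk Rating Methodology but does not show how a finding gets from assessor scores to one of the three dispositions above. The following added example (not Jobvite's tooling) carries a rating through end to end: the eight likelihood factors and eight impact factors are scored 0-9 and averaged, each average is bucketed (below 3 LOW, 3 to below 6 MEDIUM, 6 and up HIGH), the two buckets index the OWASP overall-severity matrix, and the resulting OWASP severity is mapped onto the High/Medium/Low handling and the validation-testing rule in section 4.0. The sample finding's scores are constructed for illustration and describe no real system.

```python
"""Worked OWASP Risk Rating calculation mapped onto the dispositions in section 4.0.

Added example, not Jobvite's tooling. Factor names, 0-9 scoring, the level
thresholds and the severity matrix follow the published OWASP Risk Rating
Methodology; the sample scores below are constructed.
"""
from typing import Dict, Tuple

LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",                            # technical
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",  # business
)

# OWASP overall severity, indexed [impact level][likelihood level].
SEVERITY_MATRIX = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}


def level(score: float) -> str:
    """OWASP level for an averaged 0-9 score: <3 LOW, 3 to <6 MEDIUM, 6-9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(scores: Dict[str, int], factors: Tuple[str, ...]) -> float:
    """Average the named factors, rejecting missing or out-of-range scores."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    for f in factors:
        if not 0 <= scores[f] <= 9:
            raise ValueError(f"{f} must be scored 0-9, got {scores[f]}")
    return sum(scores[f] for f in factors) / len(factors)


def owasp_rating(likelihood: Dict[str, int], impact: Dict[str, int]) -> Tuple[float, float, str]:
    """Return (likelihood score, impact score, overall OWASP severity)."""
    l_score = _average(likelihood, LIKELIHOOD_FACTORS)
    i_score = _average(impact, IMPACT_FACTORS)
    return l_score, i_score, SEVERITY_MATRIX[level(i_score)][level(l_score)]


def policy_disposition(severity: str) -> Tuple[str, bool]:
    """Map an OWASP severity onto the policy's High/Medium/Low handling and
    report whether remediation validation testing is required (Medium or greater)."""
    if severity in ("Critical", "High"):
        return "High", True
    if severity == "Medium":
        return "Medium", True
    return "Low", False   # OWASP "Low" and "Note" both fall under the policy's Low


# Constructed sample scores for a hypothetical authorization flaw in an
# internet-facing web application (illustration only).
SAMPLE_LIKELIHOOD = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 6, "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 7,
    "financial_damage": 3, "reputation_damage": 5, "non_compliance": 5, "privacy_violation": 7,
}

if __name__ == "__main__":
    l, i, sev = owasp_rating(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT)
    print(f"likelihood={l:.3f} ({level(l)}), impact={i:.3f} ({level(i)}) -> {sev}")
    print("policy disposition:", policy_disposition(sev))
```

With the sample scores the likelihood averages 7.375 (HIGH) and the impact 4.75 (MEDIUM), which the matrix rates High: under section 4.0 that means fix or mitigate before deployment, and remediation validation testing is mandatory.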
5.0 Responsibilities
The Jobvite Security Engineering team is responsible for web application scoping, assessment, determination of the risk of discovered issues, and reporting to Project Management and application stakeholders. Project Management and application stakeholders are responsible for appropriate assessment scheduling and remediation efforts based upon assessment findings and Security Engineering recommendations.
6.0 Enforcement
Web application assessments are a requirement of the change control process and are required to adhere to this policy unless found to be exempt. All application releases must pass through the change control process. Any web application that does not adhere to this policy may be taken offline until such time that a formal assessment can be performed, at the discretion of the Chief Technology Officer.
7.0 Breach Notification
In the event of a breach, Jobvite will notify the affected customers by email and immediately work on a system response to the breach.
8.0 Database Encryption
Some data at the database level is encrypted at rest. Jobvite uses single-key encryption. Encryption of data in transit is listed as "SHA 256 + Salt"; note that a salted SHA-256 digest is a one-way hash (appropriate for stored credentials), not a transport encryption mechanism, and the document does not name the transport protection (TLS or equivalent) for application traffic. The Juniper SSL VPN described under Production Access covers management traffic only.
9.0 SSO
Jobvite supports the following SSO methods: Google, SAML 2.0, OAuth.