Discovery tool security
The discovery tool is part of the building digital capability service provided by Jisc. Jisc contracts with Potential.ly to provide the underlying discovery tool platform, and with Overt Software for authentication.
Our approach to product and service development
Jisc's approach is to develop products and services collaboratively with our members, develop common terms and conditions, and publish information and guidance that satisfies the requirements of most customers. This documentation is intended to answer the most common questions we are asked.
We cannot promise to answer all your questions, or agree specific amendments to our standard terms and conditions. Instead we shall continue to develop this document based on any provided feedback or questions received. If you do have any further questions, please make sure that you are satisfied with this document and any response before signing up to this service.
There are a set of policies and procedures in place to ensure the systematic management of sensitive data. The discovery tool follows common OWASP (The Open Web Application Security Project) guidelines and is registered and compliant with Information Commissioner’s Office with respect to data protection, use of and freedom of Information. Potential.ly is working towards ISO 27001:2013 certification.
Where is my discovery tool data stored?
All question set results data is stored within Amazon Web Services (AWS), within the Republic of Ireland. Amazon Web Services, the hosting provider for the discovery tool is certified to the international standard for information security, ISO 27001:2013 for United Kingdom data centres (view the certificate). This standard provides a framework for managing a business’s security responsibilities and provides external assurance for customers as to the scope and scale of the secure environment.
Potential.ly's information systems and technical infrastructure are hosted within AWS’ world-class, SOC 2 (Service Organization Control) accredited data centers. The information security of AWS is managed in conformance with the requirements of ISO 27001:2013, providing assurances of the security of the data centre and virtualisation aspects of the service. The security of the operating system and application stack is managed by Potential.ly.
Any transfer of data between Potential.ly and AWS are conducted over secure, encrypted, connections. Development and platform updates are fully documented and logged using a variety of tools with multiple backups to ensure continuity.
All staff involved with the discovery tool are either provided information security training or are subject to an "Information Security Policy" that communicates their responsibilities towards information security, as well as providing advice and guidance on common security threats. All development staff involved with providing the discovery tool service are trained in secure web application development practices and provided with data security training. This team also employs secure coding techniques and best practices, aligned with OWASP guidelines.
The system is regularly scanned for vulnerabilities by automated systems, and is subject to periodic penetration testing of both the network environment, operating system, and application. All issues discovered are prioritised and accordingly addressed. Vulnerability and patch management is carried out on a regular schedule accordance with vulnerability management processes. Jisc's approach to vulnerability management involves four key strands:
- A secure development policy followed by Jisc and our contractors, establishing security as a key requirement of system. This is intended to ensure that systems are secure through design and that common vulnerabilities, such as those in the OWASP Top 10, are avoided.
- Vulnerability and patch management carried out on a regular schedule. Occasionally, critical security patches may mean that the service needs to be taken offline at short notice. Where possible we will work with customers to minimise any disruption.
- Encouraging third parties to work with us to resolve any security vulnerabilities discovered – see Jisc's vulnerability disclosure policy. We commit to working with security researchers to address these vulnerabilities and improve the security of Jisc and our member’s data.
- Periodic penetration testing upon major changes or additions to the system.
Irrespective of how vulnerabilities are discovered the findings are prioritised according to risk and addressed and monitored through our vulnerability management processes and ISMS. Any significant findings that cannot be resolved in a timely fashion are escalated to our Senior Information Risk Owner and corporate risk register as appropriate. Jisc does not share penetration test reports or individual findings.
The discovery tool is protected from DDoS (Distributed Denial of Service) attacks by services provided by Amazon, including AWS Shield and Amazon CloudFront. Physical, logical, application and network access-control of personal data are managed on a least-privilege, need-to-know, basis.
Access to data stored within the discovery tool is strictly limited to the discovery tool support and technical teams. Access is only permitted to deliver anonymous data visualisations to subscribing organisations, or when it is at the request of the client concerned, or necessary for the investigation of operational issues, or when required by law.
The discovery tool servers and backups are accessible only by members of the discovery tool technical team within Potential.ly and other authorised members of staff at Jisc (such as systems administrators, or those responsible for delivering the anonymous data visualisations or digital badges).
Incidents and Breaches
There are established processes for handling information security incidents including data breaches. Should an incident occur, it will be handled according to these processes and in line with current data protection legislation. If an incident has an impact on the security of information secured in the discovery tool then Jisc’s senior information risk owner (SIRO), will make decisions as to whether and how customers and the Information Commissioner’s Office are notified.
Communications related to breaches will arrive through Jisc’s normal communications channels.
New users will either log on via their organisations Identity Provider (IdP) or choose their own passwords and will need to enter this username (email address) and password each time they log in if their organisation is not part of the access management federation. The discovery tool issues a cookie to store session information when registered users log in. The session cookie does not include user information.
All survey responses are collected over encrypted Secure Sockets Layer (SSL) (Transport Layer Security/TLS) connections. SSL is the standard technology for establishing an encrypted link between a web server and a browser. It ensures that sensitive information can be transmitted securely. Data is not encrypted whilst at rest within the discovery tool. Potential.ly is responsible for the management of all cryptographic keys and material involved with the discovery tool, and manages these in line with their "Cryptographic Control Policy" and related guidance.
All data is securely erased and any media securely destroyed once it is no longer required for the operation of the system. Due to the complex nature of a cloud based environment, we may be dependent on third parties to ensure this occurs. Where this is the case there will be a contract in place with that third party.
Some data may persist in backups. For more information see the section on backups below.
The discovery tool service runs over two availability zones in AWS (within the Republic of Ireland) in an active-active high availability configuration using AWS Elastic load balancing. In the event of multiple availability failures the discovery tool service will be restored.
The performance of the service depends on the use of the system and AWS. Potential.ly monitor the system's performance routinely and have automated alerts. In the event of high traffic, AWS allows us to increase resources quickly to meet demand.
Discovery tool data stores are backed up daily.
The discovery tool has a data retention policy that means that backups are replaced every 30 days. Daily, weekly and 30 day backups are also stored in AWS S3 storage (within the Republic of Ireland) for fast restore. The discovery tool enables all users to export their individual question set report(s) as a pdf file. Additionally, staff in organisations that have been given the appropriate permission level (only available to subscribing organisations) can export their anonymous organisational data visualisations as a pdf or image file so that this can be stored elsewhere.
Users must not share accounts. You must not allow other people to use your username and password and multiple users must not log in using a single set of shared credentials.
Where relevant, users' passwords should be sufficiently complicated, stored securely (if stored at all) and not be the same as used on any other system. Your institution is responsible for ensuring that access to accounts is well-managed and that access to accounts is revoked when users change role or leave the organisation by informing the Jisc building digital capability team. Your institution should ensure that you have appropriate levels of security on your own systems should you choose to export sensitive data.
We have created a table (Word) of the information gathered for the Jisc building digital capability service so you can see how it is used.