The WorkRite system is implemented to be fully compliant with the requirements of ISO 27001:2013 and the Data Protection Act 2018.

Password policy

User passwords are autogenerated when the account is first created. Passwords also:

  • must contain 8 or more characters, and have at least one of each of the following: lowercase letters, uppercase letters, and numbers
  • can be set to expire after a period of days
  • cannot be the same as the username
  • can have a restriction on reuse of previous passwords

Data storage

All data is encrypted at rest using AES-256. Backup data is encrypted using AES-256.

Infrastructure & connectivity

The system is housed on Microsoft’s Azure platform in the UK-SOUTH Data Centre, which meets the requirements of TIA-942/Tier-3. This gives WorkRite UK geographic redundancy in operation (UK-SOUTH and UK-WEST).

Data transfer & security

The WorkRite application is accessible only over HTTPS connections, which support TLS 1.2 only. Optionally, authentication can be restricted to specified IP address ranges.

A SOAP-based web service API is available, secured using multi-factor authentication and encrypted via HTTPS. WorkRite is also SAML 2.0 compliant.

FTP connections are made via either FTPS or SFTP, using multi-factor authentication.

Access control

WorkRite employs role-based access control, and data is logically separated between tenants.

User sessions expire after 60 minutes.

Auditing & logging of activity

All user actions are logged within the application, and the logs can be filtered, exported and automated.

SLA

We (WorkRite) will provide a WorkRite application availability uptime of at least 99.5% measured over each calendar month. The availability uptime calculations will not include:

(1) WorkRite pre-planned maintenance periods which are one weekend per month between a Friday starting at 18:00 and the following Sunday at 22:00. The dates for these periods are published up to a year in advance.

(2) WorkRite unplanned emergency maintenance periods where we have notified you at least 24 hours in advance of such an occurrence.

(3) Unplanned communications failures due to external providers who are not under our direct control.

Failure by us to meet the availability target will result in that month’s maintenance fees being credited back to you. Availability statistics will be published at http://status.workrite.co.uk along with any planned and unplanned maintenance periods.

Application architecture

WorkRite is an HTML5-compatible ASP.NET v4.6 application hosted on Microsoft Azure infrastructure. It is served by an application gateway (combined Web Application Firewall and load balancer) backed by web servers. Data is stored on MS SQL databases operating in a High Availability configuration. Automation and FTP services are separate from the main application. Content is served using Azure CDN.

Monitoring

Monitoring is performed at the application level using Microsoft Application Insights. Low-level infrastructure monitoring is provided by Pingdom, and Microsoft Azure has a variety of monitoring tools and status indicators.

Backup & DR

Database backups are performed using SQL Managed Backup to Azure Blob Storage, with a minimum frequency of 2 hours and retention of 30 days. All application specific course code is managed by Visual Studio Team Services. A Business Continuity Plan (BCP) is demanded by ISO 27001. The RPO is about 15 minutes within standard UK business hours, with an RTO of 12 hours. Outside standard business hours the RTO is 48 hours.

External certification & approvals

Posturite Limited’s internal systems are audited to ISO 9001, 14001, 18001 and 27001:2013 and have been awarded the Cyber Essentials certification. Microsoft Azure services are fully DPA 2018 compliant, in addition to being ISO 9001, 22301, 27001:2013, 27017, 27018:2014, SOC 1, 2, 3, SSAE 16, NIST 800-53A, FedRAMP and DFARS certified.