Availability, Security and Support
WebSurvey is hosted in Amazon Web Services Sydney (AWS Sydney). AWS Cloud services have been assessed against the Australian government Information Security Manual (ISM) by an independent IRAP assessor (see https://aws.amazon.com/compliance/irap/ for more information) and are recognised as a robust, secure cloud hosting service.
Using the services of AWS Sydney enables us to take advantage of the benefits offered by cloud-based hosting infrastructure, while ensuring data continues to be hosted in Australia, not offshore. These benefits include being able to flexibly increase and decrease capacity to better manage fluctuations in demand as well as facilitating uninterrupted service provision during upgrade and patching processes essential for the reliable and secure operation of our systems.
The reliability and security needs of the data collection projects we undertake are critical features of WebSurvey.
Availability of infrastructure
We guarantee 99.5% ‘up-time’ for data collections, based on five days per week, 8am – 5pm AEST. To manage ongoing preventative maintenance of these servers, we occasionally plan scheduled down-time during low-use time slots. You will be notified of any scheduled maintenance in advance.
All of WebSurvey’s production services are monitored for performance and breakages by automated systems. Where issues arise, these are raised to the appropriate technical and managerial staff for severity assessment and resolution.
All issues requiring attention are recorded in our issue tracking system. Issues impacting system availability also result in an automated email and SMS notification to appropriate staff and are addressed immediately. Staff are on call 24/7 for such events. Less severe issues are triaged and addressed during business hours.
There are three availability zones (geographically separated AWS sites) in AWS Sydney. WebSurvey utilises all three, ensuring redundancy for all services and protecting against outages at up to two of the three sites at a time.
As part of WebSurvey’s core business planning we have a business continuity plan addressing a wide range of potential risks to the business. Potential threats are regularly reviewed and assessed in both our Business Continuity Plan and Disaster Recovery Plan.
AWS services provide reliability, backup, scaling, and maintenance as well as the rapid application of security patches.
WebSurvey invests significant resources to ensure our systems are secure and robust. We are highly conscious of the potential threats and actively consider the consequences of such threats. We routinely assess risks and utilise specialist advisors to help with these assessments, as well as devising means to mitigate the risks. These considerations extend beyond the technical infrastructure (platforms, connectivity, environment, access control and so on) to the associated human processes such as how data can be stored and transferred and who can authorise and allow access. At all times, we aim to maintain appropriate (external) security standards.
It’s important to note that, should your project require compliance with a specific quality or security standard, it may be necessary to apply additional measures to the management of your project beyond the hosting environment. For example:
- Vulnerability scanning and penetration testing of the system by external consultants.
- Testing against the OWASP Top 10.
- IRAP assessment.
- Other activities as required.
Please contact us regarding any specific requirements you have.
To ensure encrypted transmission of data in both directions, web-accessible functionality is hosted under a secure certificate.
Office physical security
Our office is equipped with fingerprint-activated access control and an alarm system that is monitored at all times. We also have secure storage capacity that is locked with an isolated alarm zone and video-monitored access for physical documents and media.
Office electronic security
Our office IT infrastructure is set up with dedicated and redundant ASD-approved firewalls, individual username/password access to files, a network of computers monitored by our IT Infrastructure team and the capacity to use secure certificates for encrypted transmission of data.
Procedures and Protocols
As always, in addition to ensuring the security of the infrastructure, we undertake a range of other security assurance practices, including, but not limited to:
- All system administrators follow the formal change management procedures applicable to our systems, as described in our change management procedures, when applying patches and when modifying the logical and physical design of the system and supporting infrastructure.
- Systematic patching of systems and software libraries.
- Our Security Team manages security within the ICT Environment.
- All employees sign confidentiality agreements when they join, emphasising the importance of protecting sensitive data. All employees undergo a police records check to provide greater assurance of integrity.
- User accounts are removed or disabled when a user becomes inactive, ensuring that users who have left the organisation do not continue to have access.
- Annual and ongoing security awareness and training via online training modules and awareness communications via email.
WebSurvey manages an online issue tracking system that allows users to lodge support requests 24/7.
As above, all issues requiring attention are recorded in our issue tracking system. Issues impacting system availability also result in an automated email and SMS notification to appropriate staff and are addressed immediately. Staff are on call 24/7 for such issues. Less severe issues are triaged and addressed during business hours.