Information Security Policy
1.0 Purpose
The purpose of this document is to define the information security policy for Jobvite.
2.0 Scope
This policy covers all security practices currently in place at Jobvite, whether
performed by an individual, group or department, for the purposes of maintaining the
security posture, compliance, risk management and change control of the technologies
in use at Jobvite.
All security assessments and tasks are performed by delegated security personnel,
either employed or contracted by Jobvite. All findings are considered confidential
and are distributed only on a need-to-know basis. Distribution of any findings
outside of Jobvite is strictly prohibited unless approved by the Chief Technology
Officer.
3.0 Policy
Architecture and Infrastructure
Jobvite has a multitenant architecture that logically separates customer data through
access control based on company, user and role. Data is logically isolated and
segregated, and is reachable only through the application. The application has
extensive ACL, RBAC, authentication and authorization mechanisms so that data is
exposed only to authorized users.
Jobvite's architecture is a distributed, multi-tiered architecture built on Java and
.NET technology stacks. The first tier is the web server, running on Apache and
Microsoft IIS. The middle tier runs on an open-source Java stack, and the data-store
tier is a mix of MSSQL, MySQL and NoSQL databases such as MongoDB. In addition to
these tiers, the Jobvite architecture relies on a number of distributed services for
data processing, analytics, APIs and integration.
The Jobvite production databases sit on a trusted network segment (DMZ) that is
separate from the web servers.
Vulnerability Assessments
Every quarter, an infrastructure vulnerability assessment tool is run to verify that
the infrastructure is not exposed to known attack vectors.
Our hosting provider, Amazon Web Services (AWS), is responsible for maintaining the
operating system and third-party applications that form the base of our platform.
Amazon regularly reviews vendor and third-party security bulletins and patch updates
to identify and recommend the patches necessary for the system, and feeds those
patches into the change control process. Note that under the AWS shared
responsibility model, patching of guest operating systems remains the customer's
responsibility; that work is covered by the Jobvite Operations process described
next.
For OS, MySQL and MSSQL patching, the Jobvite Operations team performs a monthly
review and presents the patches to be applied for approval. For critical updates,
the Jobvite Information Security team reviews the patches as they are released and,
if an update is deemed urgent, notifies the support team with a recommendation to
apply it outside the monthly cycle.
In addition, there are scanning and vulnerability detection services included with
the (subscribed to by Jobvite) as outlined below:
Organizational Security
Jobvite performs background checks on all employees and contractors.
Antivirus
Jobvite has two antivirus layers. All inbound email is filtered before it reaches
Jobvite's servers, and all of Jobvite's Windows servers have Symantec Endpoint
Protection antivirus installed.
Maintenance Window
Jobvite's scheduled maintenance window is Saturday night from 10 PM to 1 AM PST.
Production Access
Production access is limited to key individuals. Their remote access to the
production environment is over a Juniper SSL VPN, so all management traffic is
encrypted. Developers who need access to production systems for troubleshooting
are granted access for a fixed period (usually 12 hours); after this period the
password expires and their access is revoked.
Password Policy
Password Complexity: upper and lower case letters, a special character and a number.
Minimum Length: 8 characters.
Account Lockout Duration: once locked, an account can only be unlocked through a
password reset.
Account Lockout Threshold: 3 invalid logon attempts.
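The following is an added example, not Jobvite's own code, showing how the four rules above can be enforced in one place so that the complexity check and the lockout rule cannot drift apart. It assumes an in-memory account record and uses PBKDF2 as a stand-in for whatever credential store the application actually uses; the thresholds are taken from the policy text.

```python
"""Enforce the stated password policy: complexity, minimum length, lockout
threshold and lockout-until-reset. Constructed example, not Jobvite code."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

MIN_LENGTH = 8          # policy: minimum length 8 characters
LOCKOUT_THRESHOLD = 3   # policy: 3 invalid logon attempts
PBKDF2_ROUNDS = 100_000 # assumption: any slow hash would do here


def password_policy_violations(password: str) -> list[str]:
    """Return the rules the candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    """Minimal in-memory account record (assumption: real store differs)."""
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def new_account(username: str, password: str) -> Account:
    """Create an account; the initial password must already meet policy."""
    problems = password_policy_violations(password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    salt = secrets.token_bytes(16)
    return Account(username, salt, _derive(password, salt))


def attempt_login(acct: Account, candidate: str) -> str:
    """Apply the lockout rule. Returns 'ok', 'denied' or 'locked'.

    A locked account stays locked even if the correct password is supplied:
    the policy allows no unlock path other than a password reset.
    """
    if acct.locked:
        return "locked"
    # Constant-time comparison of the derived hashes.
    if hmac.compare_digest(_derive(candidate, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
        return "locked"
    return "denied"


def reset_password(acct: Account, new_password: str) -> None:
    """The only unlock path: a reset, which must itself satisfy the policy."""
    problems = password_policy_violations(new_password)
    if problems:
        raise ValueError("new password rejected: " + ", ".join(problems))
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = _derive(new_password, acct.salt)
    acct.failed_attempts = 0
    acct.locked = False


if __name__ == "__main__":
    acct = new_account("alice", "Correct-Horse1")
    for guess in ("wrong", "wrong", "wrong", "Correct-Horse1"):
        print(guess, "->", attempt_login(acct, guess))
    reset_password(acct, "New-Passw0rd!")
    print("after reset ->", attempt_login(acct, "New-Passw0rd!"))
```

Keeping the complexity check in a single function that both account creation and reset call is the point: a reset that skipped the check would be the easy way for a weak password to re-enter the system.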
Patching Schedule
1st weekend of the month: patch the first half of production.
2nd weekend of the month: patch the second half of production.
3rd weekend of the month: patch the staging environment.
SSAE 16
SSAE 16 / SOC 1, SOC 2 and SOC 3 compliance is maintained through our hosting
provider, Amazon Web Services: http://aws.amazon.com/compliance/ . These reports
cover the AWS infrastructure layer; controls at the Jobvite application layer are
not within their scope.
4.0 Risk
Security issues discovered during assessments are mitigated according to the
following risk levels. Risk ratings are based on the OWASP Risk Rating Methodology.
High: any high-risk issue must be fixed immediately, or other mitigation strategies
must be put in place to limit exposure before deployment. Applications with
high-risk issues are subject to being taken offline or denied release into the live
environment.
Medium: medium-risk issues are reviewed to determine what is required to mitigate
them and are scheduled accordingly. Applications with medium-risk issues may be
taken offline or denied release into the live environment depending on the number
of issues and whether, taken together, they raise the risk to an unacceptable level.
Issues should be fixed in a patch or point release unless other mitigation
strategies limit exposure.
Low: the issue should be reviewed to determine what is required to correct it and
scheduled accordingly. Remediation validation testing is required.
5.0 Responsibilities
The Jobvite Security Engineering team is responsible for web application scoping,
assessment, risk rating of discovered issues, and reporting to Project Management
and application stakeholders.
Project Management and application stakeholders are responsible for scheduling
assessments appropriately and for remediation efforts based on assessment findings
and Security Engineering recommendations.
6.0 Enforcement
Web application assessments are a requirement of the change control process and
must adhere to this policy unless found to be exempt. All application releases must
pass through the change control process. Any web application that does not adhere
to this policy may be taken offline, at the discretion of the Chief Technology
Officer, until a formal assessment can be performed.
9.0 SSO
Jobvite supports the following SSO methods: Google, SAML 2.0 and OAuth.