Access Control

Access Control Policy

Access to data within JobTeaser platform is governed by access rights. JobTeaser has various permission levels for users (student, recruiter, administrators, super-administrators, JobTeaser staff, etc.).

JobTeaser's approach for defining access privileges and roles is to provide pre-defined roles with the appropriate permissions covering the most common use cases and best practices. As so, it keeps it simple to understand for super-administrators (either customers, partners or JobTeaser's staff) that are responsible for giving access privileges to other users. This ensures that the appropriate roles are given to users, fitting their needs, enabling to follow the least-privilege principle. Defining too many roles or enabling too much granularity to define privileges and roles will generally lead into a lower security level because administrators tend to give broader privileges than necessary due to the complexity of the roles configuration.

Roles and permissions differ depending on the application. The main roles are described below.

JobTeaser and Career Centers

Student

Company administrators

Several roles exist for administrator, providing different set of privileges based on the role of the company's collaborator:

School or university administrators

Cockpit/Explore

Several user roles are built in the application to enforce permissions on operations that may be performed on application data. University administrators are given a specific role allowing them to access and manipulate data through specific features of the platform.

This role enables University administrators to access students’ personal data through application features, as mentioned in the first section of this document. At the moment, no features enable modifying or deleting personal data, only the user herself/himself can modify or delete her/his data.

User registration and de-registration

User registration and de-registration is up to the users and Career Center administrators. Upon registration, the user sets his/her password through a link sent to his/her email address. Upon de-resistration, the user loses access to all the resources previously available.

JobTeaser platform and applications all enforce the following password security policy:

In case of failed login attempts, different measures are applied to prevent password brute-forcing: an exponential backoff delay is inserted before enabling the user to try again to login after failed attempts.

Single sign-on (SSO) allows schools and universities partners to provide their users (students and staff) with a login solution that does not require them to enter additional credentials on the Career Center. In this case, the security of the user's credentials is managed by the partner instead of JobTeaser.

CAS and SAML are currently supported. The IDP will also support OpenID Connect.

User access provisioning

The administration interface for Career Center administrators allows administrators to provision users according to roles they need to attribute to others.

User authentication

For Career Centers, JobTeaser enables its schools and universities partners to setup an SSO integration for end-user (students and administrators). Other types of users (e.g. company recruiters) are provided with JobTeaser login (email and password credentials are managed by JobTeaser).

For JobTeaser website and other applications (e.g. Cockpit/Explore), users are only provided with the JobTeaser login authentication solution.

JobTeaser uses a central authentication solution (JobTeaser IDP - IDentity Provider) on its platform and applications. It supports the development of controls: connection attempts monitoring, 2-factor authentication, etc. JobTeaser is currently developing 2-factor authentication and rolling it out for the authentication of its staff on the platform and applications.

Two-factor authentication (2FA)

Multi-factor authentication will be supported on the JobTeaser IDP during the year.

API security & authentication

Authentification to the platform is processed through the JobTeaser dedicated OpenID module. This module can act as an Identity Provider as well as a Service Provider, depending on the partner's needs.

Privileged access rights

JobTeaser administrators handle user registration and de-registration. Access rights are detemined according to the user functional role in the company.

Administration Interfaces access

Access to administration interfaces are encrypted via industry best-practices HTTPS and TLS over public networks.

Information access restriction

All partner information is segregated from other partners information in the application.

Cryptography

Data

Data in transit

Communications between the platform users (students, customer or partner users and administrators or JobTeaser administrators) are encrypted via industry best-practices HTTPS and TLS over public networks. Every three months, JobTeaser checks the relevance of its encryption through the SSL Labs API, any grade lower than "A" is handled as a security incident.

A few communications are sent through email and are inherently less protected. Only public information transits via this method of communication.

Data at rest

The AWS infrastructure ensures encryption at rest of all data-stores containing non-public information.

Secrets and keys

Secure credential storage

JobTeaser follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash. The current hash algorithm used for passwords is BCrypt.

Secrets Management

JobTeaser follows secure secrets management best practices during all the key management phases:

Physical and Environmental Security

Physical Perimeters and Location

Our platform is hosted in Amazon Web Services facilities, in the European Union region. All AWS Datacenters are anonymous locations, secured through all best practices in the field.

Production servers, networked devices, physical security, power, and internet connectivity are monitored by the facilities providers.

Physical access control

The AWS data center facilities feature a secured perimeter with multi-level security zones, 24/7 manned security, CCTV video surveillance, multifactor identification, physical locks, and security breach alarms.

AWS Certifications

In Europe, AWS is compliant with the following certifications:

Our platform benefits from most of those certifications by being hosted in AWS facilities.

Protecting against external and environmental threats

JobTeaser servers are hosted at secured data-centers facilities. All facilities apply the industry-standard security measures, including:

Operations Security

Operations Organisation

Operational procedures and responsibilities

Policies are in the process of being formalized. They record responsibilities associated with each domain. For now, only the following procedures are validated:

No technical procedure will be written, they are all automated.

Technical-operational Measures

Environment segregation

Development, testing and pre-production environments are separated physically and logically from the production environment. Service data is used after anonymization to provision the pre-production environment, enabling realistic anonymous data to be used for a more robust manual testing of changes. For development and testing environments, service data may be used after anonymisation and subsetting (reduction of the dataset to a representative subset).

Backup

Our backup policy ensures our platform data is replicated in several geographical locations. The replication instances are configured and reliant.

Log Management

Logging and Monitoring

JobTeaser uses application server logs which contain all user actions triggering an HTTP request to the application (e.g. loading a page, submitting a form, triggering background HTTP requests, …), as well as some associated data.

These logs include actions performed by administrative accounts.

Clocks synchronisation

The platform servers are currently synchronized internally. We intend to switch to the Time Sync Service from AWS, which will allow us to be synchronized through NTP and smooth out leap seconds.

Technical Vulnerability Management

Dynamic vulnerability scanning

An automated Web Scanning appliance (by Qualys) is deployed on the JobTeaser preproduction. It alerts the CISO on vulnerabilities found before the platform is deployed. Ths CISO then ensures that the vulnerabilities are corrected.

Static code analysis

Static code analysis is used for each change to the source code through our Continuous Integration (CI) pipeline to identify and notify potential security vulnerabilities.

Security penetration testing

JobTeaser regularly sollicits a security-specialist third-party to perform external penetration tests on different scopes of our platform and applications. The full scope of our public-facing products will be reviewed at least every 2 years.

Communications Security

Network Security Organisation

Architecture

Our network security architecture is built upon multiple security zones. Sensitive systems, like database servers, are protected in the most trusted zones, where only traffic coming from the internal network is authorized. Traffic between different zones is filtered using firewalls.

Segregation in networks

Our AWS infrastructure utilizes several AWS network security features to isolate our infrastructure from external traffic and filter any unauthorized traffic (AWS VPC - Virtual Private Cloud - and Security Groups - virtual stateful firewalls).

Logical access

Access to the JobTeaser production infrastructure restricts access to production to specific members of the Tech Team, following the least-privilege principle. By default, members of the tech team don't have access and have to ask to gain access during a certain time frame. Employees accessing the production infrastructure are required to do it through the company VPN and use multiple factors of authentication.

System acquisition, development and maintenance

Secure Development Policy

Secure development awareness

JobTeaser strongly encourages security awareness in its Technical Team through regular communications and staff awareness programs. A community of interest regroups membres of the Tech Team twice every month to discuss and share good practices, information and resources, and identify security actions to be lead. Security articles and presentations are regularly shared within the team through internal communication channels and the bi-monthly Tech Sharing afternoons.

Security training

JobTeaser is currently evaluating options for a secure code training provided by third-party experts, covering the OWASP Top 10 security flaws and other common attack vectors.

System change control procedures

Web frameworks security controls

JobTeaser utilizes modern web framework (e.g. Ruby on Rails, Phoenix) and makes use of its security controls to limit exposure to OWASP Top 10 security flaws. These include inherent controls that reduce our exposure to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.

Web application firewalls

Web application firewalls (WAF) are used to protect most JobTeaser's public-facing applications or platform components. Here is the current status for the different components:

Technical review of applications after platform changes

Each source code change goes through several reviews:

Securing Development

Secure development environment

Platform development is undertaken on the local developer machines, with a Git versionning system. This system is hosted by GitHub, in private repositories. GitHub garantees an appropriate level of confidentiality, availability, integrity and traceability.

Testing

Test-data protection

For development and testing environments, an anonymised subset of production data is automatically created every day.

Third-Party relationships

Information Security in third-party relationships

Third-party identification

All third-parties used for the JobTeaser service are:

Addressing security within third-party agreements

The third-parties used for the JobTeaser service have been vetted by JobTeaser's CISO and CTO. They all comply with JobTeaser's security level.

JobTeaser is allowed to audit all its third-parties' services.

Third-party service delivery management

Managing changes to third-party services

If a change on a third-party service used by JobTeaser platform affects the security, JobTeaser will notify partners within a reasonable timeframe.

Confidentiality agreements

Regularly, a lawyer firm (ATIPIC) revises the confidentiality agreements of all third-parties involved in the JobTeaser service. The last audit was performed in june 2018.

Information security incident management

Reporting information security events

If a security incident occurs on the platform, JobTeaser will notify the competent authorities and its clients within a reasonable timeframe.

Response to information security incidents

In case of a system alert, events are escalated to our 24/7 operations and security monitoring third-party. Their employees are trained on security incident response processes, including communication channels and escalation paths.

Learning from information security incidents

All security incidents are recorded and analysed by the CISO. Action plans can result from this analysis.

Business Continuity

Planning information security continuity

A Business Continuity Plan is in the process of being formalized and will be reviewed every three years.

Implementing information security continuity

Redundancy

Critical components of the infrastructure, such as web servers, application servers and data-stores use clustered and redundancy ensures availability in case of a system failure. Our backup policy ensures our platform data is replicated in several geographical locations. Our replicated instances are configured according to our policy and their reliance is assured by AWS.

Disaster recovery

JobTeaser focuses on an infrastructure-as-code approach to infrastructure management, enabling a faster recovery in the event of a major disaster necessiting re-building the whole infrastructure.

Disaster Recovery Testing

All the platform and applications configuration is scripted. In the event of a disaster the operations team is able to restore the platform by deploying running configuration scripts.

Databases are restored automatically from their snapshots to a point in time at least 5 min from current time.

Availability of services

JobTeaser is committed to a 99.8% uptime of the platform's core features. The uptime is measured through the platform's monitoring system. An internal system-status service is used to trace incidents and provide an additional uptime measure. History about these uptimes can be shared with customers and partners on demand.

Data Privacy

Logical access

Some members of the technical team are given logical access to the platform's systems (servers and administration interfaces). The list of persons who are given this level of access is reviewed every 3 months. Accesses are revoked 48 business hours after the employee leaves the company, or earlier if necessary. Revocation can be done at any moment if necessary.

The Chief Technical Officer (CTO) is responsible for giving access to members of the technical team. He is responsible of the auditing and revocation of credentials as indicated before.

Transmission security

All communications with JobTeaser servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and JobTeaser applications is secure during transit.

Personal data of the students will not be transmitted on physical data carriers.

Personal data is only accessible to university administrators and partner recruiters through the application which is accessed on the internet, over an HTTPS secured connection.

Information Security Management

Governance

Information Security Policy (ISP)

JobTeaser has developed, with the help of security management experts, an Information Security Policy. It follows the structure and principles of the ISO-27001 information security standard. This policy has been shared, and made available to, all employees and contractors with access to JobTeaser information assets.

The Information Security Policy is reviewed and updated at least every 2 years to take account of changes in:

General management commitment

JobTeaser’s Information System (IS) is a critical resource enabling JobTeaser to pursue its activities and provide its service to its customers. Ensuring the security of the Information System is a vital step in meeting a number of crucial objectives for JobTeaser:

For this purpose, the General Management of JobTeaser commits to allocating the means and

resources in relation.

Security roles and organization

JobTeaser has defined the roles and organization for the management of Information Security.

Human resources

Hiring process controls

Skills and education are controlled for all hires during the hiring process. Past employment verifications are done for sensible positions.

Employee responsibility

All employees agree to the internal rules and chart of usage of information systems including security guidelines and mandatory practices.

Confidentiality agreements

JobTeaser's employment contract contain a Confidentiality and Non-Disclosure Agreement article.

Awareness and training

Regular awareness and training actions are addressed to all JobTeaser employees. These actions cover a large range of subjects, for example:

The on-boarding process includes an information security awareness training session.

Assets security

Physical security

Premises

JobTeaser premises are protected by individual identification badges and CCTV video-surveillance. Office gates are closed before 7am and after 10pm, and during weekends.

Network security

Protection

The internal network provided by JobTeaser to its employees is protected by an industry-standard firewall solution. All incoming traffic is forbidden by default.

Architecture

Several network areas have been defined to isolate the different roles of JobTeaser staff and networked devices. In particular, non-personal devices (such as printers) and BYOD personal devices are associated to a network area that is isolated from employee workstations.

Low-risk internal network strategy

Since most of JobTeaser employees should be able to work in mobility or remotely, the internal network used in JobTeaser office is limited to connectivity of workstations to internet and local utility devices (e.g. printers). No critical equipment is hosted on the local network.

This limits the risks related to network intrusions and reduce the corresponding security requirements.

Workstation security

Malware protection

All workstations are protected using an industry-standard malware protection solution.

Workstation encryption

All workstation hard-drives are fully encrypted.

Data protection

Mobile storage devices

Sensible data is encrypted when stored on mobile storage devices (e.g. USB keys).

Internal information systems security

Internal applications

Management of access privileges

New employees are given access to internal applications on their arrival on a need-to-know basis. Accesses are revoked when the employee leaves the company.

Accesses to sensible applications are regularly audited.

Password security

Awareness about password security has been risen among employees. The Information Security Policy defines the following password policy:

Whenever possible, the internal applications are configured to enforce these requirements.

JobTeaser collaborators are provided with a password management solution to improve password security. The solution enables the generation of complex passwords, limits the reuse of existing passwords, and enables secured sharing of passwords when needed.

Secured transport

All communications between JobTeaser's collaborators and internal application are encrypted via industry best-practices HTTPS and TLS over public networks.