Platform security
This section describes the security measures relating to the JobTeaser platform (JobTeaser.com website, Career Centers, Cockpit, and Explore).
Access Control
Access Control Policy
Access to data within the JobTeaser platform is governed by access rights. JobTeaser has various permission levels for users (student, recruiter, administrators, super-administrators, JobTeaser staff, etc.).
JobTeaser's approach to defining access privileges and roles is to provide pre-defined roles with the appropriate permissions covering the most common use cases and best practices. This keeps things simple to understand for the super-administrators (customers, partners or JobTeaser staff) who are responsible for granting access privileges to other users. It ensures that users are given the appropriate roles for their needs, which makes it possible to follow the least-privilege principle. Defining too many roles, or allowing too much granularity in the definition of privileges and roles, will generally lead to a lower security level, because administrators tend to grant broader privileges than necessary when the role configuration is complex.
Roles and permissions differ depending on the application. The main roles are described below.
JobTeaser and Career Centers
Student
- Authorized to navigate, for their own account, on the front-office side of the platform to use its features (access content, register for events or apply for jobs, manage their account and preferences...).
- Not authorized to access the back-office side of the platform.
Company administrators
Several administrator roles exist, providing different sets of privileges depending on the role of the company's collaborator:
- Recruiters are authorized to manage job applications and access the candidates' information.
- Company administrators can edit the company details.
- Super-administrators are allowed to create new accounts for company administrators.
School or university administrators
- Several roles exist for administrators, depending on their role in the school or university staff. Privileges, in particular access to student data, depend on the role.
- Super-administrators are also authorized to create school/university administrator users.
Cockpit/Explore
Several user roles are built into the application to enforce permissions on the operations that may be performed on application data. University administrators are given a specific role allowing them to access and manipulate data through specific features of the platform.
This role enables university administrators to access students' personal data through application features, as mentioned in the first section of this document. At the moment, no feature enables modifying or deleting personal data; only the users themselves can modify or delete their data.
User registration and de-registration
User registration and de-registration are up to the users and Career Center administrators. Upon registration, the user sets his/her password through a link sent to his/her email address. Upon de-registration, the user loses access to all the resources previously available.
The JobTeaser platform and applications all enforce the following password security policy:
- Minimal length is 8 characters;
- At least 1 character from 2 of the 4 following types must be included: lowercase letters, digits, uppercase letters, symbols.
In case of failed login attempts, measures are applied to prevent password brute-forcing: an exponential backoff delay is applied before the user is allowed to attempt to log in again after failed attempts.
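The password policy and the exponential backoff described above, as an added example in Ruby (this is not JobTeaser's code; the base delay of 1 second and the 5-minute cap are assumptions, since the page gives no figures):

```ruby
# Added example (not JobTeaser's code): checks the platform password policy
# described above and computes the exponential backoff delay applied after
# failed login attempts. The base delay and the cap are assumptions.

# Character classes named in the policy: lowercase, digits, uppercase, symbols.
CHARACTER_CLASSES = {
  lowercase: /[a-z]/,
  digit:     /[0-9]/,
  uppercase: /[A-Z]/,
  symbol:    /[^a-zA-Z0-9]/
}.freeze

MIN_LENGTH  = 8   # "Minimal length is 8 characters"
MIN_CLASSES = 2   # "at least 1 character from 2 of the 4 following types"

# Returns an array of policy violations; empty means the password is accepted.
def password_policy_violations(password)
  violations = []
  violations << "shorter than #{MIN_LENGTH} characters" if password.length < MIN_LENGTH
  present = CHARACTER_CLASSES.select { |_, re| password.match?(re) }.keys
  if present.size < MIN_CLASSES
    violations << "only #{present.size} of #{CHARACTER_CLASSES.size} character types present (need #{MIN_CLASSES})"
  end
  violations
end

def password_acceptable?(password)
  password_policy_violations(password).empty?
end

# Exponential backoff: the delay doubles with each consecutive failure and is
# capped, so the control cannot be turned into a permanent lockout of the
# legitimate user.
BASE_DELAY_SECONDS = 1    # assumption: 1 s after the first failure
MAX_DELAY_SECONDS  = 300  # assumption: cap at 5 minutes

def backoff_delay_seconds(consecutive_failures)
  return 0 if consecutive_failures <= 0
  [BASE_DELAY_SECONDS * 2**(consecutive_failures - 1), MAX_DELAY_SECONDS].min
end

# Minimal login throttle keyed per account: records failures and tells the
# caller how long to wait before a new attempt is accepted.
class LoginThrottle
  def initialize(clock = -> { Time.now })
    @clock = clock   # injectable so the behaviour can be tested without sleeping
    @state = Hash.new { |h, k| h[k] = { failures: 0, last_failure: nil } }
  end

  # Seconds remaining before the account may attempt to log in again (0 = now).
  def wait_seconds(account)
    s = @state[account]
    return 0 if s[:failures].zero?
    elapsed = @clock.call - s[:last_failure]
    [backoff_delay_seconds(s[:failures]) - elapsed, 0].max
  end

  def record_failure(account)
    s = @state[account]
    s[:failures] += 1
    s[:last_failure] = @clock.call
  end

  # A successful login resets the counter.
  def record_success(account)
    @state.delete(account)
  end
end
```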
Single sign-on (SSO) allows school and university partners to provide their users (students and staff) with a login solution that does not require them to enter additional credentials on the Career Center. In this case, the security of the user's credentials is managed by the partner instead of JobTeaser.
CAS and SAML are currently supported. The IDP will also support OpenID Connect.
User access provisioning
The administration interface for Career Center administrators allows them to provision users with the roles they need to assign to those users.
User authentication
For Career Centers, JobTeaser enables its school and university partners to set up an SSO integration for end users (students and administrators). Other types of users (e.g. company recruiters) are provided with the JobTeaser login (email and password credentials managed by JobTeaser).
For the JobTeaser website and other applications (e.g. Cockpit/Explore), users are only provided with the JobTeaser login authentication solution.
JobTeaser uses a central authentication solution (JobTeaser IDP - IDentity Provider) on its platform and applications. It supports the development of controls such as login attempt monitoring and 2-factor authentication. JobTeaser is currently developing 2-factor authentication and rolling it out for the authentication of its staff on the platform and applications.
Two-factor authentication (2FA)
Multi-factor authentication will be supported on the JobTeaser IDP during the year.
API security & authentication
Authentication to the platform is handled by the JobTeaser dedicated OpenID module. This module can act as an Identity Provider as well as a Service Provider, depending on the partner's needs.
Privileged access rights
JobTeaser administrators handle user registration and de-registration. Access rights are determined according to the user's functional role in the company.
Administration Interfaces access
Access to administration interfaces is encrypted via industry best-practice HTTPS and TLS over public networks.
Information access restriction
All partner information is segregated from other partners' information in the application.
Cryptography
Data
Data in transit
Communications between the platform users (students, customer or partner users and administrators, or JobTeaser administrators) and the platform are encrypted via industry best-practice HTTPS and TLS over public networks. Every three months, JobTeaser checks the relevance of its encryption through the SSL Labs API; any grade lower than "A" is handled as a security incident.
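The quarterly grade check described above, as an added Ruby example (not JobTeaser's code). The response is constructed to mimic the shape of an SSL Labs "analyze" result (host, status, endpoints with ipAddress/grade/statusMessage); that shape, and the decision that "A-" counts as lower than "A", are assumptions of this example.

```ruby
require 'json'

# Added example (not JobTeaser's code): evaluates an SSL Labs "analyze" result
# against the rule above: every endpoint must reach grade "A" or better,
# otherwise the host is flagged as a security incident.

# Grade order as used by SSL Labs, best first. Assumption: "A-" is treated as
# lower than "A" and therefore triggers an incident.
GRADE_ORDER = %w[A+ A A- B C D E F T M].freeze
MINIMUM_GRADE = "A"

def grade_rank(grade)
  rank = GRADE_ORDER.index(grade)
  rank.nil? ? GRADE_ORDER.size : rank   # an unknown grade sorts worst
end

def grade_meets_minimum?(grade)
  !grade.nil? && grade_rank(grade) <= grade_rank(MINIMUM_GRADE)
end

# Returns a hash describing the check: whether the result is an incident and
# which endpoints caused it. An assessment that is not READY is also treated
# as an incident, because "no grade" must never silently pass the check.
def evaluate_ssllabs_result(json_text)
  result = JSON.parse(json_text)
  unless result["status"] == "READY"
    return { host: result["host"], incident: true, failing: [],
             reason: "assessment status #{result['status'].inspect}" }
  end
  failing = Array(result["endpoints"]).reject { |ep| grade_meets_minimum?(ep["grade"]) }
  {
    host: result["host"],
    incident: !failing.empty?,
    failing: failing.map { |ep| { ip: ep["ipAddress"], grade: ep["grade"], message: ep["statusMessage"] } },
    reason: failing.empty? ? "all endpoints at #{MINIMUM_GRADE} or better" : "endpoint(s) below #{MINIMUM_GRADE}"
  }
end

# Constructed sample (assumed API shape): one endpoint at A+ and one that
# dropped to B, e.g. after a configuration change re-enabled a weak cipher suite.
SAMPLE_RESULT = <<~JSON
  {
    "host": "example.test",
    "status": "READY",
    "endpoints": [
      { "ipAddress": "192.0.2.10", "grade": "A+", "statusMessage": "Ready" },
      { "ipAddress": "192.0.2.11", "grade": "B",  "statusMessage": "Ready" }
    ]
  }
JSON

if __FILE__ == $PROGRAM_NAME
  report = evaluate_ssllabs_result(SAMPLE_RESULT)
  puts "#{report[:host]}: #{report[:incident] ? 'SECURITY INCIDENT' : 'ok'} (#{report[:reason]})"
  report[:failing].each { |ep| puts "  #{ep[:ip]} graded #{ep[:grade]}" }
end
```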
A few communications are sent through email and are inherently less protected. Only public information transits via this method of communication.
Data at rest
The AWS infrastructure ensures encryption at rest of all data-stores containing non-public information.
Secrets and keys
Secure credential storage
JobTeaser follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash. The current hash algorithm used for passwords is BCrypt.
Secrets Management
JobTeaser follows secure secrets management best practices during all the key management phases:
- Key generation
- Key storage
- Key use
- Key destruction
Physical and Environmental Security
Physical Perimeters and Location
Our platform is hosted in Amazon Web Services facilities, in the European Union region. All AWS data centers are in undisclosed locations, secured through all best practices in the field.
Production servers, networked devices, physical security, power, and internet connectivity are monitored by the facilities providers.
Physical access control
The AWS data center facilities feature a secured perimeter with multi-level security zones, 24/7 manned security, CCTV video surveillance, multifactor identification, physical locks, and security breach alarms.
AWS Certifications
In Europe, AWS holds the following certifications and attestations:
- CSA
- ISO 9001
- ISO 27001
- ISO 27017
- ISO 27018
- PCI DSS Level 1
- SOC 1
- SOC 2
- SOC 3
- C5 (Germany)
- Cyber Essentials Plus (UK)
- ENS High (Spain)
- G-Cloud (UK)
- IT-Grundschutz (Germany)
Our platform benefits from most of those certifications by being hosted in AWS facilities.
Protecting against external and environmental threats
JobTeaser servers are hosted in secured data center facilities. All facilities apply industry-standard security measures, including:
- fire detection and suppression;
- redundant power (including UPS and backup generators);
- climate and temperature control.
Operations Security
Operations Organisation
Operational procedures and responsibilities
Policies are in the process of being formalized. They record responsibilities associated with each domain. For now, only the following procedures are validated:
- Backup Policy
- Vulnerability Management Policy
No technical procedures will be written; they are all automated.
Technical-operational Measures
Environment segregation
Development, testing and pre-production environments are separated physically and logically from the production environment. Service data is used after anonymization to provision the pre-production environment, enabling realistic anonymous data to be used for more robust manual testing of changes. For development and testing environments, service data may be used after anonymization and subsetting (reduction of the dataset to a representative subset).
Backup
Our backup policy ensures that our platform data is replicated in several geographical locations. The replicated instances are configured to be reliable.
Log Management
Logging and Monitoring
JobTeaser uses application server logs which contain all user actions triggering an HTTP request to the application (e.g. loading a page, submitting a form, triggering background HTTP requests, …), as well as some associated data.
These logs include actions performed by administrative accounts.
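A review pass over application server logs of the kind described above, as an added Ruby example (not JobTeaser's code). The line format is constructed for this example; only the idea that every HTTP request is logged with the acting account and its role, and that failed logins are subject to backoff, comes from the text.

```ruby
require 'time'

# Added example (not JobTeaser's code): parses constructed application-log
# lines and extracts (a) state-changing actions by administrative accounts and
# (b) accounts showing bursts of failed logins.
LOG_LINE = /\A(?<time>\S+) account=(?<account>\S+) role=(?<role>\S+) (?<method>[A-Z]+) (?<path>\S+) (?<status>\d{3})\z/

LogEntry = Struct.new(:time, :account, :role, :method, :path, :status)

def parse_log_line(line)
  m = LOG_LINE.match(line.strip)
  return nil unless m
  LogEntry.new(Time.iso8601(m[:time]), m[:account], m[:role], m[:method], m[:path], m[:status].to_i)
end

# Unparseable lines are dropped rather than aborting the whole review.
def parse_log(text)
  text.each_line.map { |l| parse_log_line(l) }.compact
end

# Administrative accounts performing state-changing requests: the audit trail
# a reviewer wants to see first.
ADMIN_ROLES = %w[admin super_admin staff].freeze
def admin_write_actions(entries)
  entries.select { |e| ADMIN_ROLES.include?(e.role) && %w[POST PUT PATCH DELETE].include?(e.method) }
end

# Accounts with at least `threshold` failed logins (HTTP 401 on the login
# endpoint) inside `window` seconds: a brute-force indicator that the backoff
# control should already be slowing down. Returns { account => total failures }.
def failed_login_bursts(entries, threshold: 3, window: 60)
  failures = entries.select { |e| e.path == "/login" && e.method == "POST" && e.status == 401 }
  failures.group_by(&:account).map do |account, evs|
    times = evs.map(&:time).sort
    hit = times.each_cons(threshold).any? { |win| win.last - win.first <= window }
    [account, evs.size] if hit
  end.compact.to_h
end

# Constructed sample log (the last line is deliberately malformed).
SAMPLE_LOG = <<~LOG
  2024-01-15T10:00:01Z account=alice role=student GET /jobs 200
  2024-01-15T10:00:05Z account=mallet role=student POST /login 401
  2024-01-15T10:00:09Z account=mallet role=student POST /login 401
  2024-01-15T10:00:14Z account=mallet role=student POST /login 401
  2024-01-15T10:01:00Z account=bob role=student POST /login 401
  2024-01-15T10:30:00Z account=bob role=student POST /login 200
  2024-01-15T11:00:00Z account=carol role=admin DELETE /admin/users/42 204
  2024-01-15T11:05:00Z account=carol role=admin GET /admin/users 200
  this line is not a log entry
LOG

if __FILE__ == $PROGRAM_NAME
  entries = parse_log(SAMPLE_LOG)
  admin_write_actions(entries).each { |e| puts "admin action: #{e.account} #{e.method} #{e.path}" }
  failed_login_bursts(entries).each { |acct, n| puts "failed-login burst: #{acct} (#{n} failures)" }
end
```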
Clocks synchronisation
The platform servers are currently synchronized internally. We intend to switch to the Time Sync Service from AWS, which will allow us to be synchronized through NTP and smooth out leap seconds.
Technical Vulnerability Management
Dynamic vulnerability scanning
An automated web scanning appliance (by Qualys) is deployed on the JobTeaser pre-production environment. It alerts the CISO about vulnerabilities found before the platform is deployed. The CISO then ensures that the vulnerabilities are corrected.
Static code analysis
Static code analysis is run on each change to the source code through our Continuous Integration (CI) pipeline to identify and report potential security vulnerabilities.
Security penetration testing
JobTeaser regularly solicits a third-party security specialist to perform external penetration tests on different scopes of our platform and applications. The full scope of our public-facing products will be reviewed at least every 2 years.
Communications Security
Network Security Organisation
Architecture
Our network security architecture is built upon multiple security zones. Sensitive systems, like database servers, are protected in the most trusted zones, where only traffic coming from the internal network is authorized. Traffic between different zones is filtered using firewalls.
Segregation in networks
Our AWS infrastructure utilizes several AWS network security features to isolate our infrastructure from external traffic and filter any unauthorized traffic (AWS VPC - Virtual Private Cloud - and Security Groups - virtual stateful firewalls).
Logical access
Access to the JobTeaser production infrastructure is restricted to specific members of the Tech Team, following the least-privilege principle. By default, members of the Tech Team do not have access and must request it for a limited time frame. Employees accessing the production infrastructure are required to do so through the company VPN and to use multiple factors of authentication.
System acquisition, development and maintenance
Secure Development Policy
Secure development awareness
JobTeaser strongly encourages security awareness in its Technical Team through regular communications and staff awareness programs. A community of interest brings together members of the Tech Team twice a month to discuss and share good practices, information and resources, and to identify security actions to be led. Security articles and presentations are regularly shared within the team through internal communication channels and the bi-monthly Tech Sharing afternoons.
Security training
JobTeaser is currently evaluating options for a secure code training provided by third-party experts, covering the OWASP Top 10 security flaws and other common attack vectors.
System change control procedures
Web frameworks security controls
JobTeaser uses modern web frameworks (e.g. Ruby on Rails, Phoenix) and makes use of their security controls to limit exposure to the OWASP Top 10 security flaws. These include built-in controls that reduce our exposure to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.
Web application firewalls
Web application firewalls (WAF) are used to protect most of JobTeaser's public-facing applications and platform components. Here is the current status for the different components:
- JobTeaser website and Career Centers: protected with an advanced WAF integrated at application-level
- JobTeaser IDP (Identity Provider): protected with AWS WAF
- Cockpit/Explore: not protected
Technical review of applications after platform changes
Each source code change goes through several reviews:
- code review by another member of the development team;
- functional review and/or non-regression testing by the product manager or QA engineers.
Securing Development
Secure development environment
Platform development is undertaken on the local developer machines, with Git as the version control system. The repositories are hosted by GitHub, in private repositories. GitHub guarantees an appropriate level of confidentiality, availability, integrity and traceability.
Testing
Test-data protection
For development and testing environments, an anonymised subset of production data is automatically created every day.
Third-Party relationships
Information Security in third-party relationships
Third-party identification
All third-parties used for the JobTeaser service are:
| Third-Party | Description |
|---|---|
| Algolia | Search engine |
| Amazon Web Services | Cloud hosting |
| SendGrid | Email delivery service |
| Sqreen | Web Application Firewall within the source code |
| Zendesk | Customer service software |
| BugSnag | Software Error Management service |
Addressing security within third-party agreements
The third-parties used for the JobTeaser service have been vetted by JobTeaser's CISO and CTO. They all comply with JobTeaser's security level.
JobTeaser is allowed to audit all its third-parties' services.
Third-party service delivery management
Managing changes to third-party services
If a change to a third-party service used by the JobTeaser platform affects security, JobTeaser will notify partners within a reasonable timeframe.
Confidentiality agreements
A law firm (ATIPIC) regularly reviews the confidentiality agreements of all third parties involved in the JobTeaser service. The last audit was performed in June 2018.
Information security incident management
Reporting information security events
If a security incident occurs on the platform, JobTeaser will notify the competent authorities and its clients within a reasonable timeframe.
Response to information security incidents
In case of a system alert, events are escalated to our 24/7 operations and security monitoring third-party. Their employees are trained on security incident response processes, including communication channels and escalation paths.
Learning from information security incidents
All security incidents are recorded and analysed by the CISO. Action plans can result from this analysis.
Business Continuity
Planning information security continuity
A Business Continuity Plan is in the process of being formalized and will be reviewed every three years.
Implementing information security continuity
Redundancy
Critical components of the infrastructure, such as web servers, application servers and data stores, are clustered, and this redundancy ensures availability in case of a system failure. Our backup policy ensures that our platform data is replicated in several geographical locations. Our replicated instances are configured according to our policy and their reliability is assured by AWS.
Disaster recovery
JobTeaser focuses on an infrastructure-as-code approach to infrastructure management, enabling faster recovery in the event of a major disaster requiring the whole infrastructure to be rebuilt.
Disaster Recovery Testing
All of the platform and application configuration is scripted. In the event of a disaster, the operations team is able to restore the platform by running the configuration scripts.
Databases are restored automatically from their snapshots to a point in time at least 5 minutes from the current time.
Availability of services
JobTeaser is committed to a 99.8% uptime of the platform's core features. The uptime is measured through the platform's monitoring system. An internal system-status service is used to trace incidents and provide an additional uptime measure. History about these uptimes can be shared with customers and partners on demand.
Data Protection
This section describes the security measures relating to data protection at JobTeaser.
Data Privacy
Logical access
Some members of the technical team are given logical access to the platform's systems (servers and administration interfaces). The list of persons who are given this level of access is reviewed every 3 months. Accesses are revoked 48 business hours after the employee leaves the company, or earlier if necessary. Revocation can be done at any moment if necessary.
The Chief Technical Officer (CTO) is responsible for granting access to members of the technical team. He is responsible for the auditing and revocation of credentials as indicated above.
Transmission security
All communications with JobTeaser servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and JobTeaser applications is secure during transit.
Personal data of the students will not be transmitted on physical data carriers.
Personal data is only accessible to university administrators and partner recruiters through the application which is accessed on the internet, over an HTTPS secured connection.
Internal and Operational Security
This section describes the security measures put in place internally in JobTeaser's company organization and processes. They apply to all employees, unless specified otherwise.
Information Security Management
Governance
Information Security Policy (ISP)
JobTeaser has developed, with the help of security management experts, an Information Security Policy. It follows the structure and principles of the ISO-27001 information security standard. This policy has been shared, and made available to, all employees and contractors with access to JobTeaser information assets.
The Information Security Policy is reviewed and updated at least every 2 years to take account of changes in:
- the regulatory, organizational or technical context;
- the expectations of JobTeaser's users, customers and partners;
- internal security requirements;
- new threats and vulnerabilities that may apply to JobTeaser's information systems.
General management commitment
JobTeaser’s Information System (IS) is a critical resource enabling JobTeaser to pursue its activities and provide its service to its customers. Ensuring the security of the Information System is a vital step in meeting a number of crucial objectives for JobTeaser:
- Guarantee the confidentiality and integrity of the data users, customers and partners entrust JobTeaser with, and in particular their personal data;
- Ensure the continuity of the services offered to its customers and partners, in particular, the JobTeaser.com website, the Career Center platforms as well as all the other web applications provided by JobTeaser;
- Establish and maintain strong trust between JobTeaser and its partners and customers, by communicating and respecting its commitments regarding the protection of their data;
- Guarantee the confidentiality and the integrity of its collaborators' personal data;
- Respond to regulatory and legal requirements and constraints, in France and internationally;
- Ensure the continuity of JobTeaser’s activities.
For this purpose, the General Management of JobTeaser commits to allocating the corresponding means and resources.
Security roles and organization
JobTeaser has defined the roles and organization for the management of Information Security.
- The Chief Information Security Officer is responsible for defining and updating the policy and for controlling its implementation;
- The Information Security Committee reviews the security policy and its implementation at a strategic level every quarter;
- The Technical Team actively contributes to the implementation of security measures through technical means;
- The Security Guild is an internal community of interest focused on security and supporting transversal security actions throughout JobTeaser.
Human resources
Hiring process controls
Skills and education are verified for all hires during the hiring process. Past employment verifications are done for sensitive positions.
Employee responsibility
All employees agree to the internal rules and the information systems usage charter, including security guidelines and mandatory practices.
Confidentiality agreements
JobTeaser's employment contracts contain a Confidentiality and Non-Disclosure Agreement article.
Awareness and training
Regular awareness and training actions are addressed to all JobTeaser employees. These actions cover a large range of subjects, for example:
- general security good practices (e.g. when browsing the web);
- workstation security;
- management of sensitive information;
- awareness of attack vectors (phishing, malware, etc.).
The on-boarding process includes an information security awareness training session.
Assets security
Physical security
Premises
JobTeaser premises are protected by individual identification badges and CCTV video-surveillance. Office gates are closed before 7am and after 10pm, and during weekends.
Network security
Protection
The internal network provided by JobTeaser to its employees is protected by an industry-standard firewall solution. All incoming traffic is forbidden by default.
Architecture
Several network areas have been defined to isolate the different roles of JobTeaser staff and networked devices. In particular, non-personal devices (such as printers) and BYOD personal devices are assigned to a network area that is isolated from employee workstations.
Low-risk internal network strategy
Since most JobTeaser employees should be able to work on the move or remotely, the internal network used in the JobTeaser office is limited to providing workstations with connectivity to the internet and to local utility devices (e.g. printers). No critical equipment is hosted on the local network.
This limits the risks related to network intrusions and reduces the corresponding security requirements.
Workstation security
Malware protection
All workstations are protected using an industry-standard malware protection solution.
Workstation encryption
All workstation hard-drives are fully encrypted.
Data protection
Mobile storage devices
Sensitive data is encrypted when stored on mobile storage devices (e.g. USB keys).
Internal information systems security
Internal applications
Management of access privileges
New employees are given access to internal applications on their arrival on a need-to-know basis. Accesses are revoked when the employee leaves the company.
Access to sensitive applications is regularly audited.
Password security
Awareness of password security has been raised among employees. The Information Security Policy defines the following password policy:
- Minimum length of 8 characters;
- At least 3 of the following types of characters: digits, uppercase letters, or symbols.
Whenever possible, the internal applications are configured to enforce these requirements.
JobTeaser collaborators are provided with a password management solution to improve password security. The solution enables the generation of complex passwords, limits the reuse of existing passwords, and enables secured sharing of passwords when needed.
Secured transport
All communications between JobTeaser's collaborators and internal applications are encrypted via industry best-practice HTTPS and TLS over public networks.