Platform security

This section describes the security measures relating to the JobTeaser platform (the JobTeaser.com website and the Career Centers).

Access control

Access Control Policy

Access to data within JobTeaser platform is governed by access rights. JobTeaser has various permission levels for users (student, recruiter, administrators, super-administrators, JobTeaser staff, etc.).

JobTeaser's approach to defining access privileges and roles is to provide pre-defined roles with the appropriate permissions, covering the most common use cases and best practices. This keeps the model simple to understand for the super-administrators (customers, partners or JobTeaser staff) who are responsible for granting access privileges to other users, so that users receive roles fitting their needs, in line with the least-privilege principle. Defining too many roles, or allowing too much granularity in privilege definition, generally leads to a lower security level, because administrators tend to grant broader privileges than necessary when the role configuration is complex.

Roles and permissions differ depending on the application. The main roles are described below.

JobTeaser and the Career Centers

Students

  • Authorized to use the front-office side of the platform for their own account (access content, register for events, apply for jobs, manage their account and preferences, etc.).
  • Not authorized to access the back-office side of the platform.

Company administrators

Several roles exist for company administrators, each providing a different set of privileges depending on the collaborator's function in the company:

  • Recruiters are authorized to manage job applications and access the candidates' information.
  • Administrators can edit the company details.
  • Super-administrators are allowed to create new members within the company.

School or university administrators

Several roles exist for administrators, depending on their function within the school or university staff. Privileges, in particular access to student data, depend on the role.

  • Super-administrators can create school/university administrator users
  • Administrators can access all modules in the school/university back-office
  • Content managers have access to the Companies, Offers, Events, Newsletter and Resources modules
  • Company content managers have access to the Events, Newsletter and Resources modules
  • School content managers have access to the Events, Newsletter and Resources modules
  • Career advisers have access to the Users and Appointments modules
  • Company relationship officers have access to the Company, Offers, Events and Talent Banks modules

User registration and de-registration

User registration and de-registration is handled by the users themselves and by Career Center administrators. Upon registration, the user sets their password through a link sent to their email address. Upon de-registration, the user loses access to all resources previously available.

The JobTeaser platform and applications all enforce the following password policy:

  • Minimum length is 8 characters;
  • Characters from at least 2 of the following 4 types must be included: lowercase letters, uppercase letters, digits, symbols.

After failed login attempts, an exponential backoff delay is inserted before the user is allowed to try again.
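The two rules above and the back-off are small enough to show end to end. The following is an added example, not JobTeaser's code: it checks a candidate password against the stated policy and applies a per-account exponential back-off after failed logins. Only the two policy rules come from the page; the delay base, the cap and the treatment of whitespace as a symbol are assumptions made for the example.

```python
"""Added example (not JobTeaser's code): platform password policy check and
exponential back-off on failed logins. Delay base/cap are assumptions."""

MIN_LENGTH = 8
MIN_CLASSES = 2                 # page: characters from 2 of the 4 classes
BASE_DELAY = 1.0                # assumed: delay after the first failure, seconds
MAX_DELAY = 15 * 60.0           # assumed: cap so the delay cannot grow without bound


def character_classes(password: str) -> set:
    """Return which of the four classes (lower, upper, digit, symbol) appear."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")  # assumption: anything else counts as a symbol
    return classes


def password_meets_policy(password: str) -> bool:
    """Minimum length and at least MIN_CLASSES distinct character classes."""
    return len(password) >= MIN_LENGTH and len(character_classes(password)) >= MIN_CLASSES


class LoginThrottle:
    """Per-account exponential back-off: after n consecutive failures the next
    attempt is refused until BASE_DELAY * 2**(n-1) seconds (capped) have passed
    since the last failure. Timestamps are passed in so the logic is testable."""

    def __init__(self, base: float = BASE_DELAY, cap: float = MAX_DELAY):
        self.base = base
        self.cap = cap
        self._state = {}  # account -> (consecutive_failures, last_failure_time)

    def required_delay(self, account: str) -> float:
        failures, _ = self._state.get(account, (0, 0.0))
        if failures == 0:
            return 0.0
        return min(self.base * 2 ** (failures - 1), self.cap)

    def attempt_allowed(self, account: str, now: float) -> bool:
        _, last = self._state.get(account, (0, 0.0))
        return now - last >= self.required_delay(account)

    def record_failure(self, account: str, now: float) -> None:
        failures, _ = self._state.get(account, (0, 0.0))
        self._state[account] = (failures + 1, now)

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)


def login(throttle: LoginThrottle, account: str, password_ok: bool, now: float) -> str:
    """Outcome of one attempt: 'throttled', 'failed' or 'ok'. The throttle is
    consulted before the credential is checked, so a throttled attempt reveals
    nothing about the password."""
    if not throttle.attempt_allowed(account, now):
        return "throttled"
    if not password_ok:
        throttle.record_failure(account, now)
        return "failed"
    throttle.record_success(account)
    return "ok"
```

Note the trade-off the cap addresses: a purely per-account back-off lets an attacker who knows a victim's login keep that account throttled by failing on purpose, so in practice the per-account delay stays bounded and is combined with per-source-IP throttling.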

Single sign-on (SSO) allows school and university partners to provide their users (students and staff) with a login that does not require them to enter additional credentials on the Career Center. In this case, the security of the user's credentials is managed by the partner rather than by JobTeaser.
CAS and SAMLv2 are currently supported; the IDP will also support OpenID Connect.

User Access Provisioning

The administration interface for Career Center administrators lets them provision users with the roles those users need.

Review of user access rights

User access rights are reviewed regularly.

User Authentication

For Career Centers, JobTeaser enables its school and university partners to set up an SSO integration for end users (students and administrators). Other types of users (e.g. company recruiters) use the JobTeaser login (email and password credentials managed by JobTeaser).

JobTeaser uses a central authentication solution (the JobTeaser IDP, Identity Provider) across its platform and applications. It supports the development of controls such as connection-attempt monitoring and two-factor authentication.

Two-factor authentication (2FA)

JobTeaser is currently developing 2-factor authentication and rolling it out for the authentication of its staff on the platform and applications. It will be supported on the JobTeaser IDP during the year for the other users.

API Security & Authentication

Authentication to the platform is processed through JobTeaser's dedicated OpenID module. This module can act as an Identity Provider or as a Service Provider, depending on the partner's needs.

Privileged Access Rights

JobTeaser administrators handle user registration and de-registration. Access rights are determined according to the user's functional role in the company.

Administration Interfaces access

Access to administration interfaces is encrypted over public networks using HTTPS and TLS, following industry best practices.

Information access restriction

All partner information is segregated from other partners information in the application.

Cryptography

Data

Data in transit

Communications between platform users (students, customer or partner users and administrators, JobTeaser administrators) and the platform are encrypted over public networks using HTTPS and TLS, following industry best practices. Every three months, JobTeaser checks the strength of its TLS configuration through the SSL Labs API; any grade lower than "A" is handled as a security incident.
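The quarterly rule ("any grade lower than A is an incident") is easy to get subtly wrong: a host has several endpoints, an endpoint that failed to scan has no grade at all, and "A-" is a distinct grade below "A". The following is an added example, not JobTeaser's tooling: it applies that rule to an SSL Labs analyze report. The report is a constructed sample in the shape of the api.ssllabs.com /api/v3/analyze JSON response so the check runs offline; a real run would fetch that endpoint over the network. Treating "A-" as below "A" is an assumption about the page's intent.

```python
"""Added example (not JobTeaser's tooling): evaluate an SSL Labs report
against a minimum grade. SAMPLE_REPORT is constructed, not real scan data."""
import json

# SSL Labs grades from best to worst; T (trust issues) and M (name mismatch)
# are failing grades whatever the protocol configuration looks like.
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]

# Constructed sample in the shape of /api/v3/analyze?host=...&all=done (TEST-NET IPs).
SAMPLE_REPORT = json.loads("""
{
  "host": "example.com",
  "status": "READY",
  "endpoints": [
    {"ipAddress": "203.0.113.10", "grade": "A+", "statusMessage": "Ready"},
    {"ipAddress": "203.0.113.11", "grade": "B",  "statusMessage": "Ready"},
    {"ipAddress": "203.0.113.12", "statusMessage": "Unable to connect to the server"}
  ]
}
""")


def grade_rank(grade):
    """Lower rank is better; unknown or missing grades rank worst."""
    return GRADE_ORDER.index(grade) if grade in GRADE_ORDER else len(GRADE_ORDER)


def failing_endpoints(report, minimum="A"):
    """Return (ip, grade_or_None, message) for every endpoint worse than `minimum`.
    A report that is not READY is rejected rather than read partially, and an
    endpoint without a grade (scan error) is reported: an unscanned endpoint is
    not evidence of an 'A'."""
    if report.get("status") != "READY":
        raise ValueError("report not finished: status=%s" % report.get("status"))
    threshold = grade_rank(minimum)
    failing = []
    for endpoint in report.get("endpoints", []):
        grade = endpoint.get("grade")
        if grade_rank(grade) > threshold:
            failing.append((endpoint.get("ipAddress"), grade, endpoint.get("statusMessage")))
    return failing


def should_raise_incident(report, minimum="A"):
    """The page's rule: any endpoint below the minimum grade opens an incident."""
    return bool(failing_endpoints(report, minimum))
```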

A few communications are sent through email and are inherently less protected. Only public information transits via this method of communication.

Data at rest

The AWS infrastructure ensures encryption at rest of all data-stores containing non-public information.

Secrets and Keys

Secrets Storage

All the keys and other secrets used within the application are stored securely following industry best-practices.

JobTeaser follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash. The current hash algorithm used for passwords is BCrypt.
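The shape of a "salted, one-way hash" store matters more than the algorithm name: a fresh random salt per password, the cost parameter recorded alongside the hash so it can be raised later, and a constant-time comparison on verification. The following is an added example, not JobTeaser's code. The page says the platform uses bcrypt; bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in here to show the same structure. The record format "$pbkdf2-sha256$iterations$salt$hash" is an assumption for this example.

```python
"""Added example (not JobTeaser's code): salted one-way password storage with
constant-time verification. PBKDF2 stands in for bcrypt (third-party in Python)."""
import base64
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 600_000   # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS, salt: bytes = None) -> str:
    """Hash with a fresh random salt. The record carries the cost and salt so
    verification keeps working after DEFAULT_ITERATIONS is raised."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time.
    A malformed record verifies as False rather than raising."""
    try:
        _, scheme, iterations, salt_b64, digest_b64 = record.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored cost is below the current target; the application
    rehashes at the next successful login, when it has the plaintext."""
    parts = record.split("$")
    return len(parts) != 5 or parts[1] != "pbkdf2-sha256" or int(parts[2]) < iterations
```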

Secrets Management

JobTeaser follows secure secrets management best practices during all the key management phases:

  • Key generation
  • Key storage
  • Key use
  • Key destruction

Physical and Environmental Security

Physical Perimeters and Location

Our platform is hosted in Amazon Web Services facilities, in the European Union region. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Physical access control

The AWS data center facilities feature a secured perimeter with multi-level security zones, 24/7 manned security, CCTV video surveillance, multifactor identification, physical locks, and security breach alarms.

AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.

Protecting against external and environmental threats

Fire Detection and Suppression

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

Power

The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate and Temperature

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Management

AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.

Storage Device Decommissioning

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process.

Operations Security

Operations Organisation

Operational procedures and responsibilities

Policies are in the process of being formalized. They record the responsibilities associated with each domain. For now, only the following procedures have been validated:

  • Backup Policy
  • Vulnerability Management Policy

No manual technical procedures are written, because the corresponding operations are all automated.

Change Management

JobTeaser's development cycle is based on Scrum, an Agile framework. Agile is a project management approach that breaks projects into short, iterative cycles called "sprints". At its core, Agile assumes that circumstances change as a project develops, which is why, in an Agile project, the planning, design, development and testing cycles are never finished: they keep evolving as the project takes form. Change management is directly integrated within this process.

Technical-operational Measures

Environment separation

Development, testing and pre-production environments are separated physically and logically from the production environment. Service data is used after anonymization to provision the pre-production environment, so that realistic anonymous data is available for more robust manual testing of changes. For development and testing environments, service data may be used after anonymization and subsetting (reduction of the dataset to a representative subset).

Protection from malware

Servers are protected from malware.

Backups

Our backup policy ensures that platform data is replicated in several geographical locations (within the West Europe region). The replica instances are configured according to our policy and are reliable. Our production databases are backed up every day, and those backups are kept for 7 days.

Log Management

Logging and Monitoring

JobTeaser uses application server logs which contain all user actions triggering an HTTP request to the application (e.g. loading a page, submitting a form, triggering background HTTP requests, …), as well as some associated data.

These logs include actions performed by administrative accounts.

Logs protection

Access to the logs is restricted to certain members of the technical team.

Clocks synchronisation

The platform servers are currently synchronized internally. We intend to switch to the Time Sync Service from AWS, which will allow us to be synchronized through NTP and smooth out leap seconds.

Analysis and log correlation

Analysis and correlation of our logs is done through Kibana and scripts. It can also be done manually for specific issues.
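Two queries that the logging described above (every user action that triggers an HTTP request, including actions by administrative accounts) makes possible are "which sources are brute-forcing the login form" and "what did administrators change". The following is an added example, not JobTeaser's scripts or log format: it parses a constructed key=value request log (the real application server format is not shown on the page), flags source IPs with a burst of failed logins inside a sliding window, and extracts state-changing requests made under an administrative role.

```python
"""Added example (not JobTeaser's scripts): detection over constructed
application-server request logs. Format, IPs and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (TEST-NET addresses), one request per line.
LOG_LINES = """\
2024-05-02T10:00:01Z ip=198.51.100.7 user=- role=- method=POST path=/login status=401
2024-05-02T10:00:03Z ip=198.51.100.7 user=- role=- method=POST path=/login status=401
2024-05-02T10:00:05Z ip=198.51.100.7 user=- role=- method=POST path=/login status=401
2024-05-02T10:00:06Z ip=203.0.113.5 user=- role=- method=POST path=/login status=401
2024-05-02T10:00:08Z ip=198.51.100.7 user=- role=- method=POST path=/login status=401
2024-05-02T10:00:09Z ip=203.0.113.5 user=admin42 role=admin method=POST path=/login status=302
2024-05-02T10:00:10Z ip=198.51.100.7 user=- role=- method=POST path=/login status=401
2024-05-02T10:00:12Z ip=203.0.113.5 user=admin42 role=admin method=GET path=/admin/users status=200
2024-05-02T10:00:15Z ip=203.0.113.5 user=admin42 role=admin method=DELETE path=/admin/users/17 status=200
2024-05-02T10:01:40Z ip=198.51.100.7 user=- role=- method=POST path=/login status=401
2024-05-02T10:02:00Z ip=192.0.2.44 user=student9 role=student method=GET path=/jobs status=200
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<fields>.+)$")


def parse_line(line):
    """Parse one line into a dict, or None if it does not fit the format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    try:
        fields = dict(kv.split("=", 1) for kv in match.group("fields").split())
        return {
            "ts": datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": fields["ip"], "user": fields["user"], "role": fields["role"],
            "method": fields["method"], "path": fields["path"], "status": int(fields["status"]),
        }
    except (ValueError, KeyError):
        return None


def failed_login_bursts(entries, threshold=5, window=60):
    """Map source IP -> largest number of failed logins (POST /login -> 401)
    seen inside any `window`-second sliding window, for IPs at or above
    `threshold`. Two-pointer sweep over the sorted timestamps per IP."""
    by_ip = defaultdict(list)
    for entry in entries:
        if entry["method"] == "POST" and entry["path"] == "/login" and entry["status"] == 401:
            by_ip[entry["ip"]].append(entry["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def admin_actions(entries):
    """(user, method, path) for every non-GET request made under the admin role:
    the state-changing actions an access review wants to see."""
    return [(e["user"], e["method"], e["path"])
            for e in entries if e["role"] == "admin" and e["method"] != "GET"]
```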

Technical Vulnerability Management

Vulnerability scanning

An automated web scanning appliance (Qualys) is deployed on the JobTeaser pre-production environment. It alerts the CISO to vulnerabilities found before the platform is deployed; the CISO then ensures that the vulnerabilities are corrected. The scan is launched every day.

An automated vulnerability scanner (Dependabot) also runs every day to discover vulnerabilities in the dependencies of the JobTeaser code.

Static code analysis


Penetration testing

JobTeaser regularly solicits a security-specialist third party to perform external penetration tests on different scopes of our platform and applications. The full scope of our public-facing products is reviewed at least every 2 years.

Responsible disclosure

Any responsible disclosure of a vulnerability found on the platform will be handled within a reasonable time period. Whether the vulnerability is a published CVE or an original finding, its classification is based on its CVSS score.

Vulnerabilities are classified as follows:

  • Below 5: Low
  • From 5 to below 8: Medium
  • From 8 to below 9: High
  • 9 or above: Critical

These bands are JobTeaser's own and differ from the CVSS v3 qualitative rating scale (Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0): a finding that CVSS itself rates High (7.0 to 7.9) falls in JobTeaser's Medium band.

The allotted time to fix a vulnerability is determined by its classification.

Communications Security

Network Security Organisation

Architecture

Our network security architecture is built upon multiple security zones. Sensitive systems, like database servers, are protected in the most trusted zones, where only traffic coming from the internal network is authorized. Traffic between different zones is filtered using firewalls.

Segregation in networks

Our AWS infrastructure utilizes several AWS network security features to isolate our infrastructure from external traffic and filter any unauthorized traffic (AWS VPC - Virtual Private Cloud - and Security Groups - virtual stateful firewalls).
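The zoning rule stated above (database servers in the most trusted zone, reachable only from the internal network, with Security Groups doing the filtering) is the kind of invariant worth checking mechanically, because one wide ingress rule silently undoes it. The following is an added example, not JobTeaser's configuration or tooling: it walks security groups in the shape of the EC2 DescribeSecurityGroups "IpPermissions" structure and reports ingress rules on protected groups whose source is a CIDR outside the VPC. The groups, VPC CIDR, group ids and ports are constructed assumptions; IPv6 ranges are left out for brevity.

```python
"""Added example (not JobTeaser's code): find ingress rules on trusted-zone
security groups that admit traffic from outside the VPC. Sample data is
constructed in the DescribeSecurityGroups IpPermissions shape."""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed internal network
PROTECTED_GROUPS = {"sg-db"}                      # assumed: groups in the most trusted zone

SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        # correct: only the application tier's group may reach PostgreSQL
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        # correct: a subnet inside the VPC
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
        # misconfiguration: the public internet can reach the database port
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # misconfiguration: every protocol from a range outside the VPC
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.0.2.0/24"}], "UserIdGroupPairs": []},
    ]},
]


def describe_ports(rule):
    """'-1' is the EC2 wildcard for all protocols and ports."""
    if rule.get("IpProtocol") == "-1":
        return "all"
    return "%s/%s-%s" % (rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort"))


def external_ingress(groups, protected=PROTECTED_GROUPS, vpc_cidr=VPC_CIDR):
    """Return (group_id, ports, source_cidr) for each ingress rule on a protected
    group whose CIDR source is not contained in the VPC. Sources expressed as
    another security group (UserIdGroupPairs) are accepted: they can only match
    instances inside the VPC by construction."""
    findings = []
    for group in groups:
        if group["GroupId"] not in protected:
            continue
        for rule in group.get("IpPermissions", []):
            for ip_range in rule.get("IpRanges", []):
                cidr = ipaddress.ip_network(ip_range["CidrIp"])
                if not cidr.subnet_of(vpc_cidr):
                    findings.append((group["GroupId"], describe_ports(rule), ip_range["CidrIp"]))
    return findings
```

Run against the sample, the two misconfigured rules are reported and the web tier's public 443 rule is not, since sg-web is not a protected group.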

Logical access

Access to the JobTeaser production infrastructure is restricted to specific members of the Tech Team, following the least-privilege principle. By default, members of the Tech Team have no access and must request it for a limited time window. Employees accessing the production infrastructure must do so through the company VPN and with multi-factor authentication.

Network monitoring

Network monitoring on our AWS infrastructure is handled through our global infrastructure monitoring.

Technical Network Security

Network vulnerability scanning

No network vulnerability scanner is put in place yet.

Intrusion detection and prevention

Intrusion detection and prevention appliances are installed on the infrastructure.

Threat intelligence program

No threat intelligence program has been designed on the platform.

DDoS mitigation

A DDoS mitigation infrastructure will be put in place on the platform in a few months.

System acquisition, development and maintenance

Secure Development

Secure development awareness

JobTeaser strongly encourages security awareness in its Technical Team through regular communications and staff awareness programs. A community of interest brings together members of the Tech Team twice a month to discuss and share good practices, information and resources, and to identify security actions to be led. Security articles and presentations are regularly shared within the team through internal communication channels and the bi-monthly Tech Sharing afternoons.

Secure Development Training

JobTeaser is currently evaluating options for a secure code training provided by third-party experts, covering the OWASP Top 10 security flaws and other common attack vectors.

Secure development environment

Platform development is undertaken on local developer machines, with Git as the version control system. Repositories are hosted by GitHub as private repositories. GitHub guarantees an appropriate level of confidentiality, availability, integrity and traceability.

Outsourced development

JobTeaser's subcontractors have received secure development training. External developers have limited access rights to JobTeaser's Git repositories, according to the least-privilege principle.

System change control procedures

Web frameworks security controls

JobTeaser uses modern web frameworks (e.g. Ruby on Rails, Phoenix) and relies on their built-in security controls to limit exposure to the OWASP Top 10 security flaws. These include inherent controls that reduce exposure to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL Injection (SQLi), among others.

Web application firewalls

Web application firewalls (WAF) are used to protect most of JobTeaser's public-facing applications and platform components. Current status per component:

  • JobTeaser website and Career Centers: protected with an advanced WAF integrated at application-level
  • JobTeaser IDP (Identity Provider): protected with AWS WAF

Technical review of applications after platform changes

Each source code change goes through several reviews:

  • code review by two other members of the development team;
  • functional review and/or non-regression testing by the product manager or QA engineers.

Test-data protection

For development and testing environments, an anonymised subset of production data is automatically created every day.

Third-Party relationships

Information Security in third-party relationships

Third-party identification

All third parties used for the JobTeaser service are listed below:

Third-party            Description
Algolia                Search engine
Amazon Web Services    Cloud hosting
SendGrid               Email delivery service
Sqreen                 Web application firewall integrated in the source code
Zendesk                Customer service software
BugSnag                Software error management service
New Relic              Software error management service
Google Analytics       Web tracking
Google Tag Manager     Web tracking
YouTube                Video player
JWPlayer               Video player
Pubble                 Live chat service

Addressing security within third-party agreements

The third parties used for the JobTeaser service have been vetted by JobTeaser's CISO and CTO. They all comply with JobTeaser's security level. JobTeaser is entitled to audit all of its third-party services.


Monitoring and review of third-party services

Third-party services are reviewed before contractualization.

Managing changes to third-party services

If a change on a third-party service used by JobTeaser platform affects the security, JobTeaser will notify partners within a reasonable timeframe.

Confidentiality agreements

Regularly, a law firm (ATIPIC) reviews the confidentiality agreements of all third parties involved in the JobTeaser service. The last review was performed in June 2018.

Information security incident management

Responsibilities and procedures

Security incident management is the responsibility of the Chief Information Security Officer. Crisis management is the responsibility of the Chief Technical Officer. In practice, a security incident is handled the same way as a production incident: a task force is assigned to fix the problem and regular status reports are publicly available on status.jobteaser.com.

Reporting information security events

If a security incident occurs on the platform, JobTeaser will notify the competent authorities and its impacted clients within a reasonable timeframe.

Assessment of and decision on information security events

Classification of an incident is done by the task force assigned to the incident. Major decisions are approved either by the CISO or the CTO.

Response to information security incidents

In case of a system alert, events are escalated to our 24/7 operations and security monitoring third-party. Their employees are trained on security incident response processes, including communication channels and escalation paths.

Learning from information security incidents

All security incidents are recorded and analysed by the CISO. Action plans can result from this analysis.

Collection of evidence

If a collection of evidence is necessary for judicial reasons, JobTeaser will hire a specialized third-party to do it.

Business Continuity

Business Continuity Plan

A Business Continuity Plan (BCP) is in the process of being formalized and will be reviewed every three years.

JobTeaser's continuity plan hinges on the availability guaranteed by AWS: all data centers are online and serving customers; no data center is "cold". In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure there is sufficient capacity for traffic to be load-balanced to the remaining sites automatically.

Implementing information security continuity

Redundancy

Critical components of the infrastructure, such as web servers, application servers and data stores, are clustered and redundant, which ensures availability in case of a system failure. Our backup policy ensures that platform data is replicated in several geographical locations. Our replicated instances are configured according to our policy and their reliability is assured by AWS.

Disaster recovery

JobTeaser follows an infrastructure-as-code approach to infrastructure management, enabling faster recovery in the event of a major disaster that requires rebuilding the whole infrastructure.

Disaster Recovery Testing

The configuration of the whole infrastructure and of all applications is scripted. In the event of a disaster, the operations team can restore the platform by running these configuration scripts. Databases are restored automatically from their snapshots to a point in time at most 5 minutes before the disaster. Because the same scripts are used in day-to-day operations, they are exercised continuously.

Availability of services

JobTeaser is committed to a 99.8% uptime of the platform's core features. The uptime is measured through the platform's monitoring system. An internal system-status service is used to trace incidents and provide an additional uptime measure. History about these uptimes can be shared with customers and partners on demand.

Compliance

Security compliance

ISO 27001

For now, JobTeaser is not ISO 27001 certified. However, JobTeaser follows ISO 27002 guidelines in implementing its security.

AWS Certifications

AWS holds the following certifications relevant in Europe:

  • CSA
  • ISO 9001
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • PCI DSS Level 1
  • SOC 1
  • SOC 2
  • SOC 3
  • C5 (Germany)
  • Cyber Essentials Plus (United Kingdom)
  • ENS High (Spain)
  • G-Cloud (United Kingdom)
  • IT-Grundschutz (Germany)

These certifications apply to this platform because it is hosted in AWS locations.

Privacy compliance

GDPR

JobTeaser's offices are in France, so JobTeaser must comply with the GDPR. For more information on privacy, see our privacy policy (https://www.jobteaser.com/fr/about/privacy-policy).

Memberships

AFCDP

JobTeaser's French DPO is a member of the French association of data protection correspondents (AFCDP).

Other security measures

Destruction of data storage mediums

Physical destruction of data storage mediums is handled by our hosting provider: AWS.

Patch management

Patch management is handled through our infrastructure upgrade policy. Our goal is to never have to patch anything by being permanently up-to-date on our infrastructure systems.

Data Protection

This section describes the security measures relative to data protection at JobTeaser.

Data Privacy

Logical access

Some members of the technical team are given logical access to the platform's systems (servers and administration interfaces). The list of persons with this level of access is reviewed every 3 months. These accesses are granted through the infrastructure-as-code system in place at JobTeaser. Revocation can be done at any moment if necessary, through a change in the code dedicated to this access.

The leader of the infrastructure team is responsible for granting and removing access for members of the technical team. The CISO is responsible for auditing those accesses.

IP restrictions

Privileged access is only available from certain source IP addresses.

File uploads

Uploaded files are only accessible to authorized users.

Transmission security

All communications with JobTeaser servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and JobTeaser applications is secure during transit.

Personal data will not be transmitted on physical data carriers.

Personal data is only accessible to university administrators and partner recruiters through the application which is accessed on the internet, over an HTTPS secured connection.

Email signing (DKIM/DMARC)

Emails sent and received by JobTeaser are secured.

Device monitoring

Employee devices (smartphones and laptops) are monitored and handled through a mobile device manager.

Automated sensitive information discovery

Discovery of sensitive information is not yet automated.

Content moderation, spam filtering

Content is moderated on the platform.

Internal and Operational Security

This section describes the security measures put in place internally in JobTeaser's company organization and processes. They apply to all employees, unless specified otherwise.

Information Security Management

Governance

Information Systems Security Policy (ISSP)

JobTeaser has developed, with the help of security management experts, an Information Systems Security Policy. It follows the structure and principles of the ISO-27001 information security standard. This policy has been shared, and made available to all employees and contractors with access to JobTeaser information assets.

The Information Systems Security Policy is reviewed and updated at least every 2 years to take account of changes in:

  • the regulatory, organizational or technical context;
  • the expectations of JobTeaser's users, customers and partners;
  • internal security requirements;
  • new threats and vulnerabilities that may apply to JobTeaser's information systems.

General management commitment

JobTeaser’s Information System (IS) is a critical resource enabling JobTeaser to pursue its activities and provide its service to its customers. Ensuring the security of the Information System is a vital step in meeting a number of crucial objectives for JobTeaser:

  • Guarantee the confidentiality and integrity of the data users, customers and partners entrust JobTeaser with, and particularly their personal data;
  • Ensure the continuity of the services offered to its customers and partners, in particular, the JobTeaser.com website, the Career Center platforms as well as all the other web applications provided by JobTeaser;
  • Establish and maintain strong trust between JobTeaser and its partners and customers, by communicating and respecting its commitments regarding the protection of their data;
  • Guarantee the confidentiality and the integrity of its collaborators' personal data;
  • Respond to regulatory and legal requirements and constraints, in France and internationally;
  • Ensure the continuity of JobTeaser’s activities.

For this purpose, the General Management of JobTeaser commits to allocating the necessary means and resources.

Roles and responsibilities

JobTeaser has defined the roles and organization for the management of Information Security.

  • The Chief Information Security Officer is responsible for defining and updating the policy and for controlling its implementation;
  • The Information Security Committee reviews the security policy and its implementation at a strategic level;
  • The Technical Team actively contributes to the implementation of security measures through technical means;
  • The Security Guild is an internal community of interest focused on security and supporting transversal security actions throughout JobTeaser.

Human resources

Hiring process controls

Skills and education are controlled for all hires during the hiring process. Past employment verifications are done for sensitive positions.

Employee responsibility

All employees agree to the internal rules and the information systems usage charter, including security guidelines and mandatory practices.

Confidentiality agreements

JobTeaser's employment contracts contain a Confidentiality and Non-Disclosure Agreement clause. All contractors sign a confidentiality agreement.

Awareness and training

Regular awareness and training actions are addressed to all JobTeaser employees. These actions cover a large range of subjects, for example:

  • general security good practices;
  • workstation security;
  • management of sensitive information;
  • awareness of attack vectors (phishing, malwares, etc.).

The on-boarding process includes an information security awareness training session.

Assets security

Premises

JobTeaser premises are protected by individual identification badges and CCTV video-surveillance. Office gates are closed before 7am and after 10pm, and during weekends.

Network security

Protection

The internal network provided by JobTeaser to its employees is protected by an industry-standard firewall solution. All incoming traffic is forbidden by default.

Architecture

Several network areas have been defined to isolate the different roles of JobTeaser staff and networked devices. In particular, printers and personal devices are assigned to separate network areas, isolated from employee workstations.

Low-risk internal network strategy

Since most JobTeaser employees should be able to work on the move or remotely, the internal network in the JobTeaser office is limited to connecting workstations to the internet and to local utility devices (e.g. printers). No critical equipment is hosted on the local network.

This limits the risks related to network intrusions and reduces the corresponding security requirements.

Workstation security

Malware protection

All workstations are protected using an industry-standard malware protection solution.

Encryption

All workstation hard-drives are fully encrypted.

Internal information systems security

Internal applications

Access Management

New employees are given access to internal applications on their arrival on a need-to-know basis. Accesses are revoked when the employee leaves the company.

Accesses to sensitive applications are regularly audited.

Password security

Awareness about password security has been raised among employees. The Information Security Policy defines the following password policy:

  • Minimum length of 8 characters;
  • Characters from at least 3 of the following types: digits, uppercase letters, symbols.

Whenever possible, internal applications are configured to enforce these requirements. Moreover, multi-factor authentication is enforced on sensitive applications.

JobTeaser collaborators are provided with a password management solution to improve password security. The solution enables the generation of complex passwords, limits the reuse of existing passwords, and enables secured sharing of passwords when needed.

Secured transport

All communications between JobTeaser's collaborators and internal application are encrypted via industry best-practices HTTPS and TLS over public networks.