Security Standards


Last updated 7 years ago

Managing your digital security is all about understanding the risks you face and determining the levels of risk that are tolerable with the data for which you are responsible. The security profile of a personal blog is very different from an e-commerce site, and is different again from a central government portal service.

Security Essentials

There are some basic steps to take for the digital security of your website or application.

Secure installation

Open source software usually has comprehensive documentation on securing your installation. As a bare minimum, follow these.

Strong passwords

XKCD: Password strength (https://xkcd.com/936/)

Password management

Administrator passwords (firewalls, Google, GitHub) and laptop passwords must be changed regularly, at least every 60 days. See "Strong passwords" above for guidance on choosing them.

Update all the things

Open source software projects regularly release security updates for the core software and for the modules that extend it. Some projects include an update status report that specifically identifies available or pending security updates. Always install security updates.

Drupal security updates are reported weekly and are reviewed by our technical team. Priority updates are installed within a maximum of 48 hours.

Software running on mobile devices must be set to automatically update to take advantage of updates as soon as they're available.

Encrypt your site with TLS (still commonly called SSL)

Post-Snowden, for both technical and social reasons, encrypt your site with TLS. That's it.

Not just the obvious bits, like logins and checkouts. All of it. With the technical innovations of recent years, there are lots of ways to make a secure site run fast, so there's no need to worry about

Data Security

Cross-site scripting

We use open-source software whose maintainers understand how sites are exposed to cross-site scripting (XSS) and which validates and escapes user input thoroughly. We are careful with the extensions we include and the custom code we write, so that project sites and applications stay safe from cross-site scripting attacks.

Encrypted database

Where appropriate, we will encrypt an application's production database to keep sensitive personal data safe. In that case the encryption keys will be held securely, which may warrant keeping them in a separate location from the application itself.

Restricted access

If the security profile of the system warrants it, we may opt to further restrict the application's access to the data in the database to only the data made available by an API layer in front of the database. That API itself will have strong boundary security and access limitations, via firewalls and other methods, to restrict and control access to it.

We also manage access to the application's hosting platform. If the project's security profile warrants it, we may include a number of elevated access control tools or systems.

Access to all of our systems is managed only by a limited number of senior members of staff.

Access logging

For security and audit purposes all activity in our systems is logged.

All code updates via GitHub are automatically posted in a private Slack channel alerting all staff to the updates. GitHub records a log of all changes to code (date, user, details of the change). GitHub provides audit and access logs detailing user logins, password resets and full logs for access to repository data.

Similarly, Google Drive provides details of changes (date, user, details of the change, approved by). In both of these, there is the option to view changes and roll back if necessary.

Slack provides detailed access logs to us. Administrators are able to remotely terminate connections and sign out all devices authenticated to our account at any time.

Contactually is hosted by Amazon and monitored 24/7/365 with all data stored in Amazon Web Services data centers.

We recommend to clients and hosting companies that server logs are enabled and monitored.
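Logs are only useful if somebody reads them. The following is an added example, not Convivio's own tooling, of the kind of first-pass triage a reviewer can run over a GitHub organisation audit-log export: it flags events whose action is sensitive, events that happen outside working hours, or both. The record fields (@timestamp in epoch milliseconds, action, actor, repo) follow the shape of GitHub's audit-log export; the action names in SENSITIVE_ACTIONS, the working-hours window, and the sample events are assumptions made for the example and should be checked against GitHub's current documentation before use.

```python
"""Triage a GitHub organisation audit-log export (JSON lines) for events that
deserve a human look.  Added example, not Convivio's own tooling.  Field
names follow GitHub's audit-log export; the action names in
SENSITIVE_ACTIONS and the working-hours window are assumptions."""
import json
from datetime import datetime, timezone

SENSITIVE_ACTIONS = {                       # assumed action names; verify
    "repo.destroy": "repository deleted",
    "repo.access": "repository visibility changed",
    "org.disable_two_factor_requirement": "2FA requirement switched off",
    "org.remove_member": "member removed from organisation",
    "protected_branch.destroy": "branch protection removed",
}
WORK_HOURS = range(8, 19)                   # 08:00-18:59 UTC, weekdays (assumption)


def _when(ev: dict) -> datetime:
    """@timestamp is epoch milliseconds in the export (assumption)."""
    return datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)


def triage(lines) -> list[dict]:
    """Return one finding per event that is sensitive, out of hours, or both.
    Blank lines are skipped; every other line must be one JSON object."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        when = _when(ev)
        reasons = []
        if ev["action"] in SENSITIVE_ACTIONS:
            reasons.append(SENSITIVE_ACTIONS[ev["action"]])
        if when.weekday() >= 5 or when.hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:
            findings.append({
                "when": when.isoformat(),
                "actor": ev.get("actor", "?"),
                "action": ev["action"],
                "repo": ev.get("repo"),
                "reasons": reasons,
            })
    return findings


def _ms(*args) -> int:
    """Epoch milliseconds for a UTC date/time; used only to build the sample."""
    return int(datetime(*args, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample export: actors, repositories and timings are made up.
SAMPLE_LOG = [
    json.dumps({"@timestamp": _ms(2020, 9, 14, 9, 0), "action": "repo.create",
                "actor": "alice", "repo": "convivio/cookbook"}),      # Monday, in hours
    json.dumps({"@timestamp": _ms(2020, 9, 14, 10, 0), "action": "repo.access",
                "actor": "bob", "repo": "convivio/client-site"}),     # sensitive
    json.dumps({"@timestamp": _ms(2020, 9, 15, 2, 0), "action": "repo.create",
                "actor": "alice", "repo": "convivio/scratch"}),       # 02:00
    json.dumps({"@timestamp": _ms(2020, 9, 13, 12, 30),
                "action": "org.disable_two_factor_requirement",
                "actor": "mallory"}),                                  # Sunday + sensitive
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["when"], f["actor"], f["action"], "; ".join(f["reasons"]))
```

The point of the two independent tests is that neither on its own is a good signal: a visibility change during the day may be routine, and a repository created at 02:00 may be a colleague in another time zone, but an event that trips both (here, the 2FA requirement being switched off on a Sunday) is what a reviewer should look at first.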

Clean database dumps of personal info

It almost goes without saying, but whenever we need to take a dump from a live database, for local development, debugging, support or whatever, we ensure that any personal and identifying data is cleaned out before the data touches any unsanctioned computer. That includes servers within your hosting platform that have not been specifically accredited or authorised to host that personal data.
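As an added example of what "cleaned out" can mean in practice (this is not Convivio's own tooling), the script below rewrites a MySQL-style dump so that the personal columns of a user table are replaced with keyed pseudonyms before the file leaves production. It assumes a Drupal users_field_data table with the personal data in the name and mail columns, and a mysqldump-style file with one extended INSERT per line; the table and column names in PII_COLUMNS, the secret, and the sample dump are assumptions made for the example. Pseudonyms are derived with an HMAC rather than random values so that the same person maps to the same fake identity across tables and across repeated dumps, which keeps foreign keys and support reproductions working.

```python
"""Scrub personal data out of a MySQL-style SQL dump before it leaves
production.  Added example, not Convivio's own tooling.  Assumes a Drupal
users_field_data table whose personal data lives in the name and mail
columns, and a mysqldump-style file with one extended INSERT per line."""
import hashlib
import hmac
import re

# table -> columns to pseudonymise (assumed schema; Drupal core table/column names)
PII_COLUMNS = {"users_field_data": ("name", "mail")}

INSERT_RE = re.compile(
    r"^INSERT INTO `(?P<table>\w+)` \((?P<cols>[^)]*)\) VALUES (?P<rows>.*);$")


def pseudonym(secret: bytes, column: str, value: str) -> str:
    """Keyed, one-way replacement: the same real value always maps to the same
    fake one (so accounts still line up across tables and repeated dumps), but
    the original cannot be recovered without the key, which stays in production."""
    tag = hmac.new(secret, f"{column}:{value}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"user-{tag}@example.invalid" if column == "mail" else f"user-{tag}"


def parse_rows(text: str) -> list[list[str]]:
    """Split "(a,b),(c,d)" into raw SQL literals, honouring quoted strings and
    backslash escapes so commas and parentheses inside values survive."""
    rows, row, cur, in_str, in_tuple, i = [], [], [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(text):   # escaped char: copy it verbatim
                i += 1
                cur.append(text[i])
            elif ch == "'":
                in_str = False
        elif ch == "'":
            in_str = True
            cur.append(ch)
        elif ch == "(":
            in_tuple, row, cur = True, [], []
        elif ch == ")":
            row.append("".join(cur).strip())
            rows.append(row)
            in_tuple = False
        elif ch == "," and in_tuple:
            row.append("".join(cur).strip())
            cur = []
        elif in_tuple:
            cur.append(ch)
        i += 1
    return rows


def scrub_dump(dump: str, secret: bytes) -> str:
    """Return the dump with PII columns of the configured tables pseudonymised;
    every other line is passed through untouched."""
    out = []
    for line in dump.splitlines():
        m = INSERT_RE.match(line)
        if not m or m["table"] not in PII_COLUMNS:
            out.append(line)
            continue
        cols = [c.strip("` ") for c in m["cols"].split(",")]
        targets = [(cols.index(c), c) for c in PII_COLUMNS[m["table"]] if c in cols]
        new_rows = []
        for row in parse_rows(m["rows"]):
            for idx, col in targets:
                lit = row[idx]
                if lit.upper() == "NULL" or lit == "''":
                    continue          # nothing to hide (e.g. Drupal's anonymous uid 0)
                row[idx] = "'" + pseudonym(secret, col, lit[1:-1]) + "'"
            new_rows.append("(" + ",".join(row) + ")")
        out.append(f"INSERT INTO `{m['table']}` ({m['cols']}) VALUES {','.join(new_rows)};")
    return "\n".join(out)


# Constructed two-table dump; the names and addresses are made up.
SAMPLE_DUMP = """\
INSERT INTO `node_field_data` (`nid`,`title`) VALUES (1,'Welcome, team');
INSERT INTO `users_field_data` (`uid`,`name`,`mail`,`status`) VALUES (0,'','',0),(1,'alice','alice@example.com',1),(2,'bob o\\'brien','bob@example.com',1);
"""

if __name__ == "__main__":
    print(scrub_dump(SAMPLE_DUMP, b"constructed-secret-do-not-use"))
```

Run this on the production side, before the file is copied anywhere, and keep the HMAC secret there too; a dump scrubbed on the developer's laptop has already touched an unsanctioned computer. Extend PII_COLUMNS with any contact, address or log tables that also hold identifying data, since user tables are rarely the only place it lives.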

Ensure you have a strong password for the administrative or root user. There is much discussion online about what constitutes a strong password (see, for example, the discussions on Google, Wikipedia, and the "Correct Horse Battery Staple" comic linked under "Strong passwords" above). We recommend using a pass phrase rather than a password, ensuring it is at least 16 characters long and preferably longer than 24 characters.
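As an added example (not Convivio's own tooling) of putting the pass phrase advice into practice, the script below generates pass phrases with a cryptographically secure source, checks them against the 16/24-character rule above, and shows how the strength of a pass phrase depends on the size of the word list rather than on its character count alone. The word list here is a small constructed one for demonstration; the figure 7776 is the published size of the EFF long word list, which is what a real deployment would use.

```python
"""Generate and check pass phrases of the kind recommended above.  Added
example, not Convivio's own tooling.  WORDS is a small constructed list for
demonstration only; use a large published list (e.g. the EFF long list) in
practice."""
import math
import secrets

WORDS = ["correct", "horse", "battery", "staple", "marble", "tundra", "velvet",
         "copper", "anchor", "lantern", "orchid", "glacier", "pepper", "saddle",
         "timber", "walnut"]          # constructed: 16 words = 4 bits per word
EFF_LONG_LIST_SIZE = 7776             # published size of the EFF long word list

MIN_LENGTH = 16                       # policy minimum from the text
PREFERRED_LENGTH = 24                 # "preferably longer than 24 characters"


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Guessing entropy of n_words drawn uniformly at random (with replacement)
    from a list of list_size words."""
    return n_words * math.log2(list_size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """The same calculation for a character-by-character random password."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words: int, words=WORDS, sep: str = " ") -> str:
    """Pick words with the secrets module (a CSPRNG), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def check_policy(phrase: str) -> dict:
    """Apply the length rule from the text, and report the word count so a
    reviewer can tell a genuine pass phrase from one long word."""
    length = len(phrase)
    return {
        "length": length,
        "words": len(phrase.split()),
        "meets_minimum": length >= MIN_LENGTH,
        "meets_preferred": length > PREFERRED_LENGTH,
    }


if __name__ == "__main__":
    # The comic's four words from a ~2048-word list: 44 bits.
    print(passphrase_entropy_bits(4, 2048))
    # Seven uniformly random printable-ASCII characters are about the same.
    print(password_entropy_bits(7, 94))
    # Words needed for 80 bits from the EFF long list.
    print(words_needed(80, EFF_LONG_LIST_SIZE))
    phrase = generate_passphrase(6)
    print(phrase, check_policy(phrase))
```

The length rule in the text is a floor, not a target: four words from the small 16-word list above easily pass 24 characters yet carry only 16 bits of entropy, while four words from the EFF long list carry about 52 bits at a similar length. Check the list size as well as the character count.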