
SITS:Vision Annual Conference

SITS:Vision Annual Conference. @ the Hilton Deansgate Hotel, Manchester. Security and Hosting 12-13 July 2011. Mike Fisher – Technical Services Team Leader. Introduction. We have undertaken a review of all our software with specific reference to security As a result we have:


Presentation Transcript


  1. SITS:Vision Annual Conference @ the Hilton Deansgate Hotel, Manchester
     Security and Hosting, 12-13 July 2011
     Mike Fisher – Technical Services Team Leader

  2. Introduction
     - We have undertaken a review of all our software with specific reference to security
     - As a result we have:
       - Made changes to the applications to enhance security
       - Published security recommendations for all Maytas and eTrack configurations; some of these are things we have always set up as standard
       - Made general infrastructure recommendations around the applications and associated servers

  3. Security Recommendations
     - We have published a document (sent with each release) outlining our recommendations for:
       - Database Servers
       - Maytas 3
       - Maytas 5
       - eTrack Online
       - eTrack Offline
       - Web and Application Servers
       - General Network Setup

  4. Database Server
     - The Maytas 3 user account
       - Configured with a default password
       - Can be changed to conform with local IT policies on passwords
       - Each application must be told of the password change
     - Database Server location
       - Should sit secured within a LAN
       - Must not be public facing
     - Database Encryption
       - Certain contracts specify that databases must be encrypted
       - Tribal practises database disk-level encryption

  5. Maytas 3
     - Application directory security
       - Can be locked down to stop users accessing the application files
       - Some permissions are required and are documented
       - Especially important when Maytas 3 is run over a terminal server
     - Maytas 3 User Editor
       - Ensure the permissions set are as required
       - The ‘stever’ account…
     - Password Policies

  6. Maytas 5
     - M5 Data Services
       - When using a file store, switch the user to a domain account with appropriate permissions
     - Services Access Groups
       - Restricts who can run a ‘First Time Setup’ against the service
     - Client Machine Encryption
       - To encrypt any data local to the machine
     - Password Policies

  7. eTrack General
     - The eTrack evidence file store
       - Location and user access
     - web.config encryption
     - System Configurations
       - Blocked File Types
       - Account Lockouts
       - SSL Server Settings

  8. eTrack
     - eTrack Online
       - The IIS user
       - Application Directory Security
       - Configurable Session Timeouts
       - Password Policies
     - eTrack Offline
       - Local Data and Evidence files
       - Laptop encryption
       - Password Policies

  9. General (Applicable to All)
     - Password Policies can be set in the database, which then apply to all user accounts
     - Password expiration times
     - Options for:
       - Password length
       - # of CAPITAL letters
       - # of lowercase letters
       - # of numeric characters
       - # of special characters (!@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
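The policy options on this slide, as an added Python example that is not code from the presentation or from Maytas/eTrack: a hypothetical policy record with one field per slide option, a checker that reports every requirement a password fails (so an administrator can see which configured minimum was missed), and an expiry check against the configured expiration time. Field names, defaults and the ISO-date inputs are assumptions; the special-character set is the one printed on the slide.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Special characters exactly as listed on the slide (raw string: the
# backslash and backtick are two separate members of the set).
SPECIAL_CHARS = set(r'''!@#$%^&*()_+|~-=\`{}[]:";'<>?,./''')


@dataclass
class PasswordPolicy:
    """Hypothetical stand-in for the database-level policy settings."""
    min_length: int = 8      # "Password length"
    min_upper: int = 1       # "# of CAPITAL letters"
    min_lower: int = 1       # "# of lowercase letters"
    min_digits: int = 1      # "# of numeric characters"
    min_special: int = 1     # "# of special characters"
    expiry_days: int = 90    # "Password expiration times"


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the requirements the password fails; an empty list means it passes."""
    counts = {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIAL_CHARS for c in password),
    }
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"length {len(password)} < {policy.min_length}")
    required = (("upper", policy.min_upper), ("lower", policy.min_lower),
                ("digit", policy.min_digits), ("special", policy.min_special))
    for name, needed in required:
        if counts[name] < needed:
            failures.append(f"{name}: {counts[name]} < {needed}")
    return failures


def password_expired(last_changed: str, policy: PasswordPolicy, today: str) -> bool:
    """True when the password (ISO dates, e.g. '2011-07-12') is older than expiry_days."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age > timedelta(days=policy.expiry_days)


if __name__ == "__main__":
    strict = PasswordPolicy(min_length=10, min_upper=2, min_digits=2)
    print(check_password("password", PasswordPolicy()))   # fails upper/digit/special
    print(check_password("AbcDef12!x", strict))            # [] (passes)
    print(password_expired("2011-01-01", strict, "2011-07-12"))  # True
```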

  10. Network Diagram

  11. Tribal Data Policies
      When transmitting data to Tribal: the local Tribal office will inform customers of a Tribal FTP site to which they can electronically submit data. A username and password will be issued to each customer as required. It is the responsibility of the customer to install and manage the necessary software to transmit data to, and receive data from, Tribal. Files sent to Tribal must be encrypted to at least the FIPS 140-2 standard. This standard is not met by WinZip or 7-Zip, two widely used compression/encryption packages. Tribal use an encryption product, SecureZip, for the secure encryption of files, which meets the FIPS 140-2 standard when used correctly.

  12. Hosting
      - As part of our hosted service we manage all application upgrades as standard
      - The environment and our hosting team conform to ISO 27001 standards on security
      - We can supply a hosted service from 1 user upwards, hosting any combination of M3, M5 and eTrack
      - We build dedicated farms for larger setups
      - Currently we run:
        - The MAYTAS shared service for smaller customers (< 20 users)
        - 10 designated farms for larger organisations
        - A separate DWP security-cleared farm
      - Currently our largest environment has upwards of 2500 users

  13. SITS:Vision Annual Conference @ the Hilton Deansgate Hotel, Manchester