Security Policy

DevApp Pty Ltd ABN 94 608 983 384 (“We/Us/Our”), conducts significant portions of its operations via computer networks. The confidentiality, integrity, and availability of information systems, applications, and data stored and transmitted over these networks are vital to our reputation and success. We have adopted baseline practices (as detailed below) and implemented them according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This framework helps us improve our practices over time, evolving and maturing to the constantly changing security threats. The framework is based on industry standards, guidelines, and practices with the purpose of reducing cyber risks to critical infrastructure.

Baseline Practices

Australian Based Servers

1. We host, and backup, your System on dedicated servers located within multiple Australian data centres. Servers are physically located in an access-controlled environment. We limit disclosure of data and access to our server to overseas recipients inline with our Privacy Policy.
2. We store our customers’ billing data, client portal and our documents within Australia.

Change Management

1. Changes we make to your website will be tracked using a Service Request in our Client Portal. This ensures traceability and stability in your production environment and all changes we make must be authorised by your organisation (in writing).

Credit Cards

1. We do not store credit card details in our billing system(s).
2. If you have chosen credit card payments for re-billing purposes, our payment gateway will securely store your credit card details. Our payment gateway provider has been PCI-certified to Level 1 (the most stringent level of certification available). The payment gateway provides our billing system with a special token to use for re-billing purposes, which links your credit card and billing details to the token, made available to us by the payment gateway.

1. We routinely perform vulnerability scanning of our servers and files uploaded to it. A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses. All vulnerabilities identified are risk assessed, prioritised and actioned according to our risk management process (risk register).
2. Uploaded files are scanned automatically by our security software for known exploits and are automatically removed. Our team will be notified if this occurs.

Server Updates

1. Our server software is automatically patched daily, with the latest available patches, from our vendor(s).

System Updates

1. Using open source software ensures your web site can be regularly updated with the latest functionality and security releases. We require that all customers hosted on our servers regularly update their systems to the latest security release of their respective software. For our customers on a Hosting and Support agreement, we will patch your system when a security update/upgrade becomes available and the reported security threat(s) are applicable to your web site. We will assess the requirements of each security upgrade and test the compatibility of the release internally before scheduling upgrades for client web sites.

Application Firewall

1. We run a network and application firewall, which helps protects your website from common vulnerabilities at the network and application level, such as threats included in the OWASP Top 10.

Account Isolation

1. Each website account is isolated from other accounts on our server(s). This protects your files from being viewable by other accounts on the server, even if the other account is compromised.
2. We use account virtualisation technology which prevents a client website from using all server resources, and sandboxes each account from each other.
3. Administrator access to our servers is only allowed through encrypted keys (No passwords are permitted). All access is logged and triggers an alert on successful login.

Encryption

1. We provide a free SSL certificate, which our clients can use to encrypt their website traffic between our servers and your web browser. This ensures that if the data is intercepted during transit, a third party could not easily read it. Alternatively, a customer may use their own SSL certificate inline with our Hosting and Support Agreement..

Two Factor Authentication

1. We use two factor authentication for most of our staff internal systems (where supported) and we encourage use on our client websites.

Access Control Levels

1. As a rule, we will grant the lowest permissions to perform a function, where possible.

Incident Response Process

1. Initial Assessment

   1. Collect forensic data and copies of affected files, database and logs for auditing and analysis.
   2. Determine severity, scope, intent and type of attack.
   3. Document findings.

2. Communication

   1. Create Service Request in the Client portal to track the incident response and provide an interim report to your primary organisational contact.

3. Investigate

   1. Perform auditing and analysis of forensic data.
   2. Initiate recover process (obtain backups, etc).
   3. Assess impact, damage and cost.
   4. Compare compromised website to the most recent backup to identify change timeline, if required.
   5. Document findings for final report.

4. Rectify

   1. Restrict website access to DevApp.
   2. Temporarily take website offline and restore from the most recent backup.
   3. Resolve or patch vulnerability or vulnerabilities.
   4. Take action to prevent a reoccurrence.
   5. Re-enable public access to website.

5. Final Report and Improve

   1. We will provide you with a final report detailing: the type and intent of attack; loss or damage caused; remediation actions taken; areas for improvement and steps that should be taken to prevent reoccurrence.
   2. Update our security policies and risk register, as required.