Website Security Standards Policy
Introduction
ComputerMinds
ComputerMinds is a Drupal-only development house with offices in Bristol and Coventry. We have gained a reputation within the Drupal community for delivering high-quality Drupal websites, training and consultancy to a wide variety of clients.
We feel that Drupal offers us as developers an ideal framework on which to build complex content driven websites. We have extensive experience in working with a variety of clients from membership organisations through to large corporates. At the heart of how we work are the requirements of our clients; as such we prefer to take an agile approach to development so we can be better positioned to react to any changes in our clients’ original requirements without having to unduly inflate the budget or extend our time estimates.
We are active members of the Drupal community and regularly contribute back to the Drupal project. We have given a number of seminars and training sessions at Drupal conferences around the world on a variety of topics and sponsored the DrupalCon London 2011 conference. We believe that Drupal provides the best platform for any complex web-based development project; its modular model means it can be extended without affecting the core codebase. This in turn provides us with the robustness and security that makes Drupal such a good solution for the high expectations our clients place on their websites.
Many of our websites contain extremely sensitive information and/or are developed for risk-averse clients, including the public sector and large corporates.
Website Security Protocols
All websites are developed to meet or exceed the level of security required by the client. Where no requirements have been formulated, we are able to advise on security protocols.
Website Security Levels
Standard ComputerMinds web security practices are outlined below. These are accompanied by a traffic-light system, in which:
- Green indicates the standard website security protocols applied to all websites developed by ComputerMinds.
- Amber indicates an intermediate level of security, used mainly by SMEs and low-risk Government agencies.
- Red indicates the highest security levels offered, used by larger corporates, political parties and high-risk Government departments.
Managing Risk
ComputerMinds Ltd takes risk management very seriously and will always follow best practice. For full details, please see our separate document ‘Risk Management Policy’.
This document gives us internal processes to follow to prevent things from going wrong, and a safety net should something happen beyond our control. As a final contingency we also hold Professional Indemnity Insurance to cover any damages occurring as a result of error on our part.
Support
We offer a range of support options and maintenance agreements as well as client training to implement best practice.
We cannot, however, support the use of external sites, including social media, email programs, third party Application Programming Interfaces (APIs) and other applications, nor guarantee their security.
Website Security Policy
This policy details our internal approach to website security and the internal processes that support it.
Policy ownership and awareness
ComputerMinds Limited operates a website security policy that is drawn up and reviewed quarterly at board level. Strict procedures are in place to ensure that the policy is implemented.
All employees are made aware of security procedures and a training programme is in place to ensure that staff can and do comply with these procedures.
ComputerMinds Limited is working towards the ISO 27001 standard for information security.
Objectives
ComputerMinds Limited (“the Company”) is committed to implementing a proactive approach to website security that is based on the following key principles:
- Website security procedures will be aligned to corporate and business-plan aims, objectives and priorities. They encompass all security risks that may prevent the Company from fulfilling its objectives.
- Website security meets or exceeds the requirements agreed with the client.
- Website security is implemented and agreed prior to any website development work commencing. Procedures can be identified concurrently with offline / design phases of a website/platform build.
- Procedures are aligned to the company’s Risk Management Policy and Strategy.
- Data is stored, entered and shared according to client security requirements. Server specification and management is defined according to these requirements and user account handling and permissions are tailored to suit the use-case.
- The highest security protocols are employed in network and physical (building) security and in password and user management, and these protocols are reviewed on a regular basis.
- This policy requires the data manager to take responsibility for access to data.
- This policy requires project managers and individual developers to take responsibility for website security.
Website Security Strategy
Website security is the responsibility of ComputerMinds and the client. Fundamentally, the level of security must be in response to a client-side risk assessment. This must be influential in determining budget, since high server specification and security options are generally more costly to implement and maintain. This strategy replaces any earlier Website Security Strategies.
Introduction
Standard procedures for website security are outlined below. These are accompanied by ComputerMinds’ traffic light system of security management.
Where no traffic-light identification is given, a security procedure is applied to all websites. In other cases, traffic light colours represent the following:
- Green - the standard website security protocols applied to all websites.
- Amber - an intermediate level of security, recommended by ComputerMinds for SMEs and low-risk Government agencies. Amber includes and builds on all protocols within Green.
- Red - a high level of security, usually recommended to larger corporates, political parties and high-risk Government departments. Red includes and builds on all protocols within Green and Amber.
Please note that some elements of this security strategy are available only subject to a binding Non-Disclosure Agreement.
Server management and data storage
All of the code developed by ComputerMinds Ltd is stored in externally located, version-controlled repositories. These keep the code secure in the event of a disaster and make it possible to revert to a previous stable release should something go unexpectedly wrong. We don’t develop directly on the ‘live’ codebase.
Server Specification
Server specification is provided at the beginning of any project and discussed with the client. Security levels on servers vary with the package specified. This has a direct impact on cost.
As a rule of thumb, ComputerMinds Ltd uses Rackspace servers in the UK. This is because:
- Rackspace servers are a cost-effective way of providing a high level of security
- A number of security and support options are available
- Rackspace servers are quickly and easily scalable
- Network uptime is guaranteed at 100% (Data Centre – 100% HVAC/Power uptime guarantee)
- Backups are provided once daily, twice weekly or weekly
- Support is available 24/7 on most server packages.
We are able to recommend server packages based on security requirements and budget – usually, we will select the highest specification of security for the available budget (exceptions occur if alternative requirements, such as lifespan or extraordinary scalability, are more important factors than security).
ComputerMinds usually recommends Rackspace Cloud (Green) and Rackspace Managed Cloud (Amber), although some use-cases require managed physical servers (Red). However, ComputerMinds cannot guarantee the security of any server beyond the terms of the contract signed with the server provider.
Various levels of support are offered by Rackspace, including their ‘Fanatical Support’ (Red).
We aim for 97.5% website uptime.
IP-specific access
If required, access to the servers can be restricted to specific IP addresses only. This reduces the likelihood of an external attack to virtually zero (Red). As standard, we never give root access to any of our servers to anyone outside ComputerMinds Ltd. As a further precaution, only the ports necessary for the server to serve web content are opened.
Server-side security
Our servers will maintain standard access and error logs to allow us to effectively pinpoint issues in the unlikely case of them occurring. Root access to our server will only be given to employees of ComputerMinds Ltd and in the majority of cases we prefer to use an automated provisioning tool to manage the deployment of code. This approach means that once the server has been correctly configured using our build scripts we no longer need direct command line level access to the server itself.
Power Usage
ComputerMinds has committed to ensuring that its web projects have the smallest possible carbon footprint and minimal environmental impact. In line with its Environmental Policy, ComputerMinds ensures that servers meet high power usage efficiencies.
Precise power usage figures are available subject to a binding Non-Disclosure Agreement.
Domain management
ComputerMinds does not offer domain management services to most clients. This protects the client from the risks associated with not owning its own domains. If domain management is a requirement, it must be costed and specified separately.
ComputerMinds recommends that domain management be handled through a secure environment from a leading supplier, such as LCN.
The following scenarios are possible:
- Access is required by ComputerMinds Ltd and the client – a specific domain management account is established via the client’s email account and access is subsequently provided to ComputerMinds. ComputerMinds stores and manages the username and password securely, according to the procedures outlined in this document. The client is advised to follow the procedures in this document and is responsible for any lapses in security or breaches on its behalf.
- Access is required by ComputerMinds only – a specific domain management account is established via ComputerMinds and login credentials are stored and managed according to the procedures in this document.
- Access is required by the client only – ComputerMinds recommends that the client’s internal procedures follow those in this document.
- Access is required by a third party – ComputerMinds recommends that the client applies the procedures in this document to the third party and reviews this access at least monthly.
Please note that ComputerMinds can provide training for domain management, chargeable at the consultancy day-rate at the time of training, not the initial order.
ComputerMinds cannot guarantee the security of any domains managed by third parties or clients. If such security is required, then this should be made explicit in a contract and included in the third party’s own security policy.
Email management
ComputerMinds does not offer email management to most clients. This protects the client from the risks of external email management.
However, specific requirements can be discussed and training and consultancy in the use and security of email packages can be provided at the usual day-rate.
ComputerMinds cannot guarantee the security of any email accounts managed by third parties or clients. If such security is required, then this should be made explicit in a contract and included in the third party’s own security policy.
Third-party software
ComputerMinds is not responsible for the security of any third party software used by the client.
However, specific requirements mean that some clients require assistance with software integrated or used in conjunction with ComputerMinds websites. These requirements can be discussed and training and consultancy in the use and security of third party software can be provided at the usual day-rate.
Access and session management
User IDs, permissions and access management should be discussed prior to work on any website commencing. Access to websites can be precisely defined, although on many websites, this may change during the build and after launch.
Any changes to website permissions must be ordered at the highest level of administration within the website and are treated as ‘change requests’, which are chargeable at the normal development rates.
Superuser Password Rules
Once a website is on a live/public-facing server, all superuser (ComputerMinds employee) passwords:
- Are at least eight characters in length
- Contain characters from at least three of the four categories: uppercase letters, lowercase letters, numbers and non-alphanumeric characters
Client Password Rules
The client is recommended to apply the same security procedures as those above. The following scenarios are available:
- The website accepts any password, but warns the user if a password is insecure (Green)
- The website allows only secure passwords and rejects an insecure password (Red)
The client is advised to change passwords on a regular basis (usually once per calendar month). Client passwords are not stored at ComputerMinds and superusers have no knowledge of them.
Superusers can reset client passwords if required, although all websites allow clients to do this themselves.
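The two password rules above (minimum length, three of four character categories) and the Green/Red behaviours for client passwords (warn versus reject) can be expressed as one small check. The following is an added example written for this page, not ComputerMinds code or a Drupal module; the category names, the `green`/`red` level strings and the message wording are our own choices.

```python
"""Password-rule check modelled on the superuser password rules (added example)."""


MIN_LENGTH = 8        # "at least eight characters in length"
MIN_CATEGORIES = 3    # "at least three of the four categories"

# The four character categories named in the policy (names are ours).
CATEGORIES = {
    "uppercase": lambda c: c.isupper(),
    "lowercase": lambda c: c.islower(),
    "number": lambda c: c.isdigit(),
    "non-alphanumeric": lambda c: not c.isalnum(),
}


def password_problems(password: str) -> list[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = {name for name, test in CATEGORIES.items()
               if any(test(c) for c in password)}
    if len(present) < MIN_CATEGORIES:
        missing = ", ".join(sorted(set(CATEGORIES) - present))
        problems.append(
            f"uses only {len(present)} of {len(CATEGORIES)} character "
            f"categories (missing: {missing})")
    return problems


def check_password(password: str, level: str = "green") -> tuple[bool, str]:
    """Apply the policy at a traffic-light level.

    green: accept any password but return a warning for an insecure one.
    red:   refuse an insecure password outright.
    Returns (accepted, message).
    """
    problems = password_problems(password)
    if not problems:
        return True, "password meets the policy"
    detail = "; ".join(problems)
    if level == "red":
        return False, f"password rejected: {detail}"
    return True, f"password accepted with warning: {detail}"


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3"):
        for level in ("green", "red"):
            print(level, candidate, check_password(candidate, level))
```

The check deliberately reports every broken rule rather than stopping at the first, so a user (or the Report Log) sees the full reason a password was flagged.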
Password Storage and Transmission
Superuser passwords are stored securely in a special password manager, which is locked with a master key. The database is encrypted with the best 256-bit encryption algorithms available (AES and Twofish).
Passwords are not sent unencrypted over public networks.
Clients resetting their passwords will be sent a one-time login via email, which will expire after a given amount of time.
Successful and Unsuccessful logins
All attempts to log in and reset passwords are stored within a Report Log on each website, to which the superuser has access. Password attempts themselves are not stored.
Authentication
ComputerMinds can offer a range of security options relating to authentication on a website. These options include:
- Disabling auto-complete on usernames and passwords (Amber)
- reCAPTCHA on login and/or form/comment creation (Amber)
- User accounts locked after an agreed period of inactivity (Red)
- Prohibition of concurrent sessions with the same login credentials (Red)
- A second level of authentication when accessing sensitive data or critical areas of website management (Red)
Client-side user account management
Ordinarily, user accounts are added, edited and removed by the ComputerMinds project manager (Green). This is done in a timely manner, according to the contract or service level agreement (SLA), and is chargeable.
However, websites can include access to user management creation and editing screens for clients and/or third parties (Amber). In this instance, ComputerMinds will still be able to add, edit and remove user accounts, but recommends that the client assigns an administrator to perform these tasks. The roles and responsibilities of this administrator must be detailed in the client’s security policy and outlined or referred to in the contract.
ComputerMinds must be notified of a change of administrator within 24 hours or before any additional work is completed on any website within the administrator’s remit by any user, whichever is the sooner.
In the case of client-side user account management, additional user account management by ComputerMinds is considered chargeable work. ComputerMinds takes no responsibility for any errors caused by the client (or third party) in adding, editing and removing user accounts.
Session management
Logging in to a website always generates a new session ID, which is random, non-sequential and contains at least 10 alphanumeric characters.
Session data never identifies individual users and is deleted at the point of a user logging out.
Sessions last according to the current PHP default, but this can be adjusted according to client requirements. (Amber)
Where sessions are related to a third-party application (such as logging-in via Facebook or Twitter), they last as long as those within the application, but can be adjusted should the client require. (Red)
Users can be provided with a warning that the session is about to end. (Red)
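The session rules in this section (a fresh random alphanumeric ID of at least 10 characters on every login, data deleted at logout, a lifetime that defaults to PHP's setting but is adjustable, and an end-of-session warning) are illustrated below as an added example. It is not ComputerMinds code and not PHP's session handler; it is a stand-in written in Python so the behaviour can be run and checked. The 32-character ID length, the `SessionStore` class and its method names are our assumptions; the 1440-second default is PHP's `session.gc_maxlifetime` default.

```python
"""In-memory model of the session rules above (added example, not ComputerMinds code)."""
import secrets
import string
import time
from typing import Optional

ALPHABET = string.ascii_letters + string.digits   # alphanumeric only, as the policy requires
MIN_ID_LENGTH = 10                                # the policy's minimum
SESSION_ID_LENGTH = 32                            # assumption: our chosen length, well above the minimum
PHP_DEFAULT_LIFETIME = 1440                       # PHP's default session.gc_maxlifetime, in seconds


def new_session_id(length: int = SESSION_ID_LENGTH) -> str:
    """Generate a random, non-sequential session ID from the OS CSPRNG."""
    if length < MIN_ID_LENGTH:
        raise ValueError(f"session IDs must be at least {MIN_ID_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class SessionStore:
    """Minimal session table: login issues a new ID, logout deletes the data."""

    def __init__(self, lifetime: int = PHP_DEFAULT_LIFETIME):
        self.lifetime = lifetime            # adjustable to client requirements (Amber)
        self._sessions: dict[str, dict] = {}

    def login(self, old_session_id: Optional[str] = None,
              now: Optional[float] = None) -> str:
        """Always issue a fresh ID on login; any pre-login session is discarded."""
        now = time.time() if now is None else now
        if old_session_id is not None:
            self._sessions.pop(old_session_id, None)
        sid = new_session_id()
        self._sessions[sid] = {"created": now, "last_seen": now, "data": {}}
        return sid

    def is_active(self, sid: str, now: Optional[float] = None) -> bool:
        """True if the session exists and is within its lifetime; expired sessions are removed."""
        now = time.time() if now is None else now
        record = self._sessions.get(sid)
        if record is None:
            return False
        if now - record["last_seen"] > self.lifetime:
            self._sessions.pop(sid, None)
            return False
        record["last_seen"] = now
        return True

    def seconds_remaining(self, sid: str, now: Optional[float] = None) -> int:
        """Time left before expiry, for the 'session about to end' warning (Red)."""
        now = time.time() if now is None else now
        record = self._sessions.get(sid)
        if record is None:
            return 0
        return max(0, int(self.lifetime - (now - record["last_seen"])))

    def logout(self, sid: str) -> None:
        """Delete all session data at the point of logout."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore(lifetime=600)
    sid = store.login()
    print("session", sid, "active:", store.is_active(sid),
          "remaining:", store.seconds_remaining(sid))
    store.logout(sid)
    print("after logout active:", store.is_active(sid))
```

Discarding the pre-login session in `login()` is what makes "a new session ID on every login" meaningful: the ID a browser carried before authenticating never becomes an authenticated one.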
Development and Application Security
ComputerMinds takes security during development very seriously. To ensure the highest levels of security are met, development takes place offline, within version-controlled repositories. Test platforms are provided where required. (Amber)
ComputerMinds can provide a developer on-site (e.g. for sensitive intranet development), in which case, additional charges apply, including reasonable travel and expenses. (Red)
Test environments never contain sensitive information and are usually populated with test content, including Lorem Ipsum copy and generic, royalty-free images, unrelated to the destination content.
If required, genuine data can be used within demonstration websites or for final-phase testing.
Encryption keys are stored securely, protected against unauthorised access and changed at least annually.
Online payment systems
Within online payment systems, special attention is paid to security protocols relating to confidential user data. During development, dummy card and bank account details (usually supplied by the vendor) are used to test any integration.
Confidential payment card data are never stored by ComputerMinds. Where storing such data is a requirement of a project, we recommend a PCI-compliant, multi-tier, 256-bit encrypted web application. (Red)
Where payment systems are a part of a website build, ComputerMinds will endeavour to draw up a complete workflow showing the route that confidential data takes, with clear labelling of the component parts.
Database control
In the past, many high-profile websites have been subjected to persistent attacks and eventually compromised, giving attackers access to their data. ComputerMinds takes every possible step to ensure that this doesn’t happen and recommends measures to clients to ensure that security is not compromised client-side.
If the client requires a third party to access data, then the terms of this access must be detailed in the client’s security policy and outlined or referred to in the contract.
No sensitive data are stored onsite in the ComputerMinds premises in Bristol or Coventry.
Data entry
All input data are validated to prevent SQL injection and similar attacks. Server-side validation is always performed on both the username and password fields.
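Validation alone is not what stops SQL injection; the query must also be parameterised so the database never treats input as SQL (Drupal's database API does this with placeholders). The following added example, written for this page rather than taken from ComputerMinds or Drupal, shows the two together against an in-memory SQLite table. The table rows, the username allow-list pattern and the function names are constructed for the example; the unparameterised function is included only as the contrast the policy's validation and parameterisation are meant to prevent.

```python
"""Validated, parameterised lookup beside the unparameterised form it replaces (added example)."""
import re
import sqlite3

# Assumption: our allow-list for usernames (letters, digits, underscore, dot, hyphen).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def validate_username(name: str) -> bool:
    """Server-side allow-list check applied to the username field before any query."""
    return bool(USERNAME_RE.match(name))


def setup_db() -> sqlite3.Connection:
    """Constructed sample table with two users; the hashes are placeholder strings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-placeholder-a"), ("bob", "hash-placeholder-b")])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Unparameterised form: the untrusted value is pasted into the SQL text.
    Shown only to demonstrate what the validated, parameterised version prevents."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hardened form: reject input that fails validation, then bind the value as a
    parameter so the database receives it as data, never as part of the statement."""
    if not validate_username(name):
        return []
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    crafted = "x' OR '1'='1"   # constructed input that changes the meaning of the unparameterised query
    print("unparameterised:", find_user_unsafe(db, crafted))
    print("validated + parameterised:", find_user_safe(db, crafted))
```

The allow-list check gives a clean rejection with a loggable reason, and the bound parameter guarantees that even input which passes validation can never alter the statement; relying on either one alone leaves a gap.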
Resting data
ComputerMinds never provides direct access to a database. Should data be required, an SQL dump can be provided, given the necessary permissions at the highest level on the client side. Data is logically separated (Green) or physically separated (Amber) if required.
Data in transit
ComputerMinds does not usually transmit data either physically or over unsecured networks. Data transfer from a website to a client is encrypted via SSL. Where ‘offline’ data transit is required, ComputerMinds recommends 256-bit encryption. (Red)
Physical Security
ComputerMinds operates from two offices – one in Bristol and one in Coventry. This section refers to the security of these offices only. Information about the physical security of data centres can be provided dependent on the server package specified and any level of data security can be met. The data manager referred to below is Mike Dixon, managing director of ComputerMinds.
Physical data
In terms of data storage, the following policies are followed as standard:
- Live website data is not stored at either site
- Website design data are stored on a secure digital cloud-based repository, where it can be shared between the data manager, designers, themers, developers and project managers. Access within ComputerMinds is restricted to those staff members that require it. Once access is no longer required by individuals, the data manager updates permissions.
- Confidential client information (legal, contractual information etc. owned by ComputerMinds but referring to client budgets and procedures) is stored in a secure digital repository.
- UAT data are stored on machines within ComputerMinds, which are backed up daily to a secure offsite digital repository. Most of ComputerMinds’ UAT is now cloud-based.
- Software owned and used by ComputerMinds is held on individual terminals and backed-up daily to a secure offsite digital repository.
- All ComputerMinds computers, tablets and mobile devices are locked, with login credentials known only to the individual user and the data manager (via a 256-bit encrypted password storage system).
Both ComputerMinds premises are self-contained buildings, protected by professionally retrofitted zone-enabled alarm systems. These alert the data manager by telephone should they be activated. Adequate locks are fitted to the doors and windows.
Precise security details are available subject to a binding Non-Disclosure Agreement.
Network Security
Our offices have fixed IP addresses, making it possible to easily lock down access to any externally-hosted resources to our physical locations. All terminals are password protected with passwords known only to individual employees.
External access to our network can be achieved via SSH in the normal manner but no access to any sensitive encrypted information is possible via this route.
It is also possible to connect to a webserver that resides in our Bristol office, which is used to host development builds.
Before populating any site with live data we would prefer to move the code base over to the final hosting environment so it sits offsite.
Access to the Internet from both ComputerMinds premises is provided via a configured DMZ.
Wireless access to the network is encrypted via WPA2 and passwords changed on a regular basis.
Precise details of ComputerMinds’ network security are available subject to a binding Non-Disclosure Agreement.
Business Continuity
ComputerMinds operates a comprehensive business continuity plan.
The risks of fire, flood and other natural disasters are reviewed on a regular basis. Both ComputerMinds premises comply with all Health and Safety regulations, including the number, placement and servicing of fire extinguishers.
For more information, see the ComputerMinds Business Continuity Plan.