Below is an outline of common questions and answers about the FastTrack360 service. Should you have other points not covered below, please contact your Account Manager or Enterprise Sales Manager to organise further clarification.
Hosting
Question | Answer |
Where is the application service hosted?
| Amazon Web Services – Tier 1 Data Centres
Physical location of these data centre is not published or publicly provided by Amazon. |
Is the building alarmed? | Please see the below links for AWS power and security details: https://aws.amazon.com/about-aws/global-infrastructure/
|
Is it monitored with CCTV? | |
Is your data centre a manned/unmanned operation? | |
Does the site have an electronic access control system? | |
Are your systems protected by a backup power supply? | |
In the event of a power failure, how long can your systems run on the backup power supply? |
Network
Question | Answer |
Do you have an Intruder Detection System (IDS) installed on your network? | Yes |
Do you have resilient/redundant Internet connections? | Yes |
If so, how do you achieve the level of resilience? | BGP (Border Gateway Protocol) |
If your resilience in the form of diverse physical connections, please give details of how they are routed. Please include information such as how the physical connections are routed out of the building, whether they connect to separate exchanges, whether you use different ISPs etc.
| We have multiple ISP providers who in turn use multiple network exchanges to ensure resilience. Our facility is connected to the power grid from multiple points as well as having generator power backups. Network connectivity is provided to our facility via multiple physical connections via different physical risers in the building. We also have a second data centre which would be used to host the service should we suffer a complete loss of the primary site. There would be a recovery window required in this event. |
Is access to core network equipment restricted to key personnel? | Yes |
Are all changes to the configuration of core network equipment managed by a change--‐management process? | Yes |
Are firmware upgrades/patches for network equipment tested before live deployment? | Yes |
If so, to what extent are the patches tested: basic network operation or full testing of the application? | Full application testing |
Do you have staff who work remotely? If so, please describe the method by which they connect to your core network for example BeamYourScreen, Business Broadband etc., and how you prevent this method being used to provide unauthorised access to your network. | No direct external access is permitted to the application network |
Servers
Question | Answer |
Do you restrict physical access to your servers to key personnel? | Yes |
How soon after an operating system patch is released do you apply it to your servers?
| Planned maintenance is planned based on a monthly scheduled ;
Notification of planned maintenance is provide with 7 days’ notice and is advised via Status Page email notification and also in product on the dashboard. For all critical emergency/patches FastTrack will take every effort to provide as much notice as possible. Notification will be provided and is advised via Status Page/email notification and also in product on the dashboard. |
Are operating system patches and upgrades under the control of change management? | Yes |
Do you test all operating system patches and upgrades prior to live deployment? | Yes |
If so, to what extent are the patches tested, just the impact on the operating system or full testing of the application? | Environment & Application testing |
Do you run an anti-virus product on your servers? | Yes |
What standards does the hosting facility meet? | Tier III Uptime Institute standards, ISO 27001
|
Disaster Recovery / Business Continuity
Question | Answer |
How often are your servers backed up?
| Database Servers:
All other Servers:
|
Are the backups full file system backups or a combination of full and incremental? | A combination of both full and incremental backups. |
In the event of the loss of a file/database, how quickly can you restore from a backup?
| File restoration process will take up to 5 minutes from the beginning of the process. |
How often do you test restoration of files? | Backup restoration process is tested 3 monthly. |
In the event of a server failure, how quickly can you restore the service onto new hardware?
| All servers have a redundant server within the active site. Should a server fail, all services will be taken up by the redundant server. |
How often do you test server recovery? | No set schedule |
Do you have a recovery procedure for the total loss of your data centre?
| If there is a full failure at the primary site, then DR plan will be initiated where the secondary site will be enabled, and failover of all services will occur. For timeframes please see DR plan section. |
Application Design
Question | Answer |
Has the application been built to an established design pattern (e.g. MVC, JavaBlueprints, etc.)? | Yes |
Are revisions to the code controlled using version control software (e.g. PVCS, SVN, and Visual Source Safe)? | Yes |
Do you use issue tracking software such as TFS? | Yes, we utilise Atlassian’s JIRA |
If yes to both the above questions, are the two linked so that the fixing of issues can be tracked easily to specific versions of the code? | Yes |
What is your testing strategy for the application, i.e. do you perform a full test of all the functionality on a new release or just test those areas where the code has been changed?
| Depends on the nature of the change, for minor releases all potentially affected areas are tested, but not the entire application. We also encourage the development of automated tests within the build process. |
What design steps have you taken to ensure that your application is immune from attacks such as SQL Injections and Cross Site Scripting? | We follow OWASP principles and also use an external agency to verify the integrity of the system. |
Has your application been tested to show it is immune to such attacks? | Yes |
If so, did you perform the test, or did you make use of the services of a third-party testing company? | External specialist company |
How often is your application tested for vulnerabilities? | At the end of each major release or every 6 months. |
Do you have multiple customers on a single frontend and server, or do you have servers dedicated to each customer? | It’s a multi-tenanted infrastructure where each client is on a separate individual instance of the product for isolation and security |
What controls do you have in place to ensure that copies of the application code, either electronic, hardcopy, are not accessible to unauthorised staff. | Only Authorised staff have access to the application code. |
Do you have a single database for all customers? | No |
Do you have a data retention policy? | At this time all data is retained |
If so, how long do you keep data for? | The term of the LSA |
Do you have automated procedures in place to cleanse data which has expired with regards the data retention policy? | No |
Where do you host your data?
| Within multiple geographical locations in Australia with Amazon Web Services. |
Do you ensure that all confidential data sent to customers is encrypted? | Yes |
What standard of encryption do you use? | SSL |