Jisc operates an Information Security Management System (ISMS) and many of the processes and policies used to operate BOS, and by Jisc staff, are part of the ISMS. Jisc holds a limited scope ISO 27001:2013 certificate, and this has not yet been extended to cover BOS. Regardless, where applicable, many of these processes and policies have been subject to formal internal and external review as part of the certification process.
Where is my data stored?
All data is stored within Amazon Web Services (AWS), within the Republic of Ireland.
All systems are physically located within datacentres operated by AWS. The information security of AWS is managed in conformance with the requirements of ISO 27001, providing Jisc and our customers with assurances of the security of the datacentre and virtualization aspects of the service. The security of the operating system and application stack is managed by Jisc.
Any transfer of data between Jisc and AWS are conducted over secure, encrypted, connections. Staff at Jisc are subject to our “Secure Working Practices Policy” that covers the physical security of information when working in an office or remotely at other locations.
All new staff at Jisc, including casual staff, are given a contract of employment containing a confidentiality clause and are made aware of their responsibilities toward personal data as part of their induction process. All staff at Jisc are subject to our “Secure Working Practices Policy” that communicates their responsibilities towards information security, as well as providing advice and guidance on common security threats. All Jisc staff involved with providing the BOS service are provided with data security training.
Jisc is responsible for maintaining the security of the operating system and application stack used to provide BOS. Vulnerability and patch management is carried out on a regular schedule accordance with our vulnerability management processes. Occasionally, critical security patches may require us to take the service offline at short notice. Where possible we will work with customers to minimize any disruption. The system is regularly scanned for vulnerabilities by automated systems, and is subject to periodic penetration testing of both the network environment, operating system, and application. All issues discovered are prioritized and accordingly addressed. Jisc encourages third parties to work with us to resolve any security vulnerabilities discovered – please e-mail firstname.lastname@example.org for more information.
BOS is protected from DDoS attacks by services provided by Amazon, including AWS Shield and Amazon CloudFront.
Physical, logical, application and network access-control for all Jisc managed systems that hold personal data are managed on a least-privilege, need-to-know, basis.
Access to data stored within BOS is strictly limited to BOS’s support and technical teams. This access is only permitted when it is at the request of the client concerned, or necessary for the investigation of operational issues, or when required by law.
The BOS servers and backups are accessible only by members of the BOS technical team and other authorised members of staff at Jisc (such as systems administrators or those responsible for maintaining the backup service).
Incidents and Breaches
Jisc has an established process for handling information security incidents including data breaches. Should an incident occur, it will be handled according to this process and in line with current data protection legislation. If an incident has an impact on the security of information secured in BOS then Jisc’s Senior Information Risk Owner (SIRO), will make decisions as to whether and how customers and the Information Commissioner’s Office are notified.
Communications related to breaches will arrive through Jisc’s normal communications channels. Jisc will never ask you to provide passwords and other authentication information by e-mail.
New users choose their own passwords and will need to enter a username and password each time they log in. BOS issues a cookie to store session information when registered users log in. The session cookie does not include user information and is not retained once the browser is closed.
No cookies are used when survey respondents complete surveys.
All survey responses are collected over encrypted SSL (TLS) connections. SSL is the standard technology for establishing an encrypted link between a web server and a browser. It ensures that sensitive information can be transmitted securely. All communications within onlinesurveys.ac.uk are also sent over SSL encrypted connections. Jisc does not commit to using particular ciphers as this may be limiting as new weaknesses are discovered. Instead we commit to achieving and maintaining a grade of at least A when tested by SSLLabs. You can view the current status at https://www.ssllabs.com/ssltest/analyze.html?d=www.onlinesurveys.ac.uk&hideResults=on.
Data is not encrypted whilst at rest within BOS. BOS user passwords are hashed using PBKDF2 with a random salt. Jisc is responsible for the management of all cryptographic keys and material involved with BOS, and will do so in line with our “Cryptographic Control Policy” and related guidance.
Jisc endeavors to ensure that all data is securely erased and any media securely destroyed once it is no longer required for the operation of the system. Due to the complex nature of a cloud based environment, Jisc may be dependent on third parties to ensure this occurs. Where this is the case there will be a contract in place between Jisc and the third party.
Some data may persist in backups. For more information see the section of this FAQ on Backups.
Business continuity The BOS service runs over two availability zones in AWS (within the Republic of Ireland) in an active-active high availability configuration using AWS Elastic load balancing. In the event of multiple availability failures the BOS service will be restored into a different AWS region.
The performance of the service depends on the use of the system and AWS, We monitor the system’s performance routinely and have automated alerts. In the event of high traffic, AWS allows us to increase resources quickly to meet demand.
Backups BOS’s data stores are backed up daily.
BOS has a data retention policy that means that backups are only held for three months. Backups are stored securely in a Jisc office and replicated to a data centre, both located in the UK. After three months the backups are deleted and destroyed. Recent backups are also stored for 14 days in AWS S3 storage (within the Republic of Ireland) for fast restore. BOS enables users to export survey response data in a number of popular formats (see FAQ for details) so that it can be backed up or used with other software.
Jisc publishes SPF and DMARC policies for the onlinesurveys.ac.uk domain. Operators of e-mail systems wishing to improve the reliability and trust of e-mail delivery from BOS can use these DMARC policies to identify authorized senders for this domain
Users must not share accounts – by this we mean that each person who has access to a BOS account must use a unique username and password. You must not allow other people to use your username and password and multiple users must not log in using a single set of shared credentials.
Users’ passwords should be sufficiently complicated, stored securely (if stored at all) and not be the same as used on any other system. Your institution is responsible for ensuring that access to accounts is well-managed and that access to accounts is revoked when users change role or leave the organisation. Your institution should ensure that you have appropriate levels of security on your own systems should you choose to export sensitive data. You and/or your institution are the Data Controller for any information collected using surveys run through BOS. If you are not sure of the implications of being a Data Controller please consult the data protection officer (or equivalent) at your institution.