Access to all systems is managed on a least privilege basis. All access to core components requires two-factor authentication and access logs are kept for reconciliation against access requests.
All production systems are accessed through bastion hosts with multi-factor authentication and IP whitelisting.
All passwords for production systems are randomly generated, 64 characters in length, recycled regularly and are never reused.
All access attempts to core components are logged and access to these logs is restricted to the Operations Team. All core logs are centralised for analysis.
Standard security patches are applied within 30 days of release and critical patches are applied as appropriate to the risk. Operating systems are upgraded at least twice annually.
The production network is entirely separate from all other company networks. Logical components are separated into their own private subnets with strictly controlled communication channels.
Internal vulnerability scans and penetrations tests are carried out biannually by an accredited third-party and we follow OWASP guidelines throughout development and code review.
Firewalls are provided by Amazon Web Services and Security Groups and network ACL usage are designed in accordance with best practice.
System, access and other logs are centrally managed and collated and inform KPI-driven application-level metrics upon which we will base our automated monitoring and alerting.