Do you have a firewall? Is it controlled, updated, and maintained by a specific group of administrators? Do you periodically audit the firewall to ensure it is working correctly?

 

  • We firewall all of our machines. We allow login only from a few designated IP addresses. Access to any port other than mail, HTTP, and HTTPS is tightly controlled.
  • The firewall is controlled by the operations team, and all changes to its configuration are stored in our version control system and logged on our administrative interface.

 

Do you routinely monitor and review network, server, and/or application logs? If so, how often?

 

  • We collect logs from all servers on four separate syslog recording machines, and periodically check these logs.

 

Do you have an intrusion detection/prevention system (IDS/IPS) in place?

 

  • We employ a third-party service (Hacker Safe) to perform daily intrusion attempts.

 

Do you have a patching process/policy in place? Is there a test environment where patches and code updates can be applied where it will not impact users?

 

  • We monitor appropriate security mailing lists, keep current with Debian Linux security updates, and use several development machines for pre-production testing of these updates.

 

Will other users of this system have access to our wiki's data?

 

  • Only designated operations and support team members have access to any user data. If the data is marked 'private' the support team may request temporary read-only access from the wiki owner to resolve a support incident.

 

What protocols and procedures do you have in place to prevent social engineering attacks?

 

  • Only the creator of a wiki (or someone with access to their email account) can request a password change or other data-exposing action.
  • By policy, our support team may not reveal any information about any wiki participant for any reason without prior approval from that person.
  • There is no automatic means for an external party to directly recover the email address, password, or originating IP address of a wiki's creator.
  • Wikis can be configured to reject any request not coming from administrator-designated IP addresses, ensuring two-factor security (password or security token plus IP address) in the event of a social attack against your own users.

 

In the event of a user-facing incident (downtime, degradation of service, or security breach) do you have a notification policy? If so, what is it?

 

  • We have a general notification policy in place for customer wikis utilizing our user forums and blog.
  • When an incident affects wiki availability for longer than a minute or two, we post an incident report on our forums and blog. This includes internal errors (server failures, software problems) and external ones (power loss, upstream network problems).
  • We have explored direct notification as a part of some enterprise licenses but at this time it is not part of our routine policy.
  • We have never experienced a security breach but in the event of one we will notify affected users by email in addition to public notice.

 

What process or policies are in place to safeguard our wiki's data throughout its business lifecycle? Please cover how it's protected while in use, at rest, and what is done when it is no longer needed.

 

  • We physically destroy retired hard drives (we use disk for all backup, no 'backup tapes' exist).
  • We copy all user data to a secure offsite facility within five minutes. These backups are public-key encrypted using 1024-bit DSA and the only copies of that key are in two separate secure physical locations outside of our NOC.
  • All servers are housed in cabinets in a locked, guarded, patrolled data center. Access is possible only for our operations team.
  • All administrative traffic is over SSH only.
  • All servers run security-enhanced Linux kernels (e.g. 2.6.21.5.pbwiki-grsec #1 SMP), which further guard against a number of classes of security vulnerabilities.
  • All persons with access to user data have undergone a thorough background check.
  • No regular employees have any access to production storage servers, databases, or user data - only designated need-to-know operations, engineering, and support personnel.

 

