Security

WORQ implements the highest security standards that take you and your data seriously

We take security very seriously. WORQ has been assessed against the ISM as suitable for holding data up to the Protected classification level. Australian Government Information Security Manual (ISM) | Cyber.gov.au

We conduct comprehensive audits of our applications, systems, procedures and networks to ensure that your data is protected.

Product security and reliability

WORQ offers many security features, including SAML SSO, IP whitelisting of your site's addresses, audit logging, Role Based Access Controls (RBAC) and Attribute Based Access Controls (ABAC), to ensure your data is managed confidentially.
WORQ offers Single Sign-On (SSO) to keep control of access to your data in the hands of your administrators. We can integrate with your on-premise SAML or OpenID providers, including Azure Active Directory, OneLogin, Okta, G Suite, ADFS and more.
Access to data within the WORQ platform is governed by role-based access controls (RBAC). WORQ has various permission levels for users. You can assign a user to a Role or Team, each with varying levels of access to functions within the system.
Access to specific data can be set to Read-Only, Edit or No Access. For example, a sensitive Audit being conducted in the system can be made editable only by a specific auditor and read-only to Senior Management.
WORQ endeavours to maintain 99.5% or higher uptime. WORQ has multiple levels of redundancy built into its architecture, so it can handle a failure in one region or in multiple data centres.
WORQ can restrict access to a client's data to a fixed IP address nominated by that client. WORQ also restricts administrator access to the platform to a fixed IP address.

Cloud security

WORQ uses Azure data centres in Australia only. The services and data are hosted in Azure facilities across two regions.
WORQ has designed a multi-layer approach to DDoS mitigation. Azure Cloud Front and Azure DDoS Protection are used for network edge defences, including caching, scaling and a Web Application Firewall.
Access to the WORQ Production Network and Resources is restricted on an explicit need-to-know basis, follows the principle of least privilege, and is strongly audited and monitored. Employees accessing WORQ Production systems are required to use multi-factor authentication and to complete extensive background checks, alongside many other technical and administrative controls. All employees accessing these resources are Australian Citizens.

WORQ is designed with disaster recovery in mind. The data is protected by two availability zones and three availability sets, and the infrastructure is deployed to two regions. We can handle a data centre destruction event.

In the case of a database region failure (both data centres in the region being destroyed), we take backups to another region and can restore the database there. In this case we can achieve a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 30 minutes.

You cannot access WORQ Administration services from the internet; they are locked behind strict controls in a network that is not exposed to the internet (no public IP addresses).
At the application level, WORQ produces audit logs for all activity, which are analysed using Log Analytics and Application Insights. All actions taken on production or in the WORQ application are logged and archived for 365 days.
All data sent to or from WORQ is encrypted in transit using 256-bit encryption. We encrypt data at rest using the industry-standard AES-256 encryption algorithm.
WORQ uses third-party security tools to continuously scan for vulnerabilities. The application is penetration tested and scanned on a monthly basis to ensure new functions and features have not introduced vulnerabilities.

Platform Security

WORQ practises extensive processes and controls to ensure application security. Common best practices defined by standards such as OWASP, the ISM and the CIS Benchmarks are applied in our coding practices.
No code goes into our platform without being reviewed by a senior developer through a Pull Request process. Thousands of automated tests are run on each change to the code to ensure that no errors are introduced. Our pipeline also includes static code analysis that scans for known vulnerability classes, such as those covered by the OWASP controls.
As part of our deployment process, a manual penetration test is completed for major releases. New features are tested by Quality Assurance experts to reduce our exposure to defects and vulnerabilities in code.
Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.

HR Security

At WORQ we ensure that our employees adhere to the highest security standards by implementing extensive employee background checks and multiple administrative controls. All Administrators are based in Australia.
All employees complete Security Awareness training annually and during onboarding.
All employee contracts include a confidentiality agreement.

Compliance

WORQ has built its Information Security Management System on top of the ISM to ensure that best-practice protection controls are implemented based on industry standards.
Our system is certified to Protected by an independent IRAP assessor using the ISM as the control framework. We have an active monitoring policy across our application to ensure that ISM controls are not compromised. No resource can be deployed outside of an Australian data centre.

We monitor and comply with the CIS Microsoft Azure Foundations Benchmark. This policy is actively scanned and enforced.

Regulatory Compliance details for CIS Microsoft Azure Foundations Benchmark – Azure Policy | Microsoft Docs

We monitor and comply with the Azure Security Benchmark. This policy is actively scanned and enforced.

Regulatory Compliance details for Azure Security Benchmark – Azure Policy | Microsoft Docs

We monitor and comply with the ISO 27001:2013 controls. This policy is actively scanned and enforced.

Regulatory Compliance details for ISO 27001:2013 – Azure Policy | Microsoft Docs


We monitor and comply with the PCI-DSS standard. This policy is actively scanned and enforced.

Payment Card Industry (PCI) Data Security Standard (DSS) – Microsoft Compliance | Microsoft Docs


Privacy and Data Protection

Security Concern?

If you think you may have found a security vulnerability, please get in touch with our security team at [email protected]