dwyl / ISO-27001-2013-information-technology-security

:closed_lock_with_key: Probably the most boring-but-necessary repo on GitHub. If you care about the security/privacy of your data...! :white_check_mark:

Information Security Questionnaire Follow Up Questions #21

Open nelsonic opened 7 years ago

nelsonic commented 7 years ago

We replied to an InfoSec Questionnaire that was heavily based on ISO 27001, sent to us by a "Fortune 500" company. It had over 130 questions and these were the only ones they needed additional info on:


So, we must be doing _something "right"... 😉 🔐 ✅

But let's address these Questions Now so they know Security is our Top Priority!! 👍

nelsonic commented 7 years ago

No hosting is performed directly by DWYL; everything is hosted on the Amazon Web Services (AWS) infrastructure and the account is controlled by the client (i.e. DWYL does not "own" the AWS account!).

The development environment is on each developer's laptop and holds only dummy data (developers never use customer data for any purpose).

Test (Continuous Integration (CI) testing) and Staging environments are hosted on AWS and are logically isolated from production (i.e. no access to customer data!).

No customer data is available in any environment other than "production" and no developers have access to the data. This is by design (not by accident) as it ensures "segregation of duties".

Given that the organisation is small we only have one administrator for the IT infrastructure. If this is considered a "business continuity risk" we can implement a control/process to ensure that in the case of an illness/emergency or other unforeseen event, a nominated person can administer the system with delegated authority.

The underlying OS is patched automatically and transparently by Amazon Web Services. Please see: https://aws.amazon.com/amazon-linux-ami/faqs/
