In the last post we provided 6 questions to get to the bottom of SaaS vendor security and uptime. Thankfully, myStaffingPro has always scored well in these categories. To prove it, below are our responses to last week’s post.
What are the average downtime statistics for the last five years? Please provide a copy of your standard Service Level Agreement (SLA).
myStaffingPro has an uptime of 99.999% for the last five years.
Describe your fail‐over ability and other contingency plans for hardware failure.
All hardware is built with as much redundancy as possible, and is backed up by at least one like piece of equipment. The mission-critical servers are clustered and load balanced so that no single failure can affect service delivery. The non-mission-critical servers have a sibling server that can take over their functions, either by moving the application over or by using system imaging to quickly re-create the affected machine.
Describe your application architecture in terms of database, logic, two‐tier vs. three‐tier, centralized vs. decentralized, etc.
We use a three-tiered approach with a data access layer, a business layer and a presentation layer. Our data access layer uses classes for data access to a database server, our business layer uses a combination of stored procedures, components and scripts, and our presentation layer uses HTML and style sheets.
Describe how your company will logically and/or physically segregate our data from other customers and users.
As a SaaS applicant tracking solution, we house virtual databases for each client keyed off robust permissions, so that all data for a client is accessible only by the client and our support staff. The virtual databases reside on a redundant hardware solution, and share the same schema. This means that multiple clients may reside on the same physical database. This model allows us to deploy enhancements and upgrades to all users with minimal complication and cost.
The following controls have been put into place to ensure the security of client data:
- The system controls access to functions based on the permissions assigned to a user.
- The system authenticates users with a unique session variable that grants access only to the data the user has been permitted to see.
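As an added example (not myStaffingPro's code), a minimal data access layer for the shared-schema model described above: every query carries the tenant id bound to the server-side session, so a record belonging to another client cannot be read even by guessing its id. The table, sample rows and the Session class are constructed for illustration.

```python
import sqlite3
from dataclasses import dataclass

# Constructed shared-schema table: a single client_id column separates tenants,
# mirroring "multiple clients may reside on the same physical database".
SCHEMA = """
CREATE TABLE applicants (
    id INTEGER PRIMARY KEY,
    client_id INTEGER NOT NULL,
    name TEXT NOT NULL
);
"""

# Constructed sample data: two tenants (100 and 200) in one table.
SAMPLE_ROWS = [
    (1, 100, "Alice"),
    (2, 100, "Bob"),
    (3, 200, "Carol"),
]


@dataclass(frozen=True)
class Session:
    """Hypothetical server-side session: the tenant is fixed at login and
    never taken from request parameters the user controls."""
    user_id: int
    client_id: int


def open_db():
    """Create the in-memory shared-schema database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def list_applicants(conn, session):
    """Return only the caller's tenant rows; there is no unscoped variant."""
    return conn.execute(
        "SELECT id, name FROM applicants WHERE client_id = ?",
        (session.client_id,),
    ).fetchall()


def get_applicant(conn, session, applicant_id):
    """Primary-key lookup still includes the tenant predicate, so an id
    belonging to another client yields None instead of that client's record."""
    return conn.execute(
        "SELECT id, name FROM applicants WHERE id = ? AND client_id = ?",
        (applicant_id, session.client_id),
    ).fetchone()
```

A regression test that logs in as one tenant and requests another tenant's id is the quickest way to confirm the scoping holds on every code path.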
Do you have regular vulnerability/ penetration tests performed on your network? Please discuss with us the results and how issues were remediated.
Vulnerability scans are performed monthly, and intensive manual penetration tests are performed yearly. The monthly test includes an internal vulnerability scan as well as an external vulnerability scan. The external scan is all-encompassing and tests for PCI compliance, SANS Top 20 vulnerabilities, open ports, and Qualys Top 20 vulnerabilities. The internal scan tests for open ports, vulnerable services, unnecessary services, OS release, and patches.
The yearly penetration test is a two week process of automated and manual penetration testing by certified penetration specialists. Both anonymous access and privileged access are tested.
Do you have a defined incident response plan? If so, please provide a copy of the plan and state how often it is tested. Please describe how you communicate an incident or breach affecting customer data to the appropriate customer management. Does your plan include remedies for incidents including, but not limited to, data breaches, unexpected data loss, unexpected system downtime, pandemic, and natural disasters?
Our disaster recovery plan addresses data breaches, data loss, system downtime and natural disasters. Our incident response plan involves notifying the administrator users of all affected clients via email in the event of an incident, as well as providing a conference call follow-up, if needed. In the event of a disaster, our incident response team is on task immediately, working until the issue is resolved. We hope to never have to use our plan, but we do test it annually.