| Category | Activity | Short description | Status of the internal audit |
|---|
| Developer environment | Developer's computers verification | - Virus protection effect
- Full Disc Encryption (BitLocker) is in effect
| We have validated the notebooks of all of our 4 developers. On each computer - the virus protection was active
- every notebook was encrypted using Bitlocker's full disc encryption
|
| Source code management systems verification | - Bitbucket can be accessed only through VPN
- Only authorized persons have permissions to Bitbucket
- Only minimal permissions are granted
| We have validated access and permissions to our internal (Bitbucket) source code management system. - Bitbucket can be accessed only by the authenticated users
- The product owners (2 users) have full admin permissions
- In addition to the product owners, the following users have login access to Bitbucket:
- The developers (2 users)
- The support team (2 users)
- The product test team (1 user - subcontractor: CodeCanvas)
- Technical user for test automation user (1 technical user - subcontractor: CodeCanvas)
- AWS environments support team (1 user - subcontractor: Enoventum)
- On repository level, for our Cloud apps (Email This Issue, Content Exporter, Atlassian Connect framework, Logging framework), only the least privileges are granted, which are:
- product owners have full admin rights
- in addition to product owners, 1 senior developer has admin permission to Email This Issue's repositories.
- all other users have only the minimally necessary read/write permissions
- During the audit, we have removed 2 subcontractor users, who are not working on our apps any more
|
| Package and artifact management system verification | - JFrog can be accessed only through VPN
- Only authorized persons have permissions to JFrog
- Only minimal permissions are granted
| We have validated access and permissions to our internal (JFrog's Artifactory) package and artifact management system. - JFrog Artifactory be accessed only by the authenticated users
- One product owner has full admin permissions
- In addition to this, the following users have access to Artifactory:
- The developers (2 users)
- Technical release user (1 technical user for release management)
- Technical user for test automation (1 technical user for the build and test logs - subcontractor: CodeCanvas)
- On repository level, only the least privileges are granted, which are:
- Read access for all logged in users
- Read, annotate, deploy and delete permissions for the test automation user on the build log repository
- Read, annotate, deploy and delete permissions for the release user on the release and snapshot repositories
|
| Build systems verification | - Bamboo can be accessed only through VPN
- Only authorized persons have permissions to Bamboo
- Only minimal permissions are granted
| We have validated access and permissions to our internal (Bamboo) build system - Bamboo be accessed only by the authenticated users
- The two product owners and one senior developer have full admin permissions
- In addition to this, the following users have access to Bamboo:
- Developers (1 users)
- Test team (2 users - subcontractor: CodeCanvas)
- Technical user for test automation (1 technical user for the build and test logs - subcontractor: CodeCanvas)
- On repository level, for our Cloud apps, only the least privileges are granted, which are:
- View access for all logged in users
- Create plan and admin project for the senior developer
|
| Stage environment | Cloud Amazon Stage verification | - AWS access is restricted to authorized persons only
- Only minimal permissions are granted
- Kubernetes SSH access is protected by keys
- Database access is allowed only from fix IP
- There was no unauthorized access
| We have validated access, permissions, network policies in our stage Amazon AWS environment. Our stage Cloud Apps are running in managed a Kubernetes cluster (Amazon EKS) and use managed databases (Amazon RDS). - Our stage environment is completely separated from the production environment, it has a dedicated AWS account and can be accessed by the following users:
- One product owner (1 user)
- One senior developer (1 user)
- AWS support team (1 user - subcontractor: Enoventum)
- On environment (AWS account) level, only the least privileges are granted, which are:
- Admin permission for the
- product owner
- senior developer
- AWS support team
- On network level
- Access to Kubernetes SSH is allowed only via key exchange, through a dedicated EC2 instance
- Access to the databases are allowed only from
- The AWS environment's internal network
- Fixed IP of META-INF's build server
- Fixed IP of subcontractor CodeCanvas (for database level testing)
- External database access is done by SSL/TLS connection
- We have reviewed the access log entries for the last 3 months in Amazon's access log (IAM Account Activity History) and have not found in unauthorized or suspicous entries.
|
| Production environment | Cloud Amazon Production verification | - AWS access is restricted to authorized persons only
- Only minimal permissions are granted
- Kubernetes SSH access is protected by keys
- Database access is allowed only from fix IP
- There was no unauthorized access
| We have validated access, permissions, network policies in our production Amazon AWS environment. Our production Cloud Apps are running in managed a Kubernetes cluster (Amazon EKS) and use managed databases (Amazon RDS). - Our production environment is completely separated from the stage environment, it has a dedicated AWS account and can be accessed by the following users:
- One product owner (1 user)
- One senior developer (1 user)
- AWS support team (1 user - subcontractor: Enoventum)
- On environment (AWS account) level, only the least privileges are granted, which are:
- Admin permission for the
- product owner
- senior developer
- Read-only access for the
- On network level
- Access to Kubernetes SSH is allowed only via key exchange, through a dedicated EC2 instance
- Access to the databases are allowed only from
- The AWS environment's internal network
- Fixed IP of META-INF's build server
- Fixed IP of subcontractor Enoventum (for database upgrades and maintenance)
- External database access is done by SSL/TLS connection
- We have reviewed the access log entries for the last 3 months in Amazon's access log (IAM Account Activity History) and have not found in unauthorized or suspicous entries.
|
| Log analysis | Cloud Datadog Stage verification | - Only authorized persons have permissions to Datadog
- Only minimal permissions are granted
| We have validated access, permissions to DataDog. This service is used to collect and search logs from our stage and production AWS enviroments. - Our Datadog environment can be accessed by the following users:
- One DataDog owner account (1 technical user)
- One product owner (1 user)
- The developer team (2 user)
- The support team (2 user)
- AWS support team (1 user - subcontractor: Enoventum)
- On log analysis and search, for our Cloud apps, only the least privileges are granted, which are:
- Admin access
- One product owner
- One DataDog owner account (1 technical user)
- View access for all logged in users
|
| Cloud Datadog Production verification | - Only authorized persons have permissions to Datadog
- Only minimal permissions are granted
|
