Security

Hosting

Knowledge Hub is hosted by Amazon Web Services (AWS) in the UK, in data centres built to exacting standards and delivering a very high level of security, power, connectivity and environmental control. The data centres are engineered with fully redundant connectivity, power and HVAC to avoid any single point of failure, and each is staffed 24/7 by trained technical support staff.

More specifically, Knowledge Hub is hosted within two UK-based data centres in the London area. It sits in a secure cloud hosting service assessed as suitable for data at the UK Government 'OFFICIAL' classification. The hosting service is supported by Rackspace, via a managed service from our partner PFI Knowledge Solutions Limited (PFIKS). Both Rackspace and PFIKS are ISO/IEC 27001-certified suppliers.

Access to the data centres:

  • Is limited to authorised supplier and contracted third-party personnel;
  • Is monitored 24 hours a day, seven days a week through closed circuit video surveillance; and
  • Requires identification for access.

Data and threat protection

Knowledge Hub serves all clients over HTTPS, using TLS 1.2 with 256-bit symmetric encryption for the session. All Knowledge Hub data is protected at rest with enterprise-grade encryption, on a cloud platform designed with information security as a top priority.

The software components are security-hardened and regularly tested against common vulnerability classes such as cross-site scripting (XSS) and SQL injection. Whenever content is uploaded to Knowledge Hub it is scanned with ClamAV®, an open source antivirus engine that detects trojans, viruses, malware and other malicious content.

Knowledge Hub’s underlying software, Liferay DXP, is regularly penetration tested and verified by Veracode.

Liferay (the software underlying TeamWorXX) follows the OWASP Top 10 (2013) and the CWE/SANS Top 25 lists to keep Liferay Portal as secure as possible. Following these recommendations protects the portal against known classes of attack. For example, Liferay Portal's persistence layer is generated and maintained by the Service Builder framework, which prevents SQL injection by issuing parameterised queries through Hibernate: user-supplied values are bound as parameters rather than concatenated into the SQL statement.
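The following is an added example, not Liferay or Service Builder code, showing why binding parameters defeats SQL injection where string concatenation does not. It uses Python's sqlite3 module as a stand-in for Hibernate; the table, rows and the attacker payload are constructed for the demonstration.

```python
"""Added example: parameterised queries versus string concatenation.

Not Liferay/Service Builder code. Uses sqlite3 in place of Hibernate; the
schema, rows and payload below are constructed for illustration only.
"""
import sqlite3


def build_db():
    # Constructed sample data: an in-memory table with three users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [
            ("alice@example.org", "admin"),
            ("bob@example.org", "member"),
            ("o'brien@example.org", "member"),  # legitimate value containing a quote
        ],
    )
    return conn


def find_user_vulnerable(conn, email):
    # Attacker-controlled text is spliced into the SQL statement itself,
    # so the input can change the statement's structure.
    sql = "SELECT email, role FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    # The statement text is fixed; the value travels separately as a bound
    # parameter and can only ever be compared as data.
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


def vulnerable_query_errors(conn, email):
    # The concatenating version also breaks on honest input with a quote in it.
    try:
        find_user_vulnerable(conn, email)
        return False
    except sqlite3.OperationalError:
        return True


# Classic tautology payload: closes the string literal and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", find_user_vulnerable(conn, PAYLOAD))  # every row
    print("safe:      ", find_user_safe(conn, PAYLOAD))        # []
    print("safe, quoted email:", find_user_safe(conn, "o'brien@example.org"))
```

The parameterised lookup returns nothing for the payload and still finds the address that legitimately contains an apostrophe, which the concatenating version cannot even query without a syntax error.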

To prevent cross-site scripting (XSS), user-submitted values are escaped on output. Liferay Portal does not encode input; to support integration features, data is stored in the original form submitted by the user and encoded only at the point where it is rendered. Liferay Portal also includes built-in protection against CSRF, local file inclusion, open redirects, the upload and serving of files of dangerous types, content sniffing, clickjacking, path traversal and many other common attacks.
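The store-raw, escape-on-output pattern described above, as an added example that is not Liferay's own code. The comment store, the attacker-style comment and the JSON export path are constructed for the demonstration; the point it makes beyond the text is what goes wrong if you encode on input as well.

```python
"""Added example: escape on output, store the original input.

Not Liferay code. The CommentStore and sample comment are constructed for
illustration; html.escape stands in for the portal's output encoder.
"""
import html
import json


class CommentStore:
    """Stores whatever the user submitted, without encoding it."""

    def __init__(self):
        self._rows = []

    def add(self, author, body):
        # No encoding on input: the original text is what gets persisted.
        self._rows.append({"author": author, "body": body})
        return len(self._rows) - 1

    def get(self, idx):
        return self._rows[idx]


def render_html(comment):
    # Escape at the point of output, for both the attribute and the element
    # body context. quote=True also encodes " and ' for the attribute.
    return '<div class="comment" data-author="{a}"><p>{b}</p></div>'.format(
        a=html.escape(comment["author"], quote=True),
        b=html.escape(comment["body"], quote=True),
    )


def export_json(comment):
    # Integration path: an API consumer receives the value as typed, not an
    # HTML-encoded version that would be wrong in a non-HTML context.
    return json.dumps(comment)


def render_with_input_encoding(body):
    # The pattern the text avoids: encode on input, then (correctly) encode
    # again on output. The result is double-encoded and displays as '&lt;'.
    stored = html.escape(body)
    return html.escape(stored)


if __name__ == "__main__":
    store = CommentStore()
    i = store.add('"><script>alert(1)</script>', "<script>alert(1)</script>")
    print(render_html(store.get(i)))
    print(export_json(store.get(i)))
    print(render_with_input_encoding("<b>hi</b>"))
```

Output encoding is context-specific: the same stored string needs HTML entity encoding in a page, JSON string escaping in an API response, and nothing at all in a plain log file, which is why encoding once at storage time cannot be correct for every consumer.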

To keep pace with newer attack techniques, Liferay Portal also contains fixes for state-of-the-art attacks. For example, Liferay Portal uses PBKDF2 to store passwords. Liferay Portal also contains mitigations for the quadratic blowup XML entity expansion attack, the Rosetta Flash vulnerability, Reflected File Download and other kinds of attack.
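PBKDF2 password storage as it is typically implemented, added here as an example and not taken from Liferay. Liferay's own hash algorithm choice, iteration count and record format are not stated on this page, so the SHA-256 PRF, the iteration count, the 16-byte salt and the `pbkdf2_sha256$...` record layout below are all assumptions for illustration.

```python
"""Added example: storing and verifying passwords with PBKDF2.

Not Liferay code. Algorithm, iteration count, salt length and the stored
record layout are assumptions chosen for the demonstration.
"""
import base64
import hashlib
import hmac
import os

# Assumed work factor; tune upward as hardware gets faster.
ITERATIONS = 210_000
SALT_BYTES = 16
DKLEN = 32


def derive(password, salt, iterations, dklen=DKLEN):
    """Raw PBKDF2-HMAC-SHA256 derivation, returned as bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$hash (base64)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per-user salt from the OS CSPRNG
    dk = derive(password, salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record is treated as a failed login, not a crash
    actual = derive(password, salt, iterations, len(expected))
    # hmac.compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(actual, expected)


def derive_hex(password, salt, iterations):
    """Convenience wrapper used to check against a published test vector."""
    return derive(password, salt, iterations).hex()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Because the iteration count is stored inside the record, it can be raised later and old records re-hashed on the user's next successful login without invalidating anyone's password.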

Penetration testing

A full penetration test on the TeamWorXX managed service took place during March 2018. The scope of this test included the application as well as the managed infrastructure. The outcome and any residual risks from this test have been shared with The Police ICT Company.

ISO 27001

PFIKS is ISO 27001 certified. An annual external audit covering the full Statement of Applicability (SoA) is being conducted by Bureau Veritas on 9 and 10 August 2018.

Security processes

PFIKS security policies and procedures are contained in three manuals: the User Management Manual, the Technical Controls Manual and the Management Manual. These can be shared with organisations that have an NDA in place with PFIKS.

Service availability and recovery

PFIKS aims to provide platform uptime of 99.9% or greater. Any service-impacting planned maintenance is performed outside UK business hours, with adequate notification. As standard, PFIKS takes weekly full backups and nightly differential backups of all operating system and user data, with two weeks of on-site retention. Backups can be restored at any time, on request.

Account security

Every individual registered on Knowledge Hub has their own password to access their account and may set their own profile privacy settings to a level of visibility with which they feel comfortable.

Based on member feedback, Knowledge Hub does not enforce periodic password changes, but the platform can enforce a password change policy across all accounts should it be required.

Support

All support requests should be directed to The Police ICT Company in the first instance. Find out how to contact us. If necessary, we will liaise with PFIKS to resolve any technical issues.

PFIKS provides a dedicated web-based support desk for all support-related communications, available 9am to 5pm Monday to Friday, excluding UK public holidays. High-priority incidents are responded to within four business hours, and those with minimal impact within three business days.