Introduction
Granicus is committed to information security. We understand that the confidentiality, integrity, and availability of data is vital to our and our customers' business, especially as the impact level of the information increases. We have therefore implemented processes and procedures in accordance with ISO 27001:2013, trained all staff in information security, and achieved ISO 27001:2013 certification.
Granicus is committed to placing relevant security controls around information-related assets to ensure acceptable levels of risk.
Frequently asked questions
Does Granicus have procedures for dealing with suspicious activity, e.g. where an account is continually locked and unlocked?
Yes. Granicus has a range of monitoring activities in place to identify unusual activity within the platform. These will be expanded further following the implementation of additional auditing as part of our enhancement for the new GDPR regulations.
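One concrete form such monitoring can take is a check over the audit log for accounts whose lock events cluster in a short window. The following is an added example and not Granicus code; the audit line format ("timestamp event user=name") and the sample lines are constructed for illustration and are not the govService log format.

```python
"""Flag accounts whose lock events cluster suspiciously within a time window.

Added example, not Granicus code. The audit log format below is an
assumption constructed for illustration, not the govService format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO timestamp> <event> user=<name>"
SAMPLE_AUDIT_LOG = """\
2024-03-01T08:00:00 ACCOUNT_LOCKED user=alice
2024-03-01T08:05:00 ACCOUNT_UNLOCKED user=alice
2024-03-01T08:07:00 ACCOUNT_LOCKED user=alice
2024-03-01T08:12:00 ACCOUNT_UNLOCKED user=alice
2024-03-01T08:15:00 ACCOUNT_LOCKED user=alice
2024-03-01T09:00:00 ACCOUNT_LOCKED user=bob
2024-03-01T17:30:00 ACCOUNT_UNLOCKED user=bob
2024-03-02T08:30:00 LOGIN_OK user=carol
this line is malformed and is skipped
"""


def parse_audit_lines(text):
    """Yield (timestamp, event, user) tuples; silently skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("user="):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2][len("user="):]


def find_lock_cycles(text, window=timedelta(hours=1), threshold=3):
    """Return {user: max_locks_in_window} for users locked at least `threshold`
    times inside any sliding window of length `window`."""
    locks = defaultdict(list)
    for ts, event, user in parse_audit_lines(text):
        if event == "ACCOUNT_LOCKED":
            locks[user].append(ts)

    flagged = {}
    for user, times in locks.items():
        times.sort()
        best = 0
        start = 0
        # Two-pointer sweep: advance `start` until the window fits, count the span.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    print(find_lock_cycles(SAMPLE_AUDIT_LOG))  # alice: 3 locks within an hour
```

The thresholds (three locks in one hour) are illustrative; in practice they are tuned to the lockout policy so that a single mistyped password does not page anyone while a lock/unlock loop does.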
Our internal forms use AD credentials. Where are these stored?
The only parts of your users' Active Directory information that we store are the username and email address. These are stored in a secure SQL database hosted in Ireland. Authentication between the client and the IIS server uses Windows Integrated Authentication, which does not involve exchanging passwords. The FAM does not receive or process passwords at all. Further, all data transmitted from the FAM to the govService platform via the web browser is already encrypted using AES-256.
Are passwords at risk when using the FAM?
The assertion that passwords are at risk is questionable. Authentication between the client and the IIS server uses Windows Integrated Authentication, which does not involve exchanging passwords. The FAM does not receive or process passwords at all. Further, all data transmitted from the FAM to the govService platform via the web browser is already encrypted using AES-256.
We do, of course, request that an SSL certificate is available and installed.
How can we advise our customers that the emails they receive are genuine and not phishing emails?
Many organizations, such as banks, now include a statement in their emails advising customers how to protect themselves against phishing. This can easily be added to the relevant email integration templates.
Organizations also often add "security codes" to genuine outgoing emails, for example part of the postcode string or account number. These can also be added to the relevant email integrations through the use of, e.g., environment tokens.
How are passwords stored?
Passwords are hashed using salted SHA-256 before being stored in a MySQL database.
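To make the statement above concrete, here is an added example (not Granicus code) of storing and verifying a password as a salted SHA-256 digest. The storage string format "sha256$<hex salt>$<hex digest>" and the 16-byte salt length are assumptions for illustration, not the govService schema.

```python
"""Store and verify passwords as salted SHA-256 digests.

Added example, not Granicus code. The record format
"sha256$<hex salt>$<hex digest>" and the salt length are assumptions.
"""
import hashlib
import hmac
import secrets

SALT_BYTES = 16  # assumption: 128-bit random per-user salt


def hash_password(password, salt=None):
    """Return 'sha256$<salt>$<digest>'. A fresh random salt is drawn unless
    one is supplied (verification re-supplies the stored salt)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time.
    Malformed or unknown-scheme records never verify."""
    try:
        scheme, salt_hex, digest = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "sha256":
        return False
    candidate = hash_password(password, salt).split("$")[2]
    # hmac.compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

The per-user salt means two users with the same password get different records, and the constant-time comparison keeps verification timing independent of how many leading digest characters match. SHA-256 is a fast hash; where the choice is open, a deliberately slow password hash such as `hashlib.pbkdf2_hmac` or `hashlib.scrypt` from the same standard library raises the cost of offline guessing against a leaked table.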
How can customers check whether there has been any suspicious activity of their account?
The platform displays the last login date to a customer when they access their online account, which would highlight any fraudulent activity. Additionally, when requests are made, especially password resets, the confirmation emails are sent to the customer's registered email address.
Where (geographically) is the platform data held?
Data is held within the platform’s primary data center which is located in Dublin. We have a secondary data center located in London.
The govService application uses MySQL 5.7 as its RDBMS. The data stored includes site configuration, authentication information, process/form definitions and submitted cases.
What is the govService disaster recovery plan?
Granicus holds and maintains a disaster recovery plan as part of its Information Security procedures under ISO 27001.
All data within the govService platform is subject to cyclic backup routines (6-month cycles). These routines, combined with transaction logging, allow the platform to be restored to any point in time covered by a backup. The platform is additionally replicated to our alternative data center in Frankfurt. This provides an alternative location from which to store and run the platform in the unlikely event that the main server hosted in Dublin were fully lost in a scenario requiring disaster recovery.
How soon after an outage to the live environment could a backup be restored?
Servers are backed up daily. Our recovery time objective is 4 hours. (Note: In addition to daily backups, the data is replicated in real time to a separate EEA geographic location).
What is the process for patching/security updates for technology components (both web dependencies and server software)?
The application periodically undergoes security penetration testing, and any discovered or known security vulnerabilities are addressed as soon as possible. Security issues are typically addressed by patching or by a minor technology version update as part of the product's short-term roadmap and release schedule. Major technology version upgrades are scheduled as part of the product's longer-term roadmap.
Are emails sent from the platform secure?
The govService platform does not support any form of email or email network encryption beyond the transfer to the LIM (which is AES-256 encrypted). Therefore we cannot guarantee the security of emails once they leave the SMTP server. If you are concerned about communicating confidential information to your customers, we recommend building a process workflow that lets the customer communicate with you through their MyRequests portal using their Self Account.
How are files copied from the Platform to the LIM when using local storage?
Files are converted to Base64 for sending to the destination. All our LIM traffic is AES-256 encrypted, and may also use HTTPS depending on the individual customer configuration.
Is the govService platform PCI compliant?
GovService Firmstep does not fall under the legislation, as our solution does not hold or take secure payment information. We do ensure that the payment integration is secure.
Are uploaded document/files scanned for viruses?
All uploads are scanned by our ClamAV antivirus program. If a file fails the check, it is rejected and not uploaded.
Is data encrypted?
Data in transit between the client and the server is protected using HTTPS TLS1.2 encryption.
Data at rest is encrypted using AES-256 encryption.
What does a "406 Not Acceptable" error mean?
You may experience a "406 Not Acceptable" error when making certain requests to the govService Platform. This is because the govService Platform is protected by a Web Application Firewall (WAF), which is designed to filter out malicious requests before they can reach the application code.
You see this error because the firewall has determined that your request is likely to be malicious or erroneous. This may be due to the content of the request, the frequency of requests, or other factors.
If you believe a legitimate request is being blocked by the firewall, please contact Granicus Customer Support with details of the request being made, and we will provide further assistance.
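When an integration hits a 406 and the details need to go to support, the request should be captured without its credentials. The following is an added example, not Granicus code: the set of headers treated as sensitive, the report layout and the placeholder URL are assumptions for illustration.

```python
"""Capture a WAF-rejected (406) request for a support ticket, with credentials redacted.

Added example, not Granicus code. SENSITIVE_HEADERS and the report shape are
assumptions; the URL used in the demo is a placeholder.
"""
from datetime import datetime, timezone

# Assumption: header names whose values must never leave the client unredacted.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key", "proxy-authorization"}


def redact_headers(headers):
    """Return a copy of `headers` with credential-bearing values replaced."""
    return {
        name: ("<redacted>" if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


def describe_blocked_request(method, url, status, request_headers, response_headers):
    """Build a support-ticket record for a 406 response; return None for any other status.

    Response headers are kept in full because WAFs commonly echo a request or
    trace identifier there that support can use to locate the block event.
    """
    if status != 406:
        return None
    return {
        "observed_at": datetime.now(timezone.utc).isoformat(),
        "method": method,
        "url": url,
        "status": status,
        "request_headers": redact_headers(request_headers),
        "response_headers": dict(response_headers),
    }


if __name__ == "__main__":
    # Constructed demo values; "example.invalid" is a placeholder host.
    report = describe_blocked_request(
        "POST",
        "https://example.invalid/api/submit",
        406,
        {"Authorization": "Bearer secret-token", "Accept": "application/json"},
        {"Server": "waf"},
    )
    print(report)
```

Because request frequency is one of the factors the page names, a client that retries a 406 in a tight loop makes the block more likely, not less; record the details and raise the ticket instead.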
What Browsers/TLS are supported?
To ensure web browsing is secure when using the govService Platform, we support only certain browsers and versions of Transport Layer Security (TLS).
Are users' IP addresses stored?
IP addresses are collected for forensic/audit purposes and stored in our audit logs for 30 days, but they are not available through the product.
Does govService use JavaScript?
govService is developed using JavaScript. The JavaScript runs in the user's browser, which provides the support for it; nothing needs to be installed on the user's own computer.