Jisc operates an Information Security Management System (ISMS), and many of the processes and policies used to operate Online Surveys, and used by Jisc staff, are part of the ISMS. Jisc provides a number of services that are certified to ISO 27001, including Online Surveys.
Where is my data stored?
All account and survey data is stored within Amazon Web Services (AWS), within the Republic of Ireland.
All systems are physically located within datacentres operated by AWS. The information security of AWS is managed in conformance with the requirements of ISO 27001, providing Jisc and our customers with assurances of the security of the datacentre and virtualization aspects of the service. The security of the operating system and application stack is managed by Jisc.
Any transfer of data between Jisc and AWS is conducted over secure, encrypted connections. Staff at Jisc are subject to our “Secure Working Practices Policy” that covers the physical security of information when working in an office or remotely at other locations.
All new staff at Jisc, including casual staff, are given a contract of employment containing a confidentiality clause and are made aware of their responsibilities toward personal data as part of their induction process. All staff at Jisc are subject to our “Secure Working Practices Policy” that communicates their responsibilities towards information security, as well as providing advice and guidance on common security threats. All Jisc staff involved with providing the Online Surveys service are provided with data security training.
Jisc may use sub-contractors to enable Jisc to provide Online Surveys to its customers. Details of sub-contractors are listed here: https://onlinesurveys.jisc.ac.uk/sub-contractors/
Jisc is responsible for maintaining the security of the operating system and application stack used to provide Online Surveys. Vulnerability and patch management is carried out on a regular schedule in accordance with our vulnerability management processes. Occasionally, critical security patches may require us to take the service offline at short notice. Where possible we will work with customers to minimize any disruption. The system is regularly scanned for vulnerabilities by automated systems, and is subject to periodic penetration testing of the network environment, operating system, and application. All issues discovered are prioritized and addressed accordingly. Jisc encourages third parties to work with us to resolve any security vulnerabilities discovered – please e-mail email@example.com for more information.
Online Surveys is protected from DDoS attacks by services provided by Amazon, including AWS Shield and Amazon CloudFront.
Physical, logical, application and network access control for all Jisc-managed systems that hold personal data is managed on a least-privilege, need-to-know basis.
Access to data stored within Online Surveys is strictly limited to Online Surveys’ support and technical teams. This access is only permitted when it is at the request of the client concerned, or necessary for the investigation of operational issues, or when required by law.
The Online Surveys servers and backups are accessible only by members of the Online Surveys technical team and other authorised members of staff at Jisc (such as systems administrators or those responsible for maintaining the backup service).
Incidents and Breaches
Jisc has an established process for handling information security incidents, including data breaches. Should an incident occur, it will be handled according to this process and in line with current data protection legislation. If an incident has an impact on the security of information secured in Online Surveys, then Jisc’s Senior Information Risk Owner (SIRO) will make decisions as to whether and how customers and the Information Commissioner’s Office are notified.
Communications related to breaches will arrive through Jisc’s normal communications channels. Jisc will never ask you to provide passwords and other authentication information by e-mail.
To log in, Online Surveys users are issued an authentication email with a single-use URL. Online Surveys issues a cookie to store session information when registered users log in.
No cookies are used when survey respondents complete surveys.
All survey responses are collected over encrypted SSL (TLS) connections. SSL is the standard technology for establishing an encrypted link between a web server and a browser. It ensures that sensitive information can be transmitted securely. All communications within onlinesurveys.jisc.ac.uk are also sent over SSL encrypted connections. Jisc does not commit to using particular ciphers, as this may be limiting as new weaknesses are discovered. Instead, we commit to achieving and maintaining a grade of at least A when tested by SSL Labs. You can view the current status at https://www.ssllabs.com/ssltest/analyze.html?d=app.onlinesurveys.jisc.ac.uk&hideResults=on.
Data is not encrypted whilst at rest within Online Surveys.
Jisc endeavors to ensure that all data is securely erased and any media securely destroyed once it is no longer required for the operation of the system. Due to the complex nature of a cloud-based environment, Jisc may be dependent on third parties to ensure this occurs. Where this is the case, there will be a contract in place between Jisc and the third party.
Some data may persist in backups. For more information see the section of this FAQ on Backups.
Online Surveys’ data stores are backed up daily.
Online Surveys has a data retention policy that means that backups are only held for 30 days. Backups are stored securely within the EU. After 30 days, the backups are deleted and destroyed. Online Surveys enables users to export survey response data in a number of popular formats (see FAQ for details) so that it can be backed up or used with other software.