Security
What is the purpose of this system, service or integration, and how will the data be presented and consumed?
WorksManager is a cloud-based Software-as-a-Service (SaaS) application that manages the transfer of data between the office and the civil job site. The application is hosted in the cloud and presents data within a web browser. https://constructionsoftware.trimble.com/products/worksmanager
a. Will there be a requirement for infrastructure, core server applications, supporting infrastructure services or specialist resourcing, e.g. Active Directory (AD) user and group objects with elevated permissions?
N/A
How is the product put together? Where is the data geographically stored, processed and supported from?
Amazon Web Services (AWS) is the Infrastructure-as-a-Service (IaaS) provider. All data is stored, processed and supported from within AWS data centers.
a. What is the data sovereignty (the physical location where the data is stored and used)?
United States
How will the information your product/service stores and processes for our business be protected from unauthorized access while the data is at rest and in transit?
Data is uploaded and downloaded over HTTPS/TLS. Access controls restrict source code to developers; only DevOps and operations support staff have permission to access code in the production environment.
What type of encryption algorithm is used to encrypt the data, and how are the cryptographic keys managed?
Identity and session details are encrypted. Data is stored in encrypted volumes through AWS-managed services. WorksManager is ISO 27001:2013 compliant and adheres to all policies as defined by ISO.
Are other network security measures, such as anti-virus software and mobile applications, compatible with the product or service?
N/A. This is a SaaS application.
How quickly and often do you report security vulnerabilities within your product or services, and what standard do you use to assess the severity of these vulnerabilities?
WorksManager is ISO 27001:2013 compliant and adheres to all policies as defined by ISO.
How do you monitor the product or service for unusual activity and contact us if you detect something unusual?
An intrusion detection system (CrowdStrike) is in place to routinely monitor for network-level intrusions.
a. Are 24/7 real-time security alert monitoring and alerts available?
No
Do you utilize any sub-contracted third parties in the provision of your products or services? What access would these organizations have to our data, and how will this access be managed?
AWS, Mongo Atlas, remot3.it and Gainsight are integrated into WorksManager. These organizations do not have direct access to your data. Any user-level data capture is triggered by explicit consent within the application.
How is access to sensitive information within your product or service monitored?
Access to production environments is limited to select senior engineers and DevOps employees. Tooling is in place that monitors production machines for malware and other threats.
Does your product or service support the creation and use of strong and complex pass-phrases?
Yes
Can multi-factor authentication (MFA) be applied to your product or service (especially for IT administrator accounts)?
Yes. The application uses the Trimble Identity system, which supports MFA.
How often are back-ups conducted and verified, and where are the back-ups stored?
AWS is the Infrastructure-as-a-Service (IaaS) provider and handles data backups.
What are your disaster recovery processes and business continuity plans, and do you test them regularly?
As the IaaS provider, AWS provides disaster recovery capabilities via availability zones. Primary servers are located in the AWS US-WEST region.