Documented Security

It is no longer a question of "Do you have a system?" Now the questions are about security, privacy, backup, and access control. ReloTracker has been tested by an outside company to confirm that there are no significant security concerns.

Questions you should expect to be asked:

  • Does the Service Provider use up-to-date anti-virus, anti-spyware scanning, firewall and intrusion detection software to protect personal information?
  • Is your information hosted under ISO 27001 certification?
  • How is application authentication performed?

We have always taken security very seriously, which is why ReloTracker is the first Relocation Management System to have been tested by an independent testing firm, in September 2013. This testing revealed no “High Priority” security issues.

ReloTracker is built using Microsoft’s ASP.NET Framework, used by millions of companies to create applications. ASP.NET has built-in features to prevent different types of attacks, like Cross-site Scripting and Session Hijacking.
In addition to the security features provided by ASP.NET, ReloTracker has several security measures built into its design, including:

  • All access is Role-based. There is no default role, so the role of every user needs to be determined before the system shows any information.
  • The cookie that ReloTracker sets in the user’s browser is encrypted, so its contents cannot be read or manipulated.
  • Database queries are made using parameters in the business layer, rather than simply replacing variables, and user input is validated, to prevent SQL injection attacks.
  • Tracing and debugging are turned off by default.
  • ReloTracker requires that users have at least 6 characters in a password. Passwords are encrypted in the database.
  • Solution and Project files are not stored on the web server.
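The difference between "simply replacing variables" and using parameters, as an added illustration that is not ReloTracker's own code: the table name `Relocation`, its columns, and the 100-character limit on `EmployeeName` are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class RelocationLookup
{
    // Vulnerable: the search term is spliced into the SQL text, so a quote
    // character in the input changes the meaning of the statement itself.
    public static DataTable FindUnsafe(SqlConnection conn, string employeeName)
    {
        string sql = "SELECT Id, EmployeeName, Status FROM Relocation WHERE EmployeeName = '"
                     + employeeName + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // Hardened: the SQL text is a constant and the search term travels as a typed
    // parameter, so the database never interprets it as part of the statement.
    // Input is validated against the (assumed) column constraints before the query runs.
    public static DataTable FindSafe(SqlConnection conn, string employeeName)
    {
        if (string.IsNullOrWhiteSpace(employeeName) || employeeName.Length > 100)
            throw new ArgumentException("Employee name must be 1-100 characters.", nameof(employeeName));

        const string sql = "SELECT Id, EmployeeName, Status FROM Relocation WHERE EmployeeName = @name";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            // Bind the value with an explicit type and length matching the column.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = employeeName;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```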

Enforcing Strict Security Controls

The first of our security controls is that we train our developers and support personnel on the guidelines we have put in place. They are expected to make changes to the system within those guidelines.

The second control is that all changes to the system are reviewed before release. This means that when a developer makes changes and submits them, the Director of Operations reviews them before they are released and implemented.

Internal Testing

Despite these controls, there remains a possibility that weaknesses enter into the system. For this reason, we conduct internal testing on a regular basis.

Tools such as OWASP’s Zed Attack Proxy are regularly used to test the application for a wide range of vulnerabilities.

External Testing

Occasionally we also employ an outside company to perform penetration testing of the application. This both ensures that vulnerabilities are identified and confirms that our internal tests are catching any issues.

Hosting Security

Our hosting infrastructure includes physical and technical measures to prevent intrusion and to protect information against loss and service interruption. Daily backups are encrypted before being sent to another secure off-site facility.

Please contact us now for more information about how we manage security.