We take security seriously at PageUp. That is why we are certified to industry best-practice frameworks and use best-of-breed technology to empower security. Learn more below.
ISO 27001 is an industry-recognised best-practice standard for implementing an effective Information Security Management System (ISMS).
PageUp is certified to ISO/IEC 27001:2013. ISO 27001 is widely regarded as best practice for implementing an Information Security Management System and the most complete security guideline in existence.
Compliance with this standard is merely a by-product. The real value for both PageUp and our clients is that we implement controls that are industry recognised and externally audited twice a year to verify their effectiveness and compliance with the standard.
The scope of PageUp's ISO 27001 ISMS is also key. While many companies may certify only their homepage or their HR department, PageUp's ISO 27001 scope covers the entire Unified Talent Management platform, plus the development and support of that platform, giving our clients peace of mind.
Furthermore, the environment that hosts the PageUp Unified Talent Management Platform maintains multiple certifications for its data centres, people and services. For more information about their certification and compliance status, please visit the AWS Security website and the AWS Compliance website.
No system is perfect: flaws, weaknesses and vulnerabilities will be found. Because of this, risk management across any SaaS or technology platform is key. PageUp bases its risk management methodology on the international standard for risk management, ISO 31000:2009.
PageUp uses a two-tiered approach for managing information security risk. Using a two-tiered approach allows for the periodic assessment of risks across the entire organisation, as well as ongoing day-to-day management of individual risks as they are identified.
Asset risks are identified and assessed annually at a high (strategic) level to determine the common risks across the entire PageUp environment. This risk assessment is used to determine a set of common security controls to be applied across the organisation. These security controls are defined in the PageUp information security policies. Risks in the asset risk register are reviewed on an annual basis and the set of common controls modified as required.
Any new risks identified throughout the year are entered into a tactical risk register and managed from there. These risks often relate to new systems, new threats (e.g. a new type of virus) or newly discovered vulnerabilities. These risks are reviewed at least quarterly with the Information Security Governance Committee (ISGC) to discuss progress or to agree that the risk has been either accepted or treated and can be closed.
PageUp's solution is hosted on Amazon Web Services (AWS). AWS maintains a broad set of compliance certifications and strong security controls, which PageUp is able to take advantage of immediately.
PageUp leverages Imperva Incapsula for WAF and IDS/IPS protection. It provides protection against all OWASP Top 10 threats, bad-bot attacks, DDoS attacks, vulnerability scanners and more.
PageUp uses Sophos Cloud Endpoint Protection on all staff machines and on our Unified Talent Management Platform. It is a technique- and behaviour-based platform that updates in real time, providing effective protection against zero-day threats.
Cloud Conformity gives PageUp continual assurance and proactive alerting across our entire AWS infrastructure. It has over 300 checks that run multiple times per day across the five AWS Well-Architected pillars: Operational Excellence, Security, Reliability, Performance Efficiency and Cost Optimisation.
PageUp sends all email from the Unified Talent Management Platform via SendGrid. SendGrid offers all clients the ability to receive email into their internal infrastructure over TLS. SendGrid and PageUp both fully support SPF, DKIM and DMARC for added security.
Although PageUp has extensive logging and alerting via AWS CloudWatch and internal monitoring software, Pingdom gives us a separate third-party monitoring platform that provides insight into availability, performance and uptime.
SAI Global are compliance and risk experts. They performed the original ISO 27001:2005 certification for PageUp when we first became certified in 2013 and the upgrade to ISO 27001:2013 in 2015, and they continue to perform annual surveillance audits across the PageUp Unified Talent Management Platform, Development and Support.
PageUp engaged BluePrint IS before becoming originally certified to assist in the development of the ISMS, ensuring it was correctly aligned with ISO 27001 and able to be certified. We continue to use their services annually in the capacity of our internal auditor for ISO 27001:2013.
Strong segregation between PageUp staff and the production environment is key to maintaining secure access to client data. We use Palo Alto authentication policies with an additional layer of 2FA via Duo to provide locked-down, time-limited (8 hour) access to only those users who require it.
NEXTDC and Vocus allow PageUp to connect to our AWS infrastructure, APIs and consoles via secure, dedicated and private connections.
The very nature of Slack means that PageUp uses it for many purposes, especially security. We have a Security channel for security discussion and awareness around the business; a Security Alerts channel to collate security news, patches, vulnerabilities and the like; alerting channels to tell us when our providers may be having issues that will affect our clients; and shared channels with our key third-party providers for real-time discussion.
PageUp supports all modern browsers. No plugins, no software.
All connections to PageUp are sent over HTTPS using TLS 1.1 and above, on modern, secure cipher suites.
ADFS, Okta, SAML or whatever you use, we can implement SSO so that setting new passwords is not required. Just use your work login for seamless sign-in and ensure all passwords, timeouts and similar settings match your internal policy requirements.
Industry-leading WAF, IDS, IPS and DDoS protection from Imperva Incapsula for all requests to PageUp's Unified Talent Management Platform.
Strong security policies across our Elastic Load Balancers, only accepting traffic from our WAF.
Security groups are set up on a least-privilege basis and are regularly and automatically reviewed for changes.
Individual core DB per client. Hot/hot mirroring.
Strong physical and logical security controls around the hosting locations, trusted by PageUp and the world's biggest and most security-conscious companies.
We regularly test and verify our disaster recovery plans and commitments to our clients, with zero impact to clients given our highly available, secure and elastically scalable infrastructure.
We heavily segregate and protect our production environment from our offices. PageUp office access to sensitive data is protected behind firewalls that require two-factor authentication. This access expires every 8 hours and must be re-established by authenticating again.
Just as PageUp uses third parties to verify our Information Security Management System's effectiveness, we also engage third parties to perform web application penetration testing.
The vendors we select are given full access to the PageUp system along with detailed business logic and workflow scenarios.
They then use a comprehensive set of tools and manual techniques to identify and exploit weaknesses in the system. Based on the findings, they then execute specific attacks against the application.
These attacks test the target systems for the OWASP Top 10 critical web application security risks, including, but not limited to:
Upon completion of a penetration test the Information Security Officer will hold an ISGC governance meeting. The ISGC will review the report and work to mitigate any risks by:
Once all open risks with treatment plans are fixed and pending closure, we hand back to the Vendor to
CEO & Co-founder
COO / CFO
ISO Compliance & Security Officer
Senior Technical Advisor
Chief Product Owner
Senior Technical Advisor
Head of Technical Account Management
Legal General Counsel
SVP Global Talent
Security & Compliance Analyst
The Information Security Governance Committee (ISGC) actively supports security within PageUp through clear direction, demonstrated commitment, explicit assignment of responsibility and familiarity with all areas of the business, including:
As a client, you choose where you want your data to reside. AWS allows PageUp to run at a global scale, easily and securely.
PageUp has a number of data centres to offer clients, depending on their primary location or preference. Please see below:

| Client Location | PageUp Data Centre | Availability Zones |
|---|---|---|
| Australia / New Zealand | Data is hosted in the Sydney AWS region. | ap-southeast-2a, ap-southeast-2b, ap-southeast-2c |
| Singapore / Hong Kong / China / Thailand / Malaysia / Indonesia | Data is hosted in the Singapore AWS region. | |
| USA / Canada / South America | Data is hosted in the US, in the N. Virginia AWS region. | us-east-1a, us-east-1b, us-east-1c, us-east-1d, us-east-1e, us-east-1f |
| UK / EU / South Africa | Data is hosted in the Ireland AWS region. | eu-west-1a, eu-west-1b, eu-west-1c |