Approach to Security

Microsoft 365 E3

As a new start-up company (June 2019), there was every reason to adopt best practice and to minimise the potential for mistakes in setting up our internal data and IT structures.  Microsoft 365 E3 was chosen as the key place to start, along with Azure AD.  We use Microsoft Intune.  Our Microsoft 365 account is hosted in Australia, and we only use MS Azure resources in Australia.  

​

We take security very seriously.  We recognise that encryption is our best friend, so all of our laptops and desktops have BitLocker turned on (by policy).  We only primarily use Windows 11 Pro/Enterprise (with development machines still using Windows 10 Pro) and we use endpoint.microsoft.com to push updates to all devices.

​​

The consultants at geoworx need elevated permissions to do our jobs and so we have local admin permissions on our laptops, and where necessary we are Azure AD admins as well.  

​​

Our mobile devices are all iOS.  We are a BYOD organisation. We encourage collaboration and recognise the value of mobile working.  Intune mobile policies are in use for these devices.  We can (and will) destroy data remotely if needed.

​

We actively use SharePoint 365 and OneDrive.  All customer-related project documentation is stored exclusively in SharePoint 365.  We use OneDrive to store data and to ensure it is replicated.  If a project requires a large dataset then we use internal file shares.  We keep data local on our machines as well as in the cloud.  All users authorised to access project data/documents will have the encrypted data stored locally.  This ensures that all records exist in multiple places for backup and recovery purposes.

​

We use Azure AD for authentication to any other online services, where that is required.  This includes ArcGIS Online and our own ArcGIS Enterprise environment.

Anti-Virus

We use an End Point security tool on every machine which is kept up to date.  We also have folder level policies to protect us from Malware.  

Internal infrastructure

Yes, we have internal servers for development and pre-sales purposes.  Where we use VM's they are stored on physical disks that have BitLocker applied and we use BitLocker on the Virtual Disks used by that VM.  There are no exceptions to this rule.   All VM's hosted internally by geoworx are for Sales and Marketing only.  We do not host applications or services.  Where customer data is needed on those devices, it will only be hosted with the prior agreement of the customer for a genuine business outcome.  All VM's are Domain Joined, using an internal domain controller that is configured in a hybrid configuration with Azure AD.  Customer data will be removed and deleted as soon as practicable, and not retained beyond the agreed timescales.

We maintain an internal Certification Authority for HTTPS encryption.  We only use TLS1.2 with strong cyphers.  A reverse proxy is in place and only HTTPS inbound traffic is allowed.  The reverse proxy is in a DMZ and multiple subnets are in use, along with all devices being on a Windows Domain.  Strong passwords are used for all devices, services and users.

​

We maintain a NAS for the storage of larger datasets.  This is domain joined.  Disks are in a Raid 1 configuration and encryption at rest is applied to all disks.

Data and documentation

Documentation supplied to geoworx, related to a project will be retained for a minimum of 2 years, unless geoworx is instructed to delete it.  Data will not be retained beyond the project itself.  Documents that geoworx creates on behalf of the customer and all internal documentation related to a given project will be retained for up to 10 years.  As noted above, customer data is only stored in SharePoint, OneDrive or where large datasets are in use then we will use an internally hosted NAS.

​

All data and documentation will be shared via email or SharePoint using the encryption levels provided by Microsoft 365.  HTTP will never be used by geoworx for official business.  If a customer requests us to use their FTP site or other methodologies then we will do so at the customers' own risk and instruction.  Once the data or documentation is received into geoworx systems it will be stored in line with the comments above.

Use and storage of other business information

We have a privacy policy related to this website here.   If we are working with you on a project then we will store the contact information you provide to us to the same standards as addressed above.  We use Outlook, Outlook Customer Manager and SharePoint to hold contact information.  If we are requested to delete it or amend it then we will do so at the earliest point possible.  It will only be used for the purposes of conducting business and the sharing of infrequent newsletters.