Website Security Policy

Websites can be dangerous. Even legitimate websites like garrison.com can be hacked by criminals or other malicious parties and used to host malware which could compromise your machine. Our web pages incorporate elements such as JavaScript from third-party websites, including Google Analytics and Hotjar, in order to collect and analyse anonymous usage information. We also use third-party software provided by OneTrust to manage user cookie preferences. The JavaScript from these third-party websites could also potentially be hacked and used to host malware which could compromise your machine.

This policy describes, at a high level, the measures we use to reduce this risk.

Higher security approaches exist. We have chosen this approach based on a balance of security, convenience and cost.

  1. We use an Apache web server with PHP and a MySQL database, hosted on an Ubuntu operating system
  2. The Ubuntu operating system is set to auto-update
  3. Logins to the Ubuntu operating system are protected by passwords and two-factor authentication
  4. The web server is running on two load-balanced Amazon EC2 instances
  5. The EC2 security policy is set to allow HTTP access only (TCP port 80) to the instances from the EC2 load balancer, together with SSH access from a single administrative IP address
  6. The EC2 load balancer is located behind an AWS Web Application Firewall using the WAF policy described at: http://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/template.html
  7. The AWS administrative accounts are protected by passwords and two-factor authentication
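As an added example (not part of this policy and not Garrison's own tooling), the following Python check audits a security group's ingress rules against the configuration stated in item 5: TCP port 80 only from the load balancer's security group, SSH only from a single administrative address, and nothing else. The rule layout mirrors the `IpPermissions` shape that `describe_security_groups` returns; the group IDs and addresses are constructed placeholders.

```python
import ipaddress

def audit_ingress(sg, lb_sg_id, admin_cidr):
    """Return a list of policy violations for one security group (empty = compliant)."""
    violations = []
    if ipaddress.ip_network(admin_cidr).num_addresses != 1:
        violations.append(f"admin source {admin_cidr} is not a single host")
    for perm in sg.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        groups = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if proto == "-1":  # an "all traffic" rule can never match the stated policy
            violations.append("all-traffic ingress rule present")
        elif proto != "tcp" or lo != hi:
            violations.append(f"unexpected rule {proto} {lo}-{hi}")
        elif lo == 80:
            # HTTP must be reachable only from the load balancer's security group
            if cidrs or groups != [lb_sg_id]:
                violations.append(f"port 80 open to {cidrs + groups}, expected only {lb_sg_id}")
        elif lo == 22:
            # SSH must be reachable only from the one administrative address
            if groups or cidrs != [admin_cidr]:
                violations.append(f"port 22 open to {groups + cidrs}, expected only {admin_cidr}")
        else:
            violations.append(f"port {lo} should not be open")
    return violations

# Constructed sample data in the describe_security_groups format (placeholder IDs).
LB_SG = "sg-0lbplaceholder000"
ADMIN = "203.0.113.10/32"
COMPLIANT_SG = {"GroupId": "sg-0webplaceholder00", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "UserIdGroupPairs": [{"GroupId": LB_SG}], "IpRanges": [], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": ADMIN}], "Ipv6Ranges": []},
]}
# The same group after configuration drift: SSH opened to the world, HTTPS added directly.
DRIFTED_SG = {"GroupId": "sg-0webplaceholder00", "IpPermissions": [
    COMPLIANT_SG["IpPermissions"][0],
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]}

if __name__ == "__main__":
    for name, sg in (("compliant", COMPLIANT_SG), ("drifted", DRIFTED_SG)):
        print(name, audit_ingress(sg, LB_SG, ADMIN) or "OK")
```

On a live account the same function can be fed each element of `describe_security_groups()["SecurityGroups"]` from boto3 to detect drift from the stated policy.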