Security
Access Management
All entities in the system are assigned a unique identifier, allowing all activities related to a given entity to be tracked.
Permissions at the application level can be managed through organizational units, roles, and competencies (role groups). Roles can also be imported directly from Active Directory (AD).
TAS supports AD for user synchronization and authentication.
Password policies follow the rules set in AD, or they can be configured for the internal authentication system.
Each user and administrator is granted only the necessary access rights, meaning there is a clear separation between roles such as requesters, approvers, etc.
Software
Installing an agent for malware detection and removal, with updates at least once per day, does not interfere with the application's functionality.
The standard release cycle for major versions is three months. Critical fixes are prioritized and released on a weekly basis if necessary.
TAS is designed to be verifiable for potential vulnerabilities.
Remote code execution from an external source is not possible.
All high and critical vulnerabilities (based on CVE scores) are addressed as a priority. However, some vulnerabilities in dependencies cannot be resolved if updates are not compatible with the application.
Confidentiality and Integrity
The database layer of the TAS application is managed by an MSSQL server, which ensures data confidentiality and integrity through authentication, authorization, transactional processing, and encryption.
TAS supports MSSQL with encrypted communication.
Confidentiality and integrity of data are maintained during both backup and archival processes, including storage on backup media, except for administrative interventions by database administrators.
Auditability and Non-Repudiation
All changes to processes and data can be audited at the application layer.
The application includes an optional automation feature for exporting logs to a SIEM system.
The application startup and shutdown events are logged at multiple levels (application, OS log).
User and administrator login and logout events, including failed login attempts, are logged.
System activity records are maintained at multiple levels, each addressing specific aspects of security. However, full compliance with integrity, provability, and non-repudiation principles is not guaranteed at every level.
Cryptographic Measures
Currently, the application supports encryption only for user-uploaded data files, not for all processed data.
Backup and Recovery
TAS allows both continuous and batch backups of all data affected by system usage, including not only database records but also configurations and settings that are created and modified during operation.
Backups can include configurations, database-level data, and attached data files.
