The VIPR Connect application development follows the OWASP Top 10 guidelines and security is at the forefront of coding practices. Security is considered at all parts of the development and deployment cycles. Further information about the structure and development of the hosted environment can be found via https://www.microsoft.com/en-us/trustcenter.
Microsoft Azure configures their environment in accordance with best practices and all relevant and reasonable steps are taken to harden the systems configuration and as well as networks managed by Impel used to access the infrastructure.
All security patches are managed by Microsoft Azure. Application and SQL database instances are regularly kept up to date with patching / versions. Appropriate firewall, spam and virus protection is also managed and kept up to date by Microsoft Azure and includes a web-application firewall (WAF) to detect and block web-based attacks such as XSS, SQL Injection, and CSRF.
Microsoft Azure has an incident management process to handle all security incidents and a process for notification to its customers of any incidents that may have an impact on their services.
All data hosting environments are in Australia.
There are multiple levels of security attached to the RIEMS system. Firstly, the information being transferred between the user device and the cloud environment is encrypted using SSL technology. Most people are familiar with this level of security when they see the little lock when either performing internet banking or paying for an online item with a credit card. Secondly, the RIEMS system utilises the Microsoft Azure Hosting environment based in Australia. Microsoft’s Azure cloud platform was the first public cloud service in Australia to pass an Australian Signals Directorate (ASD) Industry Security Registered Assessors Program (IRAP) compliance assessment. The IRAP program was designed to evaluate whether the applicant was actively managing security risks associated with electronic data transmission, aggregation and storage. The areas evaluated included intrusion detection, cryptography, cross domain security and access control. Finally, each database within the RIEMS system utilises various data triggers as well as software based access protection to ensure that each client’s data remains secure.
The data that is entered/supplied by the institution remains with the original data owner which in the case of data entered into VIPR Connect would be the client institution (unless they are entering data owned by some else). System data provided by VIP Research with the VIPR Connect modules is owned by VIP Research.
All data within the application is transferred over encrypted network protocols.
All encryption keys are securely managed and access is only available to a small number of authorised personnel within VIP-Research.
Data which is specific to each client is segregated from other client’s data through comprehensive use of identifiers and associated integrated application level security.
Access to the service requires authentication by username and password (LDAP integration pending). Two factor authentication is not supported for the service application log in at this time. Provisions have been made to ease implementation of this if required. Two factor authentication is optionally supported for administrative access to the application and hosting infrastructure (Microsoft Azure via associated Microsoft Account login).
A user may have unlimited attempts to login to the system without being locked out. A simple configuration change can enable this within desired parameters if required e.g. 5 attempts, lock user out for 1 hour.
Web server logging is in place which provides audit capabilities. Currently there is no client / user facing access to the audit log. The log files can be accessed via the Azure management portal (access only provided to VIP-Research). The logs capture the username of the person that made the request, date, time, IP address etc, and the full request URL so as to detail what operation / interaction with the data the user has made. This is functionality provided as standard by Azure / Microsoft IIS web server. If required, the interface would need to be designed by VIP-Research to access the audit log and present it in a user-friendly manner to the client.
Once a client ceases to subscribe to the service, all services are deleted through the Azure management portal and any trace data is disposed of as part of Microsoft Azure’s normal data scrubbing processes.
Yes although there are some licensing requirements in terms of not on-selling the data, internal use only etc but the downloading of this data is available as an separate option. The price is available on request and can be a one off data extraction or three extractions over three years which is a more economical option.
Yes, all data that has been either uploaded from your other repositories (such as publications, grants, IP, income) or has been entered directly (such as impact, engagement, research ideas) can be exported in either csv or Json format.
VIP Research solutions are hosted on the Microsoft Azure platform and are therefore covered under the SLA provided by Microsoft. The SLA for apps running under a customer subscription, guarantees the application to be available 99% of the time. For further details on the SLA, https://azure.microsoft.com/en-us/support/legal/sla/app-service/v1_4/ For full information details on all Microsoft Azure SLAs is https://azure.microsoft.com/en-au/support/legal/sla/.
Yes. Information pertaining to Microsoft Azure Disaster recovery systems can be found at https://docs.microsoft.com/en-us/azure/resiliency/resiliency-disaster-recovery-high-availability-azure-applications
All data related management activities are completed by Microsoft Azure and are managed in accordance with their policies and security governance agreements. This covers:
• Distribution across multiple servers
• Network, database and disk redundancies
• Daily backups including off site storage
• Scalable resources for increased storage requirements
• A validated disaster recovery plan (DRP)
• Alternative hot data centre(s) available with Sydney currently being our best candidate
As VIPR Connect is a subscription based system, all maintenance, bug fixes and standard enhancements are included in the 12-month subscription fee.
If the client chooses to create logins for the users in the cloud based environment, then there should be no local IT support required. If the client wishes to employ a Single Sign On process (when available), a minimal level of coordination will be required initially to integrate this. As long as staff/users have internet access, there should be no other technology support needed from your IT team.
Being a cloud based information search system, the system can operate successfully as a standalone system as all required data is provided with the solution. If the client needs to upload a number of users/initial logins when they first utilise the system, a template based data upload facility is available but other than that, the Industry Profiling system has no other data pre-requisites. Once a client has subscribed to the system, they can be sent a login and start using it immediately.
Data is collected from a wide variety of publicly available sources including company websites, annual reports, government reports, analyst reports etc. The data is then cross-matched and standardised into a format that permits searching and analysis.
Over 2000 currently (August 2019) with the expectation of over 5000 in 2020.
As the data used for impact and engagement tracking normally happens a period after a research project or output has been created and stored, the system uses a series of templates to allow institutions to load existing data from your other repositories to provide a detailed pathway to impact and to collate for the purposes of strategic planning and government assessment. Data that can be loaded includes research projects/grants, outputs, researchers, postgraduate student (where applicable), academic organisational units (AOUs), classifications (FoRs, SEOs etc) plus various related data sets. The loading of this data is optional and dependant on the client’s internal needs.
Whilst all products operating on the VIPR Connect platform do have links to integrate the data, they do not have any reliance on each other and therefore can all be subscribed to individually. If you have subscribed to both Research Ideas and Industry Profiling, the integrated functionality to search on industry profiles to match to your research ideas and funding requirements is active, whereas if you have not subscribed to Industry Profiling this functionality is hidden from view. In a similar vain, if you have subscribed to Impact & Engagement, you can link research ideas to impact and engagement to see a full pathway to impact and/or to record proposed impact and engagement for your research ideas.
The primary objective of the system is to supply research information in a graphical, easily accessible interface that allows users to view and analyse their research performance compared with other entities and indicators.
The Research Analytics datasets contain a multitude of data about organisations, countries, organisation units/departments, and people, income, expenses, research outputs, patents, disciplines, students, processes, grants, government assessed data such as ERA and many other elements. All data has been sourced, cleaned and formatted for use with hundreds of pre-existing analyses provided with the solution which allow you to see consolidated data to analyse and compare and use to assist with decision making and reporting in all areas relating to research performance, QA, best practice and process improvement.
Yes. By subscribing to the Authoring Tool you will be trained and certified to add/modify you own analyses in the VIP-R system.
Yes. By subscribing to the Base Subscription plus the Internal Data Ad-On you can upload your internal data and begin using all of the available analyses for your detailed internal data sets.