Please help us help you and fill where relevant:
Your LimeSurvey version: LimeSurvey Cloud Version 5.3.25
Own server or LimeSurvey hosting: LimeSurvey hosting
Survey theme/template:
==================
Hello,

My team and I are interested in switching to LimeSurvey CE from LimeSurvey Cloud. This is because we want to host LimeSurvey and our data (including participant info) on our own specific servers. Please correct me if I am wrong, but I believe that LimeSurvey CE would be the best approach for this.


I also had a few questions that I needed clarifying in regards to LimeSurvey CE. Please let me know if there is a better place to ask these questions! 

1. How much technical knowledge would we require to navigate LimeSurvey CE?
2. What is the cyber security framework that LimeSurvey follows (e.g. NIST, ISO27001) and how does it adhere to it?
3. Has LimeSurvey CE undergone a previous privacy/security assessment by a 3rd party? Could we please obtain information regarding any identified risks, and any corresponding mitigation status of each risk. 
4. What is the implementation of role-based user accounts and access controls?
5. When data reaches legal or desired expiry dates, are there provisions for completely destroying the data in the system? 
6. How is data encrypted (at rest and in transit)?
7. Could you please explain the encryption levels implemented in LimeSurvey CE (e.g. database level, file level, application level, OS level, data in transit)? 
8. How is LimeSurvey CE hardened to prevent intrusion, denial of service, and other attacks?
9. Will LimeSurvey CE function exclusively on TLS 1.2 and above? If not, could you explain why? 
10. How does LimeSurvey CE control the data that is transferred to the local system (i.e. content transferred within the application is contained and cannot be saved to the local device). 
11. Are there any strong password policies in place?
12. Can LimeSurvey CE use Multi-Factor Authentication? 
13. Is it possible to configure automatic user log-off due to inactivity, wherein the user then needs to authenticate?
14. What is the patch management process both at the application level and OS level?
15. What is LimeSurvey CE's security patching response timelines for newly discovered vulnerabilities?
16. What user activity data is logged and any other auditing capabilities (and what log files and format are available)? 
17. What are LimeSurvey CE's backup and restore policies or procedures?
18. What is LimeSurvey CE's disaster recovery plan?
19. What is LimeSurvey CE's support model and associated SLA’s?
    

Thank you.
 

These questions sounds partly not suitable for the community edition? Are you the author of these questions?

If yes, why do you ask e.g question 18 and 19?
18.What are LimeSurvey CE's backup and restore policies or procedures?
19.What is LimeSurvey CE's disaster recovery plan?

If your company host LimeSurvey CE, you have to define the policies and a disaster recovery plan.

Hi Jelo,

Thank you for your response.

No I am not the author of these questions, our institution is requiring us to have the answers to the questions above.

Ah okay I see - and would that be part of the prompted steps when installing or just on our end, we would make that plan?

And what do you mean not suitable for the community edition? Just trying to learn more about CE and how it works and the process of instillation.

You have been very helpful so thank you for that!

And is there is a manual or page that would have these answers, the direction would be much appreciated!

I think basically all this information needs to be answered by you internally. Limesurvey Community Edition is a open source software that you install on your own servers. Most of what you are asking needs to be answered by the person who will install and be responsible for the administration of your instance of Limesurvey CE. No one can give answers about your server environment.

The good thing about Limesurvey CE is: You can download and install it for free and make all your own tests.

boshra.m wrote:

Hi Jelo,

And what do you mean not suitable for the community edition? Just trying to learn more about CE and how it works and the process of instillation.
 

As holch elaborated, most questions cannot by the developers of LimeSurvey.
The question list is made for SaaS where you have the application and the service provider.
E..g. the question  "Will LimeSurvey CE function exclusively on TLS 1.2 and above? If not, could you explain why?" is not controlled by the LimeSurvey application. The webserver configuration is the relevant part here. There the TLS connection will be startet.

There a few questions which are pure application questions.
E.g. "How does LimeSurvey CE control the data that is transferred to the local system (i.e. content transferred within the application is contained and cannot be saved to the local device).".
LimeSurvey is a serverbased PHP application. The data will be saved into the local file system or a database. The webserver and the PHP runtime control the data handling.



 

boshra.m wrote:

And is there is a manual or page that would have these answers, the direction would be much appreciated!

The manual is a wiki. Feel free to contribute.