Content Comparison

Document Version

1.0

Date Created

11 Mar 2022

Date Amended

20 29 Apr 2022

Amended By

Lisa Clancy

The following are documented for Policies & Organisational Structure:-

Backups & Disaster Recovery

✔

Regular Encrypted backups in accordance with our SMP (Security Management Plan).

✔

Are there hourly/daily/weekly RPOs (Recovery Point Objective)?

✔

Are there hourly/daily/weekly RTO (Recovery Time Objective) ?

✔

How often will restoration of backups be performed

Every 6 months as a minimum

Data Processing Policy?

✔

Skilltech Solutions has and follows its Data Protection Policy v2.0

Our hosting partner only processes personal data received and authorised by the Data Controller (Skilltech Solutions). 

Data Retention and disposal

✔

Business Continuity Plan

✔

Information Security Policy

✔

Incident Response Plan

✔

Protection against service failures

✔

Are operational procedures documented and implemented to ensure the configuration/installation and operation of systems are standardised?

✔

Are Third Party relationships reviewed Annually?

✔

Are staff required to sign Confidentiality Agreements as part of their contract?

✔

Risk Management Policy

✔

Disciplinary policies

✔

Do you have internal audit to assure your information security policies and customer security requirements are being adhered to?

✔  

Are audits documented, reported to management and retained as evidence of the audit programme?

✔

Is all data in EPAPro classified as Confidential?

✔

System Operations & Network Security

Use of Antivirus and Patch management

Hosted Environment

• secure private cloud environment

• The database and file storage are not exposed to the Internet in any respect.

• The system runs fully-secured, appropriately patched versions of the operating system and its related libraries at all times.

• All network access to the systems are fully logged.

• There is no possible direct connection to the database servers via the Internet, and local access is mediated via multi-factor authentication.

• The data lies on completely dedicated hardware, at a highly secure, UK-based data centre.

• The EPAPro infrastructure is monitored by our hosting partner who utilise embargoed mailing lists and threat report channels, and any potential impact to EPAPro.

Local Environment

• Antivirus software is employed on all PC’s.

• Accredited with CE+ Standard

• All latest application and OS patches are managed and applied via controls set by Cambridge Support

• Live Device Monitoring by Cambridge Support

• Email Management - Spam and virus scanning service by Cambridge Support

Control of installation of unauthorised applications

✔

Managed by our hosting partner

In addition Skilltech also has an internal - Information Security Policy Access Control

Operational Procedures (config/installation and operation of systems hosting data)

Managed by our hosting partner

Do you have a Security Information and Event Management (SIEM) for event correlation and analysis?

Managed by our hosting partner

Security Monitoring

All of our platforms are monitored by our hosting partner to ensure no unwanted activity and also to check all systems are performing correctly.

In addition, Skilltech carries out separate monitoring of both infrastructure and Application metrics.

We have also signed up to the NCSC Early Warning Service Early Warning - NCSC.GOV.UK

Do you utilise Firewalls and Intrusion Detection System/Identity Provider in place (IDS/IdP)?

✔

Do you use Encryption on the disks?

✔

All data in transit secured by TLS, all data is stored on encrypted disks.

Do you have Annual PEN Testing?

✔

Are your firewall rules monitored and reviewed on an annual basis as part of your CE assessment?

✔

Is there monitoring of Capacity/Scalability within your technology and infrastructure?

✔

EPAPro has 99.9 percent availability.  Annual Performance Test