Skip to end of banner
Go to start of banner

Summary - High Level Security Information

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 35 Next »

EPAPRO Logo_RGB.png

Document Version

1.4

Date Created

Date Amended

Amended By

Lisa Clancy

Skilltech Solutions Ltd - Accreditations

ISO27001:2022

Initial Certification: 23 August 2021
Latest Issue: 14 September 2023
Expiry Date: 22 August 2024
subject to annual assessments

Cyber Essentials

Certificate Number: bccec15a-880b-4dd9-a0bd-aecc5acac7ad

Date of certification: 13/02/2024

image-20240214-133759.png

Cyber Essentials Plus

Certificate Number: 4c77aa96-9ba9-4827-b6d9-f83df0953a7d

Date of certification: 04/02/2024

Data Storage

Where is data stored for epaPRO?

  • Data is stored with our hosting partner - Positive Internet.

Positive Internet are a UK based company with datacentres in London, Cambridge and Manchester, specifically, Cambridgeshire for primary hosting, Manchester for network peering and Manchester for DR facilities

They have ISO 27001 accreditation

  • They have internal bastion servers which mediate admin access to the platform.

Architecture

Physical Architecture

  • The system is a LAMP stack, based on Debian GNU/Linux Long-Term-Support stable version (of which our hosting partner is a founding corporate Gold sponsor).  

  •  The Proxmox virtualisation layer will manage the VMs atop a dedicated, managed hypervisor platform, with dedicated firewalls into VLANS, database servers and backup systems.

  • No part of the system is shared with any other client. 

  • The platform is primarily written using PHP and associated frameworks and libraries. It will run the latest stable version of PHP. It uses the latest stable version of MariaDB 10 for database services.  

Cloud

The service is run from a private cloud infrastructure, provided by our hosting partner

Security

Authorised Access Control via SSH Key & IP

Are these users strictly maintained by the service provider and regularly audited?

Is there Unique user access?

Is there a Password Control Policy?

Are there regular audits for access control?

Our Security Practices include:-

OS patches - applied within formally agreed patching timescales

Managed by our hosting partner

Application patches - applied within formally agreed patching timescales

Managed our hosting partner

Information Security Incident Response Plan

  • Part of our Skilltech Information Security Procedure  Data Breach and Incident Response  plan 

  • Any Incident would be documented with detailed collective analysis.

Security Policy and procedures clearly defined for all employees

Staff training for security

Secure coding practices

Hiring and termination processes

Internal access & authorisation - based on principle of least privilege

Removable Media Policy

Password Standards Policy

Data Protection Policy

Regular reporting against OLAs and SLAs

The following are documented for Policies & Organisational Structure:-

Backups & Disaster Recovery

Regular Encrypted backups in accordance with our SMP (Security Management Plan).

Are there hourly/daily/weekly RPOs (Recovery Point Objective)?

Are there hourly/daily/weekly RTO (Recovery Time Objective) ?

How often will restoration of backups be performed

Every 6 months as a minimum

Data Processing Policy?

Skilltech Solutions has and follows its Data Protection Policy v2.0

Our hosting partner only processes personal data received and authorised by the Data Controller (Skilltech Solutions). 

Data Retention and disposal

Business Continuity Plan

Information Security Policy

Incident Response Plan

Protection against service failures

Are operational procedures documented and implemented to ensure the configuration/installation and operation of systems are standardised?

Are Third Party relationships reviewed Annually?

Are staff required to sign Confidentiality Agreements as part of their contract?

Risk Management Policy

Disciplinary policies

Do you have internal audit to assure your information security policies and customer security requirements are being adhered to?

✔  

Are audits documented, reported to management and retained as evidence of the audit programme?

Is all data in epaPRO classified as Confidential?

Physical Security of Premises

What controls are implemented to protect against malicious damage, damage caused by natural disasters (e.g. flooding, fire, storm etc.) or accidental damage?

Our hosting partner has protection for:- 

  • Hardware Failure

  • Security

  • Power

  • Cooling

  • Fire & Flood

  • Network

  • Geographical Resilience.

Is physical access to systems and services hosting data  restricted to authorised employees?

Yes. All data is in fully secured racks, on a fully secured data floor, in a fully secured datacentre owned and operated by the our hosting partner in charge of managing the epaPRO platform.

Are physical security perimeters implemented for both Skilltech Solutions and the third party supplier?

System Operations & Network Security

Use of Antivirus and Patch management

Hosted Environment

  • secure private cloud environment

  • The database and file storage are not exposed to the Internet in any respect.

  • The system runs fully-secured, appropriately patched versions of the operating system and its related libraries at all times.

  • All network access to the systems are fully logged.

  • There is no possible direct connection to the database servers via the Internet, and local access is mediated via multi-factor authentication.

  • The data lies on completely dedicated hardware, at a highly secure, UK-based data centre.

  • The epaPRO infrastructure is monitored by our hosting partner who utilise embargoed mailing lists and threat report channels, and any potential impact to epaPRO.

Local Environment

  • Antivirus software is employed on all PC’s.

  • Accredited with CE+ Standard

  • All latest application and OS patches are managed and applied via controls set by Cambridge Support

  • Live Device Monitoring by Cambridge Support

  • Email Management - Spam and virus scanning service by Cambridge Support

Control of installation of unauthorised applications

Managed by our hosting partner

In addition Skilltech also has an internal - Information Security Policy Access Control

Operational Procedures (config/installation and operation of systems hosting data)

Managed by our hosting partner

Do you have a Security Information and Event Management (SIEM) for event correlation and analysis?

Managed by our hosting partner

Security Monitoring

All of our platforms are monitored by our hosting partner to ensure no unwanted activity and also to check all systems are performing correctly.

In addition, Skilltech carries out separate monitoring of both infrastructure and Application metrics.

We have also signed up to the NCSC Early Warning Service Early Warning - NCSC.GOV.UK

Do you utilise Firewalls and Intrusion Detection System/Identity Provider in place (IDS/IdP)?

Do you use Encryption on the disks?

All data in transit secured by TLS, all data is stored on encrypted disks.

Do you have Annual PEN Testing?

Are your firewall rules monitored and reviewed on an annual basis as part of your CE assessment?

Is there monitoring of Capacity/Scalability within your technology and infrastructure?

epaPRO has 99.9 percent availability.  Annual Performance Test

Application Development Security

Do you use Standards in the Software Development Lifecycle?

Yes, the application is built on an industry standard framework to utilise the latest security features.  Care is taken to ensure that developments do not expose vulnerabilities in the application.  This is checked via an annual penetration test and follows OWASP (Open Web Application Security Project) Standards.

For more info on OWASP - About Us | The OWASP Foundation

Is there a fully documented Software Development Release Cycle?

This is covered off in Confluence

Do you have Versioning Control

Yes, all within Bitbucket & Atlassian

Is the Application developed in adherence to company policies

Is Application security testing part of the product lifecycle?

Are there Separate Development/Test/Staging/Production environments?

Do you employ Change Management procedures?

Hosting Partner

Everything is logged and has to go through their process for any change management

Internally

All changes to hardware or software is done via Cambridge Support and signed off by Ian Jarvis MD of Skilltech Solutions.

Documented in Information Security Policy - Change Management and Information Security Standard - Change Management

Is SSO (Single Sign On) Supported for Microsoft & Google?

Asset Management

Is there an Asset Management Policy?

Is there an inventory of all critical assets

All local hardware inventoried by Cambridge Support.

Data Centre managed by our hosting partner.

Skilltech also has a monthly report of all hardware as the IT Services Report

Is there a policy and procedure for sanitising hardware, for example upon decommissioning?

  • No labels