Summary - High Level Security Information

    Document Version: 1.4

    Date Created: Mar 11, 2022

    Date Amended: Feb 21, 2025

    Amended By: @Lisa Clancy

    Skilltech Solutions Ltd - Accreditations

    ISO/IEC 27001:2022

    Initial Certification: 23 August 2021
    Latest Issue: 21 August 2024
    Expiry Date: 22 August 2027
    subject to annual assessments

    Cyber Essentials

    Certificate Number: 6516f21d-95a2-4149-8019-7b872bed1d0c

    Date of certification: 10/02/2025

    Date of expiry: 06/02/2026

    image-20240214-133759.png

    Cyber Essentials Plus

    Certificate Number: c51b4d05-f9d8-40b8-922f-58b1842b500e

    Date of Certification: 20/02/2025

    Date of Expiry: 20/02/2026

    Data Storage

    Where is data stored for epaPRO?

    • Data is stored with our hosting partner - Positive Internet.

    Positive Internet is a UK-based company with datacentres in London, Cambridge and Manchester: Cambridgeshire for primary hosting, Manchester for network peering and Manchester for DR facilities.

    They have ISO 27001 accreditation.

    • They have internal bastion servers which mediate admin access to the platform.

    Architecture

    Physical Architecture

    • The system is a LAMP stack, based on the Debian GNU/Linux Long-Term-Support stable version (of which our hosting partner is a founding corporate Gold sponsor).

    • The Proxmox virtualisation layer manages the VMs atop a dedicated, managed hypervisor platform, with dedicated firewalls into VLANs, database servers and backup systems.

    • No part of the system is shared with any other client.

    • The platform is primarily written in PHP and associated frameworks and libraries. It runs the latest stable version of PHP and uses the latest stable version of MariaDB 10 for database services.

    Cloud

    The service is run from a private cloud infrastructure provided by our hosting partner.

    Security

    Authorised Access Control via SSH Key & IP

    Are these users strictly maintained by the service provider and regularly audited?

    Is there Unique user access?

    Is there a Password Control Policy?

    Are there regular audits for access control?

    Our Security Practices include:-

    OS patches - applied within formally agreed patching timescales

    Managed by our hosting partner

    Application patches - applied within formally agreed patching timescales

    Managed by our hosting partner

    Information Security Incident Response Plan

    • Part of our Skilltech Information Security Procedure: Data Breach and Incident Response plan

    • Any incident would be documented with detailed collective analysis.

    Security Policy and procedures clearly defined for all employees

    Staff training for security

    Secure coding practices

    Hiring and termination processes

    Internal access & authorisation - based on principle of least privilege

    Removable Media Policy

    Password Standards Policy

    Data Protection Policy

    Regular reporting against OLAs and SLAs


    The following are documented for Policies & Organisational Structure:-

    Backups & Disaster Recovery

    Regular Encrypted backups in accordance with our SMP (Security Management Plan).

    Are there hourly/daily/weekly RPOs (Recovery Point Objective)?

    Are there hourly/daily/weekly RTO (Recovery Time Objective) ?

    How often will restoration of backups be performed

    Every 6 months as a minimum

    Data Processing Policy?

    Skilltech Solutions has and follows its Data Protection Policy v2.0

    Our hosting partner only processes personal data received and authorised by the Data Controller (Skilltech Solutions).

    Data Retention and disposal

    Business Continuity Plan

    Information Security Policy

    Incident Response Plan

    Protection against service failures

    Are operational procedures documented and implemented to ensure the configuration/installation and operation of systems are standardised?

    Are Third Party relationships reviewed Annually?

    Are staff required to sign Confidentiality Agreements as part of their contract?

    Risk Management Policy

    Disciplinary policies

    Do you have internal audit to assure your information security policies and customer security requirements are being adhered to?


    Are audits documented, reported to management and retained as evidence of the audit programme?

    Is all data in epaPRO classified as Confidential?


    Physical Security of Premises

    What controls are implemented to protect against malicious damage, damage caused by natural disasters (e.g. flooding, fire, storm etc.) or accidental damage?

    Our hosting partner has protection for:-

    • Hardware Failure

    • Security

    • Power

    • Cooling

    • Fire & Flood

    • Network

    • Geographical Resilience.

    Is physical access to systems and services hosting data restricted to authorised employees?

    Yes. All data is in fully secured racks, on a fully secured data floor, in a fully secured datacentre owned and operated by our hosting partner, who is in charge of managing the epaPRO platform.

    Are physical security perimeters implemented for both Skilltech Solutions and the third party supplier?


    System Operations & Network Security

    Use of Antivirus and Patch management

    Hosted Environment

    • Secure private cloud environment.

    • The database and file storage are not exposed to the Internet in any respect.

    • The system runs fully-secured, appropriately patched versions of the operating system and its related libraries at all times.

    • All network access to the systems is fully logged.

    • There is no possible direct connection to the database servers via the Internet, and local access is mediated via multi-factor authentication.

    • The data lies on completely dedicated hardware, at a highly secure, UK-based data centre.

    • The epaPRO infrastructure is monitored by our hosting partner, who utilise embargoed mailing lists and threat report channels and assess any potential impact to epaPRO.

    Local Environment

    • Antivirus software is employed on all PCs.

    • Accredited with CE+ Standard

    • All latest application and OS patches are managed and applied via controls set by Cambridge Support

    • Live Device Monitoring by Cambridge Support

    • Email Management - Spam and virus scanning service by Cambridge Support

    Control of installation of unauthorised applications

    Managed by our hosting partner

    In addition, Skilltech also has an internal Information Security Policy - Access Control.

    Operational Procedures (config/installation and operation of systems hosting data)

    Managed by our hosting partner

    Do you have a Security Information and Event Management (SIEM) for event correlation and analysis?

    Managed by our hosting partner

    Security Monitoring

    All of our platforms are monitored by our hosting partner to ensure no unwanted activity and also to check all systems are performing correctly.

    In addition, Skilltech carries out separate monitoring of both infrastructure and Application metrics.

    We have also signed up to the NCSC Early Warning Service (Early Warning - NCSC.GOV.UK).

    Do you utilise Firewalls and Intrusion Detection System/Identity Provider in place (IDS/IdP)?

    Do you use Encryption on the disks?

    All data in transit is secured by TLS, and all data at rest is stored on encrypted disks.

    Do you have Annual PEN Testing?

    Are your firewall rules monitored and reviewed on an annual basis as part of your CE assessment?

    Is there monitoring of Capacity/Scalability within your technology and infrastructure?

    epaPRO has 99.9 percent availability; an annual performance test is carried out.

    Application Development Security

    Do you use Standards in the Software Development Lifecycle?

    Yes, the application is built on an industry standard framework to utilise the latest security features. Care is taken to ensure that developments do not expose vulnerabilities in the application. This is checked via an annual penetration test and follows OWASP (Open Web Application Security Project) standards.

    For more info on OWASP - About Us | The OWASP Foundation

    Is there a fully documented Software Development Release Cycle?

    This is covered off in Confluence

    Do you have Versioning Control

    Yes, all within Bitbucket & Atlassian

    Is the Application developed in adherence to company policies

    Is Application security testing part of the product lifecycle?

    Are there Separate Development/Test/Staging/Production environments?

    Do you employ Change Management procedures?

    Hosting Partner

    Everything is logged and has to go through their process for any change management

    Internally

    All changes to hardware or software are done via Cambridge Support and signed off by Ian Jarvis, MD of Skilltech Solutions.

    Documented in Information Security Policy - Change Management and Information Security Standard - Change Management


    Is SSO (Single Sign On) Supported for Microsoft & Google?


    Asset Management

    Is there an Asset Management Policy?

    Is there an inventory of all critical assets

    All local hardware inventoried by Cambridge Support.

    Data Centre managed by our hosting partner.

    Skilltech also has a monthly report of all hardware, the IT Services Report.

    Is there a policy and procedure for sanitising hardware, for example upon decommissioning?