Summary - High Level Security Information
Document Version | 1.4 |
Date Created | Mar 11, 2022 |
Date Amended | Feb 21, 2025 |
Amended By | @Lisa Clancy |
Skilltech Solutions Ltd - Accreditations | |
ISO/IEC 27001:2022 | Initial Certification: 23 August 2021 |
Cyber Essentials | Certificate Number: 6516f21d-95a2-4149-8019-7b872bed1d0c; Date of certification: 10/02/2025; Date of expiry: 06/02/2026 |
Cyber Essentials Plus | Certificate Number: c51b4d05-f9d8-40b8-922f-58b1842b500e; Date of Certification: 20/02/2025; Date of Expiry: 20/02/2026 |
|
Data Storage | |
Where is data stored for epaPRO? |
Positive Internet are a UK based company with datacentres in London, Cambridge and Manchester; specifically, Cambridgeshire is used for primary hosting, Manchester for network peering and Manchester for DR facilities. They have
|
Architecture | |
Physical Architecture |
|
Cloud | The service is run from a private cloud infrastructure, provided by our hosting partner |
Security | |
Authorised Access Control via SSH Key & IP |
|
Are these users strictly maintained by the service provider and regularly audited? |
|
Is there Unique user access? |
|
Is there a Password Control Policy? |
|
Are there regular audits for access control? |
|
Our Security Practices include:- | |
OS patches - applied within formally agreed patching timescales | Managed by our hosting partner |
Application patches - applied within formally agreed patching timescales | Managed by our hosting partner |
Information Security Incident Response Plan |
|
Security Policy and procedures clearly defined for all employees |
|
Staff training for security |
|
Secure coding practices |
|
Hiring and termination processes |
|
Internal access & authorisation - based on principle of least privilege |
|
Removable Media Policy |
|
Password Standards Policy |
|
Data Protection Policy |
|
Regular reporting against OLAs and SLAs |
|
The following are documented for Policies & Organisational Structure:- | |
Backups & Disaster Recovery |
|
Regular Encrypted backups in accordance with our SMP (Security Management Plan). |
|
Are there hourly/daily/weekly RPOs (Recovery Point Objective)? |
|
Are there hourly/daily/weekly RTO (Recovery Time Objective) ? |
|
How often will restoration of backups be performed | Every 6 months as a minimum |
Data Processing Policy? |
Skilltech Solutions has and follows its Data Protection Policy v2.0. Our hosting partner only processes personal data received and authorised by the Data Controller (Skilltech Solutions). |
Data Retention and disposal |
|
Business Continuity Plan |
|
Information Security Policy |
|
Incident Response Plan |
|
Protection against service failures |
|
Are operational procedures documented and implemented to ensure the configuration/installation and operation of systems are standardised? | |
Are Third Party relationships reviewed Annually? |
|
Are staff required to sign Confidentiality Agreements as part of their contract? |
|
Risk Management Policy |
|
Disciplinary policies |
|
Do you have internal audit to assure your information security policies and customer security requirements are being adhered to? |
|
Are audits documented, reported to management and retained as evidence of the audit programme? |
|
Is all data in epaPRO classified as Confidential? |
|
Physical Security of Premises | |
What controls are implemented to protect against malicious damage, damage caused by natural disasters (e.g. flooding, fire, storm etc.) or accidental damage? | Our hosting partner has protection for:-
|
Is physical access to systems and services hosting data restricted to authorised employees? | Yes. All data is in fully secured racks, on a fully secured data floor, in a fully secured datacentre owned and operated by our hosting partner, which is in charge of managing the epaPRO platform. |
Are physical security perimeters implemented for both Skilltech Solutions and the third party supplier? |
|
System Operations & Network Security | |
Use of Antivirus and Patch management | Hosted Environment
Local Environment
|
Control of installation of unauthorised applications |
Managed by our hosting partner. In addition, Skilltech also has an internal Information Security Policy - Access Control. |
Operational Procedures (config/installation and operation of systems hosting data) | Managed by our hosting partner |
Do you have a Security Information and Event Management (SIEM) for event correlation and analysis? | Managed by our hosting partner |
Security Monitoring | All of our platforms are monitored by our hosting partner to ensure there is no unwanted activity and to check that all systems are performing correctly. In addition, Skilltech carries out separate monitoring of both infrastructure and application metrics. We have also signed up to the NCSC Early Warning Service (Early Warning - NCSC.GOV.UK). |
Do you utilise Firewalls and have an Intrusion Detection System/Identity Provider in place (IDS/IdP)? |
|
Do you use Encryption on the disks? |
All data in transit is secured by TLS; all data at rest is stored on encrypted disks. |
Do you have Annual PEN Testing? |
|
Are your firewall rules monitored and reviewed on an annual basis as part of your CE assessment? |
|
Is there monitoring of Capacity/Scalability within your technology and infrastructure? |
epaPRO has 99.9 percent availability. An annual performance test is carried out. |
Application Development Security | |
Do you use Standards in the Software Development Lifecycle? | Yes, the application is built on an industry standard framework to utilise the latest security features. Care is taken to ensure that developments do not expose vulnerabilities in the application. This is checked via an annual penetration test and follows OWASP (Open Web Application Security Project) standards. For more information on OWASP, see the OWASP Foundation's About Us page. |
Is there a fully documented Software Development Release Cycle? |
This is covered in Confluence. |
Do you have Version Control? |
Yes, all within Bitbucket & Atlassian. |
Is the Application developed in adherence to company policies? |
|
Is Application security testing part of the product lifecycle? |
|
Are there Separate Development/Test/Staging/Production environments? |
|
Do you employ Change Management procedures? |
Hosting Partner: Everything is logged and has to go through their process for any change management. Internally: All changes to hardware or software are done via Cambridge Support and signed off by Ian Jarvis, MD of Skilltech Solutions. Documented in Information Security Policy - Change Management and Information Security Standard - Change Management. |
|
Is SSO (Single Sign On) Supported for Microsoft & Google? |
|
Asset Management | |
Is there an Asset Management Policy? |
|
Is there an inventory of all critical assets? |
All local hardware is inventoried by Cambridge Support. The Data Centre is managed by our hosting partner. Skilltech also has a monthly report of all hardware, the IT Services Report. |
Is there a policy and procedure for sanitising hardware, for example upon decommissioning? |
|