ISO27001 security

Physical, Human and Digital security capability through design.

ISO27001 certification

We’ve been ISO27001 certified (certification no. 598644) since 2013 and retain a dedicated CLAS certified consultant to ensure our processes continue to meet the high level of data security standards. We work with the HMG Security Policy Framework (Cabinet Office, October 2013) and our certification and experience cover design, development, implementation, hosting and support of systems classified as ‘Official’ (IL2/IL3) for security.

All of our processes and procedures incorporate Physical, Human and Digital security capability to ensure that client data and systems are continuously secure against threats to Confidentiality, Integrity and Availability.

All of our employees undergo security screening and CRB checks and have BPSS security clearance. Our key staff members are vetted to Security Clearance (SC). We can guarantee security by only providing certain levels of access (e.g. server-level access) to suitably qualified and trained Axis12 staff covered by our ISO27001 certificate and Cyber Essentials training.

Asset protection and resilience

Consumer data is stored in highly secure ex-military facilities now operated as datacentres by The Bunker, these being located in Sandwich, Kent and Newbury, Berkshire. Both datacentres are included within the scope of The Bunker’s ISO 27001:2013 certification (copy attached).

Physical security at our datacentre is ensured by:

1. 3m thick walls
2. Solid steel blast protection doors
3. 24 hour on-site technical and security team
4. On-site MOD trained guard dogs
5. Infrared CCTV
6. Military electromagnetic pulse protection
7. Tempest RFI intrusion protection
8. Sophisticated access controls
9. SCADA Environmental and Power
10. Monitoring system
11. Early Smoke Detection Apparatus
12. Fire suppression system
13. CCTV system
14. 24/7/365 video recording and monitoring
15. Visual verification of all persons entering the data floor
16. 24/7/365 manned guardroom (fitted with bullet-proof glass)
17. 24/7/365 on-site security staff (ex-military & police)
18. Random patrols with guard dogs
19. Infrared cameras
20. Vehicular gate with control barrier

Customer data is not accessible by local unauthorised parties. Without appropriate measures in place, data may be inadvertently disclosed on discarded, lost or stolen media.

External interface protection

Our data centres are subjected to independent security testing on an annual basis. Access to the service and management console is protected by two layers of authentication and can be restricted to specific IP addresses if required. We ensure cloud boundary protection through Snort IDS monitoring and alerting at the boundary, along with hardened server builds that disable unused ports.

Both of our datacentres have the capability of diverting all data through a scrubbing service in the event of a DDoS attack. The management system continually analyses data so that when a DDoS attack is detected, traffic can be redirected for “scrubbing”. This removes any traffic that matches known attack or unusual traffic patterns and passes only the clean traffic on to our service. We manage smaller scale DDoS attacks that do not trigger the scrubbing service through IP blacklisting at the edge. In the event of any such attack, we will inform our customers and keep them informed of progress through to resolution.

Data at rest

Data at rest is not encrypted by default but can be, if required by the customer. This is an aspect of the service which is discussed on a customer by customer basis to ensure cost effective and appropriate levels of protection are implemented.

Data in transit protection

We use TLS version 1.2 and 256-bit SHA to encrypt data in transit outside of our network.
We connect to the network via IPsec VPN, and the connection between our primary and secondary datacentres, which are owned and operated by The Bunker, is over IPsec. Our network is protected at the boundary by an intrusion detection system (Snort).

When hosting through our datacentre, physical protection at the datacentre level against tampering and/or interception of data on and adjacent to the site includes staff background checks in accordance with BS7858:2012; sophisticated access controls; 3-metre-thick reinforced concrete walls; solid steel blast protection doors; 24 hour on-site security team; on-site MOD trained guard dogs; infrared CCTV; military electromagnetic pulse protection and Tempest RFI intrusion protection.

Assured data destruction

Our documented processes for destruction and/or deletion of data at the termination of the contract are aligned to IAS 5 Secure Sanitisation and ISO 27002:2013 and form part of our ISMS.

Integrity of service

Our DDoS scrubbing services will aid in minimising the impact of a wide scale DDoS attack targeted at either the datacentre or a customer’s specific domain. In the event of a targeted, volumetric and distributed attack we would identify the target and null route the associated IP ranges to protect all other customers on the service.

Secure service administration

We use role-based access permissions, strong passwords, two-layer authentication, IP whitelisting and IPsec VPN to mitigate against interception attempts between the office and the service when our administrators are managing the service.

Our processes and procedures used to manage the operational service are documented within our ISMS, and are subjected to quarterly and annual internal reviews. ISO 27001 recertification also takes place on an annual basis, with the audit being performed by the British Standards Institution.

Operational security

The processes and procedures in place address the following aspects of the operational security of the service:

Configuration and change management

We use controlled code repositories, automated deployment processes and a Change Management System to ensure that changes to the system do not unexpectedly alter security properties and have been properly tested and authorised.

Vulnerability management

Our internal security team is responsible for monitoring security notifications and identifying potential security vulnerabilities; conducting impact assessments; and scheduling security patching in the timeframes identified in our ISMS as appropriate to the criticality level.

Protective monitoring

Both datacentres use an Intrusion Detection System (IDS) to detect attacks and alert on unauthorised activity on the service.

Incident management

All security incidents are logged in our ISMS and managed through to resolution using Corrective and Improvement Action Plans. Where relevant, the Incident Report, Corrective and Improvement Action Plans are shared with our customers.

Our information security processes and procedures are audited and reviewed internally on a quarterly basis, and externally by the British Standards Institution on an annual basis. Our hosting services are subjected to external security penetration tests and audits annually. Any non-conformities that are identified in the audit processes are captured as Incident Reports, and managed through to resolution using Corrective and Preventative Action Plans. Where relevant, the Incident Report, Corrective and Preventative Action Plans are shared with our customers.

Personnel security

Our key staff are all security vetted and hold Security Clearance (SC). We conduct UK BPSS screening on all our personnel, and carry out induction, annual refresher and ad-hoc security training and testing for all staff.

Secure development

Development is carried out in line with industry good practice regarding secure design, coding, testing and deployment and includes reference to recognised security advisory sources such as the OWASP Top 10. We use Bitbucket as our code repository to ensure integrity of the solution through development, testing and deployment.

All newly identified threats are reviewed by our internal security team. Patches for critical vulnerabilities are deployed to production within 24 hrs of impact assessment. Less critical vulnerability patches are deployed in the first week of the following month.

Security incidents (i.e. incidents that pose a threat to confidentiality, integrity and/or availability) are recorded in our Information Security Management System (ISMS). Customers are informed of the occurrence of a security incident, usually immediately but within a maximum of 24 hrs, and are provided with a copy of the completed Incident Report.

Secure consumer management

Only authorised and authenticated personnel are able to report faults and instruct changes to the service. All such requests are required to be raised in our ticketing system, which is only accessible to named DH personnel with valid logins. Authorised personnel and the actions they are permitted to perform are clearly identified in our Operation Agreement with our customers.

Each customer’s management console is kept separate from the others to ensure that other consumers cannot access, modify or otherwise affect services other than their own.

Identity and authentication

The proposal employs two layers of authentication to management consoles. If additional levels of security are required, console access can be locked down to specific IP addresses. Additionally, the service supports granular permissioning controls to ensure that users are assigned roles appropriate to the level of access required. Service traffic outside of the protected network is encrypted using TLS.

Our stand setup consists of a series of layers that provide granular control and restriction to data and services. Primary firewalls are the first line of defence, locking down all unnecessary ports and providing the facility to automatically (using an IDS) or manually ban malicious traffic. Traffic will then hit a reverse proxy inside a DMZ that can route at either layer 7 or layer 4 (depending on requirements) and allows for additional security controls, including IP or API key based filtering.