We implement and maintain the security measures set out in this document. Such security measures may be updated or modified from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services we provide.

Security Policy, Compliance, Auditing and Incident Management

Security policy

We have a documented information security policy, which is communicated internally to all staff. Our security policy is approved by top management and sets out their commitment to information security and the continual improvement of our Information Security Management System (ISMS).

The policies within our ISMS are approved by either the CEO, COO or CTO. We regularly review the effectiveness of our ISMS and top management formally review it at least once every 12 months.

Security management

Our ISMS is driven by the CEO, using a risk-based approach to managing the security of our information, systems and the services we provide and is aligned with business requirements. The day-to-day management of security is conducted by our Security and Compliance Manager, who reports directly to the CTO. Security related roles and responsibilities for all other staff are defined within our ISMS.

Compliance

Our Security and Compliance Manager monitors staff compliance with our security policy. We believe the most effective route to staff compliance is through security awareness training and regular reviews of security behaviour. We achieve this by conducting frequent training, which begins during each employee’s induction and continues throughout their career. Regular tests allow us to measure the effectiveness of training. We have also established various metrics, which are reviewed on a regular basis, to help monitor compliance with our security policy.

Auditing

We have established an internal audit schedule to conduct information security audits. These are carried out by trained and independent staff, who report results to the Security and Compliance Manager. External audits of our ISMS are conducted on a regular basis by a UKAS accredited certification body. We also conduct a range of internal and external technical audits. The results of all audits are reviewed by top management.

Incident management

Our incident management policy and associated processes and procedures have been designed to allow us to quickly investigate and respond to security incidents. We monitor a variety of communication channels for security incidents and our security team will react promptly to known incidents. Where we deem it necessary, such as if your services are impacted by a data breach via our infrastructure, we will provide you with details of the incident and our response via our status page (https://wirehive.info). This is separate to any other notification procedures we have in place, such as how we notify you of personal data breaches.

The systems we use have been designed to enable us to take snapshots in the event of a suspected security incident. This allows us to retain a copy of the state of a system for investigation, and forensic analysis if required. We also provide guidance about evidence collection and handling to our staff, which follows the advice given in the Association of Chief Police Officers of England, Wales and Northern Ireland Good Practice Guide for Digital Evidence (http://library.college.police.uk/docs/acpo/digital-evidence-2012.pdf).

We believe it is important to learn from security incidents, near-misses and general security observations. We have implemented a reporting system that allows us to effectively use such events to improve the effectiveness of our security measures.

Risk Assessment and Asset Management

Risk assessment

We follow recognised risk management methodologies and have built our information security risk management process around the requirements of ISO 27005. We record risks in risk registers; each risk is assigned an owner who is responsible for ensuring it is reviewed regularly and at intervals of no more than 12 months.

Our Security and Compliance Manager reports on the status of information security risks to top management each month. We also conduct internal audits of our risk management methodology to ensure our processes remain effective.

Asset management

We maintain asset registers for physical equipment, systems, software and information assets. The systems we employ allow us to uniquely identify your assets.

Data classification

We have implemented a data classification policy and use labels to identify the sensitivity of information. This allows us to use data loss prevention tools to help prevent sensitive information from being shared with unauthorised people.

Human Resources Security

Prior to employment

We conduct security vetting and employment checks for all permanent, temporary and contract staff. This service is outsourced to an established and reputable screening company and includes identity and address verification, employment history, financial probity and criminal record checks.

All staff are required to sign an employment contract. This includes a non-disclosure clause and a requirement to adhere to our privacy and security policies.

During employment

We update the security vetting of staff at regular intervals during their employment. Our staff are subject to a disciplinary policy which includes sanctions such as re-training, revocation or reduction in access rights, termination of employment and criminal investigation for both intentional and unintentional breaches of our security policy.

The sanctions imposed for breaches of our security policy depend on the circumstances and are decided on a case-by-case basis following a formal investigation. We have established a just culture, which means we accept that staff will make mistakes from time-to-time but we will not tolerate deliberate or malicious actions to circumvent our security policies or controls. This is not a blame free culture, but we have found it to be the most effective approach for individual accountability, reporting and learning from security incidents.

End of employment

Our employee termination process ensures that all assets are returned and account access revoked prior to the staff member leaving work on their final day of employment. This includes any period of gardening leave prior to an employee’s last day. We use the same process for all staff, irrespective of contract type or job position and for both amicable and non-amicable termination.

During the leaving process, staff are reminded of their ongoing legal obligations, which are detailed in their contract of employment. This includes their ongoing responsibility regarding non-disclosure and confidentiality.

Outsourcing and Third-Parties

Outsourced hosting

Whether we use any outsourced suppliers or third-parties to provide hosting for your service is dependent on the service we provide to you. If you have a service from one of our Hyperscale Cloud Service Providers such as Microsoft Azure, Amazon Web Services or Google Cloud Platform, this will be made clear to you.

Supplier relationships

We use a supplier relationship management process that covers the whole lifecycle of our relationship with suppliers. Before onboarding sub-processors, we conduct a review of their security and privacy practices to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. This allows us to assess any security risks and decide on controls that must be in place before we enter into a contract and to conduct regular reviews to ensure that our security requirements are being adhered to by suppliers. Our supplier relationship lifecycle also includes planning for the ongoing security of information should we decide to end an agreement.

Supplier auditing

We make sure that our contracts with suppliers include provision for us to conduct security audits of the services they provide. Records of such audits are retained and we review the results as part of our wider supplier relationship management programme. This allows us to satisfy ourselves that the supplier is providing a secure service in accordance with their contractual obligations.

Cloud Services and Managed Services

Hyperscale Cloud Service Providers

We may provide services utilising one or more of the Infrastructure-, Platform- and Software-as-a-Service products offered by Amazon Web Services, Google Cloud Platform and Microsoft Azure. The security measures implemented by our Cloud Service Providers are explained at the links in the following table:

Cloud Service Provider

Security Measures

Amazon Web Services

Google Cloud Platform

Data centre security

Our co-located data centres maintain an on-site security operation responsible for all physical data centre security functions 24 hours a day, 7 days a week.

Each of our data centres employs an electronic key card and/or biometric access control system that is linked to an alarm system. The access control system monitors and records each person’s electronic key card use, including when they access perimeter doors and other critical areas. Unauthorised activity and failed access attempts are logged by the access control system and investigated, as appropriate. Authorised access throughout the business operations and data centres is restricted based on zones and the individual’s job responsibilities. The fire doors at the data centres are alarmed.

Closed circuit TV (CCTV) cameras are in operation both inside and outside the data centres. The positioning of the cameras has been designed to cover strategic areas including, among others, the perimeter, doors to the data centre building, and loading/unloading areas. On-site security staff manage the CCTV monitoring, recording and control equipment. Cameras record on site via digital video recorders 24 hours a day, 7 days a week. Each data centre maintains surveillance records.

The on-site security staff monitor all alarm systems. On-site security staff perform internal and external patrols of the data centres.

Data centre access

We maintain formal access procedures for allowing physical access to our co-located data centres. All entrants to the data centre are required to identify themselves as well as show proof of identity to on-site security staff. Only authorised employees, contractors and visitors are allowed entry to the data centres.

Only authorised employees and contractors are permitted to request electronic key card access to these facilities. Electronic key card access requests must be made through e-mail and require the approval of both our CTO and data centre manager. All other entrants requiring temporary data centre access must obtain approval in advance from our CTO and the data centre manager for the specific data centre and sign in with the on-site security staff.

Data centre infrastructure

All our production data is stored in physically secure data centres. We operate co-located equipment in geographically distributed data centres in the United Kingdom as well as utilising Infrastructure/Platform/Software-as-a-Service provided by our Hyperscale Cloud Service Providers. Should you choose to use one or more of our Hyperscale Cloud Service Providers, you will be responsible for choosing the geographic location(s) in which your data is processed.

Our systems have been designed to minimise single points of failure and anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy and allow us to perform certain types of preventative and corrective maintenance without interruption.

Data centre power supplies

Our co-located data centres have electrical power systems that are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, 7 days a week. In most cases, a primary and an alternate power source is provided for critical infrastructure components in our data centres. Backup power is provided by various mechanisms such as uninterruptible power supply (UPS) batteries, which supply consistently reliable power protection. If power is interrupted for a prolonged period, diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough electrical power to run the data centre at full capacity, with refuel contracts in place to ensure there is always sufficient fuel.

Data centre connectivity

Our co-located data centres are typically connected via secured high-speed links to provide secure and fast data transfer. This is designed to prevent data from being read, copied, altered or removed without authorisation during electronic transfer or while being recorded onto data storage media. We transfer data via industry standard protocols.

Change Management

Change process

We operate formal change control processes which conform to ITIL best practices. Additionally, we have a quality management system that has been certified to ISO 9001 standards.

Design documents

If we have provided you with a bespoke solution, the security requirements and any associated security acceptance tests you have specified are documented in your solution design document. Any changes to these requirements are subject to formal approval by you prior to implementation.

Software development

Our in-house software team operate an agile methodology, which allows us to make frequent updates to our software. Software security risks are captured in the associated design document and considered throughout the development and operational use lifecycles. We implement appropriate measures to mitigate these risks.

As part of the software development process we conduct security testing. The security acceptance criteria for these tests are specified in the associated design document. Our development team reference the OWASP Top 10 for all services we make available on the internet.

We control access to software development environments and ensure that only staff who need access are authorised to do so. Whilst each development environment is bespoke to the software being developed, we employ the same security principles to each. This includes protecting source code from unauthorised changes and ensuring that any live data used for testing purposes is anonymised and approved by our CTO prior to use.

Infrastructure changes

If we make any changes to our infrastructure, we ensure that they are recorded. This includes recording changes to firewall rules. By recording and monitoring changes we have the ability to identify any unauthorised alterations, which could be an indication that an attacker has been able to compromise part of our network.

Testing changes

Before we promote a change from our test environment to the live environment we conduct extensive testing. We also formalise regression plans, so that we are able to quickly revert to a previously known state should something go wrong. By doing so, we help to ensure the continued confidentiality, integrity and availability of our systems and the service provided to you.

Physical Security

Security perimeter

We apply similar levels of protection to our office building as we do our co-located data centres. Entry is controlled by electronic key card, which is unique to each member of staff. Access to secure areas within the office building is restricted to authorised staff only. We have installed a motion detecting burglar alarm system, which is further protected by CCTV with remote notification capabilities. These, along with our fire alarm system, are regularly tested.

Visitor access to our office building is controlled. Visitors are required to be hosted by a staff member and must be booked in in advance. We have an out-of-band procedure for verifying the legitimacy of unexpected visitors prior to granting them entry into our office building. Visitors are issued with passes identifying them as such and which only grant access to communal areas.

Deliveries and loading are conducted at authorised locations only.

Secure areas

Except when there is an explicit requirement for them to do so, visitors are not permitted to work in secure areas. From time-to-time, we may require contractors to work in secure areas and we ensure they are escorted by an authorised member of staff when doing so.

We expect remote working staff to apply the same principles in their work environment and reserve the right to conduct ad-hoc inspections. Additionally, we do not permit our staff to use freely available public Wi-Fi access points to access our systems, because confidential information could be observed or the access point could be operated by a malicious entity.

Equipment security

Equipment within the office building is sited to minimise the ability for members of the public to view confidential information. Staff are required to obtain permission from asset owners prior to removing equipment from the premises. We give perpetual permission to staff to remove issued laptops from company premises.

We record all physical hardware assets in asset registers. These are kept up-to-date by asset owners, who are responsible for ensuring the accuracy of the information stored therein.

Destruction of storage media

Disks containing data may experience performance issues, errors or hardware failure that lead them to be removed from service. Every disk undergoes a secure erasure process before leaving our premises, either for reuse elsewhere or destruction. The erase results are logged by the decommissioned disk’s serial number for tracking. Once erased, disks may be released for redeployment and reuse elsewhere.

If, due to hardware failure, the disk cannot be erased, it is securely stored until it can be destroyed. We employ suitably qualified third-party contractors (as may be amended from time to time) to conduct secure destruction. Our approved contractors follow Waste Electrical and Electronic Equipment disposal and recycling guidelines. Waste Transfer Notes and, where applicable, Certificates of Destruction, are retained by our CTO.

We regularly audit compliance with our secure disposal policy.

Clear desk and screen policy

Our staff are required to lock their systems when not in use. This is enforced by system configuration settings. Staff are also required to log out of remote sessions when they are complete. We also require staff to operate a clear desk policy and lock any confidential information away when not at their desks.

Technical Controls

Server operating systems

The servers used for providing our Wirehive Public Cloud Service use a VMware hypervisor layer to provide the services. Servers for our Dedicated Platform use server operating systems as specified by you. Services based on AWS, Azure and/or GCP use server operating systems implemented and, where applicable, customised by the service provider for provision of the underlying services.

Network defences

We employ multiple layers of network devices, including firewalls, to protect our external attack surface. We consider possible attack vectors and incorporate appropriate security controls into external facing systems. Remote access to our systems is via a VPN.

Logging

We operate a centralised logging system that records network activity, access requests and device actions. Our log retention policy ensures we keep sufficient data to investigate security incidents up to 12 months after they have occurred.

Intrusion detection

Our intrusion detection capabilities are intended to provide insight into ongoing attacks and sufficient information to respond to incidents. Our intrusion detection measures include use of detection controls at data entry and exit points and employment of various security controls to limit the size and make-up of our attack surface.

Encryption technologies

We use secure communication protocols to manage our servers and network devices. The exact protocol used is dependent on the task being conducted and the endpoint being accessed. As an example, we use SSH to administer Linux based endpoints and SSL/TLS enabled RDP for Windows based endpoints.

We do not develop our own cryptographic algorithms or protocols and use open source standards compliant implementations wherever possible. If this is not possible for any reason, we will only use industry accepted proprietary algorithms.

Our cryptography policies prohibit use of weak and obsolete algorithms and key lengths. Minimum key lengths and choice of algorithms are based on the advice provided at https://www.keylength.com and are currently expected to provide security to 2030 and beyond.

Access control

Our internal access control policies and associated procedures and systems are designed to prevent unauthorised persons and/or systems from gaining access to systems used to process data and ensure that data cannot be read, copied, altered or removed without authorisation. This includes any personal data we process.

Our systems are designed to detect any inappropriate access. We operate a centralized access management system to control access to production servers and only provide access to a limited number of authorised staff. Our centralized access management system uses a combination of Active Directory, LDAP, Kerberos and SSH certificates. These controls are designed to grant access rights to systems, logs, data and configuration information to approved staff only.

We require the use of unique user IDs, strong passwords, two factor authentication and access lists to minimize the potential for unauthorised account use. The granting or modification of access rights is based on job role and a need to know basis. The granting or modification of access rights must also be in accordance with our internal access control policies and any necessary training. Approvals are managed and records of all changes maintained and regularly audited. Access to systems is logged to create an audit trail for accountability.

We have also implemented an authentication system that your appointed account administrators must use to authenticate themselves to be able to administer the services we provide to you. Our customer facing staff have access to this system so that they can authenticate you and check you have the necessary authorisations to administer the account.

Password policy

We have implemented password policies that follow industry best practices, such as those recommended by the National Cyber Security Centre and the National Institute of Standards and Technology. These recommendations include guidelines on password expiry, restrictions on password reuse and sufficient password strength. We require staff to use multi-factor authentication on all accounts.

Our staff are not permitted to share passwords. For some systems, we require use of shared passwords. These are maintained in a secure password management system which uses access controls to restrict access to only those members of staff who are authorised. Access requests are logged and monitored.

Data storage

We store your data in either dedicated and/or multi-tenant environments, which is determined by the services provided to you. You will be given control over specific data sharing policies and we will not share your data unless you expressly instruct us to do so.

Endpoint protection

We protect our endpoints with anti-virus software that is configured to automatically update virus definitions daily. Our anti-virus software is also configured to automatically scan new files and external media. We use MDM technology to enforce our anti-virus policy for user devices.

In addition to our anti-virus software, we can conduct DNS and software blacklisting. This enables us to prevent staff from using harmful and unauthorised software and from visiting potentially malicious websites.

Staff endpoints are configured to encrypt data at rest and require a password or passcode to be able to access the device. Host-based firewalls are configured. This is enforced through use of MDM software.

Patch management

Patching of operating systems and software on our infrastructure systems is managed from a central patch management system. This allows us to automate the installation of security patches and to ascertain whether there are any patches that have not been applied and require manual intervention. Although some critical systems require manual patching, our patch management system enables us to view the current patch levels and put appropriate risk mitigation measures in place until we can safely apply security patches to these systems.

User endpoints are configured to automatically update whenever a patch or new version of software is available. Many of the applications we use are evergreen, which means they will automatically update themselves.

We have implemented robust technical and procedural processes to monitor the patch state of infrastructure equipment and user endpoints. These controls are regularly audited to ensure their effectiveness.

Use of personal devices

We operate a Corporately-Owned Personally Enabled (COPE) business model and provide our staff with a company laptop. Staff are permitted to use their own devices, such as personal laptops and smart phones, to access company networks. We treat all devices as untrusted and enforce the same security requirements on Bring Your Own Device (BYOD) devices as we do COPE devices.

Staff are required to inform the Security and Compliance Manager in the event that any device which has been used to access company systems is lost or stolen. This is recorded as a security incident and measures are in place to prevent such devices from gaining access to systems and data.

At the end of a staff member’s employment, company data and accounts are wiped from both BYOD and COPE assets.

Vulnerability and penetration testing

We conduct internal and external automated vulnerability assessments of our systems. We also conduct periodic internal and external penetration tests. The results of these tests are fed back into our risk management process.

Disaster Recovery and Business Continuity Management

Information backup

We implement a backup solution on our Wirehive Public Cloud and Dedicated Server solutions that allows us to recover your data if our infrastructure fails. A random sample of our backups is tested monthly.

A dedicated backup solution for your service is available as an optional security control.

NB: For the avoidance of doubt this does not apply to our Hyperscale Cloud Solutions as the hardware is owned and controlled by third parties. Information backups can be built into these solutions at your request during the Solution Design phase.

Continuity and disaster recovery planning

Our COO has overall responsibility for business continuity and disaster recovery planning. We include security requirements in our plans. We conduct regular table top exercises and tests of our business continuity and disaster recovery plans. Whenever we conduct such tests, we welcome feedback from all stakeholders to help us continue to improve our procedures and to ensure you have a seamless experience.

Customer Security Controls

Customer portal

We have designed and implemented a customer portal for you to manage the services we provide to you. The customer portal provides you with the following security functionality:

  1. Ability to add, change and remove users who are authorised to act as account administrators and data controllers on your behalf and issue instructions to us regarding your account and services.
  2. Mandatory multi-factor authentication for all users.
  3. Capability to view the history of service tickets that you have raised and details of our staff’s response.

The customer portal is the only route by which we will accept change requests to your account.
