We implement and maintain the security measures set out in this document. Such security measures may be updated or modified from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services we provide.
Security Policy, Compliance, Auditing and Incident Management
We have a documented information security policy, which is communicated internally to all staff. Our security policy is approved by top management and sets out their commitment to information security and the continual improvement of our Information Security Management System (ISMS).
The policies within our ISMS are approved by either the CEO, COO or CTO. We regularly review the effectiveness of our ISMS and top management formally review it at least once every 12 months.
Our ISMS is driven by the CEO, using a risk-based approach to managing the security of our information, systems and the services we provide, and is aligned with business requirements. The day-to-day management of security is conducted by our Security and Compliance Manager, who reports directly to the CTO. Security-related roles and responsibilities for all other staff are defined within our ISMS.
Our Security and Compliance Manager monitors staff compliance with our security policy. We believe the most effective route to staff compliance is through security awareness training and regular reviews of security behaviour. We achieve this by conducting frequent training, which begins during our employees' induction and continues throughout their careers. Regular tests allow us to measure the effectiveness of training. We have also established various metrics, which are reviewed on a regular basis, to help monitor compliance with our security policy.
We have established an internal audit schedule to conduct information security audits. These are carried out by trained and independent staff, who report results to the Security and Compliance Manager. External audits of our ISMS are conducted on a regular basis by a UKAS accredited certification body. We also conduct a range of internal and external technical audits. The results of all audits are reviewed by top management.
Our incident management policy and associated processes and procedures have been designed to allow us to quickly investigate and respond to security incidents. We monitor a variety of communication channels for security incidents and our security team will react promptly to known incidents. Where we deem it necessary, such as if your services are impacted by a data breach via our infrastructure, we will provide you with details of the incident and our response via our status page (https://wirehive.info). This is separate from any other notification procedures we have in place, such as how we notify you of personal data breaches.
The systems we use have been designed to enable us to take snapshots in the event of a suspected security incident. This allows us to retain a copy of the state of a system for investigation and, if required, forensic analysis. We also provide guidance about evidence collection and handling to our staff, which follows the advice given in the Association of Chief Police Officers of England, Wales and Northern Ireland Good Practice Guide for Digital Evidence (http://library.college.police.uk/docs/acpo/digital-evidence-2012.pdf).
We believe it is important to learn from security incidents, near-misses and general security observations. We have implemented a reporting system that allows us to effectively use such events to improve the effectiveness of our security measures.
Risk Assessment and Asset Management
We follow recognised risk management methodologies and have built our information security risk management process around the requirements of ISO 27005. We record risks in risk registers; each risk is assigned an owner who is responsible for ensuring it is reviewed regularly and at intervals of no more than 12 months.
Our Security and Compliance Manager reports on the status of information security risks to top management each month. We also conduct internal audits of our risk management methodology to ensure our processes remain effective.
We maintain asset registers for physical equipment, systems, software and information assets. The systems we employ allow us to uniquely identify your assets.
We have implemented a data classification policy and use labels to identify the sensitivity of information. This allows us to use data loss prevention tools to prevent sensitive information from being shared with unauthorised people.
Human Resources Security
Prior to employment
We conduct security vetting and employment checks for all permanent, temporary and contract staff. This service is outsourced to an established and reputable screening company and includes identity and address verification, employment history, financial probity and criminal record checks.
All staff are required to sign an employment contract. This includes a non-disclosure clause and a requirement to adhere to our privacy and security policies.
We update the security vetting of staff at regular intervals during their employment. Our staff are subject to a disciplinary policy which includes sanctions such as re-training, revocation or reduction in access rights, termination of employment and criminal investigation for both intentional and unintentional breaches of our security policy.
The sanctions imposed for breaches of our security policy depend on the circumstances and are decided on a case-by-case basis following a formal investigation. We have established a just culture, which means we accept that staff will make mistakes from time to time, but we will not tolerate deliberate or malicious actions to circumvent our security policies or controls. This is not a blame-free culture, but we have found it to be the most effective approach for individual accountability, reporting and learning from security incidents.
End of employment
Our employee termination process ensures that all assets are returned and account access revoked prior to the staff member leaving work on their final day of employment. This includes any period of gardening leave prior to an employee’s last day. We use the same process for all staff, irrespective of contract type or job position and for both amicable and non-amicable termination.
During the leaving process, staff are reminded of their ongoing legal obligations, which are detailed in their contract of employment. This includes their ongoing responsibility regarding non-disclosure and confidentiality.
Outsourcing and Third-Parties
Whether we use any outsourced suppliers or third parties to provide hosting for your service depends on the service we provide to you. If you have a service from one of our Hyperscale Cloud Service Providers, such as Microsoft Azure, Amazon Web Services or Google Cloud Platform, this will be made clear to you.
We use a supplier relationship management process that covers the whole lifecycle of our relationship with suppliers. Before onboarding sub-processors, we conduct a review of their security and privacy practices to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. This allows us to assess any security risks and decide on the controls that must be in place before we enter into a contract, and to conduct regular reviews to ensure that suppliers are adhering to our security requirements. Our supplier relationship lifecycle also includes planning for the ongoing security of information should we decide to end an agreement.
We make sure that our contracts with suppliers include provision for us to conduct security audits of the services they provide. Records of such audits are retained and we review the results as part of our wider supplier relationship management programme. This allows us to satisfy ourselves that the supplier is providing a secure service in accordance with their contractual obligations.
Cloud Services and Managed Services
Hyperscale Cloud Service Providers
We may provide services utilising one or more of the Infrastructure-, Platform- and Software-as-a-Service products offered by Amazon Web Services, Google Cloud Platform and Microsoft Azure. The security measures implemented by our Cloud Service Providers are explained at the links in the following table: