Xcite Digital: Security Measures – NEW 2018
At Xcite Digital the security of our data and yours is a high priority. We therefore implement and maintain the security measures set out in this document.
We also keep our security measures under continual review and, as such, may update or modify them without advance notice. Such modifications will serve only to improve the overall security of the services we provide.
This document outlines the structure of our security policy, compliance, auditing and incident management.
Information Security Policy
Our information security policy has the full commitment of our Board of Directors and is subject to formal review on an annual basis. It is fully documented and communicated internally to all staff. Our policy covers all our information, systems and services, and is fully aligned with our business requirements and priorities.
Security Management and Compliance
The day-to-day management and implementation of our security is conducted and overseen by our Security and Compliance Manager, who reports directly to the MD. We support our staff’s compliance with our security policy by providing regular training and other awareness-raising measures. We also monitor and review the security behaviour and policy compliance of all our staff – including Board members – on a regular basis.
Whilst we do all that we can to prevent incidents from occurring, we also have an incident management policy to cover that eventuality, and enable us to investigate and respond rapidly to security incidents. As part of this policy we monitor our Internet and other communication channels for security vulnerabilities. This means that we can preempt many potential incidents and react effectively to any that do occur.
As part of our incident management policy, we undertake to provide you with details of any incident or data breach that impacts upon you or your business, together with our response to it. Our incident management policy also requires and enables us to learn from any potential or actual security incident, so as to improve the effectiveness of our security measures.
Human Resources Security
At Xcite Digital we need to be able to place the utmost trust in all of our staff so we conduct rigorous vetting checks at all stages of the employment cycle.
Prior to employment we conduct thorough security vetting and employment checks. All staff are then required to sign an employment contract that includes a non-disclosure clause and a commitment to adhere to our privacy and security policies.
During employment we update the security vetting of staff at regular intervals. In the unlikely event of an intentional or unintentional breach of our security policy, the staff member concerned will be subject to our disciplinary policy. This includes a range of sanctions appropriate to the breach, ranging from re-training and reduced access rights at one end of the spectrum to termination of employment and criminal investigation at the other.
On leaving employment we insist that an employee returns all company assets; we also revoke access to company accounts on the final day of employment. Company data and accounts are also wiped from any personal staff device. We also remind staff during the leaving process of their ongoing legal obligations, including non-disclosure and confidentiality. These protocols apply to all staff, irrespective of job position and reason for leaving.
Security of Third-Parties
At times we may need to use outsourced suppliers to provide hosting for your service, but this will always be made clear to you.
If this is the case we always implement a supplier relationship management process that includes a review of their security and privacy practices. This allows us to assess any potential security risks and ensure that our security requirements are being adhered to.
During our relationship with a supplier we conduct regular security audits of the services they provide. We also have rigorous procedures in place should we decide to end that relationship.
These procedures also apply to our cloud and managed services. These suppliers – and their standard security measures – are as follows:
Amazon Web Services: https://aws.amazon.com/security
Google Cloud Platform: https://cloud.google.com/security
Microsoft Azure: https://www.microsoft.com/en-us/trustcenter/security
RISK ASSESSMENT, DISASTER RECOVERY AND BUSINESS CONTINUITY
At Xcite Digital we have robust risk management policies in place. These are reviewed regularly to ensure their currency and effectiveness. Our Security and Compliance Manager reports on the status of information security risks to Board members each month.
We maintain asset registers for all our various assets. These include physical equipment, computer systems, software and information. We are able to uniquely identify each type of asset. We have also implemented a data classification policy that enables us to identify the sensitivity of information. We use data loss prevention tools to ensure that sensitive information is not shared with unauthorised people.
We operate regular data backups on both our public cloud and dedicated server storage. This enables us to recover your data in the unlikely event of an infrastructure failure. We test our backup and restore processes on a regular basis.
Business Continuity/Disaster Recovery
Business Continuity and Disaster Recovery are high on our priority list. We therefore conduct regular tabletop reviews and interactive tests of our business continuity and disaster recovery plans. We welcome feedback from all stakeholders during these activities so that we can continue to improve our business continuity and disaster recovery procedures. We want you to be reassured that, should the worst-case scenario happen, we can get things up and running again.
HARDWARE AND SOFTWARE MANAGEMENT
By the very nature of our business we are often developing or changing software. Below are some of the controls we use to ensure that this is done in a secure and robust environment:
We control access to software development environments and ensure that only staff who need access are authorised to do so. We have measures in place to protect source code from unauthorised changes and to ensure that any live data being used for testing purposes is anonymised prior to use.
We conduct extensive testing before going live with changes. We also have formal rollback plans in place, so that we are able to quickly revert to a previously working state in the event of anything going wrong. We also conduct security testing against the acceptance criteria specified in the associated design document. These measures enable us to ensure the continued confidentiality, integrity and availability of our systems and of the service provided to you.
All IT equipment within our office building is sited to prevent any members of the public from viewing confidential information. Staff need to obtain specific permission to remove equipment from the premises, apart from issued laptop/tablet computers.
Destruction of data storage
If a hardware failure occurs on storage media, such as a disk, and the media cannot be erased, it is stored securely until it can be destroyed.
Clear desk and screen policy
All staff are required to lock their systems when not in use and to log out of remote sessions when they are complete. Staff are also required to operate a clear desk policy and lock away any confidential information when not at their desks.
At Xcite Digital we use multiple layers of network security, including firewalls, to protect our external facing systems. We have robust intrusion detection capabilities to provide insight into ongoing attacks and sufficient information to respond to incidents. We also use secure encrypted communication protocols to manage our servers and network devices.
Our internal access control policies and procedures are designed to prevent unauthorised people gaining access to systems used to process data. Access approvals are managed, and records of all access changes are kept. Access to systems is logged in real time to create an audit trail for accountability.
We also require the use of unique user IDs, strong passwords and two-factor authentication to minimise the potential for unauthorised account use. We have implemented password policies that follow industry best practice and include guidelines on expiry, password sharing, reuse and sufficient password strength.
Data is stored in either dedicated and/or multi-tenant environments, depending on the services provided. Data is not shared unless you expressly instruct us to do so.
We protect our endpoints with anti-virus software that is configured to update its virus definitions automatically every day. It also automatically scans new files and external media.
We also conduct DNS and software blacklisting to prevent staff from using harmful and unauthorised software and from visiting potentially malicious websites. We treat all staff personal devices as untrusted, and enforce stringent security requirements for them. Staff are required to inform the Security and Compliance Manager in the event of any devices used to access company systems being lost or stolen.
We also conduct internal and external automated vulnerability assessments of our systems, and periodic internal and external penetration testing.