July 1, 2015

Security

Location

• UK-based data-centres

• ISO 27001 certified

• Police audited

Data-centre Security

• All public access is strictly forbidden

• 24-hour video surveillance

• Biometric access

• Manned 24/7 by SC authorised staff

• Unmarked to provide a lower profile

Network Security

• Dedicated redundant Cisco firewalls and switches

• Network intrusion detection system

• DDoS mitigation in case of attack

• Data encryption in transit with high-grade SSL

• All data stored on fully hardware encrypted hard-disks

• Application gateway in separate network segments to protect higher IL data

Server Security

• Restricted access to named security cleared Empowering Communities staff only

• All server management access is logged

• Access is via encrypted management VPN only

Backup

• Fully automated backup of data every 30 minutes, stored in our UK-based data-centres

• Clustered primary database servers

• Near real-time redundant database slave servers

• 30-minute incremental backups stored for 10 days

Application Security

• Penetration tested against the OWASP Top 10 attack vectors by a third party

• Advanced application firewall protection between IL data segments

• Comprehensive granular authorisation controls which default to closed

• User authorisation verified on every request

• Session data encrypted and stored on the server, not the client

• Passwords and security codes encrypted using multi-pass rotating algorithms

SLA

• GPG 13 monitoring of all layers of the application and infrastructure

• Multiple external monitoring systems including full application level monitoring

• 24/7 alerting of any serious issues