1. Introduction
This Information Security Policy is the foundation of the information security program of HIRETT Limited (The Company) and ties together all other policies as they relate to information security and data protection.
The Company’s Information Security Policy covers all aspects of how we identify, secure, manage, use and dispose of information and physical assets, as well as acceptable use protocols, remote access, passwords and encryption.
The company’s IT infrastructure is based on Amazon Web Services (AWS) Cloud and benefits from using AWS data centres and network to protect information, identities, applications and devices.
2. Policy Framework
The Company is committed to preserving Information Security of all physical, electronic and intangible information assets across the business, including, but not limited to all operations and activities.
We aim to provide information and physical security to:
● Protect customer, 3rd party and client data
● Preserve the integrity of The Company and our reputation
● Comply with legal, statutory, regulatory and contractual requirements
● Ensure business continuity and minimum disruption
● Minimise and mitigate business risk
3. Purpose
The aim of the HIRETT Information Security Policy is to preserve:
Confidentiality: Access to data shall be confined to those with appropriate authority to access it.
Integrity: Information shall be complete and accurate. All systems, assets and networks will be protected from unauthorised changes.
Availability: Data, objects and resources shall be accessible to authorised users for the purposes they require.
4. Scope
The policy relates to all the Company staff (permanent and temporary) and contracted vendors engaged with the Company. The policy has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual and business expectations and requirements.
5. Objectives
The Company has adopted the below set of principles and objectives to outline and underpin this policy and any associated information security procedures:
● Information will be protected in line with all our data protection and security policies and the associated regulations and legislation, notably those relating to data protection, human rights and the Freedom of Information Act
● All information assets will be documented on an Information Asset Register (IAR) by the Chief Risk Officer and will be assigned a nominated owner who will be responsible for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect it
● All information will be classified according to an appropriate level of security and will only be made available solely to those who have a legitimate need for access and who are authorised to do so
● It is the responsibility of all individuals who have been granted access to any personal or confidential information, to handle it appropriately in accordance with its classification and the data protection principles
● Information will be protected against unauthorised access and we will use the encryption methods set out in this policy
● Compliance with this Information Security and associated policies will be enforced and failure to follow either this policy or its associated procedures will result in disciplinary action
The Chief Risk Officer has the overall responsibility for the governance and maintenance of this document and its associated procedures and will review this policy at least annually to ensure that it is still fit for purpose and compliant with all legal, statutory and regulatory requirements and rules.
It is the sole responsibility of the Chief Risk Officer to ensure that these reviews take place and to ensure that the policy set is and remains internally consistent.
6. Procedures and Guidelines
6.1 Classification of Information
The Company classifies information based on the following:
Confidential: Available only to specified and relevant parties, with appropriate authorisation. A breach in confidentiality could result in unacceptable damage and consequences.
Restricted: Available only to specified and/or relevant parties, with appropriate authorisation. A breach could cause severe damage, resulting in the compromise of activities involving sensitive or confidential data.
Internal: Available only to authenticated staff; disclosure or leakage of the data outside the company would be inappropriate.
Public: Available to any member of the public without restriction.
Each information asset will be assigned a security classification by the Chief Risk Officer which will reflect the sensitivity of the asset. Each piece of information, or “object”, has an “owner” who is responsible for its functionality and security as well as for performing the following actions:
● identifies authorised persons and their access rights to a particular piece of information;
● conducts risk analysis (new objects, amendments to existing objects);
● develops object usage rights;
● outlines requirements for object recovery in case it has been changed without authorisation or has been lost.
The level of confidentiality will be driven by whether the data is personally identifiable information (PII), commercially sensitive, business secrets or public information.
6.1.1 Sensitive Data
During onboarding to the company platform, a customer provides the following details:
● Customer ID where provided by the Open Banking API
● First and Last name
● Address
● Contact phone number
● Email address
The company stores only necessary information from the customers – including the session token and access token. All customer details will be encrypted and stored in an AWS database. Customer personal details can only be accessed by company staff with the appropriate level of permissions. EdocOnline will not process or store Customer payment details, Account Details or Card Details.
6.1.2 Data Storage and Infrastructure
● The company’s infrastructure for data storage will be Amazon DynamoDB, provided by AWS.
● All sensitive data mentioned in section 6.1.1 will be encrypted and will adhere to the same standards followed by Open Banking methodologies.
● The company will update our encryption algorithm in line with Open Banking standards. For any version upgrade or use of a new version of the Open Banking API, our encryption will use the same standards as Open Banking. This removes any delay in updating our encryption algorithm.
6.2 Access Controls
Staff at the Company will only be granted access to the information that they need to fulfil their role within the organisation. Access to data and program source libraries will be controlled and restricted to authorised users who have a legitimate need, e.g. system administrators. Staff who have been granted access must not pass on information to others unless they have also been granted access through appropriate authorisation.
The Company classifies staff by the level of access to information:
● users of information systems who have read-only access to the information;
● system administrators who possess full access rights to all of the network resources;
● system testers who possess the right to modify system software within the test server;
● auditors and security employees who are granted full access to any information system for the purpose of its inspection.
6.2.1 Privilege Access
The production database will only be accessed using a service account, and privileged access must be requested. The following will apply:
● Privilege access will be granted for production deployment and to resolve a production-related incident.
● Privilege access will be granted to a unique, traceable person for a limited period of time.
● The requester and approver of a privilege access cannot be the same person.
● Changes will be logged and auditable.
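The four rules above can be enforced mechanically at the point where a privileged-access request is approved. The following is an added illustration, not the Company's own tooling: it checks that the purpose is a deployment or incident, that the requester is a named individual rather than a shared account, that requester and approver differ, that the grant is time-limited, and it writes every decision (granted or refused) to an audit record. The four-hour cap, the `svc-` prefix for service accounts and the ticket-reference field are assumptions, since the policy states no specific values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed policy parameters (assumptions, not values from the policy):
# the policy requires a limited period but states no maximum, so a
# four-hour cap is assumed; "svc-" is an assumed naming convention for
# shared service accounts, which must never hold the privilege themselves.
ALLOWED_PURPOSES = {"production_deployment", "production_incident"}
MAX_GRANT = timedelta(hours=4)
SHARED_ACCOUNT_PREFIX = "svc-"


@dataclass
class AccessRequest:
    requester: str          # the individual who will hold the privilege
    approver: str           # the individual who approved it
    purpose: str            # why access is needed
    reference: str          # deployment or incident reference (hypothetical ticket id)
    requested_at: datetime  # UTC
    duration: timedelta     # how long the grant lasts


@dataclass
class Decision:
    granted: bool
    reasons: List[str]          # empty when granted
    expires_at: Optional[str]   # ISO 8601 in UTC, None when refused


AUDIT_LOG: List[dict] = []      # every decision is recorded, granted or not


def make_request(requester, approver, purpose, reference, requested_at_iso, hours):
    """Convenience constructor taking plain strings and a duration in hours."""
    ts = datetime.fromisoformat(requested_at_iso).replace(tzinfo=timezone.utc)
    return AccessRequest(requester, approver, purpose, reference, ts,
                         timedelta(hours=hours))


def evaluate(req: AccessRequest) -> Decision:
    """Apply the privilege-access rules and record the outcome in AUDIT_LOG."""
    reasons = []
    if req.purpose not in ALLOWED_PURPOSES:
        reasons.append("purpose must be a production deployment or a production incident")
    if not req.requester or req.requester.startswith(SHARED_ACCOUNT_PREFIX):
        reasons.append("requester must be a uniquely traceable person, not a shared account")
    if req.requester == req.approver:
        reasons.append("requester and approver cannot be the same person")
    if not (timedelta(0) < req.duration <= MAX_GRANT):
        reasons.append(f"duration must be positive and at most {MAX_GRANT}")
    if not req.reference:
        reasons.append("a deployment or incident reference is required")

    granted = not reasons
    expires = (req.requested_at + req.duration).isoformat() if granted else None
    AUDIT_LOG.append({
        "requester": req.requester, "approver": req.approver,
        "purpose": req.purpose, "reference": req.reference,
        "requested_at": req.requested_at.isoformat(),
        "granted": granted, "expires_at": expires, "reasons": list(reasons),
    })
    return Decision(granted, reasons, expires)


def is_active(decision: Decision, now_iso: str) -> bool:
    """True while a granted privilege has not yet expired (now_iso is UTC)."""
    if not decision.granted or decision.expires_at is None:
        return False
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return now < datetime.fromisoformat(decision.expires_at)


if __name__ == "__main__":
    ok = evaluate(make_request("alice", "bob", "production_incident",
                               "INC-1042", "2024-05-01T09:00:00", 2))
    print("granted:", ok.granted, "expires:", ok.expires_at)
    bad = evaluate(make_request("alice", "alice", "curiosity", "",
                                "2024-05-01T09:00:00", 48))
    print("refused:", bad.reasons)
```

Because refused requests are logged as well as granted ones, an auditor can see attempted self-approvals, not just successful grants.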
6.2.2 Contracts of Employment
Staff security requirements shall be addressed at the recruitment stage. When an employee is hired, he or she is familiarised with The Company’s internal policies and procedures, as well as guidance on the use of information systems. The job contract contains a confidentiality agreement, and new employees are allowed to access information resources only after a job application has been filed and the training process has been completed.
Should the job duties of an employee be amended, all access rights to The Company’s information resources are terminated. New access rights are later assigned on the basis of the new application and in accordance with the functions performed by the employee. In case the job contract has been terminated, all access rights to The Company’s information resources are also terminated, along with the related accounts.
If an information system administrator, computer network administrator, internal auditor or IT Security Officer is dismissed, all passwords are changed for the systems to which the dismissed employee had access, in addition to the standard procedure of access right termination.
6.2.3 Staff Engagement
All staff must follow our staff policy regarding equipment and access, specifically:
1. Staff will be provided with, and must use, company-provided laptops.
2. Where staff cannot use company laptops, remote working will be provided via a VPN setup.
3. Staff will be required to sign up to the data security terms.
4. No staff will be able to access the production environment without going through the privilege access process outlined in section 6.2.1.
6.3 Secure Disposal of Information
The Company will not permit the disposal of electronic storage devices without prior destruction. Devices have to be destroyed in the way which would prevent further data restoration.
Electronic information must be securely erased or otherwise rendered inaccessible before leaving the possession of the Company. Information has to be erased in a way that prevents later recovery, such as by low-level formatting or wiping.
6.4 Removable Media
The Company will not permit devices (such as cell phones, laptops, tablets, smartphones, external hard drives, USB sticks and digital recorders) to store customer sensitive data. Data is stored on AWS database infrastructure and encrypted at rest using RSA512.
6.5 Data Encryption
Encryption methods are always used to protect sensitive and personal data within the Company and when transmitted across data networks. We also use encryption methods when accessing the Company network services, which requires authentication of valid credentials (usernames and passwords).
Data in transit is protected using hypertext transfer protocol secure (HTTPS) and authorised certificates. All other protocols and ports will be disabled.
A mutual transport layer security (mTLS) connection will be set up with Open Banking as part of the connection requirements of Open Banking.
Sensitive data is stored on AWS database infrastructure and encrypted at rest using RSA512.
6.6 Protection from Malicious Software and Fraud
The company’s use of AWS infrastructure mitigates most forms of fraud and attack, as it allows the company to benefit from IP filtering of requests originating from outside the UK, XSS filtering, throttling to prevent DoS attacks, and logging of all requests on the web server.
6.7 System Monitoring
The company network and infrastructure usage will be monitored, and alerts will be generated to notify of threats (e.g. DoS) and any suspicious activity.
Alerts will also cover login failures, usage metrics and the system being unavailable.
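As an added illustration of the two alert types named above (repeated login failures and system unavailability), and not a description of the Company's actual monitoring tool, the following detector runs over a handful of constructed log lines. The line format (`<timestamp> auth user=… result=… src=…` and `<timestamp> health service=… status=…`), the five-failures-in-five-minutes threshold and the field names are all assumptions; a real deployment would feed it AWS CloudWatch or web-server logs in whatever format they actually use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed alert tuning (the policy states no thresholds).
FAIL_THRESHOLD = 5           # failures from one (user, source) pair ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window raise an alert

# Assumed line layout: "<ISO-8601 UTC> <auth|health> key=value ...".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>auth|health) (?P<kv>.*)$")

# Constructed sample log: alice fails repeatedly from one address, bob fails
# twice then succeeds, the API health check reports DOWN, and one line is junk.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z auth user=alice result=FAIL src=203.0.113.5",
    "2024-05-01T10:00:08Z auth user=alice result=FAIL src=203.0.113.5",
    "2024-05-01T10:00:15Z auth user=bob result=FAIL src=198.51.100.7",
    "2024-05-01T10:00:22Z auth user=alice result=FAIL src=203.0.113.5",
    "2024-05-01T10:00:30Z auth user=bob result=OK src=198.51.100.7",
    "2024-05-01T10:00:41Z auth user=alice result=FAIL src=203.0.113.5",
    "2024-05-01T10:00:55Z auth user=alice result=FAIL src=203.0.113.5",
    "2024-05-01T10:01:03Z auth user=alice result=FAIL src=203.0.113.5",
    "2024-05-01T10:02:00Z health service=api status=DOWN",
    "this line is not in the expected format",
]


def parse(line):
    """Return a dict of fields for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts.replace(tzinfo=timezone.utc), "event": m.group("event"), **fields}


def detect(lines):
    """Yield (alert_type, subject, timestamp) tuples in log order.

    login_failures: FAIL_THRESHOLD failures from the same (user, src) within
                    WINDOW; raised once per pair until a successful login
                    clears the counter.
    unavailable:    a health-check line reporting status=DOWN.
    """
    alerts = []
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerted = set()                 # pairs already reported, to avoid alert storms

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                # malformed input is skipped, not fatal

        if rec["event"] == "health" and rec.get("status") == "DOWN":
            alerts.append(("unavailable", rec.get("service"), rec["ts"]))
            continue

        if rec["event"] != "auth":
            continue
        key = (rec.get("user"), rec.get("src"))
        if rec.get("result") == "OK":
            failures.pop(key, None)  # a successful login resets the streak
            alerted.discard(key)
            continue
        if rec.get("result") != "FAIL":
            continue

        q = failures[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > WINDOW:   # drop failures outside the window
            q.popleft()
        if len(q) >= FAIL_THRESHOLD and key not in alerted:
            alerts.append(("login_failures", key, rec["ts"]))
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for kind, subject, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {kind}: {subject}")
```

Keying the counter on the (user, source) pair rather than on the user alone keeps a single misbehaving client from masking a second source, while the `alerted` set ensures a sustained burst produces one alert rather than one per line.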
6.8 Security Breach Management
The Company’s definition of a breach for the purposes of this and related documents, is a divergence from any standard operating mode, which causes a failure to meet the required compliance standards.
6.8.1 Breach Management Approach
Information breaches are usually detected either by someone reporting them or by our system monitoring tool raising an alert when a breach is identified. As soon as a breach is identified, the support team will assess and remove the relevant data from our website or lock the accounts affected by the breach, notify the account holders and ask them to change their usernames and passwords.
The company will undertake a full review to identify the extent of any information that may have been accessible or breached. Our primary concern will be to ensure the protection and safeguarding of customers who may be identifiable from the data or who may have been otherwise affected by the breach. The company will contact the affected customers to apologise and advise of the extent of the data breach and the relevant next steps.
The company will take immediate corrective measures to prevent such a breach from happening again. We will refer the matter to the Information Commissioner’s Office and inform the FCA. Where required, the company will provide a phone number and email address for the affected individuals to contact us with questions or concerns.
Whilst the company takes every care with our systems, security and information, risks still exist when using technology and being reliant on human intervention, necessitating defined measures and protocols for handling any breaches. This is covered separately in an Incident Report document.
7. Declaration
All information users within the Company are responsible for protecting and ensuring the security of the information to which they have access. Managers and staff are responsible for ensuring that all information in their direct work area is managed in conformance with this policy and any subsequent procedures or documents.
All staff will be expected to be familiar with this policy and accept the declaration upon joining the company and periodically via online training on information security.
Staff who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures. The Company will ensure that staff do not attempt to gain access to information that is not necessary to hold, know or process and that restrictions and/or encryptions are in place for specific roles within the organisation relating to personal and/or sensitive information.
8. Appendix A – AWS Terms & Conditions
Our AWS Relationships will be managed and governed by AWS Service policy/ Terms & Conditions.
https://aws.amazon.com/agreement/