Date: December 2020
At Elucidat, the safeguarding of your data is at the forefront of everything we do. We have robust processes and practices in place to ensure data, server, application, network, physical and access security in everything we do.
In our security practices we fully adhere to the General Data Protection Regulation (GDPR). Our systems, infrastructure and our own behaviours are designed with confidentiality, integrity and availability in mind, so that we provide a reliable service and data you can trust.
As a company we take pride in ensuring data protection is by design and by default - making security part of our cultural capital (Article 25).
We have comprehensive processes and procedures to ensure that your data can only be accessed by those you have authorised to do so. Our processing partners are chosen only on the grounds that they align with our own standards of security (Articles 25 & 32).
In the event of an issue occurring, we have comprehensive backups and procedures in place to minimise any alteration, unauthorised access or loss of data (Article 5(1)). Should a compromise of data rights occur, we have robust processes in place to ensure containment and restoration, as well as clear protocols around communication.
Because security lies at the heart of what we do, our overall security is reviewed twice a year, with clear lines of governance around responsibility and accountability. All staff receive regular training and take part in open discussions and quizzes to ensure security remains at the forefront of what we do.
Our specific measures are detailed below:
- We conduct annual penetration tests via an external agency to ensure that our server environment is completely secure.
- All servers have security updates applied automatically, daily.
- All servers are built via 'infrastructure as code', ensuring a highly consistent, secure and resilient server environment.
- All servers are hosted within Virtual Private Networks and hardened using industry-standard hardening practices such as non-standard ports and firewalls, limiting our attack surface area.
- All (virtual) access to servers and online resources is:
  - conducted on a Least Privilege (POLP) basis.
  - signed off by the CTO or Lead Engineer.
  - protected by two-factor authentication and secure passwords (and/or keys).
- There is no physical access to servers by Elucidat staff. AWS data-center security controls are detailed here: https://aws.amazon.com/compliance/data-center/controls/
- Our data is backed up automatically, at least daily.
- All Elucidat services are set up to auto-scale to ensure resilience in periods of high demand.
- We have a comprehensive Disaster Recovery Plan in place:
  - We ensure that all data can be restored in a timely manner in the case of disaster.
  - We conduct disaster recovery rehearsals annually.
- All development follows our Software Development Lifecycle process, which enshrines secure development processes:
  - Any risks associated with development are identified, mitigated and managed through this process.
  - All development and testing is carried out in secure environments without access to production data (or any personally identifiable information).
- All personally identifiable data about Learners and Authors using Elucidat is deleted or anonymised after a period of 3 years from license end.
- We conduct due diligence on all third party suppliers to ensure that they meet our security standards, and are GDPR compliant.
- All data is encrypted, at rest and in transit (using SSH or HTTPS, and AES256 encryption).
- Access to our secure networks is only via VPN.
- Approval is required (signed off by the CTO or Lead Engineer) to carry out bulk data downloads.
- Access to download data is managed on a Least Privilege (POLP) basis - the least privilege required to accomplish a task being given, and access revoked when no longer needed, in accordance with our software Access Control Policy.
- Secure processes are in place in order to transfer data to our customers.
- 'Unpluggable' storage (e.g. USB sticks) is not used at Elucidat.
- Staff are regularly requested to remove any downloaded data from their laptops and ensure it is securely deleted after use.
- Downloading data is only carried out either in support of the service we provide or at the request of our clients.
- Downloaded personal data is deleted immediately after use.
Physical & Organisational Measures
- All staff take annual, formal, mandatory cyber security training, and have training on the policies mentioned below, as appropriate.
- Information supporting best practice and up to date processes is disseminated regularly through team and company meetings.
- We encourage all staff to feed back so we can improve our processes at the same meetings.
- Adherence to security is mandatory, and has enforceable actions identified in employment contracts.
- Our internal security rules apply whether staff are working in the office or remotely.
- Computers and all other devices:
  - are covered by an IT security checklist that is reviewed annually.
  - are encrypted, and protected by firewalls, anti-malware and anti-virus software.
  - run software updates automatically to ensure that they are constantly protected.
  - are asset tracked and remotely wiped in the case of loss.
  - automatically log out after a period of inactivity.
- Staff are obliged to maintain good data hygiene by securely deleting any data downloaded on to their laptops.
- All passwords used are secure, using a mixture of alphanumeric characters and symbols, and are managed and enforced through a password management app.
- All computers are managed centrally by MDM software to enforce policy adherence.
3rd party software access
- Access to 3rd party software is managed on a Least Privilege (POLP) basis - the least privilege required to accomplish a task being given, and access revoked when no longer needed, in accordance with our software Access Control Policy.
- We use two-factor authentication where supported by the vendor, and require 2FA where personal data is stored in the 3rd party system.
- All staff are required to have secure and unique access handled through our password management app.
- Our Access Control Policy outlines what data permissions each role has access to in terms of categories and types of data.
- Leavers are immediately removed from all software.
- We conduct due diligence on suppliers to ensure that they meet our security standards, and are GDPR compliant.
- Access to physical spaces is managed on a POLP basis - the least privilege required to accomplish a task being given, and access revoked when no longer needed.
- Visitors are always accompanied when within the office.
- All keys and alarm code knowledge are managed through asset tracking, including those of 3rd parties (principally our cleaning company and office locking/unlocking service).
- All devices with network access (principally laptops and tablets) are securely locked away when not in use.
- Elucidat has no server infrastructure in the office - which substantially reduces our risk in this area.
- Out-of-hours office access is strictly limited, and all staff are aware of the policies in place through our staff handbook.
- All paper based waste is shredded and disposed of securely.
- IT assets such as laptops are securely wiped before disposal.
- Office setup ensures the contents of computer screens are not viewable through windows.
- Staff members using their own devices to access Elucidat software or data must do so in accordance with our security rules. Principally this means that:
  - Screens must lock automatically after a period of inactivity.
  - A secure password or fingerprint must be required to unlock the device.
- In certain situations, our staff may use their own devices to access Elucidat services or software. In this case staff are prohibited from downloading personal data onto their device.
- All access to Elucidat software or systems can be blocked remotely without device access.
- Any compromises to security involving personal devices will follow the same process outlined in our Incident and Breach Policies.
- Staff members must advise Elucidat immediately upon loss, theft or unauthorized access to any device with access to Elucidat systems.
- We conduct due diligence on all 3rd party suppliers to ensure that they meet our security standards, and adhere to GDPR.
- All suppliers using Elucidat systems or infrastructure are subject to the same access controls as our staff, for example strong passwords, asset-tracked equipment, good data hygiene and the leavers process described above.
- 3rd parties are aware of, and are expected to adhere to, our security (and other) policies which includes security around access controls.
- Within the course of our regular account management of suppliers, we:
  - Set clear expectations of responsibilities and processes around handling Elucidat data.
  - Conduct regular checks on processes and adherence to policies.
- This policy is reviewed every 6 months, accompanied by an annual risk assessment of our security as a whole.
- Key people:
  - The CTO is ultimately accountable for information security.
  - All leadership team members (department heads) are responsible for policy adherence within their department.
- Our Incident Management, Data Breach and Disaster Recovery Policies are reviewed annually.
- Any security incidents will be logged immediately and, once resolved, reviewed for lessons learnt as part of our security risk assessments and our GDPR review meetings.
- Any changes to the business affecting how we handle data undergo a risk analysis and assessment before any actions are carried out.