Data Security Measures
Zest4 has invested heavily in both the physical and virtual security of our servers. All data servers are held securely in an onsite secure environment.
Technical controls that are in place include, but are not limited to, the following:
- Review our entire company, the way we handle data and the way in which we use it to provide our services.
- The access lists on firewalls are based on specific open ports for applications only. All other ports are blocked.
- The web servers are highly secure, with inbuilt features capable of protecting against various threats; request filtering rules and the security configuration wizard are enabled and configured.
- Servers and PCs are protected and regularly scanned with the best available antivirus / spyware / malware tools, which are updated in line with our patching policies and processes.
- Servers and PCs have inbuilt features e.g. dynamic rules-based policies to protect shared folders and files
- Security auditing is enabled as a risk assessment feature, which helps identify attacks (successful or not) that pose a threat to our network, or attacks against resources
- Data held is encrypted at rest and in transit; this includes files stored on our servers and the use of opportunistic TLS, at a minimum, for all email traffic.
Access to client data is strictly controlled through our Role Based Access Controls, which are maintained in line with our Information Security Policy, IT Policy and Administrator Accounts Policy. Only when a client specifically requests that change is made, or a request for support relating to specific client data is made, will a qualified member of the Service Team access the client data set.
Training & Awareness
All Zest4 employees with access to either personal or client data are given appropriate data protection and information security training. This is supported with awareness campaigns and group workshops to promote best practice and promote information governance as a business enabler.
Q: Is a corporate approach to risk management in place which enables the escalation of project risks to programme and/or organisational level risk registers?
A: The running of risk management activities is conducted by the IT Management Team. The Board has full oversight of risks and sufficient levels of escalation routes exist to effectively manage any risks which are above/outside of the organisation’s risk appetite.
Business Continuity / Disaster Recovery and Backups
Q: Do you have a BCP (Business Continuity Plan) and DRP (Disaster Recovery Plan) in place?
A: Yes – Zest4 continually reviews these plans when updating services and processes to ensure that all aspects of our services are included within their scope. Our data is backed up on premises and will imminently also be backed up at data centres based in the UK.
Q: Is data backup encrypted and to what standard?
A: Backup data is encrypted using 256-bit AES.
Q: How long are backups maintained for?
A: 7 years
Q: How is client data separated from other clients’ data?
A: Zest4 has adopted multi-tenancy principles; client data is segregated using appropriate logical controls.
Q: Is there a process to ensure that media is erased securely at disposal?
A: All physical hardware containing personal data is securely disposed of using approved WEEE vendors.
Q: Has an owner been assigned to all information assets which require protection?
Security Assessment & Incident Management
Q: Are there regular vulnerability scans performed?
A: Vulnerability scans are conducted regularly against all key systems, to ensure that Zest4 continues to protect the data it holds. This includes, but is not limited to, the following:
- Port Scanning
- Services Probing
- Application Layer Testing
- Password Strength Testing
- Manual Vulnerability Testing and Verification
- Manual Configuration Weakness Testing and Verification
- Database Security Controls Testing
Any risks or vulnerabilities identified are immediately rectified by appropriate remedial actions.
Q: Are security assessments undertaken at regular intervals?
A: Both Internal and external assessments are regularly conducted as part of our information security and data protection programmes to monitor the effectiveness of our controls. Areas covered include, but are not limited to, the following:
- Perimeter Security
- Access Control
- Secure areas and/or cabinets for the storage of sensitive assets.
Q: Is there a security incident procedure?
A: Our incident management policy and process contain additional provisions for data breaches and security incidents. This includes the identification of a breach/incident, establishing its scope, notification to third parties/data subjects, and all investigative efforts and remedial actions.
Q: Are user passwords hashed / how are they stored?
A: Passwords are hashed and encrypted.
Q: Is any part of the service outsourced to a 3rd party? If yes, do the terms of the contract between the Provider and its subcontractors reflect the same level of security and data protection as the one to which the Provider commits?
A: Aspects of the systems we use are outsourced to third parties; this includes our data centre providers and off-site data backup solutions. All contractual agreements with our third-party providers reflect those we have entered into with our clients.
Access Controls & Administrator Management
Q: Are access controls in place to ensure information is only available to system users who require access?
A: Yes, Zest4 follows the principle of Role Based Access Control to ensure that data is only accessible to those who require access as part of their core activities.
Remote Working and Mobile Device Management
Q: In relation to the ICT systems used to deliver your service, which of the following is true?
- We permit remote working
- We allow staff to connect their own devices to our ICT systems
A: We promote remote working, as many of the activities we conduct take place on client sites. Security controls and strict processes are in place to ensure that the risks of remote working are minimised; this includes device encryption, secure VPN traffic and the use of mobile device management software to apply organisational controls to remote devices. Only approved devices, which have been supplied by Zest4, are permitted to be used on our ICT infrastructure.
Q: Are network security boundaries defined and enforced to group users, services and information that require different levels of protection?
A: Yes, permissions and access are assigned based on roles and responsibilities.
Q: Are processes and controls in place to ensure that equipment and cabling is protected and maintained to preserve the confidentiality, integrity and availability of our assets?
A: Yes, these assets are protected to meet industry best practice.
Q: Are background verification checks carried out on employees and contractors who have access to our assets?
A: All staff have routine verification checks conducted prior to employment, including checks of identification, right to work and verification of previous employment.
Q: Are non-disclosure agreements in place with all staff who have access to our assets?
A: Yes, these are built into the terms of employment and Citation’s company policies.
Q: Is a disciplinary process in place for employees and contractors who have committed a security breach?
A: Yes, any breach of company policies and procedures may be subject to disciplinary action.
Q: Upon termination of employment, is there a process in place to ensure assets are returned and rights to assets revoked?
A: Yes, this is part of the standard staff management process.