Security Measures

Certification

The service is Cyber Essentials certified, a UK government-backed scheme managed by the National Cyber Security Centre, which is part of GCHQ.

Certificate number: IASME-CE-005986

Physical Access Controls

Microsoft Azure
The service is hosted in the cloud on Microsoft Azure across two UK-based data centres that comply with industry standards such as ISO 27001.

Microsoft designs, builds, and operates its data centres in a way that strictly controls physical access to the areas where data is stored. Microsoft have an entire division devoted to designing, building, and operating the physical facilities supporting Azure. This team is invested in maintaining state-of-the-art physical security.

Microsoft takes a layered approach to physical security, to reduce the risk of unauthorised users gaining physical access to data and the data centre resources. Data centres managed by Microsoft have extensive layers of protection: access approval at the facility's perimeter, at the building's perimeter, inside the building, and on the data centre floor. Layers of physical security are:

Access request and approval
Access must be requested prior to arriving at the data centre. A valid business justification for visiting must be provided, such as compliance or auditing purposes. All requests are approved on a need-to-access basis by Microsoft employees. A need-to-access basis helps keep the number of individuals needed to complete a task in the data centres to the bare minimum. After Microsoft grants permission, an individual only has access to the discrete area of the data centre required, based on the approved business justification. Permissions are limited to a certain period of time, and then expire.

Facility's perimeter
On arrival at a data centre, visitors are required to go through a well-defined access point. Typically, tall fences made of steel and concrete encompass every inch of the perimeter. There are cameras around the data centres, with a security team monitoring their videos at all times.

Building entrance
The data centre entrance is staffed with professional security officers who have undergone rigorous training and background checks. These security officers also routinely patrol the data centre, and monitor the videos of cameras inside the data centre at all times.

Inside the building
Upon entering the building, visitors must pass two-factor authentication with biometrics to continue moving through the data centre. If the visitor's identity is validated, they can enter only the portion of the data centre that they have approved access to. They can stay there only for the duration of the time approved.

Data centre floor
Visitors are only allowed onto the floor that they are approved to enter. They are required to pass a full body metal detection screening. To reduce the risk of unauthorised data entering or leaving the data centre without Microsoft's knowledge, only approved devices can make their way into the data centre floor. Additionally, video cameras monitor the front and back of every server rack. When exiting the data centre floor, visitors again must pass through full body metal detection screening. To leave the data centre, visitors are required to pass through an additional security scan.

Physical Security Reviews
Periodically, Microsoft conduct physical security reviews of the facilities to ensure the data centres properly address Azure security requirements. The data centre hosting provider's personnel do not provide Azure service management: they cannot sign in to Azure systems and do not have physical access to the Azure colocation room and cages.

System Access Controls

Authentication
Remote access to production applications and systems is provided only to support and engineering teams. Access is restricted by IP address, and valid login credentials are required. Network security groups and roles are in place to limit access to features and services within the production environment.

Personnel Screening
Recommendations from the Home Office Baseline Personnel Security Screening (BPSS) standard are followed for pre-employment screening.

Data Access Controls

Permissions
Granular access to all features within the application can be limited by permission groups for both users and administrators.

Sessions
The application manages sessions on both the client and the server side; idle sessions are terminated after 40 minutes.

Transmission Controls

Firewalls
Firewalls are in place to control incoming and outgoing network traffic.

Antivirus
Antivirus software is installed to ensure any malicious files are removed when detected. Virus definitions are automatically updated every 24 hours. Files are scanned on access, critical areas are scanned daily, and full scans run weekly.

Other Defenses
The environment has systems in place to block network attacks, including port scanning, denial-of-service attacks, buffer-overrun attacks and other remote malicious actions directed at the programs and services that use the network.

Input Controls

XSS
Cross-Site Scripting (XSS) controls are configurable to prevent specific characters from being entered into fields, while protection against SQL injection attacks is enforced. Additionally, the site can be prevented from running inside iframes.

Passwords
Password validation rules are configurable alongside expiry settings to prevent users from creating easy-to-guess passwords. A password lockout policy is available as an optional feature to prevent brute-force attacks on user and administrator accounts.

Data Backups

Data recovery procedures are in place in the unlikely event of a disaster. Any recovery of data due to user error is an additional chargeable service.

Disaster Recovery Plan
The disaster recovery plan is continuously reviewed and approved by executive management.

The plan is tested regularly to identify changes in the environment and to incorporate any new situations; it was most recently tested in September 2020 and will next be tested in September 2021.

Disaster Recovery Objectives
The standard maximum tolerable period in which data might be lost in the event of a disaster, also known as the Recovery Point Objective (RPO), is 24 hours.

The standard maximum tolerable period within which normal business operations must be restored in the event of a disaster, also known as the Recovery Time Objective (RTO), is six working days. The time taken to restore a system from backup depends on the size of the application and the severity of the disaster.

Data Retention
A Grandfather-Father-Son (GFS) retention policy, a backup rotation scheme intended for long-term archiving, is in operation.

Data Replication
Data is replicated off-site every five minutes to ensure continuation of service.

Data Segregation

Dedicated databases are utilised to separate customer data, while dedicated servers are used to isolate types of data at a file system level.

Application and file permissions are used to maintain separation of data.

Encryption

In Transit
All data in transit (between the service and the end user) is SHA256-RSA encrypted.

Encryption was last assessed in April 2021. The assessment analyses the certificate, protocol support, key exchange and cipher strength.

Protocols and ciphers are continuously reviewed to ensure those with known vulnerabilities are removed from the environment.

At Rest
All data at rest is encrypted using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant.

All data is encrypted and managed with Microsoft-managed keys. Key rotation and key control are the responsibility of Microsoft.

Incidents

The objective of the Computer Security Incident Response Team (CSIRT) is to minimise and control the damage resulting from incidents, provide effective guidance for response and recovery activities, and work to prevent future incidents from happening.

Audits

Security audits are performed annually to identify and mitigate security risks.

Independent specialist security companies are contracted to conduct third-party audits and penetration tests to improve security controls and processes.

For security reasons, the audit reports are not publicly accessible; however, an assessment is available upon request.

Security assessments commissioned by clients are permitted; however, because security assessments vary in type, a test plan and scope are required before approval.

Security Updates

Security updates are applied to protect data from known vulnerabilities.

Updates are tested in a separate test environment before release to assess compatibility. Software is periodically checked to ensure security updates are applied in a timely manner.