Have security-related job responsibilities, including oversight and accountability, been clearly defined and documented?

Yes. All roles have a detailed job description in place that sets out their Information Governance responsibilities. Chris Martin is currently accountable for Information Governance.

Are policies for information handling and labelling in place?

Yes. TeamKinetic has policies covering Information Governance, Continuity, Security, Personnel, Safeguarding, Data Sharing and API use.

Are all third-parties vetted prior to being granted privileged access to data?

Third-party contractors do not have access to live data. All data is encrypted at rest and in transit.

Do you maintain an inventory of all important information assets with asset owners clearly identified?

Yes. Information assets are held in applications that are directly owned by our customers, who are the asset owners.

Describe the screening process for all users (employees, contractors, vendors, and other third parties).

Access to data is limited to the operational team. These staff have all undergone IG training and DBS checks, and are part of the senior team at TeamKinetic. No other employees, contractors, vendors or other third parties have access to user data.

Describe your hiring process and how a new employee is granted access to network resources and when these access rights are reviewed.

All prospective candidates are interviewed first by a single team member and then by a panel of at least three current employees. All new starters are inducted and undergo a basic information governance session with Chris. Only staff with a specific requirement are ever granted direct access to user data.

Do you conduct formal information security awareness training for all users, including upper management?

Yes, all staff undergo basic information governance training.

Describe the physical security mechanisms that prevent unauthorized access to your office space, user workstations, and server rooms/data centres?

All TeamKinetic sites have the following physical security provisions in place:

  • Security perimeter
  • Proximity ID (smartcards) for access control
  • Receptionist
  • CCTV cameras
  • Fire / flood protection
  • Cables and network ports protected from unauthorised access
  • On-site redundancy and engineering support

Controls are in place to secure access to networked services, and access is granted through a documented process. The ability to provision user accounts is reviewed at least annually.

Secure remote network access is granted via VPN, with no dual-homing or split tunnelling. Appropriate encryption is employed, documented, reconciled and monitored to the AES-256 standard.

All systems in our internal, externally-facing and DMZ environments are secured.

Do you employ automatic locking screen savers when users’ workstations remain idle after a set period of time?

All workstations lock automatically after a period of inactivity and require a password to resume.

How is the removal of equipment from the premises authorized and controlled?

All storage equipment is first comprehensively formatted and then physically destroyed before it is removed from the premises.

How do you protect your systems against newly-discovered vulnerabilities and threats?

The servers that run and serve TeamKinetic are patched against zero-day vulnerabilities, and security patches are applied as soon as they are released.

How do you prevent end users from installing potentially malicious software (e.g., list of approved applications, locking down the desktop)?

All workstations are operated at the lowest privilege level possible. Without administrator access it is not possible to install software on a workstation.

Centrally managed anti-virus and anti-malware software is used to check workstations and to isolate suspect items where necessary.

Do you scan traffic coming into your network for viruses?

Our email servers scan all incoming messages for viruses and quarantine them accordingly.

How do you dispose of computer media when they are no longer of use and are logs kept of media disposal activity?

All storage-capable equipment is comprehensively formatted and then physically destroyed before being disposed of.

Describe how you protect information media (e.g., back-up tapes) that is shipped offsite.

Media and backups that are stored off-site are protected by RSA encryption.

Please describe your Access Control Policy.

Our access control policy is based on granting the minimum level of access required at all times (least privilege).

Any user or system that requires access to our resources must first submit an access proposal explaining what access is required and why.

If approved, the access request is passed to our Chief Technical Officer, who is responsible for setting up the lowest level of access that still allows the work to be carried out, and for revoking that access after the agreed time.

All access requests are logged. Once the agreed access period has lapsed, revocation is verified by a second technical officer to ensure that access has not been retained.

Describe the process by which non-employees (e.g., contractors, vendors and customers) are granted access to network resources and how often these are reviewed.

Only authorised systems engineers are allowed physical access to our remotely hosted servers. This access is logged via security card.

No third parties have standing access to the operating system of our servers. Where access has to be granted, it is provided through least-privileged user accounts that are strictly time-limited.

Such permissions are revoked once the work requiring access has been completed.

To what extent is users’ system use logged and monitored?

Full system logs of both server and database access are retained for two weeks.

Is an information security incident log maintained?

Yes

Are incident reports issued to appropriate management?

Yes

Are audit logs or other reporting mechanisms in place on all platforms?

Yes

Are internal and external audits performed on a regular basis?

Yes

Do you have a documented business continuity plan?

Yes

Do you have a documented disaster recovery policy?

Yes