
Security & Compliance


We recognise that our infrastructure and information must be well managed, controlled and protected. To that end, we have a team that oversees FyfeWeb's security programme, which encompasses network security, application security, identity and access controls, change management and control, vulnerability management and third-party penetration testing, log and event management, vendor risk management, physical security, endpoint security, governance and compliance, HR security, disaster recovery and a host of additional measures and controls.

Security Information

Our infrastructure is protected by many mechanisms and controls, including firewalls and access control. Vulnerability scans are performed regularly so that any exposed vulnerabilities are found and patched quickly, and full penetration tests are performed regularly. Customer data is processed at locations throughout the UK; access to systems is restricted to specific individuals on a "need to know" basis under zero trust principles, and is monitored and audited for compliance. We use Transport Layer Security (TLS) encryption (also known as HTTPS) on all websites and for all customer data transfers, and customers can elect to encrypt their own data at rest themselves, in addition to our disk-level encryption. Our Services are solely hosted and managed in-house, and the data centres we use are independently audited to ISO 9001, ISO 27001 and Tier III standards.

To maintain the highest possible levels of information security, FyfeWeb internally conforms to ISO 27001 and ISO 9001, and has engaged reputable third-party auditors who audit our information security practices at least annually.

All your data is stored on encrypted disk volumes, including backups. Disk-level encryption protects the data on a drive that is lost, stolen or retired; it does not protect data from someone with access to the running system, which is why customers who need that protection can additionally encrypt their own data at rest. We believe this level of protection strikes the correct balance between confidentiality and availability.

FyfeWeb maintains DDoS mitigation via in-line Corero scrubbing appliances and upstream mitigation. As well as our core-level and in-line Corero intelligent anti-DDoS appliances, we work with a number of providers to provide 'always-on' dedicated clean inbound connections for all customer services. Whether you are considered at risk or simply want added protection for your service, our DDoS-protected network offers peace of mind. By default, all FyfeWeb-hosted VPS servers, websites, dedicated servers and colocation are protected from DDoS attacks. For customer deployments that need additional protection, we can increase filtering sensitivity as and when required.

Since the outset, we have worked with providers and internal staff alike to ensure our data centres feature a "multi-layered security model" with granular access control, so that access is granted only on a "need to" or bona fide basis and is removed from anyone who no longer requires access to a specific level (or "layer"). A very limited number of people are on the pre-approved access list at any one time for data centre campuses, data centre buildings, plant rooms and facilities, data floors and individual racks.

In addition to this multi-layered approach to physical security, our data centres are equipped with video surveillance (CCTV), automatic number plate recognition (ANPR), perimeter fencing, biometrics and granular access control at every level, down to the individual data floor and the individual rack. Those with a bona fide reason to access our data centres are pre-approved and enter the only way possible: through security access corridors that implement multi-factor access control using security badges, government-issued identification checks, access clearance checks and biometrics.

As a customer, we ask that the administrators of your Services follow sound security practices for the credentials used to access your instance, including strong account passwords and restricting access to your accounts to authorised persons. If you become aware that any of your account credentials have been compromised, please notify us immediately by contacting our Support Team.

We know that data stored in our cloud, collected through use of our services, submitted to your websites or contained in your emails, hosted on-net with us, is free-form and could contain all kinds of information about our customers and the people they correspond with, including data of the most confidential sort. Due to the nature of our business (hosting, cloud, email, communications, data centre services and so on), our systems process large amounts of potentially highly confidential data. For this reason, we treat all data belonging to our customers as "Customer Confidential", the highest customer classification within our data classification and handling system, which carries access restrictions and limitations.

All data transfers inside our data centres are encrypted. All data transfers between our data centres travel over encrypted tunnels and links. Where you use a password to access our systems, we never store the password itself: we store only a non-reversible (one-way) hash of it, produced by a current best-practice password hashing scheme rather than by reversible encryption, so the password cannot be recovered from our records.

Maintaining an incident response plan is essential for any business, and it is a key part of our security and privacy management systems. Our incident response and management plan draws on personnel from nearly every department of the business, ensuring that resources are well managed and deployed where and when they are needed. Our Incident Response & Management Policy sets out the actions, escalations, mitigations, resolutions and notifications for any potential or actual incident that impacts or erodes the confidentiality, integrity or availability of internal or customer information. Once an incident has been remediated and resolved, the incident response team evaluates the lessons learned. Where an incident raises critical issues, the incident commander may initiate a post-mortem analysis, in which the team reviews the cause(s) of the incident and FyfeWeb's response and identifies key areas for improvement.

International regulations place significant emphasis on businesses knowing how they process data, who has access to data, and how security incidents will be managed. We have a team of security and compliance professionals who support internal and external customers in navigating their own regulatory compliance and risk management obligations. Our approach includes collaborating with customers to understand and address their specific needs. As new auditing standards are created, our team works to determine what controls, processes and systems are needed to meet them, while facilitating and supporting independent audits and assessments by third parties. In certain situations or circumstances, we also allow customers to conduct audits to validate our security and compliance controls.


FyfeWeb takes a "zero trust" approach to networks and the devices on them. We enforce access controls based on information about the network, the device and its state, its associated user or company, its location and more, treating all networks, internal and external alike, as untrusted. Levels of access are asserted and enforced dynamically at the application layer rather than at a network border, which means FyfeWeb's security and compliance team can work as securely and effectively during an emergency as at any other time.

We employ a rigorous asset management and disposal system. Asset tags and barcodes let us closely track the location, status and other attributes of every inventory asset used by the company, whether in our data centres, our offices or with our remote workers, from acquisition and delivery through installation, use, retirement and destruction. A strict chain-of-custody system ensures that no equipment leaves a data centre, or anywhere else it is authorised to be, without the appropriate clearance or authorisation. Our disposal procedure is adhered to at all times, and any anomalies or variations are investigated without delay and addressed immediately.

When a disk drive is retired, authorised personnel verify that it has been properly erased in accordance with the "DoD 5220.22-M" three-pass overwrite method, which requires:

- Pass 1: Overwrite all addressable locations with binary zeroes

- Pass 2: Overwrite all addressable locations with binary ones

- Pass 3: Overwrite all addressable locations with a random bit pattern

- Final Pass: Confirmation of data deletion and drive wipe

From this point, drives are either (a) stored in our secure storage locations awaiting re-use, deployment or acquisition, or (b) destroyed using a range of methods, ensuring that all data-bearing equipment is destroyed to a point where no data can be recovered.
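The pass sequence above, carried out end to end as an added example that is not FyfeWeb's tooling: three overwrite passes with an fsync between them, and a final read-back of the medium that is compared against a digest of what the random pass wrote. It runs against a regular file so it can be tried safely; pointing it at a block device needs root and is not the way to try it. One caveat, which is an assumption about hardware rather than something the page states: overwrite passes only reach the addresses a drive exposes, so for SSDs with wear levelling, and for any drive with remapped sectors, NIST SP 800-88 sanitisation (ATA Secure Erase or cryptographic erase) is needed instead of, or in addition to, a pattern overwrite.

```python
"""Three-pass overwrite with read-back verification, run against a regular file.

Added example, not FyfeWeb's tooling. Reproduces the pass sequence listed above
on a file path. Caveat (an assumption about the hardware, not a claim of the
page): overwrite passes only reach the LBAs the drive exposes; SSDs and drives
with remapped sectors need NIST SP 800-88 style sanitisation as well.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per write


def _write_all(fh, data: bytes) -> None:
    """Unbuffered writes may be short; loop until every byte has been written."""
    view = memoryview(data)
    while view:
        view = view[fh.write(view):]


def _overwrite(path: str, size: int, fill) -> str:
    """Overwrite `size` bytes of `path` with fill(n) -> bytes; return SHA-256 of the bytes written."""
    written = hashlib.sha256()
    with open(path, "r+b", buffering=0) as fh:
        remaining = size
        while remaining:
            block = fill(min(CHUNK, remaining))
            _write_all(fh, block)
            written.update(block)
            remaining -= len(block)
        os.fsync(fh.fileno())  # force this pass to the medium before the next begins
    return written.hexdigest()


def _readback_digest(path: str, size: int) -> str:
    """SHA-256 of the first `size` bytes as the medium returns them now."""
    h = hashlib.sha256()
    with open(path, "rb", buffering=0) as fh:
        remaining = size
        while remaining:
            block = fh.read(min(CHUNK, remaining))
            if not block:
                raise IOError("short read during verification")
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()


def wipe_file(path: str) -> dict:
    """Passes 1-3 from the list above, then the final read-back confirmation."""
    size = os.path.getsize(path)
    report = {"size": size, "passes": []}
    # Pass 1: binary zeroes
    report["passes"].append(("zeros", _overwrite(path, size, lambda n: b"\x00" * n)))
    # Pass 2: binary ones
    report["passes"].append(("ones", _overwrite(path, size, lambda n: b"\xff" * n)))
    # Pass 3: random bit pattern; only its digest is kept, for the check below
    random_digest = _overwrite(path, size, os.urandom)
    report["passes"].append(("random", random_digest))
    # Final pass: what the medium returns must equal what pass 3 wrote
    report["verified"] = _readback_digest(path, size) == random_digest
    return report


def demo(marker: bytes = b"SECRET-CUSTOMER-DATA", repeats: int = 100_000) -> dict:
    """Wipe a constructed temp file (sample data, not real) and report whether the marker survived."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * repeats)        # ~2 MB, spans several CHUNKs
        path = tmp.name
    try:
        report = wipe_file(path)
        with open(path, "rb") as fh:
            report["marker_survived"] = marker in fh.read()
    finally:
        os.unlink(path)
    return report


if __name__ == "__main__":
    print(demo())
```

The verification step compares a digest rather than re-reading the random pattern into memory, so the check costs one extra read of the medium regardless of drive size; a mismatch means the final pass did not reach the medium and the drive must not be released for re-use.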

We mandate that all connections to our servers use Transport Layer Security (TLS, the successor to SSL), for all connections including webmail, services, and IMAP/POP/SMTP email client access. This prevents eavesdropping, tampering and message forgery on communication between your computer or phone and our servers. Whenever you send a message to someone outside the FyfeWeb network, we have to send it across the open internet. Since the outset, we have encrypted the connection to the receiving server whenever that server supports it (opportunistic TLS via STARTTLS). This prevents passive eavesdropping; because a server that does not offer TLS still receives the message in the clear, it does not on its own stop an active attacker who strips the TLS offer, so protection against tampering and forgery on that hop also depends on the receiving server's configuration. Similarly, we have accepted encrypted connections for mail delivery to our servers since the outset, and we encourage all servers connecting to us to use them.

A Strict-Transport-Security header is sent with all of our web pages. This tells all modern browsers to connect to us only over an encrypted connection, even if you follow a bookmark, click a link or type a URL to an insecure (http://) page on our site. Many unexpected attacks come from failing to close potential exposures such as reachable database ports, SSH ports and so forth. We use kernel-level firewalling to allow connections only to the services each machine actually provides.
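How a browser reads that header, and the checks worth running against your own, as an added example that is not FyfeWeb's code. The parser applies the RFC 6797 rules (max-age is mandatory, directive names are case-insensitive, the value may be quoted, a repeated directive invalidates the header, unknown directives are ignored) and the assessment flags the settings that weaken the policy. The one-year threshold is the minimum the browser preload list accepts; treating it as the bar for an ordinary deployment is this example's own assumption, and all header strings are constructed samples.

```python
"""Parse and assess a Strict-Transport-Security header as a browser would.

Added example, not FyfeWeb's code; the header strings are constructed samples.
ONE_YEAR is the preload-list minimum, used here as an assumed policy threshold.
"""
ONE_YEAR = 31536000


def parse_hsts(value: str) -> dict:
    """Return max_age, include_subdomains, preload and a list of grammar errors."""
    result = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')          # delta-seconds may be a quoted-string
        if name in seen:                      # RFC 6797: a directive MUST NOT appear twice
            result["errors"].append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                result["errors"].append(f"bad max-age value: {val!r}")
            else:
                result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # any other directive is unknown and ignored, as the RFC requires
    if result["max_age"] is None:
        result["errors"].append("max-age directive missing")
    return result


def assess_hsts(value: str) -> list:
    """Findings a reviewer would raise; an empty list means the header is as strong as it gets."""
    p = parse_hsts(value)
    findings = list(p["errors"])
    if p["max_age"] == 0:
        findings.append("max-age=0 removes the policy; browsers will forget this host")
    elif p["max_age"] is not None and p["max_age"] < ONE_YEAR:
        findings.append(f"max-age {p['max_age']} is below one year; the unprotected first-visit window reopens sooner")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains absent; subdomains (and cookies scoped to them) stay unprotected")
    if p["preload"] and not (p["max_age"] and p["max_age"] >= ONE_YEAR and p["include_subdomains"]):
        findings.append("preload requested but the preload list requires max-age >= 1 year and includeSubDomains")
    return findings


if __name__ == "__main__":
    for sample in ("max-age=31536000; includeSubDomains; preload", "max-age=600", "includeSubDomains"):
        print(sample, "->", assess_hsts(sample) or "ok")
```

Note that HSTS only takes effect after the browser has seen the header once over a valid HTTPS connection; the preload list exists precisely to close that first-visit gap, which is why the assessment ties the `preload` directive to the long max-age and `includeSubDomains` it requires.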