Security at FyfeWeb
- Encryption: Data is encrypted in transit and at rest
- Vetting & Background Checks: Anyone working for or with us is required to undergo regular vetting and background checks
- Auditing, Logging & Alerting: We conduct regular internal audits, maintain access logs for all portals, facilities, systems and services, as well as employing a broad security and availability
- Access Control: Sophisticated physical and digital access control is employed throughout our data centre points of presence, websites, databases, data storage facilities, systems and services.
- Policies & Procedures: We maintain company-wide policies and procedures which govern how we operate and how we respond to different situations
- And Much More...
We recognise that our customers' information must be well managed, controlled and protected. To that end, we have a team that oversees FyfeWeb's information security program, which encompasses network security, application security, identity and access controls, change management, vulnerability management and third-party penetration testing, log/event management, vendor risk management, physical security, endpoint security, governance and compliance, HR security, disaster recovery and a host of additional controls.
Our infrastructure is protected by many mechanisms and controls, including firewalls and access control. Vulnerability scans are performed regularly so that any exposed vulnerabilities are quickly found and patched, and full penetration tests are performed regularly. Customer data is processed at locations throughout the UK; access to systems is restricted to specific individuals on a "need to know" basis and is monitored and audited for compliance. We use Transport Layer Security (TLS) encryption for all customer data transfers, including HTTPS on all of our websites, and customers can elect to have all of their data encrypted at rest. Our Services are solely hosted and managed in-house, and the data centres we use are independently audited to ISO 9001, ISO 27001 and Tier III standards. To ensure that we maintain the highest possible levels of information security, FyfeWeb internally conforms to ISO 27001 and ISO 9001 and has engaged reputable third-party auditors, who audit our information security practices annually under the UK Government's Cyber Essentials scheme.
Data Centre Security
Since the outset, we have worked with providers and internal teams alike to ensure our data centres follow a "multi-layered security model" built on granular levels of access control: access is granted on a "need to" or bona fide basis only, and access is removed from anyone who no longer requires it at a specific level (or "layer"). A very limited number of people are on the pre-approved access list at any one time for data centre campuses, data centre buildings, plant rooms and facilities, data floors and individual racks.
In addition to this multi-layered approach to physical security, our data centres are equipped with video surveillance cameras (CCTV), automatic number plate recognition (ANPR) cameras, biometrics and perimeter fencing, with access controlled at every level down to the individual data floor and the individual rack. Those who do have a bona fide reason to access our data centres are pre-approved and enter by the only route possible: security access corridors which implement multi-factor access control using security badges, government-issued identification checks, access clearance checks and biometrics.
As a customer, we ask that your administrators of the Services follow sound security practices in maintaining the access credentials to your instance of the Services, including using strong account passwords and restricting access to your accounts to authorised persons. If you become aware that any of your account credentials have been compromised, we ask that you notify us immediately by contacting our Support Team.
Incident Management & Response
Maintaining an incident response plan is essential for all businesses, and it is a key aspect of our security and privacy management systems. Our incident response and management plan incorporates personnel from nearly every department of our business, ensuring that resources are well managed and deployed where and when they are needed. Our Incident Response & Management Policy sets out the actions, escalations, mitigations, resolutions and notifications for any potential or actual incident which impacts or erodes the confidentiality, integrity or availability of internal or customer information. Following the successful remediation and resolution of an incident, the incident response team evaluates the lessons learned. When the incident raises critical issues, the incident commander may initiate a post-mortem analysis, during which the incident response team reviews the cause(s) of the incident and FyfeWeb's response and identifies key areas for improvement.
International regulations place significant emphasis on businesses knowing how they process data, who has access to that data, and how security incidents will be managed. We have a team of security and compliance professionals who support internal and external customers in navigating their own regulatory compliance and risk management obligations, and our approach includes collaborating with customers to understand and address their specific needs. As new auditing standards are created, our team works to determine what controls, processes and systems are needed to meet them, while facilitating and supporting independent audits and assessments by third parties. In certain circumstances, we also allow customers to conduct their own audits to validate our security and compliance controls.
FyfeWeb takes a "zero-trust" approach to networks and the devices located on them: all networks, internal and external alike, are treated as untrusted. We enforce access controls based on information about the network, the device and its state, its associated user or company, its location and more. This creates a form of borderless compliance in which levels of access are dynamically asserted and enforced at the application layer, and it enables FyfeWeb's security and compliance team to be as secure and effective during an emergency as at any other time.
Asset Inventory Security
We employ a rigorous asset management and disposal system. We use asset tags and barcodes to closely track the location, status and other attributes of every inventory asset used by the company, whether in our data centres, our office areas or with our remote workers, from acquisition and delivery through installation, use, retirement and destruction. We have in place a strict chain-of-custody system which ensures that no equipment leaves a data centre, or any other location it is authorised to be in, without the appropriate clearance or authorisation. Our disposal procedure is adhered to at all times, and any anomalies or variations are investigated and addressed without delay.