FyfeWeb Hosting - Security

Security at FyfeWeb

  • Encryption: We encrypt data in transit and at rest. For some services we also encrypt it in use.
  • Security Standards: We are compliant and certified to the UK Government's Cyber Essentials
    Standards, and all data centre points of presence are ISO 27001 accredited.
  • Vetting & Background Checks: Anyone working for or with us is required to undergo initial
    and spot vetting and background checks.
  • Auditing, Logging & Alerting: We conduct regular internal audits and maintain logs for all
    our portals, systems and services, as well as employing a broad security and availability
    alerting system.
  • Security Operations Centre: Operational 24 hours a day, our Security Operations
    Centre (or "SOC") continuously monitors and works to improve our security posture whilst
    preventing, detecting, analysing, and responding to threats, events & incidents.
  • Policies & Procedures: We maintain a large number of company-wide policies and procedures which
    govern how we operate and how we respond to different situations.
  • And much more...

We recognise that our infrastructure and information must be well managed, controlled and protected. To that end, we have a team that oversees FyfeWeb’s security program, which encompasses high-quality network security, application security, identity and access controls, change management and control, vulnerability management and third-party penetration testing, log/event management, vendor risk management, physical security, endpoint security, governance & compliance, HR security, disaster recovery and a host of additional measures and controls.

Infrastructure Security

Our infrastructure is protected by many mechanisms and controls, including firewalls and access control, with regular scans to ensure that any exposed vulnerabilities are quickly found and patched, and full penetration tests performed regularly. Customer data is processed at locations throughout the UK; access to systems is restricted to specific individuals on a "need to know" basis and zero trust principles, and is monitored and audited for compliance. We use Transport Layer Security (TLS) encryption (also known as HTTPS) on all websites and for all customer data transfers, and customers can elect to have all their data encrypted at rest. Our Services are solely hosted and managed in-house, and the data centres we use are independently audited to ISO 9001 & ISO 27001 and Tier III (3) Standards. To ensure that we maintain the highest possible levels of information security, FyfeWeb internally conforms to ISO 27001 & ISO 9001 and has procured auditing solutions from reputable third-party auditors, who audit our information security practices annually under the UK Government Cyber Essentials standards.

Physical (Data Centre) Security

Since the outset, we have worked with providers and internal members alike to ensure our data centres feature a "multi-layered security model" which encompasses granular levels of access control, to ensure access is granted on a "need to" or bona fide basis only and access is removed for anyone who does not require access to a specific level (or "layer"). A very limited number of people are on a pre-approved access list at any one time for data centre campuses, data centre buildings, plant rooms/facilities, data floors and individual racks.

In addition to our multi-layered approach to physical security, our data centres are equipped with video surveillance cameras (CCTV), automatic numberplate recognition (ANPR) systems, granular access control at all levels, biometrics, perimeter fencing, and individual data floor and individual rack levels of access. Those who do have a bona fide reason to access our data centres are pre-approved and enter the data centres the only way possible: through security access corridors which implement multi-factor access control using security badges, government-issued identification checks, access clearance checks and biometrics.

Customer Security

As a customer, we ask that you ensure that your administrators of the Services follow sound security practices when maintaining access credentials for your instance of the Solutions, including strong account passwords and restricting access to your accounts to authorised persons. Where customers become aware of a compromise of any of their account credentials, we ask that you notify us immediately by contacting our Support Team.

We know that data stored in our cloud, collected through use of our services, submitted to your websites or in your emails, hosted on-net with us, is free-form and could contain all kinds of information about our customers and other people they correspond with, including data of the most confidential sort. Due to the nature of our business (hosting, cloud, email, communications, data centre services etc.) our systems process large amounts of potentially highly confidential data. For this reason, we treat all personal data belonging to our customers as Customer Confidential which is the highest level of classification for customers within our data classification and handling system.

All data transfers inside our data centres are encrypted. All data transfer between our data centres is over encrypted tunnels which are solely managed by our team.

Incident Management & Response

Maintaining an incident response plan is essential for all businesses. This is a key aspect of the work in our security and privacy management systems. Our incident response and management plan incorporates personnel from nearly every department of our business, ensuring that resources are well managed and deployed where they are needed, when they are needed. Our Incident Response & Management Policy lists actions, escalations, mitigations, resolutions and notifications for any potential or actual incident which impacts or erodes the confidentiality, integrity or availability of internal or customer information. Following the successful remediation and resolution of an incident, the incident response team evaluates the lessons learned from the incident. When the incident raises critical issues, the incident commander may initiate a post-mortem analysis. During this process, the incident response team reviews the cause(s) of the incident and FyfeWeb's response and identifies key areas for improvement.

International regulations place significant emphasis on businesses knowing how they process data, who has access to data, and how security incidents will be managed. We have a team of security and compliance professionals who support internal and external customers in navigating their own regulatory compliance and risk management obligations. Our approach includes collaborating with customers to understand and address their specific needs. As new auditing standards are created, our team works to determine what controls, processes and systems are needed to meet them, while facilitating and supporting independent audits and assessments by third parties. In certain situations or circumstances, we also allow customers to conduct audits to validate our security and compliance controls.

Zero Trust

FyfeWeb has a "zero-trust" approach when it comes to networks and the devices located on them. We enforce significant access controls based on information about a network, a device, its state, its associated user or company, location and more. This model treats all networks, including internal and external, as untrustworthy. This creates a concept of borderless compliance where we dynamically assert and enforce levels of access at the application layer. This enables FyfeWeb's security and compliance team to be as secure and effective during an emergency as they would be at any other time.

Asset Inventory Security

We employ a rigorous asset management and disposal system. We use a variety of asset tags and barcodes to closely track the location, status and more of all inventory assets used by the company, whether in our data centres, our office areas or with our remote workers, from acquisition and delivery through installation, usage, retirement and destruction. We have in place a strict chain of custody system which ensures that no equipment leaves a data centre, or anywhere else it is authorised to be, without the appropriate clearance or authorisation. Our strict disposal procedure is adhered to at all times, and any anomalies or variations are investigated without delay and addressed immediately.

Email Security

We mandate that all connections to our servers use Transport Layer Security (TLS) and Secure Sockets Layer (SSL) encryption, for all connections including webmail, services, and IMAP/POP/SMTP email client access. This prevents eavesdropping, tampering, and message forgery on any communication between your computer or phone and our servers. Whenever you send a message to someone outside of the FyfeWeb Network, we have to send it across the open internet. Since the outset, we have fully encrypted all connections between us and the receiving server whenever the other server supports it, preventing passive eavesdropping, tampering or forgery. Similarly, we have accepted encrypted connections for mail delivery to our servers since the outset, and we encourage all servers connecting to us to use it.

Website & Interface Security

A Strict Transport Security header is sent with all of our webpages. This tells all modern browsers to only connect to us over an encrypted connection, even if you have a bookmark, click a link or type a URL to an insecure page at our site. Many unexpected forms of attack come from failing to close potential vulnerabilities, including database port access, SSH port access, and so forth. We use kernel-level firewalling to only allow connections to the services provided by each machine.
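As an added illustration of what the Strict-Transport-Security header above has to contain for a browser to honour it, the following Python is an example written for this page, not FyfeWeb's own code. It parses a header value into its directives (RFC 6797) and flags the weaknesses a reviewer looks for: a missing or zero max-age, a short max-age, and the absence of includeSubDomains. The one-year MIN_MAX_AGE threshold and the sample header values are assumptions constructed for the example.

```python
"""Parse and assess a Strict-Transport-Security (HSTS) response header.

Added example, not FyfeWeb's own code. The sample header values below are
constructed for illustration; the threshold is this example's choice.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Minimum max-age (seconds) this example treats as adequate: one year.
# This is an assumption of the example, not a FyfeWeb policy.
MIN_MAX_AGE = 31_536_000


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(header_value: str) -> HstsPolicy:
    """Split a header value into directives; names are case-insensitive,
    directives are separated by semicolons, unknown ones are ignored."""
    policy = HstsPolicy()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if policy.max_age is not None:
                policy.problems.append("max-age given more than once")
            elif value.isdigit():
                policy.max_age = int(value)
            else:
                policy.problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def assess_hsts(header_value: Optional[str]) -> HstsPolicy:
    """Return the parsed policy with any weaknesses recorded in .problems."""
    if header_value is None:
        policy = HstsPolicy()
        policy.problems.append("no Strict-Transport-Security header sent")
        return policy
    policy = parse_hsts(header_value)
    if policy.max_age is None:
        policy.problems.append("max-age missing: browsers ignore the header")
    elif policy.max_age == 0:
        policy.problems.append("max-age=0 clears the policy rather than setting it")
    elif policy.max_age < MIN_MAX_AGE:
        policy.problems.append(f"max-age {policy.max_age} is below {MIN_MAX_AGE} seconds")
    if not policy.include_subdomains:
        policy.problems.append("includeSubDomains absent: subdomains remain reachable over plain HTTP")
    # Browser preload lists require both a long max-age and includeSubDomains.
    if policy.preload and (not policy.include_subdomains or (policy.max_age or 0) < MIN_MAX_AGE):
        policy.problems.append("preload requested without the max-age/includeSubDomains it requires")
    return policy


# Constructed sample header values, as a scanner might record them per host.
SAMPLE_HEADERS = {
    "good": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=300",
    "broken": "includeSubDomains",
    "missing": None,
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        result = assess_hsts(value)
        verdict = "ok" if not result.problems else "; ".join(result.problems)
        print(f"{label:8} {value!r}: {verdict}")
```

Feeding the value of a live response header into assess_hsts gives the same checks; the point of keeping parsing and assessment separate is that the parser reports only what the header says, while the policy thresholds live in one place and can be tightened without touching it.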

On-disk Encryption

All your data is stored on encrypted disk volumes, including backups. We believe this level of protection strikes the correct balance between confidentiality and availability.

Password Security

Where you are using a password to access our systems, we store that password in a non-reversible encryption scheme using current best practices.
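To show concretely what "non-reversible" password storage means, here is an added Python example, not FyfeWeb's own code, using the standard library's memory-hard scrypt function. Each record carries its own random salt and cost parameters, verification recomputes the key and compares it in constant time, and a needs_rehash check flags records made with weaker settings so they can be upgraded at the user's next login. The cost parameters and record format are this example's choices, not a description of FyfeWeb's systems.

```python
"""Store and verify passwords with a salted, memory-hard hash (scrypt).

Added example, not FyfeWeb's own code. The parameters and the
scrypt$N$r$p$salt$key record layout are this example's assumptions.
"""
import hashlib
import hmac
import os
from base64 import b64decode, b64encode

# Cost parameters for new hashes. Raising them later is handled by
# needs_rehash(), which flags records made with the older, weaker settings.
SCRYPT_N = 2 ** 14   # CPU/memory cost; 128 * r * N bytes = 16 MiB here
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R,
                  p: int = SCRYPT_P) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$key (base64 fields).

    A fresh random salt per password means two users with the same password
    get different records, and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                         dklen=KEY_BYTES)
    return "$".join(["scrypt", str(n), str(r), str(p),
                     b64encode(salt).decode(), b64encode(key).decode()])


def _parse_record(record: str):
    scheme, n, r, p, salt, key = record.split("$")
    if scheme != "scrypt":
        raise ValueError(f"unsupported scheme {scheme!r}")
    return int(n), int(r), int(p), b64decode(salt), b64decode(key)


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the record's own parameters and compare it
    in constant time, so timing does not reveal where the keys differ."""
    n, r, p, salt, expected = _parse_record(record)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when the record was made with weaker parameters than current ones."""
    n, r, p, _, _ = _parse_record(record)
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    # Constructed demonstration values.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("correct horse battery stapel", record))
    legacy = hash_password("correct horse battery staple", n=2 ** 10)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

Because the stored record contains only the salt, the parameters and the derived key, a copy of the database lets an attacker check guesses at scrypt's cost per guess but never read the password back, which is the property the page is describing.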