Availability, Privacy & Security; how we take it seriously and what we are doing to protect you & your data.
We take privacy, service availability and security incredibly seriously, which is why it is incorporated into every aspect of our business. We have a dedicated page which details some of the security mechanisms and methods we have in place, but I thought that I'd take the time to go indepth to outline how we secure our customers and their data a bit further.
1. Employee vetting and background checks
Before someone joins our staff, FyfeWeb verifies their education and previous employment, and performs internal and external reference checks. Where applicable laws or statutory regulations permit, FyfeWeb may also conduct identity, criminal, and credit checks and confirm immigration status, depending on the position.
2. Security awareness training
All FyfeWeb employees, including contractors and anyone else who works with us, undergo regular security awareness training as part of the induction process, and as part of their continued development throughout their time at FyfeWeb. During the induction phase, new employees also agree to our Code of Conduct, which highlights our commitment to keeping customer information safe and secure.
Depending on their role, employees participate in additional training which is tailored or covers aspects of security which is relevant for their role. For example, the information security team instructs contractors on topics like secure coding practices, product design and automated vulnerability testing tools. Engineers also attend technical presentations on security-related topics and receive a regular security and vulnerability threat intelligence bulletins and newsletters from a large range of sources that covers new threats, attack patterns, mitigation techniques and more.
3. Secure operating environment and adequate auditing
International data protection regulations place significant emphasis on businesses knowing how they process data, who has access to data, and how security incidents will be managed. We have a team of engineers and compliance professionals who support customers in navigating their own regulatory compliance and risk management obligations. Our approach includes collaborating with customers to understand and address their specific needs. As new auditing standards are created, our team works to determine what controls, processes and systems are needed to meet them, while facilitating and supporting independent audits and assessments by third parties. In certain situations or circumstances, we also allow customers to conduct audits to validate our security and compliance controls.
FyfeWeb has a "zero-trust" approach when it comes to networks and devices located on them. We enforce significant access controls based on information about a network, a device, its state, its associated user or company, location and more. This considers all networks, including internal and external, to be untrustworthy. This creates a concept of borderless compliance where we dynamically assert and enforce levels of access at the application layer. This enables FyfeWeb's security and compliance team to be as secure and effective during an emergency as they would be at any other time.
4. Engaging with staff and the wider security and privacy community
Security and privacy is an ever-evolving topic and FyfeWeb recognises that regular outreach with our partners, appropriate communities in the industry as well as other parties forms a key aspect of raising awareness. This includes outlining best practices staff should adhere to and habits & behaviours that they should avoid or refrain from doing. We truly believe that collaboration between companies and industry communities can be a factor which drives innovation and development.
5. Security Operations Centre
We employ a team of passionate and dedicated security and privacy professionals who form part of our Security Operations Centre (or "SOC"). Our Security Operations Centre is tasked with maintaining our defences, developing our security processes & procedures, implementing our security policies and proactively/reactively scanning for threats.
The Security Operations Centre are also responsible for the day-to-day and long term oversight, responsibility and management of our information security, cyber security, physical security, penetration testing, quality assurance (QA) and system, application and network security.
6. Privacy Operations
Privacy is a fundamental right and your privacy is important to us. We are committed to protecting our user's information whilst empowering them to reach their full potential. As such, we have developed an inter-departmental and cross-functional team, called the "Privacy Directorate" which enables us to monitor and remain up to date with current issues, legislation, regulation, events, judgements & more and ultimately being able to hold ourselves accountable to ensure the proper use and protection of personal information that we process.
7. Data Centres
In order for FyfeWeb, or any business in our industry in-fact, to maintain any form of security over the information we process, is to ensure that the we use data centres which are secure, controlled and accreditied. Since the outset, we have worked with providers and internal members alike to ensure our data centres feature a "multi-layered security model" which encompasses granular levels of access control, to ensure access is granted on a "need to" or bona fide basis only and access is removed for anyone who does not require access to a specific level (or "layer").
We pride ourselves on the fact of that the closer you get to the data center floor, the tighter the security measures become -- a very limited number of people have clearance to even enter the data centre campuses we use, nevermind data centre buildings, data floors or individual racks.
In addition to our multi-layered approach to physical security, our data centres are equipped with video surveillance cameras (CCTV), automatic numberplate recognition (ANPR) cameras, granular methods of access control at all levels, biometrics, perimeter fencing and individual data floor and individual rack levels of access. Those that do have a bona fide reason to access our data centres, are pre-approved and access the data centres the only way possible; through security access corridors which implement multi-factor access control using security badges, government issued identification checks, access clearance checks and biometrics.
8. Renewable energy sources
We are passionate about reducing the impact we have on the environment wherever we can and where it is possible we use renewable energy sources to power the data centres we use. Our data centre providers work to reduce waste by ensuring that data centres are designed to reduce unnecessary waste.
9. Hardware & Software
We pride ourselves on only using hardware from Tier 1 hardware providers, such as Juniper Networks, Dell EMC and HPE. This means that our equipment features energy efficiency advantages, equipment's feature-set is secure by design and much more.
10. Asset Management & Disposal
We employ a rigorous asset management and disposal system. We use a variety of asset tags and barcodes to closely track the location, status and more of all inventory assets used by the company, whether this be in our data centres, our office areas or our remote workers, from acquisition and delivery, installation, usage, retirement and destruction. We have in place a strict chain of custody system which ensures that no equipment leaves a data centre, or anywhere else it is authorised to be, without the appropriate clearance or authorisation. Our strict disposal procedure is adhered to at all times and any anomalies or variations are investigated without delay and are addressed immediately.
When a disk drive is retired, authorised personnel verify a given disk has been properly erased in compliance with the "DoD 5220.22-M" standard which requires:
- Pass 1: Overwrite all addressable locations with binary zeroes
- Pass 2: Overwrite all addressable locations with binary ones
- Pass 3: Overwrite all addressable locations with a random bit pattern
- Final Pass: Confirmation of data deletion and drive wipe
From this point, drives are either: (a) stored in our secure storage locations awaiting re-use, deployment or acquisition; or (b) they are destroyed using a range of methods, ensuring that all data bearing equipment is destroyed to a point where no data can be recovered.
With all of the above in mind, this ensures that services remain highly available and your data remains secure. To learn more about our compliance, security or business continutity processes, please visit www.fyfeweb.com/security.html. Otherwise, please visit: www.fyfeweb.com