Under Frontdeskey data security policies, all IT operations undergo regular risk, compliance and business continuity reviews. The reviews are driven by multiple assessment frameworks, including but not limited to PCI-DSS and PII, and occur at least annually. For PCI-DSS we undergo an annual external audit by an independent auditor (currently BAE Systems) covering all relevant systems, risks and processes that fall within the scope of the PCI-DSS certification. PCI-DSS Certification and Attestation of Compliance can be shared subject to appropriate confidentiality arrangements being in place. In addition to regular calendar review events, there are multiple real-time, semi-real-time and recurring information sources that give data on compliance, risk and operations within Frontdeskey. These data points are used to aid decision making and ongoing operational controls.
Information security documents, procedures, policies and training materials are regularly updated, reviewed and audited. Audits are performed on representative sample sets to ensure reasonable coverage by staff across the aforementioned materials.
2.2 Access and authorisation
All accounts on Frontdeskey systems have role based privileges. An accompanying audit trail with active/disabled status uniquely identifies user accounts. Segregation of duties is an underlying principle used to design Frontdeskey processes. In cases where the above is not a good representation (such as the "root" account of systems), relevant compensating controls are in place. Roles and privileges are granted via systems with equivalent audit trails and approval gates and are regularly reviewed. Where possible, roles and privileges are stored in change control systems. All user accounts that can access sensitive data are managed by automated systems and policies that enforce PCI-DSS compliant password standards, as follows:
(a) Each person has an individual account that authenticates the individual’s access.
(b) Access to production administration systems over SSH, and access to internal tools that access, store or process data, utilize two-factor authentication.
(c) A quarterly review process is in place for those who have access to applications and systems where sensitive data is processed or stored.
(d) Any staff who are no longer working for SM have their access revoked as part of standard HR exit procedures.
2.3 Data storage location
Amazon Web Services (AWS) - Oregon region data centres house all production data and systems for Frontdeskey. No sensitive data is processed, managed, stored or archived outside of these locations. Physical security access is entirely managed by AWS with no input from Frontdeskey.
2.4 Physical data
Frontdeskey does not keep any data in physical form.
3.1 Production Assets
All production assets at Frontdeskey are change managed through set policies, procedures, approval gates and audit trails. This approach covers the entire lifecycle of software development, testing, release and post release operations. Typically, emergency changes are assessed on an individual basis and subsequent actions are decided upon after assessment of the incident. Whilst there is documentation for emergency fixes, most are performed the same way as regular fixes to reduce risk and maintain the integrity of the production environment.
The methodology for how Frontdeskey manages change and ensures data integrity, data protection and asset security is documented and reviewed by each relevant area of the business and subsequently audited by external auditors. This is then socialised as part of staff on-boarding as well as subsequent operational updates and regular update compliance training. Frontdeskey has logically or physically separate environments from production for all development and testing. No sensitive production data will be transmitted, stored or processed in a non-production environment.
4.1 Production systems
Key metrics of production systems and the operational health of the Frontdeskey platform are monitored 24x7 and tiered with multiple on-call teams and escalation procedures. These metrics cover networks, backups, uptime and security points, as well as product specific data including integration availability, uptime and integrity.
4.2 Data backup and retention
Data backup and retention schedules are documented in line with Frontdeskey business operation requirements. Security event logs and application audit trails are kept for one year online. Periodic checks are performed to ensure backup integrity and procedure completeness.
4.3 Transmission and encryption
All data transfers with external parties are done over industry standard encryption channels. When sensitive data is at rest, it is encrypted with industry standard encryption, and encryption keys are managed to satisfy PCI-DSS standards.
4.4 Breach and security incidents
Dedicated incident (breach and non-breach) management documents are reviewed, audited and socialised on a periodic basis, at least annually, in accordance with Frontdeskey’s Data Security Breach Policy. Frontdeskey also conducts a yearly roundtable around the incident workflow to flesh out operational gaps. Relevant personnel are allocated and trained for incident specific scenarios. All security incidents are initially prioritised as critical, and then adjusted as the incident progresses and is assessed. Priority is given to containment. While active, all security incidents have dedicated resources applied until resolution of the incident is achieved. Following resolution, a post-event analysis is performed and all reasonably practicable steps are taken to implement measures to avoid recurrence and improve security for both direct and indirect related risks. All security incidents as well as known operational risks are recorded and managed from a central risk register. Frontdeskey will advise all relevant third parties of any security or data breach in accordance with applicable legal requirements. Frontdeskey may share a high level summary of the incident timeline, data impact and resolution taken once confidence has formed around scope, impact and resolution.
4.5 Vulnerability scanning and penetration testing
External vulnerability scans are performed monthly by a PCI approved scanning vendor. Internal vulnerability scans are performed monthly and are wholly managed within Frontdeskey. Penetration testing is done on an annual basis by another independent external entity. Security notices and vulnerabilities are automatically monitored from “Ubuntu Security Notices” and “AWS Vulnerability Reporting”. Any vulnerability flagged by notification services is recorded, prioritised and applied based on risk parameters including severity, likelihood, compensating measures and impact.
4.6 Security Patch Management
Frontdeskey maintains and patches/remediates all systems, devices, operating systems, applications, and other software consistent with industry best practices. Security notifications, including but not limited to USN and SANS, are subscribed to as part of the patch management process. Each vulnerability is then assessed on impact, likelihood and compensating measures, and applied accordingly.
4.7 Network, host and endpoint security
All production networks holding sensitive data have deployed dedicated firewalls (AWS security groups), intrusion detection/prevention (IDS), file integrity management systems, systems hardening (CIS), and other network security technology in the operation of systems and facilities. Workstations will have anti-malware software deployed as of August 2018.
4.8 Data Encryption
Frontdeskey uses cryptographically secure protocols that are generally accepted in the industry at all times to encrypt data when in transit or transported/stored via any physical media. Supplier will maintain an appropriate key management process, including, but not limited to, access controls to limit access to private keys (both synchronous and asynchronous), key revocation processes, and key storage protocols.
Audit trails follow permanent changes to assist in reporting and auditing. The status and integrity of transactions can be determined by reporting and audit data trails. Reasonable efforts are undertaken to alert and proactively monitor transaction health and completeness.
Personally Identifiable Information (PII) and Personal Access Number (PAN) data are both protected to industry compliance levels and/or legislative compliance levels in the regions where Frontdeskey operates. Dedicated systems and procedures include but are not limited to:
- industry level encryption in transit and at rest where appropriate
- operating systems hardening security baselines and compensating measures
- vulnerability scanning, prioritisation and management
- penetration testing
- network intrusion detection
- network segmentation and proxies
- file integrity management
- key, password and secrets management
- certificate management system
- application level firewall restrictions
- limited role based access
- data scrubbing and decommissioning
- data sanitisation and provisioning
- events monitoring and detection
- security breach and incident management
- compliant change management and release pipelines