The information below is intended to help you gain a full understanding of our security and data protection practices, to aid with security and data protection audit requirements.

General Company Information

| # | Question | Answer |
|---|---|---|
| 1 | Company name? | Bright Interactive Limited |
| 2 | Approximate number of employees? | 40 |
| 3 | Is your organisation registered with your local data protection ‘supervisory authority’? | Yes - we are registered with the Information Commissioner's Office (ICO). |
| 4 | Have you determined your lead supervisory authority and is this formally documented? | The ICO is our supervisory authority; we only have UK-based operations. |
| 5 | Has your organisation previously been issued with any enforcement notices from your data protection ‘supervisory authority’? | No |
| 6 | Are you a Controller or Processor in relation to your customers' data? | We are a Processor of the data that we access, store and support on behalf of our customers. We are a Controller of a small amount of data that we collect and manage for the purposes of running our business, for example our client contact details. |
| 7 | What programme of works have you undertaken to ensure compliance with GDPR by May 25th 2018? | We have carried out an in-depth, organisation-wide audit and gap analysis, which identified all the areas we needed to focus on and the actions to put in place to support our compliance. We have mapped all of the data flows related to the processing of data, helping us set clear policies, records and standards for how data is managed. We are putting in place wide-ranging processes and procedures to manage the security and processing of data. Our Asset Bank team completed an audit of our product functionality and is implementing changes to improve privacy features within the product, and we have made changes and improvements to the security of our hosting services. We have been rolling out GDPR training and awareness for all our employees, making sure everyone knows our responsibilities under the GDPR and how it impacts their work. We have been working with all our suppliers to ensure we have appropriate contracts in place to meet GDPR requirements, and we have a GDPR Data Processing Agreement that our customers can sign up to. |
The products and services we provide

| # | Question | Answer |
|---|---|---|
| 1 | Provide a brief description of the services or products that you provide. | Asset Bank is a software application that enables the storing, organising and sharing of digital assets - files such as images, PDFs etc. Asset Bank can be provided as a cloud-hosted subscription in our shared or dedicated hosting environments. It can also be purchased by a customer and hosted directly by the customer, for example on a local internal server. We provide support for the use of the application as well as consultancy for digital asset management, both at product set-up and on an ongoing basis. |
| 2 | Have you undertaken a Data Protection Impact Assessment on the solution or service you are providing? | Yes - a risk assessment against the GDPR principles has been completed for the services that we provide. Risk areas have been identified and addressed. This includes mapping the data flows through the customer life cycle, from trials through to production, and including where data is removed from the main storage location for support or consultancy. |
| 3 | Who operates your service’s underlying infrastructure and/or data centres? | Amazon Web Services (AWS) |
| 4 | Will you be using additional sub-processors in providing the services to us? | Additional sub-processors are used for the provision of support services. These will be relevant when customers send us data through our support Help Centre, for example. We also have optional opt-in products, such as integrations with other systems. |
| 4.1 | If so, please give details of these organisations. | The list of our sub-processors can be found on our sub-processors page. This list will be kept up to date on our Help Centre, and customers will be notified 30 days before any change to our sub-processors. |
| 4.2 | What contractual terms have been agreed with these organisations with regard to GDPR compliance? | Contracts with our sub-processors contain equivalent requirements to those we have offered to our clients in our own Data Processing Agreement. All contracts that involve transfer of data outside of the EU include appropriate safeguards to ensure the security of that data transfer, including the EU-US Privacy Shield and/or EU-approved Model Contract Clauses, as well as Binding Corporate Rules where appropriate. |
| 5 | In what countries will customer data be processed and/or stored, including backups and sub-processors? | For European clients the main data storage is in the EU (Republic of Ireland), including backups. Other international data transfers are defined in 4.1 above. |
| 6 | Are industry-standard encryption algorithms and technologies employed for transferring, storing, and receiving individuals' personal information? | Asset Bank data is encrypted at rest and in transit, including backups, with AES-256. Our emails and data stored within our Help Centre (Zendesk) are encrypted in transit with SSL. We use SendSafely as a secure file transfer service for the sharing of customer data in relation to support and consultancy services. |
| 7 | How will our users interact with the service, for example via a desktop application, browser or API? | Asset Bank is a browser-based application. |
| 8 | Does Asset Bank verify a user’s access rights? (ACLs, group or role membership) | Asset Bank allows access to be checked against internal access control systems. It also allows role-based access to the data stored within it, managed by customers' administrators. |
| 9 | Does Asset Bank log events, such as login activity and the actions users have performed? | There are several logs available to the administrators of Asset Bank capturing users' actions on the site. |
Policies we have in place

| # | Question | Answer |
|---|---|---|
| 1 | Does your organisation have an Information Security Policy? | YES - this includes the physical, logical, technical and operational measures that ensure the secure processing of personal data. |
| 2 | Does your organisation have an Acceptable Use Policy? | YES - this covers the use of company systems, equipment and connectivity, including the disciplinary actions that may result. |
| 3 | Does your organisation have a Data Protection Policy? | YES - this details our commitment to compliance with the principles of the GDPR and how this is implemented across the organisation. |
| 4 | What other policies does your organisation have, related to data management, service delivery and security? | We have a framework of policies to support Data Protection and Information Security, including the following. For Data Protection: privacy policy; fair processing; subject access requests; retention of records; breach notification; managing sub-contracted processing. For Information Security: access control; user access; data access control, classification and handling (includes sharing); IT acceptable use; incident management policies; data disposal; clear desk; home and mobile working / BYO device policies; business continuity and disaster recovery; infrastructure and application security policies; HR policies for employee conduct and business standards. |
| 5 | How regularly are your policies reviewed and updated? | All policies have a designated owner with responsibility for their implementation and compliance. All are reviewed at least annually, with an annual audit schedule. |
Organisation of Data Protection & Information Security

| # | Question | Answer |
|---|---|---|
| 1 | Does your organisation have designated information security roles and responsibilities? | YES - we have a framework of responsibility for Information Security, including a designated Information Security Manager and Data Owners responsible for particular data streams. All employees have information security requirements as part of their role descriptions. |
| 2 | Do you have a Data Protection Officer or equivalent contact for data protection and privacy-related matters? | YES - we have a GDPR Owner role with responsibilities similar to a DPO. Please contact via support@assetbank.co.uk |
Staff Security, Data Protection Awareness & Training

| # | Question | Answer |
|---|---|---|
| 1 | Does your organisation conduct pre-employment screening / vetting in accordance with relevant laws, regulations and ethics? | We source candidates both directly and through approved supplier agencies. We obtain valid references for all employees prior to employment with us. |
| 3 | Does your organisation have terms and conditions of employment in place? | YES - all our employees, as well as contractors, enter into formal contracts with us, which include confidentiality obligations. |
| 4 | Is there a formal disciplinary process in place for action against employees who have committed an information security or data protection breach? | YES - we have an established disciplinary procedure that would be triggered in the event of such a breach. |
| 5 | Does your organisation provide appropriate security & data protection training, including regular updates, to all employees? | YES - training is provided to all employees. Contracting staff are required to be aware of our processes and have contractual obligations that include confidentiality. We are reviewing this training and awareness programme to look for improvements. |
| 6 | Have all staff processing customer data signed a confidentiality agreement or similar? | YES - all contracts include confidentiality agreements. |
Risk Management

| # | Question | Answer |
|---|---|---|
| 1 | Does the organisation maintain a risk register which assesses the confidentiality, availability and integrity of the PII it processes? | YES - a risk register is maintained with relevant risks related to PII, which feeds into our risk management framework. The corporate risk register also includes data protection risks. A risk assessment is completed for all data processing activities, and an ongoing project is in place to manage the risks associated with PII processing. |
| 2 | How regularly are risks reviewed? | Annually |
Asset Management

| # | Question | Answer |
|---|---|---|
| 1 | Does your organisation have policies and standards in place for the disposal or reuse of equipment? | YES - we have a Data Disposal Policy which covers this and ensures the secure destruction of data or media to prevent unauthorised access to data. Data destruction methods are appropriate to the sensitivity of the data. |
| 2 | Do you have policies and technical controls that restrict or prohibit the use of removable media drives (such as USB sticks)? | YES - removable media must be authorised by the Information Security Manager and is always encrypted. |
Physical & Environmental Security

| # | Question | Answer |
|---|---|---|
| 1 | Does your organisation have appropriate controls in place to secure work areas, and prevent unauthorised physical access to work areas and information systems? | YES - AWS has extensive physical security, which can be viewed here: https://aws.amazon.com/security/ Our office physical security includes key fob entrance, CCTV, additional access controls on Bright infrastructure (restricted access to server locations), and secure laptop storage for when laptops are not in use. |
| 2 | Does your organisation implement a clear desk and clear screen policy? | YES - screens must be locked when not in use and desks must be kept clear of personal information. Lockable drawers are provided to securely store information, and printing is kept to a minimum. |
Operational Security

| # | Question | Answer |
|---|---|---|
| 1 | Does your organisation deploy network security controls to protect your information systems from untrusted networks? | YES - firewalls are in place, and any port to be opened must be explicitly set. An IDS/IPS also runs on the VPC housing our cloud infrastructure. |
| 2 | Does your organisation deploy controls to protect your information systems from malicious code? | YES - we use modern coding techniques, following guidelines from bodies such as OWASP. |
| 3 | How does your organisation address the threats faced from email and web traffic? | Email scanning is in place from our email provider (Google), and our servers have DDoS protection. |
| 4 | Does your organisation log and monitor access to information systems that process or store personal, personally sensitive or other confidential information? | YES - access logs are stored and kept for 14 days. |
| 5 | Does your organisation operate a technical vulnerability management programme? If yes, please provide additional information by answering the question below. | YES - we have a patch management policy and run quarterly pen tests against the server configuration. |
| 6 | Provide a brief explanation of your patching process. | Patches must be applied at least every 28 days. Any patches to core packages will be deployed as a high priority. Rolling updates are applied to test boxes to allow easy testing of newly released patches. |
| 7 | Has your organisation had an independent penetration test conducted within the last 12 months? (If yes, please provide brief details of what was within scope of the test and a summary of any critical or high findings.) | We use Qualys WAS and Qualys VM quarterly. Any high- and medium-priority issues are prioritised and addressed. Recent changes have been to cipher suites to ensure SSL security, and fixes have been applied to stop some XSS vulnerabilities. |
Access Controls

| # | Question | Answer |
|---|---|---|
| 1 | Does your organisation ensure that access to the network, servers and systems is only achieved by individual and unique logins that require authentication, i.e. passwords, smart cards, biometrics, or other recognised forms? | YES - either public key or MFA for key systems. The principle of least privilege is always applied. |
| 2 | How does your organisation ensure that authentication credentials are not shared, written down or recorded in unrestricted media, files or documents? | Yes - this would be a breach of our internal policy, and employees would be subject to disciplinary action. |
| 3 | Do you have a process for managing accounts, including the creation, monitoring and deleting or disabling of accounts? | YES - we use an automated provisioning system to create/remove user accounts. |
| 4 | Is approval required before accounts are provisioned? | YES - including approval for modification, all in line with our Access Control Policy. |
Communications Security

| # | Question | Answer |
|---|---|---|
| 1 | Does your organisation physically or logically segregate information systems and end user devices on your networks based on your chosen trust model? | YES - we have an approved and unapproved device classification. No unapproved device (e.g. a personal mobile phone) is allowed on the internal network. |
| 2 | Does your organisation have policies and technical controls in place to ensure secure communication of sensitive or confidential information? | YES - secure file transfer system, with additional encryption being implemented. |
| 3 | Do your organisation's connections to the internet go through a firewall-secured connection point to ensure the entire network is protected? | YES |
Data Protection/Security Incident Management

| # | Question | Answer |
|---|---|---|
| 1 | Does your organisation have documented procedures and a response plan to ensure personal data breaches are detected, reported and investigated effectively? | YES - we have a breach notification procedure, as well as an incident management policy that ensures timely and thorough responses. |
| 2 | When did your organisation last test the plan? | Plans are tested annually. |
| 3 | Have you trained all staff to recognise a data breach or security incident? | YES - security awareness training and communications have been rolled out and are ongoing. |
| 4 | How and when would you notify your customer in the event of a data breach? | Within 24 hours of becoming aware. We will notify the main account contact as well as any other contacts provided by the customer. Depending on the nature of the breach this would be via email, with a follow-up phone call when appropriate. |
| 5 | Do you maintain a register of security incidents and breaches? | YES - an internal breach register is maintained. |
| 6 | Please provide contact details to be used in the event of a security incident or breach. | Our main phone line is 01273 923150 |
Disaster Recovery and Business Continuity

| # | Question | Answer |
|---|---|---|
| 1 | Does the organisation have a formalised Disaster Recovery solution that can restore both the availability of and access to personal data? | Yes - our backup system means we can recover client data in the event of a disaster. We also back up all internally hosted systems so they too can be restored easily. We also have a business continuity plan in place to ensure the smooth running of business operations in the event of a serious incident. |
| 2 | How frequently is this tested? | Disaster recovery and restoration of client data is regularly tested, and we can usually restore a site within a few hours in the worst case. |
Compliance

| # | Question | Answer |
|---|---|---|
| 1 | Is your organisation ISO27001:2013 certified, or certified to a comparable security standard for information security or privacy? | YES - our hosting services are provided through Amazon Web Services, who also have ISO27001 certification, as well as a broader suite of compliance certifications. |
| 2 | Does your organisation maintain Records of Processing detailing all the requirements under GDPR (Article 30)? | Yes - we maintain a data inventory of all our processing activities, both as a data controller and as a data processor, which includes all required information under Article 30. |
Transparency

| # | Question | Answer |
|---|---|---|
| 1 | Are individuals provided with a Privacy Notice explaining the organisation’s internal Privacy Policy and practices? | YES - available on the Asset Bank website. |
| 2 | Have you reviewed the distinct types of processing your organisation carries out, identified your lawful basis for your processing activities and documented this? | YES - all contained in an internal data inventory and in our privacy policy where relevant. |
| 3 | Have you explained your lawful basis for processing personal data in your privacy notice(s)? | YES - available on the Asset Bank website. |
| 4 | Have you agreed a schedule to review current privacy notices and contracts for compliance with GDPR? | YES - they will be reviewed every 6 months. |
Retention

| # | Question | Answer |
|---|---|---|
| 1 | Has your organisation drawn up a retention schedule which lists different record types and the period of time that they should be kept? | YES - we have a Record Retention Procedure which details how we manage data, including retention guidelines and data disposal methods. |
| 2 | Are systems checked regularly to ensure retention schedules are adhered to? | YES - we are in the process of implementing our retention schedules. Reviews will be annual, or more frequent for sensitive data. |
| 3 | Does your organisation have processes in place to ensure customer data is securely returned or destroyed once the service delivery is no longer active? | YES - we have a policy to retain customer data in an Asset Bank for 4 months after a customer cancels their subscription, after which the data will be securely destroyed. A copy of the data can be provided to the customer upon termination of the contract, as a chargeable service. |
Individual Rights

| # | Question | Answer |
|---|---|---|
| 1 | Does the organisation have a process to ensure that it passes on, without undue delay, any requests from your customers wishing to exercise their data subject rights? | YES - for our customers we have processes in place to allow the exercising of data subjects' rights, including: right to subject access; right to rectification; right to erasure; restriction of processing; right to portability; right to object to profiling / automated decision making. All requests from end users are logged with our support system. All employees are aware of this and able to pass the request directly to a system administrator. |
| 2 | Does Asset Bank allow customers to enact the data subject rights should they wish to enact them? | YES - Asset Bank has a range of features to support administrators in carrying out data subject rights. Support is available via our Help Centre, or through administrator training. |
| 3 | Does the organisation provide a mechanism that is clear, conspicuous, and accessible to individuals for privacy-related questions and/or complaints about itself or its clients? | YES - individuals can contact us via the Help Centre, and requests will be handled appropriately. |