InfoSec Controls

We have documented and deployed a comprehensive set of controls. A summary is presented in the following seven control groups.

Control Groups

Organizational Controls

Administrative Access Controls: Users with administrative access are approved and logged per SaaS Service or application.
Audit & Compliance Management: An audit management process is defined and implemented to support audit planning, risk analysis, security control assessments, conclusions, remediation schedules and report generation.
Audit Remediation: A risk-based corrective action plan to remediate audit findings has been established, documented, and approved. Internal and External Audit findings and remediation actions are reported to the relevant stakeholders.
External Audit Policy: External Audit policies and procedures are in place for ISO 27001 compliance and reviewed at least annually. External Audits occur at least once per year.
External Audit Policy: Information Security & Data Management policies and procedures, sponsored by the CEO, are established, documented, approved, communicated, and reviewed at least annually.
InfoSec Role Assignments: The roles and responsibilities for planning, implementing, operating, assessing, and improving Information Security and Data Management processes are assigned.
Internal Audit Policy: Internal Audit policies and procedures are in place and reviewed at least annually. Internal Audits occur once per year.
Regular Policy Maintenance: All relevant organizational policies and associated procedures are reviewed at least annually.
Regulation & Legal Clarity: All the relevant standards, regulations, legal/contractual, and statutory requirements have been identified and documented.
Risk Management Policy: A formal, documented company-wide risk management policy and procedure has been established and proactively maintained to manage company risks. The policy is sponsored by the CEO.

Operational Controls

Backup Testing: Backups are tested at least annually to ensure the confidentiality, integrity, and availability of data.
Backups: Data is backed up daily to a remote location physically and logically separate from the original cloud source.
Business Continuity Policies: Effective business continuity management and operational resilience policies and procedures have been established, documented, and approved in line with risk profiles. The policies and procedures are reviewed, updated and tested at least annually.
Change Management - Process: The risks associated with changing organizational assets (including applications, systems, infrastructure, configuration, etc.) are proactively managed and controlled throughout the change process.
Change Management - Organizational: Risk management policies, procedures and guidance are updated and communicated when any significant organizational change occurs.
Cyber Insurance: Effective cyber insurance is in place to mitigate the financial impact of a data breach.
Disaster Recovery Planning: A disaster response plan has been established, documented and approved to ensure recovery from natural and man-made disasters. The response plan is reviewed and tested at least annually.
Exception Policy: A procedure has been implemented to manage policy and process exceptions, including within emergencies.
Operational Resilience: Operational resilience strategies and capability results are incorporated to establish, document and maintain a business continuity plan.
Quality Management: An internal assessment process is conducted every year to confirm the conformance and effectiveness of standards, policies, and procedures.
Security Breach Notification: Processes are in place to inform the relevant authorities or impacted customers within 48 hours of a security breach.
Security Incident Management: Policies and procedures for security incident management have been established, documented, and approved. They are reviewed and updated at least annually. The security incident response plan is tested and updated annually or upon significant organizational change.
Shared Security Model: A shared security responsibility model has been defined, showing the separation of responsibilities between the cloud provider, other third parties, Strategic Blue and the customer.
Supply Chain List: An inventory of all supply chain relationships, services and risks has been developed. It is reviewed and updated on at least an annual basis.
Supply Chain Management: Contractual and legal responsibilities for data / information handling and security within the supply chain are defined within the relevant contracts.
Supply Chain Policy: A risk-based process has been established and documented for introducing and assessing new suppliers into the supply chain.

Application Controls

Access Reviews: User access reviews and re-validation for least privilege and separation of duties purposes are completed on at least an annual basis.
Administrative Authentication: Administrative authentication is controlled via an Authentication account, acting as a bastion authentication gateway.
Application Administrative Access: The processes and procedures for the segregation of privileged access roles have been defined and implemented to maintain the separation of duties for administrative users.
Application Log Alerts: A process has been established and implemented to review and take appropriate and timely actions on detected alerts and anomalies within log data.
Application Logging: A secure, separate log of all changes and data requests is kept for our applications, with appropriate authentication and date/time stamp information.
Application Patching: Application code is run on AWS serverless services which are automatically updated, patched and managed by AWS under their shared service model.
Application Security Baseline: Application baseline requirements are defined to secure different applications based on the sensitivity of the data they contain.
Application Security Policies: Application security policies and procedures are established, documented, and approved to guide appropriate delivery of our application security capabilities. Policies are reviewed at least annually.
Application Testing: Application and code testing is automated when applicable and possible.
Authentication Policies: Strong password policies and multi-factor authentication (MFA) have been established and deployed for all applications.
IAM Policies: Identity and access management policies and procedures have been established, documented, and approved. The policies and procedures are reviewed and updated at least annually.
Key Usage: Key lifecycle management events are logged and monitored to enable auditing and reporting on cryptographic keys' usage.
Key Management: Keys are securely controlled and monitored within AWS Systems Manager Parameter Store.
Least Privilege Access: The least privilege principle has been employed when implementing information system access.
Password Management: Processes and procedures for the secure management of passwords have been defined and implemented.
Penetration Testing: Annual penetration testing is used to review current Application & API security.
Roll-back: A process to proactively roll back changes to a previously known "good state" is defined and implemented in case of errors or security concerns.
Secure Application Deployment: Strategies and capabilities have been established and implemented to deploy application code in a secure, standardized, automated and compliant manner.
Secure Application Development: A secure software development lifecycle (SSDLC) process is defined and implemented.
Separation of Duties: The separation of duties principle has been employed when implementing information system access.
Unique User ID: Processes and procedures have been established and deployed to ensure that users are identifiable through unique identification within each application. Shared User IDs are not allowed.
User Provisioning & De-provisioning: A user access provisioning process has been defined and implemented which authorizes, records, and communicates data and assets access changes. The process to de-provision or modify access has also been defined and implemented.

Data Controls

Adopt Best Practice: Systems, products, and business practices are based on security and privacy principles by design and according to industry best practices.
Data Classification: Policies and procedures have been established, documented and approved for the classification, protection, and handling of data throughout its lifecycle based on the data sensitivity and risk associated with the data.
Data Flow: Data flow documentation has been created to identify what data is processed and where it is stored and transmitted.
Data Inventory: A data inventory has been created and is maintained for sensitive and personal information.
Data Management Policies: Corporate Data Management Policies are established and deployed, enforced and endorsed by the COO & CEO. Policies are reviewed on at least an annual basis.
Data Processing: Processes and procedures have been defined and implemented to ensure personal or sensitive data is processed in accordance with GDPR & applicable legislation.
Data Removal: Any customer data ownership automatically reverts to the customer at the end of contract. Customer-held data is held for the minimum required time for legal and regulatory compliance.
Data Security Review: Data security and privacy policies and procedures are reviewed and updated at least annually.
Encryption of Data: Customer-held data is encrypted. Data at rest and in transit are cryptographically protected using current standards (AES-256 & TLS 1.3).
Encryption Policies: Cryptography, encryption, and key management policies and procedures have been established, documented and approved. The policies and procedures are reviewed and updated at least annually.
Environmental Control Policies: Production and non-production systems are maintained completely separately, with no copy of production data in non-production systems.
Key Deactivation: Processes and procedures to deactivate keys, where required, have been defined and implemented.
Key Rotation: All cryptographic keys are rotated on a regular basis.
Non-production (Test) Data: No production data is used or held within non-production environments.

Technology Controls

Anti-malware: Anti-malware software is installed on end user devices to mitigate malware attacks. Signatures are updated automatically.
Application Network Management: Virtual Private Clouds (VPC) and Access Control Lists (ACL) are used to secure information flows between virtually separate services.
Capacity Management: Cloud PaaS & SaaS platforms have an effectively unlimited capacity, so capacity planning is not required.
Default Passwords: All default passwords supplied with hardware or software are changed upon installation.
Device Encryption: Information is protected from unauthorized disclosure on managed endpoints via storage encryption.
Device Enforcement: Processes and procedures have been defined and implemented to enforce policies and controls for all endpoints permitted to access systems and/or store, transmit, or process organizational data.
Device Inventory: An inventory of all endpoints used to store or access company data is maintained.
Device Management: Universal endpoint management policies and procedures have been developed and enabled. MDM software is deployed. The policies are reviewed and updated at least annually.
Device Patching: Device endpoint operating systems and applications patch levels are set to auto-update.
Environment Management: There is no communication between the different environments.
Environment Policy: Production and non-production environments are fully separated and segregated.
EUC Policy: Policies and procedures to protect against malware on managed assets are established, documented, approved, and applied. Policies are reviewed at least annually.
Infrastructure Security: We use PaaS & SaaS platforms for our applications, transferring responsibility for network & server infrastructure and virtualization security to our cloud provider.
Insecure Applications Removed: Unsupported or insecure applications are removed from user devices.
Lock Screen: All relevant interactive-use endpoints are configured to require an automatic lock screen.
MDM Remote Wipe: Processes are defined and implemented to enable remote company data deletion on managed endpoint devices.
Software Firewalls: Software firewalls are installed and configured on managed endpoints.
Supply Chain Risk Management: Processes and procedures have been defined and implemented to identify and respond to third-party security threats or vulnerabilities, when informed by our supply chain.
Third-party Access: Processes, procedures and technical and/or contractual measures are defined and implemented to maintain proper security of third-party endpoints with access to organizational data & services.
Vulnerability Management: Policies and procedures have been established, documented and approved to identify, report, and prioritize the remediation of vulnerabilities to protect systems against vulnerability exploitation. Threat and vulnerability management policies and procedures are reviewed and updated at least annually.

Physical Controls

Data Centre Management: Physical management and security of data centres is managed by our cloud vendors, who hold the appropriate validated certification for this responsibility.
Office Security: Dedicated office space is leased from FORA, for meetings and joint working. No data is stored on-site. Physical and logical security is provided by FORA.
Physical Media: Policies and procedures for the secure use and transportation of physical media are established and documented. Physical media is to be used only in exceptional circumstances, via encrypted storage devices. Policies and procedures are reviewed at least annually.
Secure Disposal of Laptops: Policies and procedures for the secure wipe and recycling of end user computing devices have been established, documented, approved, and applied.
Secure Disposal of DC Equipment: Secure disposal of data centre equipment, including storage media, is managed by our cloud vendors, who hold the appropriate validated certification for this responsibility.

People Controls

Acceptable Use Policy: An Acceptable Use Policy (AUP) has been established, documented, approved and applied. All users sign the AUP. The AUP is reviewed and updated on at least an annual basis.
AI Acceptable Use Policy: A Generative AI Acceptable Use Policy has been established, documented, approved and applied. The AUP is reviewed and updated on at least an annual basis.
Background Checks: Background verification policies and procedures for all new employees have been established, documented, approved and applied. Verification is to UK Government baseline (BPSS) standard. Administrators are cleared to UK Government SC Clearance.
Controlled Change of Role: Policies and procedures for the changing of roles and responsibilities have been established, documented, approved, and applied. Staff are given appropriate system access for their role, authorised by the line manager and HR.
Controlled Offboarding: Policies and procedures for the secure return of company assets have been established, documented, approved, and applied. System access is promptly revoked once a member of staff leaves employment.
Controlled Onboarding: Policies and procedures for the secure deployment of company assets for new starters have been established, documented, approved, and applied. Staff are given appropriate system access for their role, authorised by the line manager and HR.
Remote Access & Storage: Policies and procedures to protect information accessed, processed, or stored at remote locations have been established, documented, approved, and applied. Data is primarily stored in cloud storage.
Security Awareness: A comprehensive security awareness training program for all employees has been established, documented, approved and applied. Regular security awareness updates are provided, at least once per year.
Staff Legal Provision: All employees are required to sign an employment agreement before gaining access to organizational information systems, resources, and assets. The contract includes adherence to established information and data governance policies, including a non-disclosure agreement.