Your data is as important to us as it is to you.
We take every precaution to ensure your data is kept safe.
Hub-4’s hosting environment in terms of servers, firewalls, disks etc
Resilience and redundancy built into the hosting environment
Hub-4's security policy

  • The Hub-4 servers are managed by Footwork Solutions, who develop and support hub-4.


  • Footwork are currently completing NHS Information Governance Toolkit Version 9 to Level 2 [IG9].


  • This is based on the ISO 27001/2 standards. Compliance with IG9 covers a wide range of security aspects, from physical security to networks and development standards.

  • A high-level overview is available: Information Governance Toolkit.pdf.


  • All traffic to hub-4 is over an encrypted TLS 1.2 channel.

Regular independent penetration testing

  • Penetration tests have been run and the next is due in August 2017.


Methods of authentication used

  • Hub-4 requires a unique email address and password to log in.

  • User accounts are managed by nominated administrators.


Password strategy

  • Passwords are system-generated, 12-character alphanumeric strings.


  • Passwords can be reset by users or administrators and are emailed to the registered email address for the user.


Intrusion detection in place

  • In addition to the AWS Security Group firewall, the server has its own internal, managed firewall.


  • Both provide intrusion detection.


  • The server also runs Tripwire and Snort for intrusion detection and prevention.



Confidentiality agreements are in place; our data is segregated

  • Data segregation is managed by the application, which isolates data by client, unique locality or user.


Backup policy

  • Daily backups are held for 2 weeks.


  • Weekly backups are held for 2 months.


  • Monthly backups are held for 2 years


Backup retention period

  • Daily backups are held for 2 weeks


  • Weekly backups are held for 2 months


  • Monthly backups are held for 2 years


Virus protection software and update frequency / policy

  • Clam AV with nightly updates


Change control procedure in terms of patching, fixes and minor upgrades

  • Patches are tested on the development server and then uploaded to the production server


Upgrade procedures

  • Minor and major updates are available on the production server as an optional updated code base.


  • Users can switch back to the current version whilst any fixes are made.


  • When the code base is stable it is released as the current version.


  • Customers and their administrator users are informed of all minor and major updates by email.


ISP security, confidentiality and backup procedures.
Disaster Recovery philosophy and arrangements

  • The hub-4 server is monitored 24/7 with email and SMS alerts going out to a number of staff if any component causes the hub-4 application to be unavailable.


  • In this situation a protocol is followed to assess the point of failure and likely recovery times. Hardware is covered under a maintenance contract.


  • In the event that the live server cannot be brought back online within a reasonable time, a failover virtual server is brought online.

Provide data encryption measures

All traffic is secured with 256-bit encryption provided by Comodo, and as registered Data Controllers we meet the ICO’s standards.