Hub-4 web security

Your data is as important to us, as it is to you.

We take every precaution to ensure your data is kept safe.

Describe your hosting environment in terms of servers, firewalls, disks etc

DSEasy is hosted on a HP rack server.
The server is located at Custodian Data Centre. http://www.custodiandc.com.
The server is protected by a managed Cisco firewall supported by Bailey NG. www.ngbailey.co.uk.
The server disks have RAID 1 redundancy.
The servers are monitored by IP Patrol for any downtime.

Explain resilience and redundancy built into the hosting environment

The Custodian data centre provides 2 power feeds and generator backup.
The data centre has multiple peer points on the internet backbone including Cogent, Virgin Media and Hurricane Electric.

Explain your security policy

The Hub-4 servers are in a Cluster managed by Footwork Solutions who develop and support hub-4.
Footwork are currently completing NHS Information Governance Toolkit Version 9 to Level 2 [IG9].
This is based on the ISO 27001/2 standards. Compliance to IG9 covers a wide range of security aspects from physical security, networks and development standards.
A high level overview is available. Information Governance Toolkit.pdf.
All traffic to hub-4 is over an encrypted SSL channel.

Do you perform regular independent penetration testing

What methods of authentication are used

What is the password strategy

Passwords are 12 character system generated alpha numeric.
Passwords can be reset by users or administrators and are emailed to the registered email address for the user.

Is intrusion detection in place

What confidentiality agreements are in place; how is our data segregated

Data segregation is managed by the application which isolates data by client, unique locality or user.

Describe your backup policy

The database is backup nightly.
Backups are stored locally and transferred securely to 2 off site locations for storage and failover stand in.

What is the maximum backup retention period

What virus protection software is used and what is the update frequency / policy

Describe your change control procedure in terms of patching, fixes and minor upgrades

Patches are tested on the development server and then uploaded to the production server

Describe your upgrade procedure

Minor and major updates are available on the production server as an optional updated code base.
Users can switch back to the current version whilst any fixes are made.
When the code base is stable it is released as the current version.
All minor and major updates are informed to assessors and admin users by email.

ISP security, confidentiality and backup procedures.

Custodian Data Centre is ISO 27001 certified. http://www.custodiandc.com/infrastructure/ISO27001.
Custodian do not provide any backup service; these are managed internally.

Explain in detail your philosophy and arrangements you have in place to deal with Disaster Recovery

The hub-4 server is monitored 24/7 with email and SMS alerts going out to a number of staff if any component causes the hub-4 application to be unavailable.
In this situation a protocol is followed to assess the point of failure and likely recovery times. Hardware is covered under a maintenance contract.
In the event that the live server cannot be brought back on line within a reasonable time then a failover server at an alternate location is brought on line.
Failover domain names are already in place for the backup servers.

Provide data encryption measures

All traffic is secured with 256bit encryption provided by Comodo and as registered Data Controllers we meet the ICO’s standards.