Security at CyberSmart

 

CyberSmart is dedicated to not just empowering and improving the security of our customers, but for ourselves – we take our own security very seriously. Our highly-trained security experts work alongside external professionals to ensure a robust and adaptive security program that extends throughout the organisation and into our customers.

We practice what we preach by maintaining Cyber Essentials and Cyber Essentials Plus certification and have also achieved the global information security benchmark, an independently certified ISO 27001. Our Information Security Management System (ISMS) focuses on the confidentiality, availability and integrity of our data and products of our company, our people and our customers.

If you have any questions or would like to responsibly disclosure a possible security finding please reach out to us at security@cybersmart.co.uk

ISMS Security Values  

Confidentiality 

We make sure your information is always kept secret and private.

Integrity 

We ensure the completeness, consistency, and accuracy of the data over its lifecycle.

Availability 

We ensure the right information is available to the right person at the right time.

People

Background Checks 

All CyberSmart employees undergo thorough background and identification checks from previous employers. We seek to minimise human risk and maintain the trust of our customers and partners. 

Training 

All CyberSmart employees undergo a regular internal security awareness training program which is delivered and monitored by our security experts.

Security Expertise

In order to design and operate our platform, we utilise qualified security professionals with recognised certifications in technical security architecture as well as governance, risk, and compliance.

Minimised Access 

We utilise segregation of duties alongside the principle of least privilege for employees so we can confidently ensure access is limited to only those that need access to data and systems, for a specified purpose and duration. 

Process

Information Security Management System 

Our Information Security Management System (ISMS) requires us to determine information security risks and then choose appropriate controls to handle them. 

As a security company, we maintain the highest standards of information security and thus we apply controls across all 14 domains of ISO 27001, namely:

  • Information security policies
  • Organisation of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development, and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

Cyber Resiliency, Business Continuity, and Disaster Recovery 

We utilise the most secure and resilient infrastructure from AWS which ensures servers are always patched and up to date.

Web servers store no sensitive information – this is retrieved from an AES-256 encrypted database accessible only within the virtual private cloud. Automated security tests are performed internally across the codebase on every commit. External automated web application security testing is performed daily. 

In addition, we undertake annual third-party security audits with certified security auditors including web, desktop and mobile application penetration tests to ensure comprehensive coverage.

Customer Data, Contracts and Agreements 

Our policies on customer data, contracts and agreements can be found below: 

Terms & Conditions: End-user license agreement

https://cybersmart.co.uk/terms/

Privacy Policy

https://cybersmart.co.uk/privacy/

Partner SLA

https://cybersmart.co.uk/partner-sla/

Application Data (CyberSmart Active Protect)

https://help.cybersmart.co.uk/portal/en-gb/kb/articles/what-data-does-the-cybersmart-software-collect

Technology 

Secure by Design 

We adopt principles of Secure by Design, including: 

  • Peer-reviewed security architecture and in line with industry standards such as AWS Well-Architected Framework ref https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html.
  • This ensures a robust security architecture including pillars covering Identity & Access Management (IAM), traceability as well as defence in depth.
  • Our REST APIs utilise authentication and authorization to ensure data minimization and prevent unauthorized access to data.
  • Our password policy for users ensures only strong passwords are allowed and are stored hashed using the PBKDF2 algorithm with a SHA256 hash, a mechanism recommended by NIST.

Encryption 

We use encryption in all of the following scenarios:

  • In transit using modern protocols (TLS only) and secure ciphers (both internally within the VPC and externally with users & applications)
  • At rest using AES-256 encryption
  • We cryptographically sign CyberSmart Windows desktop and server applications (CyberSmart Active Protect) using a FIPS 140-2 certified Hardware Security Module (HSM).

Data Centers

We host data in multiple availability zones/regions in order to maximise availability. Within the UK production environment, this includes the UK and Ireland regions. For European production environments, this is hosted within the country if available and within the nearest EU data centre if not. The exception to this is Cyber Essentials data, which is hosted exclusively within the UK.

Where possible, we deploy a High Availability (HA) architecture to ensure resilience with automated failover to provide uninterrupted service.

Development, Security & Operations (DevSecOps) 

We operate a mature secure software development life cycle (SDLC), which includes but is not limited to:

  • Separation of keys for each environment and robust key management processes
  • Regular dependency and package management audits and remediation 
  • Logical separation of production, staging, test and development environments including isolated databases
  • Static code testing to ensure code is free from known vulnerabilities
  • Dynamic code testing to ensure applications do not expose vulnerabilities
  • Automated security testing (daily external web application scanning)
  • Manual security testing (annual penetration test)

This is an overview of the security measures we take to assure our customers and ensure we maintain the integrity, confidentiality and availability of data. If you have any further questions, please reach out to us at security@cybersmart.co.uk