Security at CyberSmart
CyberSmart is dedicated not only to empowering our customers and improving their security, but to our own: we take our own security very seriously. Our highly trained security experts work alongside external professionals to run a robust, adaptive security programme that extends throughout the organisation and out to our customers.
We practise what we preach: we hold Cyber Essentials and Cyber Essentials Plus certification, and we are independently certified to ISO 27001, the global information security benchmark. Our Information Security Management System (ISMS) focuses on the confidentiality, integrity and availability of the data and products of our company, our people and our customers.
If you have any questions, or would like to responsibly disclose a possible security finding, please reach out to us at [email protected]
ISMS Security Values
Confidentiality: we make sure your information is always kept secret and private.
Integrity: we ensure the completeness, consistency and accuracy of data over its whole lifecycle.
Availability: we ensure the right information is available to the right person at the right time.
All CyberSmart employees undergo thorough background and identity checks, including references from previous employers. We seek to minimise human risk and maintain the trust of our customers and partners.
All CyberSmart employees undergo a regular internal security awareness training program which is delivered and monitored by our security experts.
In order to design and operate our platform, we utilise qualified security professionals with recognised certifications in technical security architecture as well as governance, risk, and compliance.
We apply segregation of duties alongside the principle of least privilege for employees, so we can confidently ensure access to data and systems is limited to those who need it, for a specified purpose and duration.
Information Security Management System
Our Information Security Management System (ISMS) requires us to determine information security risks and then choose appropriate controls to handle them.
As a security company, we maintain high standards of information security and therefore apply controls across all 14 control domains of ISO/IEC 27001:2013 Annex A (A.5 to A.18), namely:
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
Cyber Resiliency, Business Continuity, and Disaster Recovery
Our platform runs on AWS infrastructure, and our servers are kept patched and up to date.
Web servers store no sensitive information; it is retrieved on demand from a database encrypted at rest with AES-256 and reachable only from within the virtual private cloud (VPC). Automated security tests run across the codebase on every commit, and external automated web application security testing is performed daily.
In addition, we undertake annual third-party security audits with certified security auditors including web, desktop and mobile application penetration tests to ensure comprehensive coverage.
Customer Data, Contracts and Agreements
Our policies on customer data, contracts and agreements can be found below:
Terms & Conditions: End-user license agreement
Application Data (CyberSmart Active Protect)
Secure by Design
We adopt principles of Secure by Design, including:
- Peer-reviewed security architecture in line with industry standards such as the security pillar of the AWS Well-Architected Framework (https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.security.en.html).
- This gives us a robust security architecture built on that pillar's design principles, including a strong identity foundation (IAM), traceability and defence in depth.
- Our REST APIs enforce authentication and authorization on every request, so that each caller can reach only the data it is entitled to and unauthorised access to data is prevented.
- Our password policy for users allows only strong passwords, which are stored as PBKDF2-HMAC-SHA256 hashes, a password-based key derivation mechanism recommended by NIST (SP 800-132).
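The following is an added example, not CyberSmart's own code, showing what the password bullet above means in practice: a policy check, a PBKDF2-HMAC-SHA256 verifier with a per-user random salt, constant-time comparison, and a self-describing record format so the iteration count can be raised later. The iteration count, minimum length and the small breached-password blocklist are assumptions for illustration; the page states none of them.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters (not stated on the page): 600,000 iterations follows the
# OWASP 2023 guidance for PBKDF2-HMAC-SHA256; 16-byte random salt; 32-byte key.
ITERATIONS = 600_000
SALT_BYTES = 16
DK_LEN = 32
MIN_LENGTH = 12  # assumed policy minimum; NIST SP 800-63B requires at least 8
# Constructed sample of a breached-password blocklist. A real deployment would
# check against a large corpus (for example the Have I Been Pwned range API).
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "cybersmart"}


def check_password_policy(password: str) -> list[str]:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKLIST:
        problems.append("appears in the breached-password blocklist")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a PBKDF2-HMAC-SHA256 verifier and encode it together with its parameters."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN)
    # Self-describing record: algorithm$iterations$salt$key, so the iteration
    # count can be raised later without a migration of existing rows.
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the verifier from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations_text, salt_b64, dk_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations_text)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored verifier uses fewer iterations than the current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("policy violations:", check_password_policy(pw))
    record = hash_password(pw)
    print(record)
    print("verify ok:", verify_password(pw, record), "needs rehash:", needs_rehash(record))
```

On a successful login, call `needs_rehash` and, if it returns true, re-hash the plaintext you have just verified with the current iteration count; that is how the stored verifiers keep pace with a rising work-factor policy without forcing password resets.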
We use encryption in all of the following scenarios:
- In transit using modern protocols (TLS only) and secure ciphers (both internally within the VPC and externally with users & applications)
- At rest using AES-256 encryption
- We cryptographically sign CyberSmart Windows desktop and server applications (CyberSmart Active Protect) using a FIPS 140-2 validated Hardware Security Module (HSM).
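As an added example of the "TLS only, secure ciphers" requirement in the transit bullet above (example code, not CyberSmart's published configuration), the following builds a client-side TLS context that admits nothing below TLS 1.2, verifies certificates and hostnames, and offers only forward-secret AEAD suites, then audits any context against those rules. The cipher string and the audit thresholds are assumptions chosen for illustration; the permissive context exists only to show what the audit rejects.

```python
import ssl

# Substrings that mark legacy or broken cipher suites we never want offered (assumed policy).
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXP")
MODERN_PROTOCOLS = ("TLSv1.2", "TLSv1.3")


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2+ only, certificate and hostname verification on, forward-secret AEAD suites."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suite list (assumed policy): ephemeral ECDH key exchange for forward
    # secrecy with AES-GCM or ChaCha20-Poly1305; no anonymous or PSK suites.
    # TLS 1.3 suites are AEAD-only and are configured separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK")
    return ctx


def permissive_context() -> ssl.SSLContext:
    """The kind of context the audit must reject: no certificate checks, every suite OpenSSL has."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context meets the policy."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}, below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification is not required")
    if not ctx.check_hostname:
        findings.append("hostname verification is disabled")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if suite["protocol"] not in MODERN_PROTOCOLS:
            findings.append(f"legacy suite offered: {name} ({suite['protocol']})")
        if any(marker in name for marker in WEAK_MARKERS):
            findings.append(f"weak primitive in suite: {name}")
        if suite["strength_bits"] < 128:
            findings.append(f"sub-128-bit suite: {name}")
    return findings


def tls_summary(ctx: ssl.SSLContext) -> dict:
    """Compact view of the settings a reviewer checks first."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "suites": sorted({(s["protocol"], s["name"]) for s in ctx.get_ciphers()}),
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()), ("permissive", permissive_context())):
        print(label, tls_summary(ctx)["minimum_version"], audit_context(ctx) or "no findings")
```

The same `audit_context` check can be wired into a test suite so that a pull request which loosens `minimum_version`, disables verification, or widens the cipher string fails CI rather than reaching production.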
We host data in multiple availability zones/regions in order to maximise availability. Within the UK production environment, this includes the UK and Ireland regions. For European production environments, this is hosted within the country if available and within the nearest EU data centre if not. The exception to this is Cyber Essentials data, which is hosted exclusively within the UK.
Where possible, we deploy a High Availability (HA) architecture to ensure resilience with automated failover to provide uninterrupted service.
Development, Security & Operations (DevSecOps)
We operate a mature secure software development life cycle (SDLC), which includes but is not limited to:
- Separation of keys for each environment and robust key management processes
- Regular dependency and package management audits and remediation
- Logical separation of production, staging, test and development environments including isolated databases
- Static application security testing (SAST) to detect known vulnerability patterns in our code before it is merged
- Dynamic application security testing (DAST) to confirm that running applications do not expose those vulnerabilities
- Automated security testing (daily external web application scanning)
- Manual security testing (annual penetration test)
This is an overview of the security measures we take to assure our customers and ensure we maintain the integrity, confidentiality and availability of data. If you have any further questions, please reach out to us at [email protected]