ASOSH System Security
Introduction
The ASOSH system hosts a significant amount of data for our clients which needs to be kept safe and secure. is has to be balanced with the need to allow employees to access data, often from mobile devices and whilst working in locations away from fixed offices. This increasingly includes homeworking and the use of Wi-Fi networks that may not be secure.
We provide an overview of the data security infrastructure we have in place to ensure that our system meets not only meets all regulatory requirements, but also extends to provide a high level of data security for our clients.
Overview
ASOSH uses a range of industry best practices to ensure data security. This includes:
- Using suppliers to our system who are ISO27001 certified – the international standard for data security
- Auditing our systems to ensure that we comply with the GDPR (General Data Protection Regulation) and Data Protection Act
- Industry leading encryption
- Network Controls to ensure that only authorised ASOSH employees are able to access client data
- A comprehensive internal data security programme which is based on the UK government backed Cyber Essentials programme
- Vulnerability scans to test IT systems and control processes to ensure the compliance with these practices
- Security arrangements for our physical locations
- A software development team that is equipped with tools to help them build secure apps from the very beginning of the software development life cycle
Data Encryption
Clients access the ASOSH system over the Internet, including via dedicated mobile apps on both Apple and Android devices. To ensure that data links maintain system security, the ASOSH system uses industry leading encryption to protect our data and connections. The technical term for this encryption is known as TLS 1.1-1.2) using 2048-bit, SHA-256 certificates. Each interaction with the ASOSH system is protected by what is called unique session tokens – these enable us to check that each person who uses the system is properly protected and that there is a verifiable way of checking that this is occurring.
Network Access Controls
Access to the backend of our system, including the actual servers, is strictly controlled and limited to selected employees within our organization.
The servers that actually deliver our service are separated from those which we used for development and testing. This insulates them from any new developments until they have been thoroughly tested and also limits of our employees who need to actually access the live servers.
All access to our system servers is closely monitored and there is an ongoing log of all interactions so that we are able to go back and check who accessed the system, what they did and what data was transferred. All passwords are highly secure and changed regularly.
Administrative Controls
We are using strict administrative controls. Access to customer data is restricted to authorized personnel. Access to production servers is limited to only Senior Level employees based on need and All access is limited, logged and tracked for auditing. Employees in engineering, operations, and developer roles with access to production data have background checks as a condition of employment.
All employees are trained on information security and privacy procedures. At no time is any user data removed from ASOSH-owned computers, and ASOSH machines use appropriate technical measures, including full-disk encryption and VPN (Virtual Private Network) access, to ensure that user data remain secure.