Information Security is at the core of any professional software-as-a-service (SaaS) supplier’s offering. We’re transparent with our security program so you can feel informed and gain the assurances you require while using our products and services.
This document details the Information Security (IS) related obligations we assume as your supplier and aims to give you information about our Information Security Management System (ISMS).
We have implemented and will continually maintain appropriate electronic, physical and organisational security procedures, measures and controls in order to protect against accidental, unauthorised or unlawful access, destruction, use, alteration, modification, disclosure or loss of Customer data. Without limiting the foregoing, we shall have in place and implement security practices and controls that comply with and are consistent with our ISO 27001 Certification.
ARKK has held ISO 27001 certification from a UKAS-certified body since 2016.
Our Information Security Management System (ISMS) covers the delivery of software and services that enable customers to transform internal financial data for submission to regulatory bodies, including managing clients’ data, from the London and Belfast Offices.
Third-party service providers (including information processing service providers) are outside the scope of the ISMS; however, assurance exists in the form of contractual agreements, and the review of those agreements is within scope.
The exclusive host of our infrastructure is Microsoft’s top-rated Azure platform. Microsoft holds ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2 certifications among others. See https://azure.microsoft.com/en-gb/overview/trusted-cloud/compliance/ for the full list. We review our engagement terms and information security conditions with key providers at least annually.
Logical Access Control
To ensure compliance with access security control requirements we:
- protect the confidentiality of all passwords or access codes assigned to us by you (passwords for user access are hashed one-way, but in addition you may wish to provide us with API keys or similar to pull in data on your behalf);
- have a password policy whereby our personnel, including subcontractors, who may have access to systems or any Customer data must change passwords immediately upon receipt and at set intervals (or more frequently) thereafter, and must avoid trivial or obvious passwords;
- on a timely basis remove logical access privileges from our personnel, including subcontractors, who, whether through internal transfer or departure from our business, are no longer involved in processing Customer information and data.
We do not typically provide temporary passwords but rather use unique expiring reset tokens. Our password policy sets the complexity construction rules for passwords used on our systems.
We have procedures for onboarding, role reassignment and a termination process, to ensure access is provided when needed and revoked accordingly. In addition, we conduct annual access reviews of our assets.
We certify that all devices used by our employees that connect to our information processing environment comply, and will continue to comply, with the following requirements:
- the most current service pack and all security patches applicable to all operating systems and software resident on devices must be applied and be up to date;
- devices must have industry-standard anti-malware software installed, running and updated with the latest signature file; and
- an industry-standard personal firewall product must be installed and active on the device.
We use a combination of Windows group policy, centralised endpoint protection management, an internet access gateway and enterprise mobility management (EMM) to enforce adherence and ensure current anti-malware, patching and firewalls are in effect.
To ensure the integrity, confidentiality and availability of all our servers and to mitigate the threat, risk and impact of external or internal misuse or abuse of server platforms, we:
- protect all server access, at a minimum, by a combination of user ID and secret password;
- change all factory pre-set server passwords before commencement of processing and change them thereafter at set intervals or more frequently;
- ensure that servers are housed in physically secured areas.
As stated above, all our servers are hosted by Microsoft Azure, which holds ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2 certifications among others. Access to all our servers requires both network access rights and user credentials. Servers hosting Client data are accessible only through a Privileged Access Management (PAM) service, which enforces fine-grained access policy as well as session recording for audit purposes.
In line with industry best practices for secure coding, we:
- incorporate Static (including the OWASP Top 10) and Dynamic security code analysis into our software development lifecycle;
- mitigate security issues identified during Static and Dynamic code analysis before promotion of the code into the production environment;
- perform weekly web application vulnerability scanning to identify any vulnerabilities and apply mitigating controls accordingly.
To ensure compliance with industry best practices for change control, we develop, test and document each change according to change management and control standards, procedures and processes, while maintaining the continued logical integrity of data, programs and audit trails.
Security of Databases and Storage
To ensure the integrity, confidentiality and general security of any and all databases and data files used to store your data we:
- store Customer data in an encrypted form (AES 256-bit) at rest in accordance with industry best practice;
- store all database servers, data file servers and repository devices containing Customer data in a physically secured area;
- restrict all physical and logical access to databases, data files and their resident information and/or data and any systems or network components relating to the processing of transactions on a need-to-know/need-to-use business-only and least privileged basis;
- protect all access to databases and data files using, at a minimum, a combination of user ID and secret password;
- change all factory pre-set passwords for databases before commencement of processing and change them thereafter at set intervals;
- log all database and data file access activities and store this activity data in an appropriate manner for a minimum period of 12 months;
- harden all servers used to process, store and/or transmit Customer data and/or information with such hardening to include, but not be limited to, the removal of all privileges and services, except those that are essential for the performance of the operations for which the servers are installed;
- deploy server security scanning tools to periodically report on the status of each server and verify that all settings, parameters and options are in accordance with the agreed upon hardened state for that device and to detect unauthorised changes from the approved server configuration baseline;
- log all server access activity and store such activity data in an appropriate manner for a minimum period of 12 months; and
- review all server security controls defined above on a periodic basis (at least once per year) to ensure that they are still in effect.
- Data is stored encrypted at rest using AES 256-bit; keys are managed automatically by Azure.
- Under normal operations your data (customer data) will reside exclusively on servers within the Microsoft Azure data centres in Europe (ROI and Netherlands). Should you elect to send us files via email or through our support system, those files will be stored by our customer support and ticket system vendor within Europe.
- No member of our staff has direct access to your data unless you explicitly share it with them.
- Our IT administrators can access data only through a Privileged Access Management (PAM) system which audits access and records the sessions in a write-only vault.
- Our Asset Management policy addresses classifications, labelling and handling restrictions of data.
- Your data will be removed from our systems after termination, except for the metadata (information about your usage) or anonymised statistics mentioned in the standard terms and conditions.
To mitigate the threat, risk and impact of system and/or network intrusion, abuse or misuse, we:
- install, configure and activate comprehensive, industry-best-practice intrusion prevention and detection systems (network-based and host-based) to continuously prevent, detect and report the occurrence of unauthorised network attacks against our systems including, but not limited to, penetration attempts, denial of service attacks and excessive probing;
- install industry-best-practice network firewalls and Web Application Firewalls (WAF) between servers and public-network-facing gateways to screen out communication protocols not required for processing Internet traffic;
- log all firewall and gateway activity and store such activity data in an appropriate manner for a minimum period of 12 months;
- protect data from unauthorised disclosure while in transit through public networks.
- We do not have a Wi-Fi network with privileged access (we treat it as a public network despite its security protection).
Protection against Malware
To mitigate the threat, risk and impact of computer viruses, worms, Trojan horses and other malicious types of software, collectively called “malware”, we:
- install, configure, activate and maintain an anti-malware program on any and all servers, devices, laptops and workstations;
- configure such anti-malware software to automatically invoke on start-up and run on a continuous basis on all devices where installed; and
- record all malware-related incidents and action them in accordance with our incident response plan. Where an incident may affect a customer’s data, that customer is informed within 24 hours.
Security Vulnerabilities and Installation of Security Patches
To mitigate the threat, risk and impact of system and network security vulnerabilities, we:
- actively scan our exposed endpoints for vulnerabilities;
- receive advisories on emerging security vulnerabilities from reliable sources;
- identify specific vulnerabilities that may impact our operating environments or platforms;
- assess the criticality of the vulnerability to determine the appropriateness of installing the associated security patch; and
- test and install required security patches in a timely manner.
Back-up and Recovery
To ensure availability of data we:
- use cloud-based redundant storage facilities (geo-replication);
- maintain a daily back-up, kept for 30 days; and
- maintain a documented Business Continuity Plan and test it annually.
We keep an active replication facility in a secondary Azure data centre. Our recovery time objective (RTO) is to resume critical operations within 6 hours, regardless of the cause of the outage.
Logging and Monitoring
Internal systems write log data to a centralised Security Information and Event Management (SIEM) system. The data is retained for a minimum of 12 months.
Alerts are set up based on unusual, suspicious or potentially malicious activity, and appropriate security personnel are notified to investigate.
Data Resource Isolation
ARKK utilises a multi-tenant platform, whereby our supporting infrastructure serves multiple customers. Each customer shares the software application and also shares a single database. Each tenant’s data is logically segregated and isolated, and remains invisible to other tenants/customers.
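The logical segregation described above depends on every data access path being scoped to the requesting tenant. The following is an added illustration of that pattern, not ARKK’s code: it builds a constructed in-memory SQLite table (hypothetical name `filings`) shared by two made-up tenants, shows a repository that always binds the caller’s `tenant_id` into the query, and, for contrast, a lookup that omits the tenant filter and therefore lets one tenant read another tenant’s row by guessing its id.

```python
import sqlite3
from typing import List, Optional

# Constructed sample rows: two tenants' records living in one shared table.
SAMPLE_ROWS = [
    ("tenant-a", "VAT return Q1"),
    ("tenant-a", "VAT return Q2"),
    ("tenant-b", "Corporation tax return"),
]


def build_db() -> sqlite3.Connection:
    """Create the shared single-database layout: one table, a tenant_id column per row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE filings ("
        " id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " tenant_id TEXT NOT NULL,"
        " name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO filings (tenant_id, name) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class TenantScopedRepository:
    """Every query issued through this object is filtered by the tenant it was built for.

    The tenant id is fixed at construction (in a real service it would come from the
    authenticated session, never from request parameters), so a caller cannot widen
    the scope by passing a different id into individual methods.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        if not tenant_id:
            raise ValueError("tenant_id is required for all data access")
        self._conn = conn
        self._tenant_id = tenant_id

    def list_filings(self) -> List[str]:
        rows = self._conn.execute(
            "SELECT name FROM filings WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,),
        ).fetchall()
        return [r[0] for r in rows]

    def get_filing(self, filing_id: int) -> Optional[str]:
        # Both the record id AND the tenant id are bound: a row belonging to
        # another tenant is indistinguishable from a row that does not exist.
        row = self._conn.execute(
            "SELECT name FROM filings WHERE id = ? AND tenant_id = ?",
            (filing_id, self._tenant_id),
        ).fetchone()
        return row[0] if row else None


def get_filing_unscoped(conn: sqlite3.Connection, filing_id: int) -> Optional[str]:
    """Weak pattern for contrast: the tenant filter is missing, so any tenant that
    can supply an id reaches any tenant's row. Shown only to make the gap visible."""
    row = conn.execute("SELECT name FROM filings WHERE id = ?", (filing_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    repo_a = TenantScopedRepository(db, "tenant-a")
    print("tenant-a sees:", repo_a.list_filings())
    print("tenant-a asking for id 3 (tenant-b's row):", repo_a.get_filing(3))
    print("unscoped lookup of id 3:", get_filing_unscoped(db, 3))
```

The check a reviewer would apply to a shared-database design is exactly the difference between the two lookups: there must be no code path that reaches a tenant-owned table without the tenant predicate, and the tenant value must be taken from the authenticated identity rather than from anything the client controls.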
Encryption in Transit Security
Access to ARKK web applications always uses industry-standard Transport Layer Security (TLS) to secure the connection between your browser and our services.
External Security Audits
We perform external penetration tests on our applications to ensure the security built in by design is implemented effectively and correctly. The penetration tests are performed by an unbiased third-party security company. Any vulnerabilities are actioned appropriately within set time frames in accordance with the severity of the risk and the CVSS score.
As part of ARKK’s ISO 27001 certification, we are independently audited each year through the surveillance and recertification audits conducted by the certification body. In addition, our Information Security Management System (ISMS) undergoes an internal independent audit to ensure compliance with the ISMS framework.
While we implement safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that data, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others.