ISMS and ISO 27001
Kurtosys has implemented an ISMS (Information Security Management System) since inception and we adopted the ISO 27001 standard with external certification in 2013. The certification applies to all our employees and offices. We incorporate all of the controls in the standard in our policy as well as some additional controls for compliance and data protection.
Our security policy incorporates:
- A robust Risk Management Program: we continuously monitor our applications and other IT assets, test for vulnerabilities and monitor emerging threats and exploits.
- Incident and Change Management, which form a central part of our operational processes. We are committed to minimising the number and impact of any operational or security-related incidents on our platform.
- A Business Continuity plan to ensure that we have procedures to manage contingencies and Disaster Recovery, particularly as they apply to our SLA and Datacentre operations.
It is a fundamental objective to ensure that our Customers' sites and services are properly protected, and ISO 27001 provides the best mechanism for implementing controls that ensure we operate with adequate protection and monitoring, and improve our posture on an ongoing basis.
Our ISO 27001 implementation has been externally certified and is audited annually by QMS International. Certificates and audit details are available on request.
Datacentre protection is the cornerstone of our security proposition. It forms the basis for best practice, for our operations and for our infrastructure design, architecture and procurement. These are fundamental in the delivery of a world class solution for our enterprise customers.
Datacentre protection has the primary purpose of avoiding, preventing and detecting traditional external threats and hacking attempts on our platform. As with most Internet-facing infrastructure, we experience constant scanning of IP addresses and ports, which occasionally escalates into more invasive attempts to compromise our systems. Our protection is designed to prevent this traffic from resulting in security breaches.
The primary concerns of our Datacentre protection include:
- DDoS and WAF mitigation services
- Firewall, network segregation, log aggregation and IDS
- Monitoring of devices and incidents using Threat Management tools
- Physical controls and redundancy within the datacentre
Security Partner Assurance
In addition to a full-time Security Officer and other qualified staff within Kurtosys, we also recognise the need to include specialist external support to assist our organisation with expertise and experience in the following areas of security:
- Specific systems for protection of our platform. These include external services for DDoS and WAF as well as internal tools such as IDS and Threat Management.
- Consultation in the event of a security incident. We acknowledge that in the event of a security breach, we will need the support and assistance of experts in helping to analyse and remediate issues.
- Training and assistance with the development of security posture. We have a continuous program of employee development and training in security incident handling.
Vulnerability Scanning and Penetration Testing
We run annual penetration tests on the whole platform by an independent tester. We also support Customers wishing to do their own specific tests on their own sites. Customer testing is subject to appropriate consent and approval, and we will assist and cooperate in addressing any findings these tests produce.
In addition, we run monthly vulnerability scans on all our production endpoints and have a vulnerability program for remediation of these findings. We have real-time monitoring systems (IDS, Threat Management and WAF) which provide further mitigation of exploitation and automatic shunning of malicious activity.
Application Architecture and Software Development Processes
Kurtosys provides a multi-tenanted architecture designed to scale elastically and provide resilience and flexibility to accommodate growth and performance load. Environmental deployments provide Dev, Staging, UAT, pre-Production and Production systems, which segregate user activity and secure customer data. They include failover and rollback strategies for applications and application servers.
Kurtosys development practice is based on producing an API using microservices, where each service does one thing well. Breaking the application into smaller services makes it easier to update and scale those services, which is key for a modern cloud-native application. These services and applications are engineered for scale and resilience.
Security features heavily in the development processes and includes:
- Secure environments and software development methodology.
- Controlled design, QA and analysis.
- Security checkpoints within the project milestones.
- Managed repositories, patch management and version control.
- Training, peer review, code analysis.
- Change management and authorisation procedures.
- Evaluation and testing of third-party components.
Application Hosting, Network and Infrastructure
Kurtosys applications, the Products and Services we offer to customers, are hosted using infrastructure services provided by the most reputable vendors using the highest standards of security features available. We use both Public and Private Cloud infrastructure from the following vendors:
- Rackspace: Private Managed Cloud for APIs and data services.
- Amazon Web Services: Public Cloud for web sites and storage of data backups and documents.
- Microsoft Azure: Replication, backup and Disaster Recovery.
All of our Production environments are fronted by Cloudflare's external DDoS and WAF services for protection against first-line cyber attacks. This also includes DNS protection and certificate issuance.
We ensure that Load Balancing, Firewall and Reverse Proxy rules are applied to application endpoints. All data is encrypted in transit and at rest.
These hosted services are administered directly by Kurtosys employees with no third-party intervention.
As Data Processors, we are committed to the Confidentiality, Integrity and Availability of our customers' data and content. Through our own compliance we are fully qualified to support our customers' compliance issues.
Kurtosys is not a financially regulated company, nor does it hold payment card data. Kurtosys adheres to all applicable laws and regulatory and contractual requirements in all jurisdictions, and all requirements are monitored for change. Currently these are:
- UK Data Protection Act 2018, which supplements the EU General Data Protection Regulation (GDPR) (registration: ZA019966)
  - Client data
  - Employee data
- California Consumer Privacy Act 2018
  - Client data
- US-EU Privacy Shield (replacing the US-EU Safe Harbour)
  - Client data
  - Employee data
- Massachusetts Data Privacy Laws
  - Client data
  - Employee data
- Copyright, Designs and Patents Act 1988
  - Kurtosys IP
  - Software licences
- The Computer Misuse Act 1990
  - Information Systems
- Modern Slavery Act 2015
  - Sub-contractors and vendors