What screening or background checks are performed on all new staff before employment commences?

1. Candidates are interviewed face to face on at least two different occasions during the selection process;


2. Any candidate who is made an offer of employment is required to supply at least two references covering their recent employment history which may be followed up in writing and, if appropriate, by telephone;


3. On joining the company all members of staff are required to produce photographic proof of identification (valid passport or driving licence, a copy of which is retained), work permit (if appropriate), proof of address (bank statement, utility bill or council tax bill), National Insurance number, full contact details (including next of kin) and bank details for salary;


4. Staff may be subject to additional levels of security checks and clearance (e.g. full screening); the level required depends on the sensitivity of the data and the access for which they will be responsible.

Is there an individual responsible for information security within your organisation?

Yes. Mike Futerko, Chief Technology Officer.

Is there a separate group within Maytech responsible for managing Information Security? What is the structure of the Information Security Group?

Yes, there is a dedicated ISMS team which meets weekly. It is chaired by the CEO and consists of the CTO, who is responsible for the security of systems and software; the operations manager, who is responsible for the secure development process; and the HR manager.

Does your Company have an internal audit group?

What is the frequency of Internal Audit Reviews?

Have they performed reviews on the processing areas which will process or manage the Customer's information assets?

Yes. Internal audits are conducted every two weeks.

22 Internal Audit Reviews were held in 2017.

23 Internal Audit Reviews are planned for 2018.

Do you have a formal security awareness program for staff?



The security policies and procedures are shared with all employees and are included in staff induction training. Formal staff awareness training is carried out twice a year.

What process is used to grant your staff access to your systems that would collect, process, or house Customer's data?

Do your staff and client users have a unique login ID?

Administration of production servers containing customer data is restricted to named individuals. Access is restricted to SSH (protocol 2 only) and locked to specific Maytech IP addresses. Authentication is two-factor: a public key plus a Time-based One-Time Password (TOTP).
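The controls in the answer above (protocol 2 only, named accounts, source-IP lock, public key plus TOTP) correspond to a handful of OpenSSH sshd_config directives, and it is worth checking that all of them are actually present rather than only the key. The following is an added example, not Maytech's configuration or tooling: a small Python audit that parses an sshd_config and reports which of those controls are missing, run against two constructed configs. The administrator names (alice, bob), the source addresses (203.0.113.x, a documentation range) and both sample configs are assumptions made for the demonstration.

```python
"""Audit an sshd_config for the administrative-access controls described above:
named accounts only, each locked to an approved source IP, protocol 2 only,
no password login, and public key plus TOTP (keyboard-interactive via PAM)
required together.

Added example, not Maytech's own configuration or tooling. The administrator
names, source addresses and both sample configs below are constructed."""
import re

ADMINS = {"alice", "bob"}                        # assumed named administrators
APPROVED_IPS = {"203.0.113.10", "203.0.113.11"}  # assumed office egress IPs (doc range)
REQUIRED_METHODS = {"publickey", "keyboard-interactive"}


def parse_sshd_config(text):
    """Return the global directives as {lowercased keyword: first value}.

    sshd keywords are case-insensitive and, for each keyword, the first value
    obtained wins, so later duplicates are ignored. Directives inside a Match
    block are conditional and are skipped by this deliberately simple parser.
    """
    opts = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            opts.setdefault(key, value)
    return opts


def audit_sshd_config(text, admins=ADMINS, approved_ips=APPROVED_IPS):
    """Return a list of findings; an empty list means every control is present."""
    o = parse_sshd_config(text)
    findings = []

    # Protocol 1 must not be offered (current OpenSSH has removed it; old builds have not).
    if "1" in o.get("protocol", "2").split(","):
        findings.append("Protocol 1 is enabled")

    # No password-only login path.
    if o.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")

    # Every permitted chain must require the key AND the TOTP prompt, not either one.
    chains = [set(c.split(",")) for c in o.get("authenticationmethods", "").split()]
    if not chains or not all(REQUIRED_METHODS <= c for c in chains):
        findings.append("AuthenticationMethods does not require publickey AND keyboard-interactive")

    # The TOTP prompt is delivered by a PAM module, so PAM and keyboard-interactive must be on.
    if o.get("usepam", "no") != "yes":
        findings.append("UsePAM is not 'yes', so a PAM TOTP module cannot run")
    kbd = o.get("kbdinteractiveauthentication",
                o.get("challengeresponseauthentication", "yes"))  # older keyword name
    if kbd != "yes":
        findings.append("Keyboard-interactive authentication is disabled")

    # Named individuals only, each pinned to an approved source address (user@host form).
    entries = o.get("allowusers", "").split()
    if not entries:
        findings.append("AllowUsers is not set: any account with a key can log in")
    for entry in entries:
        user, _, host = entry.partition("@")
        if user not in admins:
            findings.append(f"AllowUsers permits non-admin account {user!r}")
        if host not in approved_ips:
            findings.append(f"AllowUsers entry {entry!r} is not locked to an approved IP")
    return findings


# Constructed sample: key login works, but a password path and unrestricted accounts remain.
WEAK_CONFIG = """\
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
"""

# Constructed sample matching the controls in the answer above.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes   # TOTP prompt via PAM (e.g. pam_google_authenticator)
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
AllowUsers alice@203.0.113.10 bob@203.0.113.11
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

The AuthenticationMethods check is the one most often got wrong: `publickey,keyboard-interactive` (comma) requires both factors in sequence, whereas `publickey keyboard-interactive` (space) declares two alternative chains and accepts either factor alone, which the audit flags. The parser ignores Match blocks on purpose; a real deployment that grants exceptions inside a Match block would need the audit extended to evaluate them.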

Which controls would prevent staff or visitors from downloading our data onto a mobile device and leaving with it?

Where support staff need to access customer accounts in response to customer support tickets, temporary access is granted by support management using a one-time authentication token. That access is limited to filesystem navigation and does not include rights to read or download files.

Questions about employee workstations:

Are the hard drives fully encrypted?

Yes.

Is customer data ever downloaded to these computers?

No.

Are employees required to enable a firewall with company-managed rules? How do you enforce it?

Firewalls are enabled in restricted mode on each workstation in addition to the corporate firewall.

Are workstations centrally managed? What software/mechanism do you use to centrally manage them?

No.

Are Operating System updates managed centrally? Installed automatically?

Installed automatically.

Do you develop the application using the Customer information in-house or through a third party?

In-house.

Describe the development /enhancement methodology (high-level)

Development follows the Agile Development methodology and OWASP security principles.

Do you store credentials to internal systems in a secured fashion?

All access is authenticated with passphrase-protected SSH keys and 2FA.

Can each system only access to its own credentials or is the credential store open to all internal systems?

All systems require independent authentication.

Do you use separate keys and certificates in production vs other environments?

Yes, separate keys.

If a machine (who has access to customer data) of your internal system is hacked, how do you ensure the hacker cannot access customer data?

Onward access to customer data additionally requires a 2FA code generated by a hardware device (YubiKey), so control of the compromised machine alone is not sufficient.

What are your security controls for product development lifecycle, e.g. secure coding standards, change control, secure code scans, segregation of environment, etc.?

Peer code review is enforced: every pull request into the develop and master branches is reviewed before it is merged.


SonarQube security code scanning is enabled for the main repositories, and a Quality Gate is enforced for most of them.


Every software release or production configuration change is documented in a change request and goes through the Change Management process in JIRA.

What processes ensure the code does not include any malware?

This is integrated into the development and code review process as part of ISMS OP 35: Software Development Policies and Procedures.


Secure Coding

The development team follows the OWASP Secure Coding Practices and the OWASP Security by Design Principles. To ensure malware has not been introduced, we use a code quality scanner as recommended by OWASP.

Code Review

Every source code change goes through code review by another team member, who must review and approve the changes. The development team follows the OWASP Code Review Guide.

Does the solution provide staging, test & development environments?

Maytech can provide staging, test & development environments on request.

Are any third party or contract staff in the development area? If so are they vetted?

There are no third-party staff.

Do individuals (either permanent employees or working on a temporary basis) sign a confidentiality agreement on joining the organisation?

Yes.

What are your policies for any staff found to have breached the Information Security policies?

Appropriate disciplinary sanctions are applied, up to and including dismissal.

What are your policies regarding portable processing or storage equipment (copying and removal from office locations) that may contain Customer's information assets (laptops, USB storage devices, CD, DVD)?

All customer data is hosted in secure data centres and is not accessible from portable devices.