In order to ensure that the platform was built and maintained with security in mind, we chose to follow, and be certified against, the global standards for information security: ISO 27001 and ISO 27018. Whilst most clients understand the rigour needed to meet these standards, we are always willing to provide the documented policies and procedures which underpin our security programme.
We also made an early decision to outsource the management of the physical servers to a partner who specialises in high quality and availability. We selected Amazon Web Services because they offered:
- a Tier 1 hosting facility which has completed an examination in conformity with the SSAE 16 Type II Service Organization Controls standard
- physical security, including access control and environmental security
- data centres in the locations which best suit our clients, specifically in the United States, Europe (Ireland), Hong Kong and China
- basic server management, such as anti-virus and backup support
On top of the basic services that Amazon Web Services offer, we add:
- firewall protection, which reduces the available network access to the minimum necessary to run the applications
- hardened servers, where all unnecessary software is removed or configured securely
- intrusion detection as a service, where dedicated personnel review all threats in real time and provide alerts and guidance when issues arise
- a web application firewall, stopping malicious attacks such as SQL injection and cross-site scripting
- full disk encryption, to ensure that if the servers are compromised the data on them is not found in a usable format
- encrypted remote-site backup, to ensure that the service can be rebuilt in an alternate site and that no more than 24 hours' worth of data is lost in a complete site disaster-recovery situation
Our application development team then further enhances security by including:
- secure web transport (https) by default
- password encryption in the database and in flight
- daily site scanning using the McAfee Secure service, to protect against recent threats
- application penetration testing by third-party providers, to assess weaknesses in the system before every release
In addition to self-certification, The Red Flag Group has received third-party verification of our privacy practices through TRUSTe, a leading Internet privacy services provider (http://www.truste.com). The TRUSTe badge on our website lends extra assurance that The Red Flag Group takes privacy issues seriously. It also provides our customers with an unbiased mediator if there is a complaint regarding our privacy practices.