The following is a summary of the security measures in place to protect any personal data processed by Konfir.
Operational Security Measures
To monitor the security of the relevant systems and detect threats to them and, in the event a vulnerability is detected, to manage remediation and provide a way to recover such data in the short and long term.
Monitoring
- Real-time monitoring of local networks
- Monitoring of hardware and software configurations
- Integrity monitoring of stored data
- Monitoring all access and use of the data
Vulnerability detection
- Ability to detect anomalies in access / downloads
- Identifying risks to data servers or the data itself
- Logging all activity to identify potential vulnerabilities
Data Recovery
- Backup procedures
- Management of backups
Updates and patches
- Regular system updates and version updates to remedy any bugs
- Provision for short term and long term "fixes"
Technical Security Measures
To use electronic and technological systems to protect the data from unauthorised access, disclosure, transmission or loss.
Network, device and software security
- Authentication measures for access to all networks and devices, including where appropriate two factor authentication
- Use of encryption or other suitable measures for access to the application
- Password policy including automatic blocking of access (e.g. through a timeout)
Access controls and privileges
- Differentiated access rights including role based access restrictions and ability to edit, download or copy
- Access always on a "need-to-know" basis
- Regular review of the access controls in place
- Approval process for access rights and process for removing access
Data transmission and storage
- Appropriate level of encryption for data in storage and in transit
- No passwords to be stored or transmitted in plain text
- Prohibition of use of unprotected or non-encrypted storage or file sharing solutions
- Data to be segregated for different processing purposes
- Data classification controls
Back-ups
- Regular back-ups shall be automatically maintained
- All back-up data to be encrypted
Organisational Security Measures
To ensure our company's policies and processes are sufficient to protect the data and that the individuals within our organisation protect such data in accordance with those policies.
Policies and Procedures
- Implementation of policies and procedures to protect and maintain the security of our systems and the data within our systems
Management responsibility and accountability
- Senior management oversight of information security standards
Compliance records
- Management of records pertaining to the information security standards applied and implemented
- Regular reviews of the information security standards and the organisation's compliance against such standards
Information Security Standards
- To build and operate in line with standards set by accredited professional bodies and accepted as industry standard, such as ISO 27001
Employee education and training
- All staff and personnel to be bound by a duty of confidentiality
- Disciplinary processes for breaches of the information security policies and procedures in place
- Role-based access controls and use of information barriers where appropriate
- All staff and personnel to be trained on the appropriate security policies, data protection and on the company security standards
- A designated data privacy contact
Supply chain management
- Appropriate due diligence with respect to suppliers
- Contractual arrangements which provide appropriate security controls and measures
Penetration testing
- Regular performance of penetration tests on the application
Physical Security Measures
To protect against unauthorised access to premises, facilities, equipment and systems where data is processed or used.
Access controls
- Use of access control systems such as card/ID readers
- Use of surveillance facilities such as CCTV and alarm systems
- Visitor protocol and process for entry to the premises including a visitor log
Physical information storage
- Use of lockable cabinets and doors
- Maintenance of an inventory for IT equipment and supplies
Waste disposal
- Confidential waste disposal procedures
- Policies around printing, copying and removing information from the premises