Describe Avantus' Information Security Procedures
INTRODUCTION
The Avantus Group recognises that Information Security is both an essential attribute of the product/service that we offer our clients and a continually developing aspect of our business. A strategic objective of Avantus is to maintain and develop its ISO27001 compliance to meet corporate and customer demands, with the aim of continually monitoring and improving our Information Security.
Avantus implements an Information Security Management System that is designed to be compliant with ISO27001. The ISMS is externally audited by an independent certification partner who regularly reviews it to ensure continuing improvement and ongoing compliance with the standard.
ROLES & RESPONSIBILITY
At Avantus, everyone has a responsibility for information security and our staff understand the importance of keeping themselves up-to-date when changes are announced & rolled out. All staff and contractors are required to read the Information Security company policy.
SCOPE & CONTEXT
Key metrics and targets include:
• Confidentiality: no repeat security breaches year-on-year.
• Availability: 99.5% uptime for all production systems and applications.
• Integrity: pre-approval of logical access for all new starters and timely revocation of logical access for all leavers.
Missed targets will be analysed & treated and ongoing risk will be assessed for possible changes of controls and update/modification of policies. Annual reviews include the assessment of opportunities for improvement and the need for changes to the ISMS, including the Information Security Policy and associated objectives.
OBJECTIVES
Information assets are protected from unauthorised access, use, alteration and loss.
Privileged access to restricted applications and networks shall only be granted to approved users.
The successful back-up of Information shall be reviewed and tested for recoverability on a regular basis.
The Disaster Recovery Plan shall be tested on an annual basis.
All IS incidents are reported to the Information Security Manager in a timely manner, in accordance with the IS Incident Procedure.
INCIDENT RESPONSE PROCEDURE
All staff have a responsibility for identifying and immediately reporting any weakness, vulnerability, event or breach of information security to the company’s Chief Information Security Officer [CISO] or his/her nominated representative. The CISO will take steps to engage the appropriate resources to ensure reporting, rectification and procedural improvements are undertaken in a timely manner.
All suspected security incidents will be entered into Avantus’ log and the CISO will assess the suspected incident to discover the root cause, to classify it according to predefined criteria, and to assess the impact and define the appropriate response. This will ensure that the appropriate action has been taken. Evidence acquired during incident investigation and impact analysis will be collected together and preserved to enable consequential activities, which might include prosecution.
Any breach of personal information may need to be reported to the Information Commissioner’s Office.
All staff are positively encouraged to report suspected incidents or ‘near misses’, where the benefit of hindsight suggests an incident was avoided. Using this information enables the company to strengthen its security system and avoid recurrence of incidents in the future.
MANAGEMENT REVIEW
The ISMS is reviewed at least annually to ensure its continuing suitability, adequacy and effectiveness. The review includes assessing opportunities for improvement and the need for changes to the ISMS, as well as monitoring trends in customer satisfaction, process performance and the conformity of products and services.
Frequently Asked Questions
What is your approach to data and record retention?
Personal data, and the length of time it is held on the system, is the responsibility of the platform owner. Mechanisms are in place to extract all data associated with an individual person, along with the ability to fully delete user data. A tenant-level setting allows the platform owner to define how long user data should be retained, after the account is closed, before permanent deletion. This setting is defined in months and is applied by a daily scheduled task that removes all data for user accounts that have been closed for longer than the defined period.
What processes are in place to ensure the return of all personal and sensitive data belonging to platform owners, and how would it be returned on termination of the agreement?
The platform owner system administrator will have access to all data at all times in order to extract personal and sensitive data in spreadsheet format. Once data is destroyed Avantus can certify in writing that this has been done.
Do you have processes to ensure personal data is adequate, relevant and not excessive?
The scope of, and the risk associated with, data held on a MyWorkPal platform are the responsibility of the platform owner.
What type of personal data will the system be processing?
The scope and extent of personally identifiable data held and managed on the platform is controlled by, and the responsibility of, the platform owner / licensee of MyWorkPal. User accounts require, at the very minimum, a valid and distinct email address for each user; all other details such as name, date of birth, address, national insurance number, employment and job details can be stored and used on the system, but the scope of data managed is determined by the platform owner.
Personal and employment data fields can be extended beyond the standard fields supported by MyWorkPal via metadata; again, this is the responsibility of the platform owner. Whilst the email address is the minimum requirement, any further mandatory fields are governed and determined by the platform owner.
Who will be processing the data?
The platform owner and/or the tenant owner is responsible for processing data. Avantus Systems can advise on correct and efficient methods of processing data but are not responsible for the data.
Do you have procedures for data production in the event data is needed for litigation purposes or for subject access requests?
All personal data can be extracted from MyWorkPal via the report builder system. Platform owners have full control of, and access to, the data, and can extract data in bulk or at individual user level for SAR purposes.
Does MyWorkPal process or hold Protected Health Information (PHI or ePHI)?
The scope of data held on the MyWorkPal platform, including PHI, is the responsibility of the platform owner as they are the data controller / data processor.
Do you have a privacy policy?
Avantus has a privacy policy which has been approved and audited as part of our ISO27001 certification. The policy is reviewed annually and externally audited.
Do you have a Data Protection Policy?
Avantus has a data protection policy which has been approved and audited as part of our ISO27001 certification. The policy is reviewed annually and externally audited.
Do you have a policy or procedure restricting access to personal or sensitive data to only those employees who need access in order to perform services under the relevant services agreement?
The technical measures taken to restrict access to electronic systems are governed by the concept of segregation of duty as defined in our ISO 27001 Statement of Applicability, control 6.1.2. Avantus has implemented a clear division of roles and responsibilities in order to provide an adequate segregation of duties. The primary mechanisms used to enforce segregation of duties are the physical and logical access controls in place to control access to the data and assets.
All employees who have access to personal or sensitive data are bound by the privacy and data protection policies as set out in their contract of employment.
What controls are in place to ensure that only those users who need access to personal data in order to perform agreed obligations will have access to it?
The platform owner has full control over which admin users have access to personal and sensitive data. An extensive role / permission model is in place to define which admins have access to which tenants and the scope of the permissions they hold.
Avantus support individuals have access to the system and database to provide ongoing support and platform updates.
What controls are in place to train employees in data protection laws and to ensure they are aware of both the confidential nature of the data and their obligations?
Our Data Protection policy ensures adherence to the requirements of the Data Protection Act, with staff undergoing annual assessment and training to remain current.
Do you have documented data retention and destruction policies and/or procedures?
Avantus has documented data retention and destruction policies in place which have been audited as part of our ISO 27001 certification. Compliance with these policies is set out by the Chief Information Security Officer and is the responsibility of directors within the business.
Data retention within the MyWorkPal platform is managed by and the responsibility of the platform owner. Mechanisms are in place to delete personal data immediately or after a scheduled period of time if required.
Will any third party service providers process personal or sensitive data?
Third party service providers such as discount schemes, health club membership, salary sacrifice car schemes or savings schemes can be connected to users via SAML2 Single Sign On (SSO), passing user data to the provider. The configuration of SSO and scope of data passed to the provider is the responsibility of the platform owner. It is also the responsibility of the platform owner to complete its own due diligence on the third party provider and satisfy themselves of compliance and suitability.
Data could also be passed to a third party provider via automatic data transfer to a secure external location. Protocols supported by the system are SFTP, Google Drive and Dropbox. Configuration of this data transfer is managed by, and the responsibility of, the platform owner. Avantus does not provide a separate secure location for this use.
Does the application contain any accounts that are shared among multiple users?
All user accounts in MyWorkPal are intended to be allocated to single users. Each account is associated with an email address which cannot be duplicated within a tenant. Concurrent authenticated sessions are disabled on each tenant: a user logging in to an account from a different location automatically logs the other session out.
How is data loss prevention managed such that it may protect data in motion, at rest and in use, and prevent it from being leaked inappropriately?
Data on the MyWorkPal system does not leave the system without express action by an authenticated user. All traffic to and from the application runs over HTTPS, and any bulk data extraction is limited to administrators with the appropriate privileges. Data is not sent by the system via email unless configured to do so by the platform owner.
Does the system audit activity of users and administrators?
Activities of administrator or tenant users of the application can be identified and made auditable in system logs.
All system and user activity is saved to a system event log and made available to view where appropriate.
System event logs are made available to platform administrators with the appropriate permissions. Event logs are read only and cannot be modified or deleted by any user.
This is a list of specific items which are currently being audited with additional information (all other items have some level of auditing history):
- User account
- Addresses
- Contact numbers
- Employee details (basic)
- Personal details
- Beneficiaries and nominations
- Dependants
- Emergency contacts
- Meta data
Will any personal or sensitive data be transferred outside the country?
Data is not transferred outside of the UK unless explicitly configured to do so by the platform owner. Mechanisms are in place to support data transfer within the platform, allowing access to administrators anywhere in the world, along with options to transfer data via SFTP, Google Drive or Dropbox to external locations. These mechanisms are configured by, and entirely the responsibility of, the platform owner. In some cases email traffic is routed through a US hosted mail service - see details below.
How is customer data segregated?
MyWorkPal is provided as a multi-tenanted application on a single platform database. Each platform hosts its own database providing physical separation between platform owners.
Data segregation is enforced through logical segregation by tenant in the database for all user records. In the tenant view, the host header restricts access to the users and data belonging to that tenant. Company and system administration level access is tightly controlled through a separate admin portal.
Company level tenants are segregated and accessed through individual host header domain names. A top level domain name (e.g. website.com) is assigned to the platform and distributed to each tenant company through subdomains (e.g. companyname.website.com). Traffic to the website across all tenants is forced to run over an SSL secure connection.
When the tenant is created by a system administrator, the URL for the tenant is assigned a unique identity (and uses the wildcard SSL certificate for HTTPS). This identity is used to query only data belonging to its own tenant. A user within a tenant cannot access data from other tenants. This process is rigorously tested in our regular pen tests.
Host (A) records for each of the tenants must point to the single IP address of the website. The wildcard record delivers all subdomain names to that IP address, so any valid domain address reaches the website. For example, the broker-proposition.com platform hosts tenant sites for Company 1, Company 2 and Company 3. These are all stored on a single broker-proposition database and provided to the clients via third-level domain names: https://company1.broker-proposition.com, https://company2.broker-proposition.com and https://company3.broker-proposition.com. MyWorkPal manages which tenant domains are valid addresses, returning an error message when visitors attempt to access domains that are not set up.
A single application is configured on the IIS web server to manage traffic to the site. A wildcard SSL certificate is associated with this application. A non-secure port 80 binding is included in the application, and the website configuration file automatically redirects it to https. This is recommended to capture users who do not specify https in the address bar of their browser.
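The host-header resolution described above, as an added illustration in Python (not MyWorkPal's or Avantus's code): because the wildcard DNS record delivers any subdomain to the site, the application itself must check the name against its tenant registry, reject names that are not set up, redirect plain http to https, and scope every query to the resolved tenant. The tenant table and user rows are constructed sample data.

```python
"""Host-header tenant resolution for a wildcard-domain multi-tenant site (added example)."""
from dataclasses import dataclass
from typing import Optional

PLATFORM_DOMAIN = "broker-proposition.com"  # platform's top-level name, from the page's example

# Constructed tenant registry: subdomain -> tenant id. Only names listed here are set up.
TENANTS = {"company1": 1, "company2": 2, "company3": 3}

# Constructed user rows: (user_id, tenant_id, email)
USERS = [(10, 1, "a@company1.example"), (11, 2, "b@company2.example"), (12, 1, "c@company1.example")]


@dataclass(frozen=True)
class Request:
    host: str    # raw Host header as received
    scheme: str  # "http" or "https"


def resolve_tenant(host_header: str) -> Optional[int]:
    """Map the Host header to a tenant id, or None if the name is not set up.

    DNS accepts every subdomain, so validity is decided here, not by DNS.
    """
    host = host_header.strip().lower().split(":", 1)[0]  # drop any port, normalise case
    suffix = "." + PLATFORM_DOMAIN
    if not host.endswith(suffix):
        return None  # not a name under the platform domain at all
    sub = host[: -len(suffix)]
    if not sub or "." in sub:
        return None  # bare platform domain, or a deeper label such as x.company1.<domain>
    return TENANTS.get(sub)  # unknown subdomain -> None


def handle(req: Request) -> tuple:
    """Return (status, body): 301 to https, 404 for an unknown tenant, else tenant-scoped rows."""
    if req.scheme != "https":
        return 301, "https://" + req.host.split(":", 1)[0] + "/"  # port-80 traffic is redirected
    tenant_id = resolve_tenant(req.host)
    if tenant_id is None:
        return 404, "tenant not set up"
    # Every query is scoped to the tenant resolved from the host; the caller never supplies it.
    return 200, [u for u in USERS if u[1] == tenant_id]
```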
If a client does not wish to be on a multi-tenanted platform, it will require its own dedicated instance. This will still reside within Avantus’s account on Microsoft Azure Cloud, but with its own database and server. The hosting cost would be based on your requirements, in addition to the usual licence fees. Note: it will require twice the effort in terms of support from both Avantus and you, as duplication will be needed in many areas, negating the benefits of multi-tenancy.
Do Avantus Systems staff have access to user data within MyWorkPal platforms?
Nominated individuals within Avantus have System Admin access to client platforms for essential support purposes, on a least-privilege access approach. Avantus admin users are clearly marked on the system and agreed with the platform owner. Admin users are deleted immediately should they leave Avantus. Access to the SQL database catalogue is limited to senior level developers and the deployment / testing manager.
User Access Control policies are defined in our ISMS and audited as part of our ISO 27001 certification.