This page outlines the information security policies that are followed within Essentia Analytics and the processes in place to ensure the confidentiality, integrity and availability of data. All Essentia client data is classified as “highly confidential.” Essentia is compliant with EU GDPR and UK GDPR. The following sections provide an overview of our information security controls at Essentia.
TRAINING AND AWARENESS PROGRAMS
All Essentia employees undertake mandatory information security training as part of the new joiner onboarding process. Additional role-specific information security training is also provided. Further, a periodic training across the entire company is undertaken on a yearly basis.
ACCESS CONTROL
Essentia employee access is provided to new starters based on their requirements and must be authorized by their manager before being allocated. The principles of least privilege and need-to-know are strictly adhered to. Access changes are raised via our internal system, and periodic reviews prevent access creep. Access is removed before an employee leaves the business. Authentication is managed via Auth0, for which accounts must have MFA and passwords at least 20 characters long.
PRIVILEGED ACCESS CONTROL/ROLE BASED ACCESS
Administrative access to production applications, databases and operating systems is restricted to personnel who need such access for operational purposes. Each application has distinct role-based access that is configured to perform explicit functions. Each developer accesses the database using their individual ID, thereby inheriting the privileges defined as part of the Identity and Access Management policy. User access is reviewed periodically.
DATA SEGREGATION AND TRANSFER CONTROL
All client data are stored with physical segregation so that there is no possibility of data crossing or sharing between repositories. Access to the data is limited using secure internet protocols (VPN, SFTP, HTTPS) which will provide access to the cloud environment where the data is stored. Any transfer of data requires a valid business justification along with the approval of the DPO (Data Protection Officer). Data retention and disposal policies are in place to manage the integrity and hygiene of data.
ENCRYPTION
Client data is classified as “highly confidential” and is encrypted both “in transit” and at “rest.” We enforce volume-level encryption throughout and where applicable we include object-level encryption. All encryption uses either 128 Bits or standard AES256 encryption.
SECURE DEVELOPMENT PRINCIPLES
Essentia has a change management process in place which includes reviews by senior technical staff and the relevant product owner. We have a promotion process between environments that has QA and review gates. We use a work package tracking tool to understand the pipeline of changes and the completed packages for a history of production system change. These are supported by our own internal documentation and client-visible online help. We can also track changes to our codebase using our own private GitHub repositories — these repositories are copied to an offsite repository securing all our application code.
DATA BACKUP AND RESILIENCY
We leverage cloud-based applications like Google’s G-Suite and Amazon’s AWS, which are both industry frontrunners in cloud technology. All backup processes are encrypted using the standards mentioned in the section above and the coverage is “in transit” and at “rest.”
INFORMATION ASSET DISPOSAL POLICY
Client data that are stored in the cloud environment follow international standards of secure data destruction (HMG IS5). No confidential data are destroyed “in house” — only public information.
INTERNAL AND EXTERNAL AUDIT
As an ISO 27001 and SOC 2 certified firm, we conduct regular internal audits with defined scopes. We conduct annual penetration testing to assess and improve our infrastructure, as well as to iterate our incident response plan.
BUSINESS CONTINUITY
We have defined and tested incident response, disaster recovery and business continuity plans. Scenarios are based on risks from the ISMS risk register in order to address the most likely scenarios, and we perform testing annually. Test results form a feedback loop for continual improvement in these processes.
PHYSICAL ENTRY CONTROL
While on Essentia Analytics premises, all visitors are required to sign in and then be accompanied by an Essentia staff member at all times. All Essentia staff have individual access cards that are used to gain entrance to the office. Access logs are available and maintained for a rolling period of three months.
No physical access to the DC is available, as it is managed by the cloud provider. More detailed information about our provider access controls can be found here.
For further information, please contact Jimmy Ward, Essentia Security Officer: [email protected]