The following information relates to the operational environment of client systems and the application they are hosted on.
These are hosted exclusively in the UK on a private cloud system operated by and in the premises of Rackspace Ltd.
Rackspace support operations are certified to ISO 9001:2008, demonstrating their commitment to the end-to-end delivery of customer service. Their certificate number is FS 636167.
They are certified in the UK to the international information security standard ISO 27001:2013, which also provides a basis for managing other controls such as PCI-DSS. This certification is subject to on-going external assessment by BSI, with a full re-assessment every three years. The certificate number is IS636168.
The Rackspace data centres are PCI-DSS compliant and have SSAE16 Type II, SOC 1, SOC 2 and SOC 3 audits on file. Policies are enforced to prevent unauthorised physical access, damage or interference in their premises.
Rackspace's UK data centre and offices are certified to the international environmental management standard ISO 14001, which provides a framework for managing environmental responsibilities, including energy and waste management. This is subject to on-going external assessment by BSI (British Standards Institution), and the current ISO 14001 certificate number is EMS 581182.
There is a corporate commitment to security as detailed below:
Boundary Firewalls and Internet Gateways
The firewalls are managed by Rackspace and provide the highest level of security, having earned ICSA Firewall and IPsec certification and Common Criteria EAL4 status. Any action taken by IndiCater to modify the firewall rules is vetted against agreed limitations and is filtered by a Rackspace application which authenticates the individual, documents the actions and creates an audit trail.
All services are blocked by default, and only corporately approved ports are opened.
Although the delegated parts of the firewall can be accessed by authorised, nominated individuals over an encrypted SSL link via the Rackspace portal, the core firewall configuration is not accessible over the Internet.
Secure Configuration
Physical access to the hosted servers and firewalls is not available to IndiCater staff.
All staff PCs and laptops are equipped with up to date firewall software and anti-malware software.
Access Control
Client users are not given user IDs and passwords for the servers deployed in Rackspace running the IndiCater application. All such user access is controlled by and within the IndiCater application, and this is managed by the Client.
All IndiCater staff have personal logins. There are very few such logins, and the complete set is reviewed each time a team member joins or leaves. Users are forced to reset their passwords on initial login, and the passwords must meet the complexity rules.
Malware Protection
Rackspace operates a fully managed anti-virus solution offering proactive, sustained protection against viruses, worms, trojans, spyware and other malware for our servers. This features Behavioural Genotype Protection (from Sophos), a technology that is able to detect malicious behaviour even before the usual specific signature-based detection has been built and distributed. Malicious code is deleted before it executes or reaches endpoint computers on the network.
Browsers are not used on the Rackspace servers.
All staff PCs and laptops are equipped with firewall software and anti-malware software.
Patch Management
All Windows patches for servers within Rackspace are released by Microsoft to the public on the second Tuesday of every month. Rackspace tests these patches against their own server builds before including them in updates to our production servers. The patches are then deployed three weeks after Microsoft releases them.
IndiCater can also manually install updates ahead of this schedule, as our servers are configured to check daily for updates, but this is not normally done.
GDPR
Please refer to the separate GDPR Company Statement.
Mike Day
Managing Director