Information Security

In a world where data is one of your most valuable assets in the business, BigChange is committed to operating, continually improving and implementing appropriate information security management systems, policies, processes and controls to maintain the confidentiality, integrity and availability of your data.

Our commitment

The primary objective is to ensure that BigChange fulfils all its information security obligations to customers and other interested parties.

Our information security management system provides the framework for identifying opportunities and controlling risks to information security through setting objectives, the implementation of operational controls and continuous improvement, thus maximising our potential to fulfil all information security obligations to customers and other external parties, such as suppliers and business partners.

It provides all interested parties and customers with the confidence that their information and information processing facilities shall be kept appropriately secure whilst under the control of BigChange.

We recognise that our business relationships require ongoing commitment to achieving business excellence at every level of BigChange and its supply chains.

Richard Warley, CEO

Our certifications

ISO 9001 - Quality Management System
ISO 27001 - Information Security Management
BigChange believes security is much more than just process, we embed security into our culture, in all areas of the business. This allows us to comfortably serve your needs whilst growing and developing the business.

Through our continuous investment in this area we currently hold the key industry standards listed above, whilst also aligning to ISO 22301 Business Continuity Management and ISO/IEC 27701 Privacy Information Management.

Our people

We believe the key to every successful business is its people.
We are meticulous about who joins us on our journey at BigChange. All staff are externally vetted before having access to systems, and more importantly your data.

Our checks include:
  • Right to work
  • Address history
  • Employment history
  • Character reference
  • Basic criminal record check
  • Personal credit check

Our processes

Our objective is to transform your internal processes; therefore we believe in leading the way with our own.
  • All employees, contractors and suppliers are managed through our certified ISO 9001 Quality Management systems.
  • We protect business continuity through aligning and testing ourselves against ISO 22301.

Our systems

BigChange is an innovative technology business, where the security, resilience and scalability of our systems is a top priority.
  • This is ensured through our rigorous alignment and certification to ISO/IEC 27001 and continuous alignment to platform and provider standards.

Our cloud provider

As BigChange leads the way in Mobile Workforce Management, it was essential that we partner with the leader in cloud platforms.

AWS

AWS allows BigChange to offer worldwide coverage on a platform that meets the standards not only of the most advanced start-ups but also of the most secure financial services and public sector organisations.

Datacentre Physical Controls

BigChange benefits from AWS’ investment in a comprehensive compliance programme.

Cloud Security Services

BigChange benefits from a vast array of industry leading cloud security services provided by AWS.

Our architecture

High level

Our cloud architecture provides a multi-region (geography), multi-datacentre solution that leverages automation and “designing for failure” from inception.
Data and processing are replicated across multiple datacentres, synchronously and asynchronously, to balance performance and resilience.

By default, production is operated Active/Active over multiple datacentres in a single region (country), with a secure data archive in a second region.
  • Multiple datacentres
  • Synchronous data replication
  • Auto-scaling of processing (designed to mitigate component failures)
  • Multiple regions (countries) for secure data archive

Security controls

Our security controls include but are not limited to:

Encryption

  • Client connectivity
    restricted to a minimum of TLS v1.2
  • Data-at-Rest
    all object and block storage is encrypted
  • Data-in-Transit
    all external and internal connectivity within the environment is encrypted using a minimum of TLS v1.2

Networks

  • Perimeter Network
    all servers reside on private networks, with all internet ingress traversing Layer 4 or Layer 7 Application Load Balancers
  • Internal Network
    all servers are assigned to a security group (enforced outside the host), moving network security to the host level rather than the subnet level (e.g. only the load balancers can connect to the web servers, and only on a specific port)
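The host-level rule described above, as an added check that is not BigChange's own code: it audits a constructed security-group rule set (shaped like EC2 DescribeSecurityGroups output; the group IDs and port are assumptions) and flags any web-tier ingress that does not originate from the load balancer's security group.

```python
"""Audit a web-tier security group for the pattern "only the load balancer
can reach the web servers, and only on a specific port".

All identifiers and the sample rule set below are constructed for
illustration; they are not BigChange values."""

LB_SG = "sg-lb-example"    # assumed: load balancer security group
WEB_SG = "sg-web-example"  # assumed: web tier security group
APP_PORT = 443             # assumed: the one port the LB may reach

# Constructed sample ingress rules for WEB_SG, in the shape of the
# "IpPermissions" list returned by EC2 DescribeSecurityGroups.
WEB_SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "UserIdGroupPairs": [{"GroupId": LB_SG}], "IpRanges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def port_in_rule(rule, port):
    """True if the rule covers `port`; protocol "-1" means all traffic."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def audit_web_ingress(rules, allowed_source_sg, port):
    """Return findings; an empty list means the rule set matches the
    host-level model: only `allowed_source_sg` may reach `port`, and no
    CIDR-based ingress exists on any port."""
    findings = []
    for rule in rules:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        groups = [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
        if port_in_rule(rule, port):
            findings += [f"port {port} open to CIDR {c}" for c in cidrs]
            findings += [f"port {port} open to unexpected group {g}"
                         for g in groups if g != allowed_source_sg]
        else:
            # Any CIDR-reachable port is subnet-style exposure the model forbids.
            span = f"{rule.get('FromPort')}-{rule.get('ToPort')}"
            findings += [f"ports {span} open to CIDR {c}" for c in cidrs]
    return findings


if __name__ == "__main__":
    for finding in audit_web_ingress(WEB_SG_INGRESS, LB_SG, APP_PORT):
        print(f"{WEB_SG}: {finding}")
```

The constructed rule set deliberately contains a stray SSH rule open to the internet so that the audit has something to report.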

Authentication

  • Multi-Factor Authentication Option
    set up by default for all new customers (and mandatory for BigChange internal users)
  • IP Restriction
    BigChange customers’ administrators manage user access profiles, restricting functionality and data groups, setting authorisation limits and (if required) limiting access by IP address

Further controls

  • Segregation
    each customer’s data is logically partitioned
  • Continuity
    a comprehensive data backup regime is in place, including full, incremental and continuous backups stored within the AWS environment across multiple regions
  • Regular Penetration Tests
    conducted by independently accredited third-party testers
  • Continuous Vulnerability Scanning
    using class-leading software to detect and report vulnerabilities
  • 24/7 SOC across the full environment

Our app security

Our security controls include but are not limited to:
  • ISO 27001 Information Security Management
    includes a risk-based approach to the management of all data processing, including BigChange mobile apps
  • Developers are screened on recruitment before access is given to our secure DevOps configuration management systems
  • Apps are developed in compliance with the BigChange Secure Development Policy; non-functional risks to data confidentiality, integrity and availability are addressed, and mitigations are specified and tested in each release
  • Data communication with the app is encrypted using current security protocols
  • BigChange tablets are managed and secured using mobile device management software to maintain security settings, prevent inappropriate software installations and provide remote wiping of the device if it is stolen, lost or compromised
  • BigChange uses a specialist third-party security testing company to perform security penetration tests; the results are evaluated and actioned, with security improvements included in maintenance releases several times per year
  • PIN codes protect the app.

Our privacy

BigChange understands the challenges of ensuring UK and EU Data Protection and GDPR compliance; therefore we ensure our customers benefit from the following:
  • The BigChange leadership team is committed to personal information management aligned to ISO 27701
  • Responsibilities for personal information management are defined for all employees
  • All employees are regularly briefed on personal information management
  • A data protection officer is appointed
  • Personal information is inventoried, and its flows, risks and basis of processing are identified
  • Regular privacy impact assessments and risk management
  • Privacy by design
  • Data subject request processes are implemented
  • Processes are audited and improved
  • Information security certified to ISO 27001