Information Security
Our commitment
The primary objective is to ensure that BigChange fulfils all its information security obligations to customers and other interested parties.
Our information security management system provides the framework for identifying opportunities and controlling risks to information security through setting objectives, the implementation of operationa controls and continuous improvement, thus maximising our potential to fulfil all information security obligations to customers and other external parties, such as suppliers and business partners.
It provides all interested parties and customers with the confidence that their information and information processing facilities shall be kept appropriately secure whilst under the control of BigChange.
We recognise that our business relationships require ongoing commitment to achieving business excellence at every level of BigChange and its supply chains.
Richard Warley, CEO
Our certifications
ISO 27001 - Information Security Management
Through our continuous investment in this area we currently hold the following key industry standards, whilst also aligning to ISO 22301 Business Continuity Management & ISO/IEC27701 Privacy Information Management.
Our people
Our checks include:
- Right to work
- Address history
- Employment history
- Character reference
- Basic criminal record check
- Personal credit check
Our processes
- All employees, contractors and suppliers are managed through our certified ISO 9001 Quality Management systems.
- We protect business continuity through aligning and testing ourselves against ISO 22301.
Our systems
- This is ensured through our obsessive alignment and certification to ISO/IEC 27001 and continuous alignment to platform/provider standards
Our cloud provider
Our architecture
High level
By default production is operated Active/Active over multiple datacentres in asingle region country, with secure data archive in a second region
- Multiple datacenters
- Synchronous data replication
- Auto-scaling of processing (designed to mitigate component failures)
- Multiple regions (countries) for secure data archive
Security controls
Encryption
- Client connectivity
restricted to minimum TLS v1.2 - Data-at-Rest
all object and block storage is encrypted - Data-in-Transit
all external and internal connectivity within the environment is encrypted via minimum TLS v1.2
Networks
- Perimeter Network
all servers reside on private networks, with any internet ingress being traversed via Layer 4 or 7 Application Load Balancers
- Internal Network
all servers are assigned to a security group (controlled outside the host), therefore moving network security to a host level rather than at a subnet level. (e.g. Only the load balancers can connect to the web servers on a specific port etc.)
Authentication
- Multi-Factor Authentication Option
set up by default for all new customers (& mandatory for BigChange internal users)
- IP Restriction
BigChange customers’ administrators manage user access profiles restricting functionality & data groups, setting authorisation limits and (if required) limiting IP
Further controls
- Segregation
each customers’ data is logically
partitioned - Continuity
a comprehensive data backup regime is in place which includes full, incremental and continuous backups stored within the AWS environment and stored across multiple regions - Regular Penetration tests
conducted by independently accredited 3rd party testers - Continuous Vulnerability Scanning
using class leading software to detect and inform of vulnerabilities - 24/7 SOC across the full environment
Our app security
- ISO 27001 Information Security
Management includes a risk-based approach to the management of all data processing including BigChange mobile apps - Developers are screened on recruitment before access is given to our secure DevOps configuration management systems
- Apps are developed in compliance with the BigChange Secure Development Policy and non-functional risks to data confidentiality, integrity, availability are addressed, and mitigations specified and tested in each release
- Data communication with the app are encrypted using current security protocols
- BigChange tablets are managed and secured using mobile device management software to maintain security settings, avoid inappropriate software installations and provide a remote wiping capability of the device if stolen, lost or compromised
- BigChange uses a specialist thirdparty security testing company to perform security penetration tests; the results are evaluated and actioned with security improvement included in maintenance releases several times per year
- PIN codes protect the app.
Our privacy
- The BigChange leadership team is committed to personal information management aligned to ISO 27701
- Responsibilities for personal information management are defined for all employees.
- All employees are regularly briefed on personal information management
- A data protection officer is appointed
- Personal information is inventoried, flows, risk & the basis of processing are identified
- Regular privacy impact assessments & risk management
- Privacy by design
- Data subject request processes are implemented
- Processes are audited and improved
- Information security certified to ISO 27001