TABLE OF CONTENTS

• Introduction
• Certification
  • Data Protection Register
  • ISO Certification
  • Cyber Essentials
  • Data Security & Protection Tool Kit Assessment
• UK GDPR
  • Statement of Compliance
• System Details
  • Software
  • Hardware
  • Data
  • System Design
• System Security
  • Countermeasures
  • Information Sharing 
• System Access
  • Password Management
  • Access Profiles
  • Leavers/Inactive Users
  • Timeout
  • Access Logs
• Operational Processes
  • Data Storage
  • Data Processing
  • Data Quality
  • Data Backup
  • Audit Arrangements
  • Change Control
  • Security Incident Reporting
  • System Risks
• System Protection
  • Business Continuity
  • Disaster Recovery
  • Penetration Testing
• Staffing
  • Confidentiality
  • Training
  • Recruitment Screening
• Data Centre
  • Location
  • Network/Servers
  • Security
    • Physical
    • Technical
    • Access Controls
  • Encryption
  • Encryption Keys

Introduction

As a software company delivering hosted services, Giltbyte fully acknowledges its responsibilities as custodian of customer data.  As you would expect of an ISO 27001 certified company, we have robust information security policies and procedures to safeguard the data we hold.  The physical and technical measures employed are designed to provide our customers with peace of mind.

This document is intended to answer the information governance questions that we have been asked, thereby giving you the assurance that all reasonable measures are taken to protect your data and our practices ensure business continuity.

Certification

Data Protection Register

We are registered on the data protection register; our registration number is Z2585430. 

ISO Certification

Our Quality Management System has been certified as meeting the ISO 9001 standard.  Likewise, our Information Security Management System has attained the ISO 27001 accreditation.

Cyber Essentials

We comply with the requirements of the Cyber Essentials Scheme

Data Security & Protection Tool Kit Assessment

UK GDPR

Statement of Compliance

Giltbyte Limited complies with the provisions of the UK GDPR both in our capacity of Data Controller of our customers’ personal data and as Data Processor for customers of our EASY System.

• All customer data is stored within UK data centres that are ISO27001 compliant, with data on our production servers encrypted at rest
• All our sub processors to whom we transfer, and who store, personal data are UK GDPR compliant.  
• We have in place a Data Protection Officer, a Breach Notification Process and policies for Right to Erasure & Data Portability
• All our staff are subject to our Confidentiality Policy enforced in their employment contracts

System Details

Software

The EASY software programs are web based applications accessed by W3C standard compliant web browsers, such as Microsoft Edge, Google Chrome, Mozilla Firefox, Opera or Safari.  

Hardware

The EASY system is underpinned by the cloud computing resources of Amazon Web Services (AWS).  This is based on virtual server architecture, configured and managed by Giltbyte as part of our Hosted Service.

Data

The following categories of data may be stored in the EASY database according to the applications licenced to the User Organisation:

• Employee Personal Details, including: 
  • person identifiable
  • sensitive data (EASY eForms Only)
• Employment Details
• Absence Details (EASY Time & Attendance Only)
• Vehicle Details
• Expense Claim Details
• Pay and Deduction Details (EASY Payslip Only)

System Design

The following is high level diagram showing the data flows in and out of the system.

System Security

Countermeasures

The EASY Software Services are delivered via a secure cloud services platform. Physical access to the data centre is strictly controlled both at the perimeter and at building entry points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. 

Authorised staff must pass two-factor authentication a minimum of two times to access data centre floors.  Network administrators can only access the server from an authorised IP address via the SSH protocol.

Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network.

Users connect to the EASY Software Services with a W3C standards compliant web browser via HTTPS using TLS version 1.2 or version 1.3 with the sha256 hash algorithm.  User access is controlled through the use of a username and password from an authorised IP address.

Information Sharing 

Information is exchanged between ESR and EASY using the ESR standard outbound and inbound interface files. The files are securely transferred between the two system using the SSH File Transfer Protocol (SFTP).

System Access

Password Management

The password management of the system is controlled by the User Organisation’s System Administrator who can apply the following configuration settings:

• minimum password length
• inclusion of:
  • mixed case alphabetic
  • numeric
  • special characters
• expiry period (in days)
• password reuse

The system can also be set for how many attempts at entering a password a user may have before their account is locked.

Users are required to change password when they first log into the system, and set their own password that meets the 

password policy settings specified in the system.

Users are also required to create a security word that is used as an electronic signature when staff submit claims for reimbursement or when managers authorize payment.

Access Profiles

The user access profiles have three elements:

1. system activity – this determines what screens and activities are made available to the user.  For example, the “eForms.Appointments” activity will give the user access to the New Appointments, Additional Post and Appointment Transfers screens accessed through the Management > eForms menu.
2. type of access – the type of access options depends on the activity.  In the case of the “eForms.Appointments” activity the user may be allocated:
   1. View Only
   2. Data Entry – the user may complete the appointment form details and submit it to the manager for authorization
   3. Authorisation – enables the manager to view/amend and approve the form contents.
   4. Data Acceptance – this is normally undertaken by HR/Payroll who acknowledge final acceptance of the form once it has been entered in ESR.
3. area of access – this determines which employee records may be accessed.  The area of access specified may be the organisation, cost centre, position, local group, assignment etc.

Leavers/Inactive Users

The EASY system receives a daily feed from the Employee Staff Record (ESR) that includes the date that employees are leaving the NHS Organisation.  Where the employee has a user account in the system, the leaving date is added to the user account deactivation date field to prevent users accessing the system after that date.

Timeout

The system timeout period is a system configurable, the default is 15 minutes.  Where there has been no user activity within the timeout period, the user is automatically logged out of the system.

Access Logs

A record is kept of users logging into the system and the IP address where they logged in from.

In addition, the database audit tables records who has viewed or changed data.  A report of user usage is available on request.

Operational Processes

Data Storage

Data is imported into the EASY System via the ESR outbound interface files and other ESR files.  Data is also collected manually through the e-Expenses and e-Forms screens.  All data is stored in the EASY database.

Data Processing

Data may be processed manually through the EASY application screens.  The EASY system electronically processes claims data when producing the inbound interface file that is transferred to ESR to facilitate the payment of staff.

Data Quality

Wherever possible, the EASY System presents users with selection lists to ensure consistent data is input into the system.  The system will perform validation checks on the data during input based on the User Organisation’s policies.

Data Backup

The EASY database is backed up daily.  The backup files are retained for seven days, with a weekly and monthly backup being retained for a period of one year.

Our database servers have an automated backup feature that allows for a point in time restore of the database at any point within the last 35 days.

Audit Arrangements

A monthly internal audit of the Giltbyte Information Security Management System is conducted to ensure adherence to our ISMS policies and procedures.  An annual external audit of our ISMS is conducted by Certified Quality Systems Limited.

Change Control

A Change Request is submitted to the User Organisation’s System Administrator giving full details of the changes to the EASY software, the extent of the change (e.g. Major, Minor) and the impact on end-users.  An installation date is proposed, normally over a weekend, with an estimate of the system downtime.  The System Administrator either approves or disapproves the change request.  The System Administrator will be responsible for communicating the changes to end-users.

Security Incident Reporting

Any suspected security incidents are to be reported at the earliest possible stage with the Giltbyte Service Desk.  The Giltbyte Information Security Officer is immediately notified to undertake an assessment of the incident.  The ISO submits their findings to the Senior Information Risk Owner to ascertain if an incident occurred.  Where an incident has occurred, this will be reported to the User Organisation’s System Administrator and to the NHS Digital.

The full details of procedure to be followed is documented in the Information Security Incident Management policy.

System Risks

An analysis of the potential risks affecting the system has been undertaken, and these are reviewed at least annually.  The assessment considers the probability and impact of such risk, and what measures are in place to mitigate the risk.

System Protection

Business Continuity

We have business continuity plans in place to ensure continuity of customer services, including the hosted platforms and business services.  The service desk is managed from more than one location, so there is an automatic switch over should there be any communications problems in a location.  In the event of a problem with the hosted platform, we can switch over to a new server in another data centre within a matter of hours.  The business continuity plans are exercised at least annually.

Disaster Recovery

Disaster recovery arrangements are in place to recover all components of the hosted service, including switch over to a backup data centre.  In the event of a server failure, our recover procedures mean that a new server with all relevant files restored can be back on line within 4 hours.  The disaster recovery plan is exercised at least bi-annually.

Penetration Testing

Penetration testing of the EASY System is conducted annually by an external specialist assessor.

Staffing

Confidentiality

Staff, temporary staff and contractors are required to read our Confidentiality policy, and sign the Confidentiality Declaration form.  In addition, staff contracts include confidentiality clauses.

Training

Staff receive regular training in confidentiality, data protection and information security matters.

Recruitment Screening

All new employees are fully screened before the commencement of employment with previous employer references obtained and checked, and a DBS check is undertaken.

Data Centre

Location

The main data centre we use is located in London, and we also use Dublin, Ireland as a standby data centre.  In accordance with the Data Protection Act and the NHS Information Governance guidelines, data is not transferred outside of the UK or EU.

Network/Servers

The diagram below is a schematic of the connections with the data centre.

Security

The AWS data centre security is state of the art and has been approved and audited by many major and respected bodies.  Of particular note are:

• UK government G-Cloud framework https://www.digitalmarketplace.service.gov.uk/g-cloud/framework https://blogs.aws.amazon.com/security/post/Tx31CWNXWOP2J09/Using-AWS-in-the-Context-of-CESG-UK-s-Cloud-Security-Principles
• EU Data Protection Directive https://aws.amazon.com/compliance/eu-data-protection/
• ISO 27017 certification https://aws.amazon.com/compliance/iso-27017-faqs/
• ISO 27018 certification https://aws.amazon.com/compliance/iso-27018-faqs/

More information about security controls in place at AWS can be found on their Data Centre Controls page:

https://aws.amazon.com/compliance/data-center/controls/

Physical

The following is an extract from the AWS security white paper describing how physical Access to the AWS data centres is strictly controlled:

AWS’s data centres are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centres. This experience has been applied to the AWS platform and infrastructure. AWS data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

AWS only provides data centre access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centres by AWS employees is logged and audited routinely.

Technical

Please refer to the AWS Data Centre page:

Access Controls

Please refer to the AWS Data Centre Controls page:

https://aws.amazon.com/compliance/data-center/controls/

Encryption

Data in transit is always encrypted by TLS version 1.2 or version 1.3.  Data at rest (including server OS) is encrypted at using AES 256 bit keys.

Encryption Keys

Transit TLS (version 1.2 or version 1.3 supported) keys are stored on the server encrypting the data.  At rest keys are held securely by AWS, and strict procedures ensure that AWS staff do not have both logical and physical access.