04 Oct 2017

LawWare statement of cyber-security responsibilities

LawWare is committed to building strong information security safeguards into all its software and everything it does. By working closely with our datacentres, we ensure that the highest standards of security and resilience are met at all times within our fully managed and protected environment.

Our  key security protection measures are described in the following points.

Procedures, maintenance & testing.

LawCloud information security procedures for protecting systems against vulnerabilities.

Our data centre partners have designated Information Security Managers who are responsible for managing and implementing security standards, policies and best practice. The Network, Infrastructure and Quality Assurance teams support the Information Security Manager. They have internal information security policies, which their Information Security Committees govern.

LawWare patch management process.

Datacentres prioritise the patching of internal systems by role, importance and location in the network. It automatically deploys and manages patches where appropriate. In addition to this, we update each LawCloud server ourselves with updates released for Microsoft operating systems and all application software used on the cloud. These are tested on a test server before being rolled out to all servers. Assuming all updates pass our compatibility test, they are applied within 3 days of passing the test. Microsoft releases these security updates at least monthly, other vendor’s timescales differ.

Deployment and updating of anti-virus software.

We implement a robust, industry leading anti-virus software on all our servers. Virus definition updates are applied daily as a minimum and hourly where required.

If you have an email subscription through us under Office 365 then you are protected in addition by Microsoft Exchange Online Protection EOP (anti-spam and anti-malware).

LawCloud is also a member of CISP (Find out more about CISP) Helping us to keep a watchful eye on securty.

CISP is the Cyber-Security Information Sharing Partnership, a joint, collaborative initiative between industry and government to share cyber threat and vulnerability information to increase overall situational awareness of the cyber threat and therefore reduce the impact upon UK business.

Use of firewalls to protect systems and data from the internet and other untrusted sources.

All LawCloud servers sit behind the strongest and most secure firewalls that we are able to implement. For VMware platforms, we use Edge Gateway and for Hyper-V, we tend to favour Cisco Virtual Firewall (Cisco Adaptive Security Appliance operating on Cisco ASA5550).

Windows Firewall is enabled on each individual server.

Use and frequency of penetration testing.

Our data centre partners conduct penetration testing of the internal infrastructure on an ongoing program on a risk based approach and on all new services before going live.

Security of datacentres.

Data centre policies and procedures ensure that our team:

• Conducts annual physical security reviews to ensure it adheres with policies and best practices
• Escorts visitors while they’re in data centres and signs them in and out of facilities.
• Restricts access to data centres with fences, gates, swipe-card-entry systems and role-based privileges.
• Protects facilities with out-of-hours security guards, CCTV monitoring and a reception that’s manned 24/7/365.
• Maintains operations during short-term power fluctuations with reserve power supplies, backups (e.g. uninterrupted power supply) and redundant generators, which are tested regularly.
• Maintains optimum environmental conditions in the data centres with air-conditioning systems, which are tested regularly.
• Provides fire detection and suppression systems, which are tested regularly.

Where is your data held and how is it protected?

At LawWare, the security and safety of your data is our paramount concern. We have invested a great deal of resource and technical expertise to make sure your data meets industry safety and compliance standards and we partner with the UK’s most secure and robust data centres to host your data.

LawCloud uses a number of hosting providers who all offer state-of-the art security solutions.

Our hosting providers offer:

• A >99.9% uptime SLA
• Monitoring services
• Unlimited bandwidth (network traffic)
• Automatic failover
• SSL certificate
• RAID protected storage

Part of the ISO 14000 family of international standards covering environmental impact and the reduction of greenhouse gas emissions, ISO 14001 is the standard that covers the design and implementation of an Environmental Management System. This is a framework designed to measure and improve the way natural resources are used and disposed of by an organisation.

 

ISO 9001 – Quality Assurance.

ISO 9001 sets out the steps necessary to adopt a quality management system. It is designed to help organisations ensure they meet the needs and expectations of both customers and other parties, based on internationally recognised quality management principles set out by the International Standards Organisation (ISO). The Certification shows that our quality processes have been audited against ISO 9001 and that our hosting providers’ meet the requirements.

 

Data Centres:

• Provides electricity to data centres through two high-voltage power cables.
• Maintains and tests power systems with built-in N+1 redundancy

Taking precautions by ensuring it has:

• Backup power via UPS, which can provide up to 15 minutes of power
• Redundant onsite power generators, which ensure operations continue during short-term power fluctuations or local utility failures
• 24 hours’ worth of fuel to power generators
• Maintains and tests redundant (N+1) air-conditioning systems to ensure optimum environmental conditions in its data centres.
• Maintains and tests fire detection and suppression systems to protect its data centres and offices.
• Our data centres audit their facilities regularly and is a founder member of the Cloud Industry Forum setting the standard in Cloud computing.

Rest assured, at Lawware we leave nothing to chance – your data will always be secure and will be readily recoverable even should a catastrophic failure scenario arise.

Hardware maintenance.

The data centre team is responsible for maintaining optimum system performance in all data centres and:

• Maintains redundant hardware to transfer services to in the unlikely event of an outage.
• Monitors business-critical hardware and resolves issues.

Security testing of infrastructure. 

Our team:

• Conducts regular security tests on its infrastructure.
• Manages the results of tests through incident/risk management processes to resolve issues quickly.

Confidentiality, Integrity and availability of services and infrastructure.

The team ensures confidentiality, integrity and availability of all data and:

• Maintains confidentiality of data by preventing employees from accessing data.
• Uses the following to ensure confidentiality:
  • Network security protocols
  • Network authentication services
  • Data encryption services
  • Physical entry controls
• Ensures integrity of data by preventing employees from accessing it.
• Uses the following to ensure integrity:
  • Firewall services
  • Communications security management
  • Role-based access control (RBAC)
• Ensures systems are available by implementing redundant internet connections, power supplies, generators, and network infrastructure and storage area network (SAN) disks.
• Uses the following to ensure availability:
  • RBAC
  • Redundant disk systems and internet connections
  • Acceptable Logins and operating process performance
  • Reliable and interoperable security processes and network security mechanisms.

Principal of least privilege.

There is a responsibility for ensuring that the principal of least privilege applies in the data centres.

This means we ensure that only engineers who need access to servers, infrastructure and networks get it. Employees who don’t have a business requirement to access these can’t do so without authorized personnel.

Secure Destruction of Data, Hardware, Removable Media.

The team is responsible for securely destroying its data, hardware and removable media.

• Uses accredited partners to securely destroy hardware such as hard disk drives and backup media.

• Cleanses hard disks before reusing them and tests samples to ensure data can’t be recovered. The company does this with software that adheres to HMG CESG standards.

Secure Data Communications on Data Centre Networks.

The team is responsible for maintaining secure communications in its private network, backup and disaster-recovery services.

• Segments networks to prevent unauthorized access.

• Restricts communications to the Internet within managed firewalls.

• Encrypts virtual private network (VPN) tunnels with IPsec to protect traffic.

Incident Management on Data Centre Networks.

The team is responsible for managing incidents on its network.

• Follows ITIL-based management processes to deal with incidents.
• Provides a dedicated incident manager, who is responsible for restoring services.

Internet Connections at Data Centre.

The team is responsible for maintaining internet connections for servers.

• Uses high performance connections to the Internet and diverse routing to ensure that connectivity is not lost due to one failure.

Notification of Planned Outages.

The team is responsible for notifying partners of planned outages.

• Endeavours to provide at Least 24 hours’ notice of planned outages. In the majority of cases, it will provide notice earlier than this.
• May give Less notice for emergency maintenance needed to resolve high-risk security incidents that affect multiple partners.

Firewall and VPN Concentrator.

© LawWare Limited 1995-2021