Securing your data

18 January 2022

As we move into 2022, cyber security (and the associated issues and concerns) play a prominent role in our day to day lives, both business and personal. We all need to be aware of the part we play and how we can keep our information safe in this ever-changing vulnerable world.

You need to be assured that your IT partners are aware of their responsibilities and that they implement the proper controls to keep your data safe.

finao uses the CIA triad principles for information security - these being the principle of data Confidentiality, Integrity and Availability. These principles form the cornerstone of our security infrastructure.

Confidentiality makes sure that only certain users can access, edit and update data. From a database perspective we implement strict POLP policies (permission of least privilege). If the employee doesn't need access they don't have access. We also use strict IAM policies to segregate and restrict access to our infrastructure.

Our systems achieve this through custom permissions for each and every form and workflow. The system administrator can decide what data each user can access (ie. from a project, job, contractor or geographic area perspective), what they can update (ie. what stages or workflow in a form) and what fields can be edited. The permissions also allow the admin to control who can download the data in the system and in what format. Access to the system is through a username and (secure) password coupled with 2FA. Finally, all data is encrypted.

Integrity and protection of data is key. Data integrity is achieved through a number of ways. Where possible our systems do not allow the entry of "free form" data. This is where users type in what they want. Where possible we use dropdowns (of predetermined data), radio buttons or switchers which restrict what value a user can select. If we do rely on free form entry we restrict a field to only allow alphas or numerics and where possible restrict the number of characters that can be entered. We use inline validation to check the data as it is entered. Permissions allow Admin to restrict who can edit data, additionally form rules can be implemented to not allow data to be edited at all once it has passed certain stages or workflows. If data is to be edited, a clone of the original form can be created therefore keeping all data (version control) for audit purposes. All forms also include a full 'form history', who did what and when with a date / time stamp for each action. All data is encrypted and a number of automated countermeasures (such as monitoring) are implemented to protect the data at all times. Finally all data is backed up with back-ups retained for 30 days.

Availability is key to finao performing its duties. All client systems have a dedicated private cloud in Amazon using multiple servers, load balancers and hourly back-ups (with N+1 redundancy). We perform software patching and system upgrades as available and as required. A robust disaster recovery (DR) plan and a business continuity plan (BCP) is key to keeping our systems available 24/7. But simply having a plan is never enough, we regularly test our plans to make sure they work.

This is a quick overview of how we keep your data secure and available. If you have any questions on cyber security or require more information on the policies, guidelines, frameworks and regulations we use then please don't hesitate to get in touch.

Remember, system and data security is everyone's responsibility.