Security
Overview
Information Security is at the core of any professional software-as-a-service (SaaS) supplier’s offering. We’re transparent with our security program so you can feel informed and gain the assurances you require while using our products and services.
This document details the Information Security (IS) related obligations we assume as your supplier and aims to give you information about our Information Security Management System (ISMS).
Details related to personal information collection and processing are documented independently in our Privacy Policy.
Commitment
We have implemented and will continually maintain appropriate electronic, physical and organisational security procedures, measures and controls in order to protect against accidental, unauthorised or unlawful access, destruction, use, alteration, modification, disclosure or loss of Customer data. Without limiting the foregoing, we shall have in place and implement security practices and controls that comply with and are consistent with our ISO 27001 Certification.
Certification
ARKK holds ISO27001 certification from a UKAS certified body (Approachable) since 2016.
Our Information Security Management System (ISMS) covers the delivery of software and services that enable customers to transform internal financial data for submission to regulatory bodies, including managing clients’ data, from our London and Belfast offices.
Third party service providers (including information processing service providers) are beyond the scope, however assurance exists in the form of contractual agreements, security due diligence and the review of these is within scope.
The exclusive host of our infrastructure is Microsoft’s top-rated Azure platform. Microsoft holds ISO27001, HIPAA, FedRAMP, SOC 1 and SOC 2 certifications/attestations among others. See https://azure.microsoft.com/en-gb/overview/trusted-cloud/compliance/ for the full list. We review our engagement terms and information security conditions with key providers at least annually.
Logical Access Control
To ensure compliance with access security control requirements we:
- protect the confidentiality of all passwords or access codes assigned to us by you (passwords for user access are hashed one-way, but in addition you may wish to provide us with API keys or similar to pull in data on your behalf);
- have a robust password policy for all personnel and subcontractors to adhere to;
- promptly remove access privileges from our personnel, including subcontractors, who, whether through internal transfer or departure from our business, or where applicable subcontractors, become no longer involved in processing Customer information and data.
Implementation notes
We do not typically provide temporary passwords but rather use unique expiring reset tokens. Our password policy sets the complexity construction rules for passwords used on our systems.
We have procedures for onboarding, role reassignment and a termination process, to ensure access is provided when needed and revoked accordingly. In addition, we conduct annual access reviews of our assets.
Employee Devices
We certify that all devices used by our employees connected to our information processing environment, are and will continue to comply with the following requirements:
- the most current service pack and all security patches applicable to all operating must be applied and be up to date;
- devices must have industry-standard anti-malware software installed, running and updated with the latest signature file; and
- an industry-standard personal firewall product must be installed and active on the device.
Implementation notes
We use a combination of Windows group policy, centralized endpoint protection management, internet access gateway and enterprise mobility management (EMM) to enforce adherence and ensure current anti-malware, patching and firewalls are in effect.
Server Security
To ensure the confidentiality, Integrity and availability of all our servers and to mitigate the threat, risk and impact of external or internal misuse or abuse of server platforms, we:
- protect all server access, at a minimum, by two factors of authentication.
- change all factory pre-set server passwords before commencement of processing;
Implementation notes
As stated above all our servers are hosted by Microsoft Azure which holds ISO27001, HIPAA, FedRAMP, SOC 1 and SOC 2 certifications among others. Access to all our servers requires both network access rights as well as user credentials to access. Servers hosting Client data are accessible only through a Privilege Access Management (PAM) service which enforces fine grain access policy as well as session recording for audit purposes.
Software Development
In-line with industry best practices for secure coding, we:
- incorporate Dynamic Application Security Testing (DAST) security code analysis into software development lifecycle;
- mitigate security issues identified during DAST code analysis before promotion of the code into production environment;
- perform weekly web application vulnerability scanning to Identify any vulnerabilities and apply mitigating controls accordingly.
Change Control
To ensure compliance with industry best practices for change control, we develop, test and document each change according to change management and control standards, procedures and processes, while maintaining the continued logical integrity of data, programs and audit trails.
Security of Databases and Storage
To ensure the confidentiality, Integrity, availability and general security of all databases and data files used to store your data we:
- store Customer data within Microsoft Azure cloud services, which are geolocated in Republic of Ireland (primary) and Netherlands (secondary). In addition, ARKK utilises Software as a Service (SaaS) solutions as part of the provisioning of the service, further details on those services and storage locations are found in our subprocessors page;
- store Customer data in an encrypted form (AES 256-bit) at rest in accordance with industry best practice;
- restrict all physical and logical access to databases, data files and their resident information and/or data and any systems or network components relating to the processing of transactions on a need-to-know/need-to-use business-only and least privileged basis;
- protect all access to databases and data files using, at a minimum, two factors of authentication
- change all factory pre-set passwords for databases before commencement of processing;
- log all database and data file access activities and store this activity data in an appropriate manner for a minimum period of 12 months;
- harden all servers used to process, store and/or transmit Customer data and/or information with such hardening to include, but not be limited to, the removal of all privileges and services, except those that are essential for the performance of the operations for which the servers are installed;
- deploy server security scanning tools to periodically report on the status of each server and verify that all settings, parameters and options are in accordance with the agreed upon hardened state for that device and to detect unauthorised changes from the approved server configuration baseline;
- log all server access activity and store such activity data in an appropriate manner for a minimum period of 12 months; and
- review all server security controls defined above on a periodic basis (at least once per year) to ensure that they are still in effect.
Implementation notes
- Data is stored encrypted at rest using AES 256-bit, keys are managed automatically by Azure.
- Under normal operations your data (customer data) will reside exclusively on servers within the Microsoft Azure data centres in Europe (ROI and Netherlands). Should you elect to send us files via email or through our support system, those files will be stored by our customer support and ticket system vendor within Europe.
- No member of our staff has direct access to your data unless you explicitly share it with them.
- Our IT administrators can access data only through a Privileged Access Management (PAM) system which audits access and records the sessions.
- Our Asset Management policy addresses classifications, labelling and handling restrictions of data.
- Your data will be removed from our systems after termination except for the meta-data (information about your usage) or anonymised statistics as mentioned in the standard terms and conditions.
Network Security
To mitigate the threat, risk and impact of system and/or network intrusion, abuse or misuse, we:
- install, configure and activate a comprehensive, industry best practice intrusion prevention & detection systems (network-based and host-based) to continuously prevent, detect and report the occurrence of unauthorised network attacks against its systems including, but not limited to, penetration attempts, denial of service attacks and excessive probing;
- install industry best practice network firewalls and Web Application Firewalls (WAF) between servers and public network facing gateways to screen out communication protocols not required for processing Internet traffic;
- log all firewall and gateway activity and store such activity data in an appropriate manner for a minimum period of 12 months;
- protect data from unauthorised disclosure while in transit through public networks.
Implementation notes
- We do not have a Wi-Fi network with privileged access. We assume it is public despite its security protection and use VPN clients at all times to gain access.
Protection against Malware
To mitigate the threat, risk and impact of computer viruses, worms, Trojan horses and other malicious types of software, collectively called “malware”, we:
- install, configure, activate and maintain anti-malware program on any and all servers, devices, laptops and workstations;
- configure such anti-malware software to automatically invoke on start-up and on a continuous basis on all devices where installed; and
- all malware-related incidents are recorded and actioned upon in accordance with our incident response plan. Where this may affect customer's data, they are informed within 24 hours.
Security Vulnerabilities and Installation of Security Patches
To mitigate the threat, risk and impact of system and network security vulnerabilities we:
- actively scan our exposed endpoints for vulnerabilities;
- receive advisories on emerging security vulnerabilities from reliable sources;
- identify specific vulnerabilities that may impact our operating environments or platforms;
- assess the criticality of the vulnerability to determine the appropriateness of installing the associated security patch; and
- test and install required security patches in a timely manner.
Back-up and Recovery
To ensure availability of data we:
- use cloud based redundant storage facilities (geo-replication);
- maintain a daily back-up, kept for 30 days; and
- maintain a documented Business Continuity Plan and test it annually.
Implementation notes
We keep an active replication facility in a secondary Azure data centre. Our target is to resume critical operations regardless of cause within 6 hours (RTO).
Logging and Monitoring
Internal systems write log data to a centralised Security Information and Event Management (SIEM) system. The data Is retained for a minimum of 12 months.
Alerts are set up based on unusual, suspicious or potentially malicious activity and appropriate security personnel are notified to Investigate.
Data Resource Isolation
ARKK utilises a multi-tenant platform, whereby our supporting Infrastructure serves multiple customers. Each customer shares the software application and also shares a single database. Each tenant's data is logically segregated/isolated and remains invisible to other tenants/customers.
Encryption in Transit Security
Access to ARKK's web applications always uses industry standard Transport Layer Security (TLS) to secure the connection between your browser and our services.
External Security Audits
We perform external penetration tests on our applications to validate the security built in by design is Implemented effectively and correctly. The penetration tests are performed by an Independent third-party security company. Any vulnerabilities are actioned appropriately with set time frames in accordance with the severity of the risk and CVSS score.
As part of ARKK's ISO 27001 certification, we are independently audited each year in relation to the surveillance and recertification audits conducted by the certification body. In addition, our Information Security Management System (ISMS) undergoes an internal independent audit to ensure compliance with the ISMS framework.
Disclaimer
While we implement safeguards designed to protect your information, no security system is impenetrable and due to the inherent nature of the Internet, we cannot guarantee that data, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others.