Security Policy & Statement
Hedgehog takes the security of our and our clients’ information extremely seriously, and we have in place a series of checks and measures to ensure that a high level of security is maintained around our and our clients’ information. This paper highlights the key areas of control in place.
Our internal Information Security Program is aligned to, and audited against, GCHQ’s Cyber Essentials program and ISO27001:2013. It is a comprehensive program of risk-driven practices and policies with supporting procedures, guidelines and audits, reinforced by a quarterly audit program run from the office of the CISO. The Information Security Program covers all aspects of the firm and its services as well as client, supplier and third-party security management, which ensures a dynamic and robust controls environment for all of Hedgehog’s global operation.
Responsibility for Security
Our founder, Peter, and our CISO, Rose-Marie, are jointly responsible for maintaining our Information Security Program. Peter has more than 26 years of Information Security experience, with more than 10 of those years in FTSE 250 sized businesses. Rose-Marie has over 20 years of Information Security experience, with more than 15 years as a CISO in highly regulated markets.
Over the last few years we have focused on a security culture based on individual responsibility for the security of information at all levels, from the Directors, who are ultimately responsible for defining, implementing and monitoring the Information Security Program within the firm, to the operators on the ground, all guided by our CISO team.
Hedgehog follows industry best practice guidelines in the design and implementation of our network security program. We have been ISO27001, ISO9001 certified since 2010 and Cyber Essentials Plus certified since 2014.
At Hedgehog we operate out of two cloud-based Infrastructure as a Service providers, Microsoft Azure and Digital Ocean. Using IaaS allows us to scale our service offerings in line with each individual client and permits us to maintain our 99.999% service availability SLA. Our primary datacenter is within the UK with our secondary datacenter in the Netherlands.
By leveraging the flexibility of our two chosen IaaS providers we are able to offer localised applications in almost every country.
We only use Windows Server 2019 within Azure and Ubuntu 18.04 LTS within Digital Ocean. All operating systems have been hardened in accordance with the CIS Level 2 hardening guidelines and are actively monitored on a 24x7x365 basis for system issues and signs of attack and/or compromise.
Patching & Maintenance
All of our systems, whether internal within our operations centre or customer facing within our data centres, undergo weekly patching and maintenance. We operate our systems at 45% maximum utilisation so that we are able to take systems out of service for maintenance without affecting operational status.
There are four primary networks in operation within Hedgehog: Development, Test, Staging and Production. We use complete segmentation to separate our development networks from all other networks, and logical segmentation to separate the Test, Staging and Production environments. Each environment is an isolated IaaS account with no connectivity between them.
Backups and Redundancy
We operate two complementary backup schedules. Within the offices we take a live snapshot of servers every six hours. These snapshots are stored within each of the IaaS environments. The internal office storage runs in RAID 5 and is live mirrored to the Digital Ocean environment.
The servers in both IaaS environments are backed up every six hours with a differential backup and weekly with a full backup.
All backups are AES256 encrypted with a unique key per machine.
From the outset we have taken a unique approach to the encryption of data.
Email: All our emails are PGP signed and we fully embrace any PGP encryption requests. Our email servers operate TLSv1.3 encryption and will always start with encryption first on all email exchanges.
Data at Rest: We use AES256 as our default encryption. For every client we have a unique 64-bit salt and then a further 64-bit salt for each dataset. If a client sends us three files, each file has its own unique salt. All of this is managed through our internal PGP key service.
Data in Transit: Our standard for data in transit is TLSv1.3 using a 256-bit cipher length. We appreciate that not all clients are able to support this, so we have the capability to reduce this to an encryption level mandated by the client, with one caveat: we will never go lower than TLSv1.2.
Bespoke Client Requirements: Dealing with a number of financial and medical institutions means having to deal with a number of different encryption mechanisms. Natively, NGS is able to support the following: PGP and GPG encryption, TLSv1.2, VeraCrypt containers, all forms of PKI and bcrypt.
Vulnerability Scanning & Penetration Testing
All of our environments undergo vulnerability scanning on a weekly schedule by our CISO.
We engage with two CREST member companies to perform all scheduled penetration tests on a six-monthly rotation. When a new version of our software or new product moves from the Test environment into the Staging environment, it undergoes a full penetration test against the PTES and OWASP methodologies.
We partner with Bugcrowd to provide a perpetual Bug Bounty program. In this way, we ensure that all of the bugs and security issues are found. The bug bounty environment is a completely isolated environment that contains an identical mirror of the production systems.
Key components of the Information Security Program are the policies and procedures that define our security controls and our security practices. Our CISO team is responsible for the policies and procedures and for working with all our teams to ensure that the procedures allow them to accomplish their tasks while protecting our and our clients’ information. A current listing of our Policy and Procedure library is available on request.
We have integrated security, data protection and privacy awareness into all aspects of employee communications, beginning with required non-disclosure and confidentiality agreements, the setting of expectations of conduct, mandatory information security, data protection and privacy awareness training and testing upon hire, and ongoing annual awareness.
Our CISO maintains a formal program for Security Incident Reporting and Security Incident Response. Policies define the standards and guidelines of the program, with documented procedures that detail handling, communication and reporting to clients, regulators and law enforcement. Our IRP (Incident Response Program) is directly linked to our Data Protection program to address all aspects of global data protection regulation.
We have in place a global Data Protection Policy which takes into account the regional data protection acts from each principal jurisdiction in which we operate. These include the UK, the EU (with GDPR), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and, for the US regions, the Gramm-Leach-Bliley Act (GLBA) along with the Health Insurance Portability and Accountability Act (HIPAA). With the demise of the International Safe Harbour Privacy Principles in 2015, NGS adopted the above policy to address the security and confidentiality of personal information throughout its business.
Any personal data which is collected, recorded or used in any way whether held on paper, computer or other media, will have appropriate safeguards applied to it to ensure that we comply with the Data Protection Act. We endorse the rights of data subjects, including the statutory right to request personal data relating to them. Personal information will never be disclosed, shared, exchanged or sold with any third party.
We have enacted a comprehensive risk management program designed to intelligently focus resources and efforts on the assessment of our corporate and information security risk profiles.
Our risk management program is driven by the Directors and consists of formal risk assessments at the firm and service level. In addition, risk management is incorporated into all facets of our processes, including integration with application development, information technology, business operations and internal security processes. Our firm-wide Risk Management Program ensures that the necessary information is available for our Risk and Compliance committee to make effective risk-based decisions.
Hedgehog Security is audited annually by DAS and has been ISO27001 certified since 2010. Our ISO27001 audit is every April.
Hedgehog Security is audited annually by DAS and has been ISO9001 certified since 2010. Our ISO9001 audit is every April.
Cyber Essentials Plus
Hedgehog Security is Cyber-Essentials Plus certified. Copies of our certificate are available on request. Our Cyber Essentials audit is every February.
Hedgehog Security has been a CREST member company since 2012 and is audited every March.