Technical and organisational measures
Information Security Programme
The Egress Software Technologies Group (the Group) has an Information Security Management System in place in line with ISO/IEC 27001 that undergoes annual auditing. More information on the Group, and the companies that form part of it, can be found at www.egress.com/about.
The Group will maintain this security programme in order to:
- protect the Content that the Group processes for and on behalf of its customers and users against accidental or unlawful loss, access or disclosure
- identify reasonably foreseeable risks to the security of the systems and infrastructure on which the Group’s services rely
- proactively identify risks and put in place risk treatment plans to avoid incidents
- respond to identified external threats through appropriate infrastructure and system management
- manage and control the Group’s response to suspected or identified security threats or incidents
- direct and advise upon appropriate management of the Group’s systems and infrastructure (including undertaking risk assessments, root-cause analysis investigations and regular penetration testing)
Security of Content
The Group takes measures to protect the confidentiality, integrity and availability of the services that it provides, and the Content that customers and users upload, share and store using them.
All Group employees involved in providing technical support and customer services support undergo regular security training.
The Group deploys technical measures to detect and react to unauthorised access to, or abnormal usage of, Group networks and infrastructure. Group infrastructure is patched in line with the Group’s patching policy and the Group uses vulnerability scanning tools to routinely scan both internal and external infrastructure and applications.
Third-party security specialists conduct external penetration testing and IT Check Tests of Group products and services in line with Group policies.
The Group ensures that its network is protected on ingress and egress of traffic. Outbound traffic is restricted by a per-user policy that applies to authenticated users. All Egress network firewalls and core services send their logs to a UK-based Security Information and Event Management (SIEM) system that is backed by a 24x7 Security Operations Centre for real-time detection and event generation.
The Group has implemented processes to ensure that no malware is transferred to its services by its technical and customer services support teams as part of maintaining those services. Where appropriate, the Group’s services use malware detection and prevention to scan Content uploaded to, or transferred via, the service.
Where the Group is responsible for the design of data centres, or the procurement of equipment used for processing Content, it takes steps to protect it from physical and environmental threats to prevent interruption to the Group’s activities and accidental loss of Content.
The Group uses third-party cloud service providers who themselves provide highly resilient and secure environments. Details on these providers can be found at www.egress.com/subcontractors.
When the Group is responsible for building infrastructure, it creates availability sets/groups (e.g. servers with the same role are located in different racks). Equipment and/or media containing Content are maintained by third-party cloud service providers who take steps to limit physical access to that information (e.g. access control, CCTV, and intrusion detection systems; visitor entry control procedures; secure offices, rooms, and facilities; protecting against external and environmental threats; and controlling access points, including delivery and loading areas).
The Group ensures that access to networks and systems is only granted on a least-privilege basis to authorised employees and contractors who need it in order to perform their role with the Group. Access to systems and networks may also be subject to other controls (e.g. a requirement to access only from a Group office location or via VPN; multi-factor authentication; logging in line with Group data retention policies).
Access to systems may be blocked after multiple unsuccessful attempts to gain access, or in line with any other limitation placed on access. Prior to reactivation of access or replacement of lost or forgotten authentication credentials, the user’s identity must be verified.
The Group reviews authorisation of access to systems processing Content at least annually.
Pre- and Post-Hire Employment Screening
All Group employees undergo Baseline Personnel Security Standard (BPSS) checks. Specific individuals, or those working in certain areas of the business, may undergo additional post-hire checks (e.g. additional levels of security clearance, or financial or credit checks).
Back-up and Recovery
Processes and procedures shall be in place to ensure copies of customer and user Content are retained to facilitate retrieval or reconstruction following loss or destruction of primary production information. Back-up processes and procedures shall be conducted on a regular basis.
Back-ups will not be tested by or on behalf of the Group as part of the services it provides unless specifically requested and paid for by the relevant customer.
The Group has in place detailed retention policies for external customer and user data, the most up-to-date details of which can be found at www.egress.com/legal.