Security by Design

Security

At HaloPSA data security and privacy are our highest priorities. Software development and service delivery are built around robust security and data privacy policies. By delivering a service focused on these principles, we are able to ensure high availability, confidentiality, and integrity of your data.

It is the policy of HaloPSA to maintain awareness throughout our organisation and supplier base of the importance of keeping information secure, whatever form that information may take. We will achieve this in part via regular Information Security (I.S.) training and awareness programmes.

Stay at the forefront of developments in relation to I.S. We will do this by remaining vigilant to the ever changing I.S. Environment by supporting a culture of Continual Improvement (C.I.). Thoroughly address any nonconformities in relation to I.S. We will ensure this is achieved by maintaining a robust nonconformance reporting system which will be regularly reviewed.

Provide necessary and proportionate resources in order to meet our I.S. obligations. We will maintain appropriate resources by regular measurement and monitoring of our I.S. Management System (I.S.M.S.).

Encrypt data and devices wherever possible and to maintain a pragmatic information classification scheme.

Adopt a risk-based approach to I.S. We will implement this by maintaining a current risk assessment and treatment plan which will be reviewed not less than once a year.

Set S.M.A.R.T. I.S. objectives annually and to review them regularly and at our I.S. Management Review mtgs. These objectives will be communicated to all employees via our training and awareness programmes.

Our Secure Hosting Provider

All HaloPSA cloud applications are deployed in Amazon Web Services (AWS), an industry leader in providing highly secure, scalable cloud infrastructure.

Physical Security

AWS leads the way in delivering state of the art data centres. Physical access is carefully restricted to only personnel that are required at the site and is then revoked when access is no longer required. Security staff utilise a mix of security cameras and ID badges, with multiple layers of two-factor authentication. Any access granted is restricted based on the role of the individual and to the relevant area of the data centre. AWS Security Operations Centres continuously monitor for unauthorised entry via access logs, video surveillance and intrusion detection.

AWS maintains and continues to enhance their SOC reports, certifications, including SOC, PCI, ISO and many more. Additional details are maintained on the AWS Compliance section of their website.

Business Continuity

All AWS data centres are carefully situated to mitigate environmental risks, such as flooding, extreme weather, and seismic activity. The data centres are fitted with automatic fire and flooding detection and suppression. HaloPSA utilises four AWS regions – London, North Virginia, Canada and Sydney. Each region has multiple availability zones, each physically separated from one another ensuring high availability.

Climate and temperature are precisely controlled by personnel and systems to ensure optimal performance of servers and other hardware. All systems and equipment are monitored and receive preventative maintenance to maintain continued operability of equipment.

Environmental security

Amazon’s infrastructure has a high level of availability and provides customers the features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data center Business Continuity Management at AWS is under the direction of the Amazon Infrastructure Group.

Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load balanced to the remaining sites.

Secure Product Build

Product Ownership

All products at HaloPSA have an owner that is responsible for the delivery and secure development of the application. The owner will regularly review the roadmap for the product and prioritise security fixes accordingly.

Version Control

A central repository is used to manage code and access to the repository is role based. This is integrated with the development environment and version controls. A record of any change to the code is maintained and available to the customer in the form of release notes.

QA

Every release goes through a strict QA procedure, which tests functionality, performance, configuration, user experience and stability. Only once it passes these tests is the version available for use.

Architecture

Data Backup

All data is backed up at regular intervals 24 hours a day. Backups are stored at different Amazon data centres and also off site in Google data centres. The backups are stored in access controlled containers.

Auto Scaling

Automatically distribute application traffic across multiple availability zones that supports high availability, auto scaling and robust security.

Incident Management

Robust incident management procedures allowing for reporting incidents and tracking them through to resolution. Following the ITIL framework, incidents are prioritised, and SLAs tracked.