Statement of Security and Resilience Responsibilities
LawCloud is committed to building information-security principles into everything it does. By working closely with our data centre, we ensure that the highest security and resilience standards are met at all times within our fully managed and protected environment.
Does LawCloud implement information-security procedures for protecting its systems against vulnerabilities?
Yes, our data centre has an Information Security Manager who is responsible for managing and implementing security standards, policies and best practice. The Network, Infrastructure and Quality Assurance teams support the Information Security Manager. They have internal information security policies, which the Information Security Steering Committee governs.
Does LawCloud have a patch management process?
Our data centre prioritizes the patching of internal systems by role, importance and location in the network. It automatically deploys and manages patches where appropriate. In addition, we update each LawCloud server ourselves with the updates released for the Microsoft operating system and for all application software used on the Cloud. These are tested on a test server before being rolled out to all servers. Assuming all updates pass our compatibility test, the update is applied within 3 days of passing the test. Microsoft releases these security updates at least monthly; other vendors’ timescales differ.
Is anti-virus software deployed on LawCloud systems and how often are virus definitions updated?
Yes, we deploy McAfee VirusScan Enterprise on all servers with definition updates applied daily.
Are firewalls used to protect LawCloud systems and data from the Internet and other untrusted networks?
Yes, all LawCloud servers sit behind a Cisco Virtual Firewall (Cisco Adaptive Security Appliance operating on Cisco ASA5550).
Is penetration testing carried out and if so how often?
Yes, our data centre uses Seven Safe to conduct penetration testing of the internal infrastructure as an ongoing, risk-based program, and of all new services prior to going live.
Security of Data Centres
Data centre policies and procedures ensure that the team:-
- Conducts annual physical security reviews to ensure adherence to policies and best practices.
- Escorts visitors while they’re in data centres and signs them in and out of facilities.
- Restricts access to data centres with fences, gates, swipe-card-entry systems and role-based privileges.
- Protects facilities with out-of-hours security guards, CCTV monitoring and a reception that’s manned 24/7/365.
- Maintains operations during short-term power fluctuations with reserve power supplies, backups (e.g. uninterruptible power supply) and redundant generators, which are tested regularly.
- Maintains optimum environmental conditions in the data centres with air-conditioning systems, which are tested regularly.
- Provides fire detection and suppression systems, which are tested regularly.
The data centre team is responsible for maintaining optimum system performance in all data centres and:-
- Maintains redundant hardware to transfer services to in the unlikely event of an outage.
- Monitors business-critical hardware and resolves issues.
Security Testing of Infrastructure
- Conducts regular security tests on its infrastructure.
- Manages the results of tests through incident/risk management processes to resolve issues quickly.
Confidentiality/Integrity/Availability of Services and Infrastructure
The team ensures confidentiality, integrity and availability of all data and:-
- Maintains confidentiality of data by preventing employees from accessing data.
- Uses the following to ensure confidentiality:
  - Network security protocols
  - Network authentication services
  - Data encryption services
  - Physical entry controls
- Ensures integrity of data by preventing employees from accessing it.
- Uses the following to ensure integrity:
  - Firewall services
  - Communications security management
  - Role-based access control (RBAC)
- Ensures systems are available by implementing redundant internet connections, power supplies, generators, and network infrastructure and storage area network (SAN) disks.
- Uses the following to ensure availability:
  - Redundant disk systems and internet connections
  - Acceptable login and operating-process performance
  - Reliable and interoperable security processes and network security mechanisms
Principle of Least Privilege
There is a responsibility for ensuring that the principle of least privilege applies in the data centres.
- Ensures that only engineers who need access to servers, infrastructure and networks get it. Employees who don’t have a business requirement to access these can’t do so without authorization from authorized personnel.
- Is responsible for maintaining 99.9% availability for all servers.
Secure Destruction of Data, Hardware, Removable Media
The team is responsible for securely destroying its data, hardware and removable media.
- Uses accredited partners to securely destroy hardware such as hard disk drives and backup media.
- Cleanses hard disks before reusing them and tests samples to ensure data can’t be recovered. The company does this with software that adheres to HMG CESG standards.
Secure Data Communications on Data Centre Networks
The team is responsible for maintaining secure communications in its private network, backup and disaster-recovery services.
- Segments networks to prevent unauthorized access.
- Restricts communications to the Internet to those passing through managed firewalls.
- Encrypts virtual private network (VPN) tunnels with IPsec to protect traffic.
Incident Management on Data Centre Networks
The team is responsible for managing incidents on its network.
- Follows ITIL-based management processes to deal with incidents.
- Provides a dedicated incident manager, who is responsible for restoring services.
Internet Connections at Data Centre
The team is responsible for maintaining internet connections for servers.
- Uses multiple 10 Gb/s connections to the Internet and diverse routing to ensure that connectivity is not lost due to a single failure.
Notification of Planned Outages
The team is responsible for notifying partners of planned outages.
- Endeavours to provide at least 24 hours’ notice of planned outages. In the majority of cases, it will provide notice earlier than this.
- May give less notice for emergency maintenance needed to resolve high-risk security incidents that affect multiple partners.
Firewall and VPN Concentrator
The team is responsible for initially configuring VPN concentrators and firewalls.
- Network engineers will initially configure these systems.
Denial of Service Attacks
The team is responsible for mitigating denial of service attacks from the Internet.
- Reserves the right to remove service for the duration of an attack, or until it can deploy a compensating control, if an attack threatens the wider infrastructure.
If you require any further information or would like to arrange a guided tour of our UK based data centre, please get in touch.