Information Assurance Statement

  1. Introduction

This policy applies to both Happl Ltd (UK registered company) and Happl Inc (registered in the United States of America), hereinafter known as ‘the business’.

This statement is reviewed annually and approved by the board before issue.

  2. Online

Tahora Ltd has voluntarily achieved Cyber Essentials Plus accreditation continuously since incorporation. This means that tests of Tahora’s IT systems have been carried out by an external professional certifying body using a range of tools and techniques. Cyber Essentials Plus offers a higher level of assurance compared to the base level Cyber Essentials accreditation through the external and internal testing of the effectiveness of Tahora’s policies and approach to IT security.

A copy of the certificate provided by the certifying body is available upon request.

Cyber Essentials Plus accreditation concerns itself with five key controls of IT security:

  2.1. Boundary firewalls and internet gateways.

Correct configuration of these devices, whether in hardware or software form, is essential for them to be fully effective. All endpoints are protected with endpoint-level web scanning technology to complement gateway systems. All internet-facing services undergo regular vulnerability scans.

  2.2. Secure configuration.

As well as designing and configuring all systems with security in mind (changing default passwords, turning off unneeded services, controlling configuration changes), passwords are set to expire routinely, to ensure regular password changes. No generic/shared accounts exist, and non-IT staff have no administrative-level credentials; all installations and configuration changes require such credentials.

  2.3. Access control.

Only those who should have access to systems have access, and at the appropriate level. Access to confidential and/or personal data is restricted to members of the relevant teams only, with senior managers personally verifying any changes. Staff have access only to those parts of Tahora’s IT systems that they need to enter in order to carry out their normal duties.

Staff with Tahora email on their smartphone or tablet have additional security (including enforced 6+ digit codes with data encryption and remote wipe functionality). Remote access to Tahora’s IT systems will shortly require the use of a two-factor system to prevent login credential abuse, to complement existing account lockout policies.

  2.4. Malware protection.

It is imperative to ensure that virus and malware protection is installed and kept up to date on all devices, regardless of the sensitivity of the data they access. This protection includes ransomware prevention systems, encryption guard/prevention, and zero-day signature-less behavioural monitoring of processes to prevent exploits. Multiple layers of ingress and egress protection ensure no threat vector is unmonitored. These systems provide real-time alerts to IT staff.

  2.5. Patch management.

The latest version(s) of applications are used, with a strict supported-only-versions policy; all necessary security and feature patches supplied by vendors are applied in a timely manner, typically under 14 days for security issues with a CVSS score >7. This patching includes plug-ins and freeware utilities as well as updates from key vendors such as Microsoft, Adobe, and Bitdefender.

In addition to these areas, Tahora takes further precautions to ensure the security, integrity, and availability of IT systems. These include:

  2.6. Backups, business continuity, and disaster recovery.

In the event of the failure of any one part of Tahora’s IT systems, secondary copies of all data are held securely in environments that provide geographical, electrical, and connectivity resilience. These copies are replicated at least hourly, with proactive monitoring and alerting set up. In many cases these replica copies can be made live within minutes.

Remote access tools and portable devices (laptops, tablets, etc.) permit staff to work anywhere should any office become inaccessible. This is tested and reviewed regularly. Tahora has a full business continuity plan which includes how separate functions would operate in the event of different types of incidents; this is tested at least annually and all improvements reported and actioned within agreed timeframes.

  2.7. Technical support and staff availability.

All IT systems are thoroughly documented and set up according to vendor and/or industry best practices, making support and administration straightforward. No single person has sole access to any system, and a nominated third party provides reactive support services on a one-hour SLA should it be necessary.

Helpdesk and monitoring tools identify where services are not performing as expected, allowing additional resources to be assigned proactively; routine and reactive maintenance and health-check efforts prevent technical issues from becoming service affecting.

  2.8. Logical organisation and policies.

Tahora voluntarily enforces a highly structured and logical system for the storage of data, to prevent human error and make the security of systems easily manageable.

Policies cover the use of all IT systems, as well as the administration of Tahora’s IT systems, and are covered as part of induction training for all staff joining the company. These policies are reviewed regularly to ensure they provide relevant guidance to staff.

  2.9. Monitoring and proactive system integrity protection.

Tahora employs industry-leading tools to monitor both the availability and integrity of all IT systems, as well as constantly checking activity and logs on these systems for risky or unusual processes, likely malicious activity, and indicators of compromise. This monitoring is linked to a 24x7 SOC (security operations centre) run by an ISO 27001 and CREST certified organisation. They have SLAs that guarantee responses in under 15 minutes to all high-risk alerts, initiating protective measures and full incident response processes where deemed necessary.

Tahora also uses industry-leading tools to scan all IT systems on a frequent basis for possible issues that could affect the security, reliability, or availability of the services. This ensures all patching gaps can be remediated proactively, and the attack surface available to malicious actors reduced to the smallest possible footprint.

  3. Offline/physical security

  3.1. Operation of a “clear desk” policy and strict protocols on data retention.

In particular, no data is left unattended in the office if it could be considered confidential, personal, or otherwise covered under any contractual or legal obligations. All physical copies of data are securely disposed of when no longer required.

  3.2. All employees are issued with a unique access card or PIN to provide access.

Access cards act both as a visual pass to enter the building and as a “swipe card” to open doors locked using electronic access control, and they identify the user at printers, preventing print jobs being seen or taken by the wrong individuals. In other offices deemed lower-risk, PIN-based access control prevents opportunistic access to office areas. Separate PINs are used to identify users at printers.

  3.3. 24x7 CCTV monitoring of all entry and exit points to our head office.

This gives full traceability in the event of a security incident, and sensitive areas have out-of-hours proactive alerting should motion be detected. Other offices where risks are lower benefit from landlord CCTV covering entry and exit points to the premises.

  4. Staff training

All staff receive induction and routine training on how to handle data, and this is refreshed wherever the need is identified. Staff are also trained on other IT and non-IT systems; they are encouraged to report any concerns about IT, office, operational or client practices openly and promptly.

  5. Reporting suspicious activity

All employees must immediately report any knowledge of or suspicion of suspicious activity to the board.

Once the matter has been reported to the board, the employee must follow the directions given to them and must NOT make any further enquiry into the matter. The employee must NOT voice any suspicions to the company and/or person(s) whom they suspect, as this may result in the commission of the offence of “tipping off”. They must NOT discuss the matter with others or note on the file that a report has been made to the board, in case this results in the suspect becoming aware of the situation.


  6. Data Protection

Customer details must be collected in accordance with the Data Protection Act 2018. This data can be “processed” as defined under the Data Protection Act 2018 to prevent money laundering and terrorist financing.

  7. Record Keeping

Customer identification evidence and details of any relevant transaction(s) for that customer must be retained for at least 5 years from the end of any business relationship with that customer.