Information Security Policy (Updated 25.05.2017)
1. Policy Overview
1.1 Policy Name
Electronic Information Security Policy (ISP)
As a regulated payment service provider, Eazy Collect Services Limited (Eazy Collect) regards information security as critical to its own and its Clients’ business integrity and therefore has procedures in place to protect and monitor data security.
This document outlines the procedures in place to maintain data security at all times on our network and within our business.
This document defines how Eazy Collect secures electronic information and data, and covers:
- Legislation and Policies to which our services are bound
- Security of information held in electronic form on our storage devices
- Allocation of Information Security Officer (ISO) and Data Protection Officer (DPO)
- Location of Eazy Collect’s Electronic Information Assets
- Authorised personnel and access control
- Backup procedures
- Information Security review procedure
- Action in the event of a breach of the policy or data disclosure
- End-user responsibilities
- Contacts for further information
2. Legislation and Policy
Eazy Collect has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory requirements. These include:
- Computer Misuse Act 1990
- The Copyright Designs and Patents Act 1988
- Data Protection Act 1998
- Obscene Publications Act 1959
- Telecommunications Act 1984 and Communications Act 2003
- BACS Approved Bureau
- Financial Conduct Authority
- Anti-Money Laundering Legislation
2.3 International Law
Where service or data is being provided outside of the UK, the data or act of transmission must not contravene any international laws or treaties.
3. Monitoring, Review and Reporting
3.1 Allocation of Information Security Officer (ISO) and Data Protection Officer (DPO)
Eazy Collect has allocated Matt Harris (IT Manager) as the Information Security Officer (ISO) and Andy Stalsberg (Director) as the Data Protection Officer (DPO).
The ISO is responsible for overseeing all aspects of Information Security at Eazy Collect.
3.2 Reporting of Incidents Procedure
Any incidents relating to Information Security are to be recorded by the Information Security Officer (ISO). In the unlikely event that information owned by another party or customer has been exposed due to a fault, the affected party will be notified as soon as possible.
In the event a customer has exposed information considered confidential or has created a security problem, the customer should notify Eazy Collect as soon as possible so that action can be taken.
3.3 Review of Information Security Policy
This ISP document will be reviewed by the ISO every 12 months, or sooner if legislation or industry events require.
4. Backup of Data
Daily snapshots of the servers are stored automatically, and transaction logs are stored in real time. This ensures the system can be restored to any point in time in any one of the three data centres.
5. Location of Data and Security Measures
All data available for access via the Internet is stored in our secure data centre facility. The service is based in Dublin, Ireland and is mirrored across three data centres which are on separate power and telecoms networks. If one becomes unavailable, the service switches to one of the other two to maintain availability. We also hold a separate copy of the data in Frankfurt, which can be deployed and running within one hour.
5.2 Data Centre Physical Security
- ISO27001 Approved Data Centre
- Key card access to facility and individual data centre halls
- 24-hour manned security with perimeter fence, electrically controlled gates and CCTV
- Fully redundant power, with UPS backup for all systems and diesel generators for continued operation during a power outage
- Automatic smoke and fire detection and suppression systems
- On-site technical support staff and network monitoring
5.3 Our Network Security
- All aspects of the network are monitored 24x7 and engineers are automatically notified of any problems
- We employ a third party security vendor to independently test our security. This comprises daily delta testing, quarterly vulnerability testing and annual penetration testing.
- Hardware firewalls protect the connections between the public Internet and our local network within the data centre
- All traffic must pass through the hardware firewalls and be filtered before it reaches the servers and data storage
- Hardware firewalls allow filtering of specific types of data, services, ports and source/destination IP addresses, so that only specific communications are allowed
- Additional automated processes protect the network from intrusion or attack
- Data in the network is held within a Virtual Private Cloud; databases are in a separate subnet that is not publicly accessible and can only be reached via a Virtual Private Network (VPN). Data in transit between machines is encrypted using a 128-bit cipher.
6. Access to Data
6.1 Authorised Personnel
The Client is responsible for managing access control to the Eazy Collect DD management system. An account administrator will be allocated at the point of order who will have full access to data and the management of users / access control. Eazy Collect’s staff members are only allocated access to data where specifically necessary for their duty. Some of this access is to perform administration tasks and does not require viewing of data, unless requested by the customer or authorised party. In the case where a member of Eazy Collect staff has access to data, a non-disclosure agreement (NDA) will be in place for that staff member. All staff members with any access to data are made aware of the critical importance of data security to Eazy Collect and its customers.
6.2 End User Responsibilities
All users of services provided by Eazy Collect are responsible for ensuring their end-user computers and networks are of a secure and functional state to access our systems.
Use of our services and access to data is bound by UK law (and International Law where data is being accessed or transmitted outside the UK), as per section 2.
Customers and end-users should therefore take the following precautions (this list is not exhaustive):
- Computers accessing our network should be free of viruses, malware or any malicious software
- Your network should be secure from external attack or intrusion
- Use only secure passwords to prevent unauthorised access
- Do not access confidential data from shared computers
- Do not provide anonymous access to your data
- Comply with the legislation and policies outlined in section 2.1