Data protection and security

Pupil Asset is hosted in geographically separate UK data centres. Our cloud hosting provider is ISO 27001 accredited. ISO 27001 is an international standard that is recognised globally for managing risks to the security of information. ISO 27001:2013 is the latest version. This standard specifies the requirements for an information security management system (ISMS). Our cloud hosting provider is part of the iomart group and holds additional certifications, all of which have supplemental security components including:

• ISO 9001:2015 - an internationally recognised standard demonstrating quality management. It signals that a company’s products/services are consistently improved to meet customers’ needs
• ISO 22301:2012 - provides a standardised framework companies can use to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). Receiving this accreditation demonstrates that operational requirements are being met successfully
• ISO 20000:2011 - is a global standard for IT service management. It demonstrates that a company is fulfilling agreed service requirements. It covers the design, transition, delivery and improvement of services
• ISO 14001:2015 - serves as a global framework for auditing environmental performance. Accreditation demonstrates that a company is committed to effective waste management
• ISO 50001:2011 - is an accreditation for energy management systems (EMS). It validates that a company has met the specified requirements for establishing, implementing, maintaining and improving an EMS. This, in turn, demonstrates a commitment to improving energy efficiency
• PCI DSS - compliance offering Payment Card Industry’s Data Security Standard (PCI DSS) compliant hosting environments, Cloud solutions and dedicated traditional infrastructure. iomart work with you to ensure that your service meets PCI DSS requirements.

In addition to these accreditations, our cloud hosting provider is also quality assured for the following security aspects

• ISO/IEC 27017:2015 Cloud Service Information Security Controls defines an extended control set of additional security controls specific to cloud services. It is based on a model of collaboration between the cloud service provider and their customers
• ISO 17789:2014 Cloud Computing Architecture specifies the cloud computing reference architecture (CCRA) when scoping cloud compute services, which outlines best practice on cloud computing functional components and their relationships with the various cloud computing aspects
• ISO/IEC 27018:2014 Protection of Personal Identifiable Data in the Cloudis a code of practise with commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment
• ISO 38505:2017 Governance of IT Data applies to the governance of the current and future use of data created, collected, stored or controlled by IT systems, and influences the management processes and decisions relating to data. It defines the governance of data as a subset of governance of IT and corporate governance
• ISO 27032:2012 Cybersecurity Techniques which outlines “Cybersecurity” or “Cyberspace security” controls to preserve the integrity, confidentiality, and availability of information in the Cyberspace” using complex, highly variable cloud computing and virtualization technologies
• BSI 10012:2017 Data Protection – Personal Information Management System (PIMS) The BS 10012:2017 provides a best practice framework for a personal information management system, aligned to the principles of GDPR and the DPA. It outlines core requirements for which the provider reference when collecting, storing, processing, and retaining or disposing of personal records related to individuals
• ISO 27040:2015 IT Security Storage Guidelines guidance to design, control and manage threat aspects associated with storage security and technology utilised in order to protect information where it is stored or being transferred across networks and those associated with the storage service
• ISO 31000:2009 Risk Management Principles to guide effective management and corporate governance, to determine the adequacy of the controls already in place, any associated risks and how they could affect the achievement of objectives, to improve the identification of opportunities or threats and how the business effectively allocates and uses resources.

Pupil Asset data in transit and data at rest are secured to industry standards using SHA-256 encryption with RSA-2048 signing

Passwords and other sensitive information are either encrypted or MD-5 hashed (with salt to prevent rainbow-table based attacks)

Off-site overnight back-ups run daily to ensure that no data is lost in the event of failure at the primary data-centre and a geographically separate UK data centre is available for warm failover

The Pupil Asset system itself has a mechanism for secure file transfer, ensuring encrypted end-to-end transmission of data to the system and/or our support team when necessary.