Contact support

Networking & Infrastructure

General Information Security F.A.Q's

ISO 27002:2013 - A.5.1.1 - Policies for Information Security A set of policies for information security shall be defined, approved by management, published, and communicated to employees and relevant external parties. Synel UK operates a formal INFOSEC policy, annually reviewed, and distributed (copy included )

ISO 27002:2013 - A.5.1.2 - Review of Policies for Information security The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. Synel UK operates a formal INFOSEC policy, annually reviewed, and distributed (copy included )

ISO 27001:2013 6.1.1 - Information Security- Roles and Responsibilities All information security responsibilities shall be defined and allocated. All roles and responsibilities for individual roles within the organisation are defined and controlled in the job descriptions of each individual employee. The job descriptions are set out to describe the tasks and responsibilities within each role within the business. This includes sales, pre-sales technical and admin roles.

ISO 27002:2013 - A.6.1.2 -Segregation of duties Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. Within the business each role and its responsibilities are clearly defined around areas of specific responsibility. These are reviewed annually as part of the business review and oversight process.

ISO 27002:2013 - A.6.1.3 Contact with authorities Appropriate contacts with relevant authorities shall be maintained. We do not have regular or routine contact with any INFOSEC organisation. We would fully engage when and if necessary. We do fully conform with the regulations and guidance issued by the governance organisations and associated stakeholders.

ISO 27002:2013 - A.6.1.4 - Contact with Special Interest Groups Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. We do not have any regular contact with any specialist groups or organisations as described. However, we do engage with customer and user forums and events to ensure we have a view over the guidance, best practice, market changes and customer requirement and expectation.

ISO 27002:2013 - A.6.1.5 -Information Security in Project Management Information security shall be addressed in project management, regardless of the type of the project. Synel UK uses ZOHO ONE cloud-based solution as the tool to manage our Projects and Customer Support, where all Projects are managed individually by an assigned project manager from our support team. All relevant information is stored and documented in the ZOHO Projects module as it acts as the main source of information to all project's activities. From a project management perspective, all Project Managers and implementers are required to use the ZOHO Project module to document and record all relevant information. Information is received by email directly from the customer to the project manager. Only authorised users and project members - set by the project owner - can access the project and its relevant information. The project manager can access that information and if required and appropriate, share it with other team members or escalate it to if further support is required. On project commissioning, the relevant information remains for the duration of the customer lifecycle. We hold a weekly Project review meeting, covering all active projects activities and information, to ensure all open tasks are undergoing, the project timeline is kept, and policies and procedures adhered to. Synel UK follows the principals, work process and workflows that are designed and set in ZOHO by Synel management. Synel UK keeps all records and information on its ZOHO ONE portfolio, which covers our CRM, Projects and Customer support and Service modules. Each user has different permissions to each module allowing only authorised users accessing the project and supporting information relatively.

ISO 27002:2013 A.7.1.1 - Screening Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. As part of our recruitment and engagement process we exercise enquiries of all prospective employees, including declarations of criminal records, references, evidence of training and qualifications. All it asks and checks are carried out in line with our documented recruitment policy.

ISO 27002:2013 - A.7.1.2 - T&Cs of Employment The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. All relationships with employees, interns, contractors, suppliers, and customers are governed by contract actual documents and arrangements. All our contracts have specific clauses and terms relating to data security, Information protection and standards. These contracts are regularly reviewed and enforced when required.

ISO 27002:2013 A.7.2.1 - Management Responsibilities Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. As part of management oversight all employees are annually reviewed in line with their individual roles and responsibilities. This is reinforced through regular team meetings and ongoing training. The responsibilities of contractors (rarely used) is directly in line with the terms of data security within the contract document. These terms are managed by the appropriate manager or project manager.

ISO 27002:2013 - A.7.2.2 - Information Security awareness, education, and training. All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. All employees are specifically trained on the company InfoSec policies and procedures. This training is annually reinforced and when any changes to the policies or processes.

ISO 27002:2013 - A.7.2.3 - Disciplinary Process There shall be a formal and communicated disciplinary process in place to act against employees who have committed an information security breach. The disciplinary process is a formal policy, issued to all employees at the commencement of their employment. In addition to this the full policy is available in the employee handbook. The policies apply to all breaches of company policies and procedures.

ISO 27002:2013 - A.7.3.1 - Termination or change of employment responsibilities Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor, and enforced. There are specific clauses within the employee's contract relation to data security upon leaving the organisation. An employee's obligation is clearly defined. In the event of any breach of the contract, enforcement action would be applied.

ISO 27002:2013 - A.8.1.1 - Inventory of Assets Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. The company maintains an assets list through the stock control system. Stock control audits are carried out on a quarterly basis, any discrepancies are reported and investigated.

ISO 27002:2013 - A.8.1.2 - Ownership of Assets Assets maintained in the inventory shall be owned. The data, stock and assets of the company are the responsibility of the CEO. The CEO is also the nominated data controller and acts as the DPO for matters concerning security of data both for internal and customer operations.

ISO 27002:2013 -A.8.1.3 - Acceptable Use of Assets Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented, and implemented. Rules for acceptable use are detailed in both the employee handbook and the company fair use policy. This policy is reviewed annually or at any point a policy is changed or updated.

ISO 27002:2013 - A.8.1.4 - Return of Assets All employees and external party users shall return all the organizational assets in their possession upon termination of their employment, contract or agreement. Company assets in terms of devices, tools, equipment, and product are all recorded upon issues to each employee as required. The maintenance of this list is, and any amendments or changes are the responsibility of the Manager. A full stack take is undertaken every 1/4, employee is required to submit a list of all company assets retained. Any returned assets are signed back and in and processed for replacement or reissues, this includes the deletion of any personal or commercial data.

ISO 27002:2013 - A.8.2.1 - Classification of Information Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. There is very little by way of hardcopy information within Synel UK, most of the data is held securely electronically and only those whose job it is to have access to that information can access it. Hardcopy waste is disposed of via a shredding company that collects from the office.

ISO 27002:2013 - A.8.2.2 - Labelling of Information An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. We do not use labelling of document classification as the requirements.

ISO 27002:2013 - A.8.2.3 - Handling of Assets Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. The way we handle asset is covered in the clear desk policy

ISO 27002:2013 - A.8.3.1 - Management of Removable Media Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. The use of removable media is actively discouraged within the organisation. All data and resources that may be required are available through the company's servers. They are categorised by access rights both between departments and employees. Remote workers have access provided by a secure VPN which only enables access to the specific data available to them.

ISO 27002:2013 - A.8.3.2 - Disposal of Media Media shall be disposed of securely when no longer required, using formal procedures. The decommissioning, recycling, and destruction of any devices removable or otherwise must be carried out in line with the infosec policy and procedures. This is a central function carried only by employees authorised to do so. All items are referred to the main inventory for tracking and audit.

ISO 27002:2013 - A.8.3.3 - Physical Media Transfer Media containing information shall be protected against unauthorized access, misuse, or corruption during transportation. All data is encrypted whilst in transit between server, application, or device. The data is also encrypted at read on the devices, this a core principle of our data security model. All data from obsolete or damaged devices and hardware is deleted prior to disposal of the physical equipment. All replacement hardware is dispatched; "clean" data is only downloaded to a new or replacement device once installed on the client or company network.

ISO 27002:2013 - A.9.1.1 - Access Control Policy An access control policy shall be established, documented, and reviewed based on business and information security requirements. Access control measures both physical and logical are in place to secure the security of the data, hardware, intellectual property, and safety of the employees.

ISO 27002:2013 - A.9.1.2 Users shall only be provided with access to the network and network services that they have been specifically authorized to use. From a physical perspective, access control clearance is required to enter the building. It is also required to access the Synel areas (biometric fingerprint).there is a secondary access control to sensitive areas for authorised Synel employees only (Biometric fingerprint). Our data hosting centre has similar security both physical and logical and I IRAP compliant. Logical security is applied by a password protection policy including regular mandatory changes. Remote access is granted to only authorised employees e VPN again with full password control applied.

ISO 27002:2013 - A.9.2.1 -User registration and de-registration A formal user registration and de-registration process shall be implemented to enable assignment of access rights. User access is assigned by the client within the GUI passwords must meet minimum complexity and can be given expiration dates and forced renewals. This is managed by the end user following suitable training.

ISO 27002:2013 - A.9.2.2 - User Access Provision A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. User access is assigned by the client within the GUI passwords must meet minimum complexity and can be given expiration dates and forced renewals. This is managed by the end user following suitable training.

ISO 27002:2013 - A.9.2.3 -Management of Privileged access rights The allocation and use of privileged access rights shall be restricted and controlled. Privileged access rights policy is applied to all employees. This is the direct responsibility of the UK IT manager, sanctioned by the group IT manager. Employees only have access to data and services applicable to their role. in the event of Any temporary changes to grade or role, are reflected in time limited credentials managed directly by the IT Manager or Group IT manager.

ISO 27002:2013 - A.9.2.4 - Management of Secret authentication information of others The allocation of secret authentication information shall be controlled through a formal management process. User access is assigned by the client within the GUI passwords must meet minimum complexity and can be given expiration dates and forced renewals. This is managed by the end user following suitable training. Passwords can be randomly generated for a user and sent to email as a One Time sign on forcing the user to pick a new and complex password in line with the password policy for complexity. These passwords are then encrypted into the SQL and cannot be viewed by users or administrators. If a user forgets their password, they must reset it.

ISO 27002:2013 - A.9.2.5 - Review of user access rights Asset owners shall review users' access rights at regular intervals. Access rights as are assigned to individual roles within the organisation. These rights per role are reviewed annually in line with the Infosec policy.

ISO 27002:2013 - A.9.2.6 - Removal or Adjustment of Access Rights The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract, or agreement, or adjusted upon change. Access rights as are assigned to individual roles within the organisation. These rights per role are reviewed annually in line with the Infosec policy.

ISO 27002:2013 - A.9.2.1 -User registration and de-registration A formal user registration and de-registration process shall be implemented to enable assignment of access rights. User access is assigned by the client within the GUI passwords must meet minimum complexity and can be given expiration dates and forced renewals. This is managed by the end user following suitable training.

ISO 27002:2013 - A.9.2.2 - User Access Provision A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. User access is assigned by the client within the GUI passwords must meet minimum complexity and can be given expiration dates and forced renewals. This is managed by the end user following suitable training.

ISO 27002:2013 - A.9.2.3 -Management of Privileged access rights The allocation and use of privileged access rights shall be restricted and controlled. Privileged access rights policy is applied to all employees. This is the direct responsibility of the UK IT manager, sanctioned by the group IT manager. Employees only have access to data and services applicable to their role. in the event of Any temporary changes to grade or role, are reflected in time limited credentials managed directly by the IT Manager or Group IT manager.

ISO 27002:2013 - A.9.2.4 - Management of Secret authentication information of others The allocation of secret authentication information shall be controlled through a formal management process. User access is assigned by the client within the GUI passwords must meet minimum complexity and can be given expiration dates and forced renewals. This is managed by the end user following suitable training. Passwords can be randomly generated for a user and sent to email as a One Time sign on forcing the user to pick a new and complex password in line with the password policy for complexity. These passwords are then encrypted into the SQL and cannot be viewed by users or administrators. If a user forgets their password, they must reset it.

ISO 27002:2013 - A.9.2.5 - Review of user access rights Asset owners shall review users' access rights at regular intervals. Access rights as are assigned to individual roles within the organisation. These rights per role are reviewed annually in line with the Infosec policy.

ISO 27002:2013 - A.9.2.6 - Removal or Adjustment of Access Rights The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract, or agreement, or adjusted upon change. Access rights as are assigned to individual roles within the organisation. These rights per role are reviewed annually in line with the Infosec policy.

ISO 27002:2013 - A.9.3.1 - Use of secret authentication information Users shall be required to follow the organization's practices in the use of secret authentication information. The Used of "Secret" or Highly sensitive security access rights are governed by the same policies as all other information security measures. However highly sensitive access rights only reside with senior managers and employees and are not disclosed under any circumstances.

ISO 27002:2013 - A.9.4.1 - Information Access Restriction Access to information and application system functions shall be restricted in accordance with the access control policy. Only employees who require access to the systems or applications have that access granted. This process follows the current information security policy. All access to the systems is monitored and reordered. Actions within the system or application can be traced back to a specific user or id.

ISO 27002:2013 - A.9.4.2 - Secure log-on Procedures Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. Multi factor authentication is used for remote access to the third party's organisation, we will follow the procedures laid down by those third-party organisations. This does not dilute or compromise our own internal processes. All OS and root access are controlled by the UK IT manager and backed up by the group IT manager.

ISO 27002:2013 - A.9.4.3 - Password Management System Password management systems shall be interactive and shall ensure quality passwords. All password processes for system and application access are secured using UN & PW. When first active a standard access password is issued to an employee. This password must then be changed before proceeding, this is system mandated. Passwords are alphanumeric with minimum length and character rules. Password reset is automatic within the system as well as periodic change rules to ensure passwords are regularly changed.

ISO 27002:2013 - A.9.4.4 - Use of Privileged utility programs The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. Access to all applications and utilities is governed by the infosec policy and access is fully controlled by the UK and Group IT managers in line with password and access policies.

ISO 27002:2013 -A.9.4.5 - Access control to program source code Access to program source code shall be restricted. Only the developer team has access to any source code. This is centrally Managed by the IT Manager. Only authorised employees have these rights.

ISO 27002:2013 A.10.1.1 - Policy on the Use of Cryptographic controls A policy on the use of cryptographic controls for protection of information shall be developed and implemented. All passwords are encrypted

ISO 27002:2013 A.10.1.2- Key Management A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. End users set their own policy for password expiration and can force a reset every X number of days. This process is applied throughout the lifecycle of the system and individual users.

ISO 27002:2013 - A.11.1.1 - Physical Security Perimeter Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. Synel offices have multiple security perimeters. All using physical access control either access card or biometrically based. Secure and sensitive areas are secured individually with biometric access. CCTV is used in the security of the main of the premises. The data centre is a contracted service based in the UK and fully complies to IRAP standards.

ISO 27002:2013 - A.11.1.2- Physical Entry Controls Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Synel offices have multiple security perimeters. All using physical access control either access card or biometrically based. Secure and sensitive areas are secured individually with biometric access. CCTV is used in the security of the main of the premises. The data centre is a contracted service based in the UK and fully complies to IRAP standards.

ISO 27002:2013 - A.11.1.3 - Securing Offices, Rooms & Facilities Physical security for offices, rooms and facilities shall be designed and applied. Synel offices have multiple security perimeters. All using physical access control either access card or biometrically based. Secure and sensitive areas are secured individually with biometric access. CCTV is used in the security of the main of the premises. The data centre is a contracted service based in the UK and fully complies to IRAP standards.

ISO 27002:2013 - A.11.1.4 - Protecting against external and environmental threats Physical protection against natural disasters, malicious attack or accidents shall be designed and applied. Our hosting provider is fully IRAP compliant and accredited ISO 27001, 27018 this includes both physical (CCTV and Access Control) and logical protection (Antivirus, Firewall, off site back-ups and Disaster recovery). This guarantees to the highest level of security and protection for the solutions and data stored.

ISO 27002:2013 - A.11.1.5 - Working in Secure Areas Procedures for working in secure areas shall be designed and applied. Our hosting provider is fully IRAP compliant and accredited ISO 27001, 27018 this includes both physical (CCTV and Access Control) and logical protection (Antivirus, Firewall, off site back-ups and Disaster recovery). This guarantees to the highest level of security and protection for the solutions and data stored.

ISO 27002:2013 - A.11.1.6 - Delivery & Loading Areas Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access. Our hosting provider is fully IRAP compliant and accredited ISO 27001, 27018 this includes both physical (CCTV and Access Control) and logical protection (Antivirus, Firewall, off site back-ups and Disaster recovery). This guarantees to the highest level of security and protection for the solutions and data stored.

ISO 27002:2013 - A.11.2.1 - Equipment siting & protection Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. Our hosting provider is fully IRAP compliant and accredited ISO 27001, 27018 this includes both physical (CCTV and Access Control) and logical protection (Antivirus, Firewall, off site back-ups and Disaster recovery). This guarantees to the highest level of security and protection for the solutions and data stored.

ISO 27002:2013 - A.11.2.2 - Supporting utilities Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. As a fully accredited IRAP the servers are fully backed -up and protected from external threats including power failure. This is supported by full disaster recovery and fail-over to back-up machines.

ISO 27002:2013 - A.11.2.3 - Cabling security Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference, or damage. Our hosting provider is fully IRAP compliant and accredited ISO 27001, 27018 this includes both physical (CCTV and Access Control) and logical protection (Antivirus, Firewall, off site back-ups and Disaster recovery). This guarantees to the highest level of security and protection for the solutions and data stored.

ISO 270012:2013 - A.11.2.4 - Equipment Maintenance Equipment shall be correctly maintained to ensure its continued availability and integrity. Our hosting provider is fully IRAP compliant and accredited ISO 27001, 27018 this includes both physical (CCTV and Access Control) and logical protection (Antivirus, Firewall, off site back-ups and Disaster recovery). This guarantees to the highest level of security and protection for the solutions and data stored.

ISO 27002:2013 - A.11.2.5 -Removal of Assets Equipment, information, or software shall not be taken off-site without prior authorization. No equipment regardless of being fixed or mobile, soft, or hard, will be removed from either a customer site or Synel Promises without following the appropriate procedures and authorisations.

ISO 27002:2013 -A.11.2.6 - security of equipment and assets off premises Security shall be applied to off-site assets considering the different risks of working outside the organization's premises. Assets security off premises from a business perspective includes all mobile devices, laptops and phones. These are the responsibility of each employee and covered by our personnel and infosec policies. Regarding commercial customer equipment the security of any devices is the responsibility of the end user and assumes internal processes by the customer. Whilst encrypted at rest and in transit, the security of data within the client's network is the responsibility of the client.

ISO 27002:2013 -A.11.2.7 - Secure disposal or reuse of equipment All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. All returned equipment and hardware are purged (if can't be purged then data storage media will be destroyed) prior to recycling or disposal in line with Infosec policy. All hardware is disposed of compliant with the WEEE regulations.

ISO 27002:2013 - A.11.2.8 - Unattended user equipment Users shall ensure that unattended equipment has appropriate protection. No equipment is left unattended or accessible if not in use. Preinstallation hardware does not contain customer data and any returned or damaged equipment is purged or destroyed

ISO 27002:2013 - A.11.2.9 - Clear desk and clear screen policy A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. The policy for this is under Synel UK's "Clean Desk Policy" (document number SYD-0024-01). It covers the handling of sensitive information in the workspace. The central IT policy also locks screens after a period of inactivity, which is applied to all employees.

ISO 27002:2013 -A.12.1.1 - Documented Operating procedures Operating procedures shall be documented and made available to all users who need them. All Procedures are available to employees via the employee handbook or via their line manager. The policies are also delivered directly via employee training sessions

ISO 27002:2013 - A.12.1.2 - Change Management Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. Change management is the responsibility of the CEO, delegated to each department head or live team. These processes and progress are monitored and reviewed by the CEO and senior leadership team within the business.

ISO 27002:2013 -A.12.1.3 - Capacity Management sources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. The use and capacity of system resources is monitored in real time by the IT manager. Any changes and flags are monitored and reviewed by the SLT monthly. Any changes or optimization is carried as when required because of real time events or when strategy required.

ISO 27002:2013 - A.12.1.4 - Separation of development, testing, and operational environments Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. Within our IT strategy we have many environments used for specific purposes such as deployment, live, development, testing, and R&D. These separate environments are managed as separate and unique environments.

ISO 27002:2013 - A.12.2.1 -Controls against Malware Detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. All Cloud servers are protected via ESET Enterprise

ISO 27002:2013 - A.12.3.1 -Information backup Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy. All back-ups of customer data are hosted by our provider, within our hosting agreement. Back-ups and fail-overs are maintained at the same level as active servers and active data. Our hosting provider is IRAP, ISO 27001 and ISO 27018 compliant.

ISO 27002:2013 - A.12.4.1 - Event Logging Event logs recording user activities, exceptions, faults, and information security events shall be produced, kept and regularly reviewed. The Software contains its own Audit trail process to monitor all changes and exceptions

ISO 27002:2013 - A.12.4.2 - Protection of log information Logging facilities and log information shall be protected against tampering and unauthorized access. All logs and admin access are protected by Password and only accessible be authorised senior employees.

ISO 27002:2013- A.12.4.3 - Administrator and Operator Logs System administrator and system operator activities shall be logged, and the logs protected and regularly reviewed. Audit and Administration logs are kept against all access transactions and limited to senior personnel only. All access is password protected with unique credentials per user.

ISO 27002:2013- A.12.4.4 - Clock Synchronisation The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source. Yes, all devices are linked to the central server time. Although GMT offsets are applied for separate and distinct time zones.

ISO 27002:2013 - A.12.5.1 - Installation of Software on Operational systems Procedures shall be implemented to control the installation of software on operational systems. We have a fully documented process for the implementation and go live of new systems. This is strictly limited to individual members of the unique project team