Last Updated 18th December 2023
Secure Screening Services is committed to keeping client and candidate information secure. We are transparent about our practices as a business, and we are happy to work with our customers to answer any questions or address any concerns regarding how we protect their personal data.
Below you will find general information and answers to many of our frequently asked questions regarding our security.
Secure Screening Services holds Cyber Essentials and Cyber Essentials Plus certification. The systems that fall under the scope of the Cyber Essentials Plus scheme include internet-connected end-user devices (desktop PCs, laptops, tablets and smartphones) and internet-connected systems (e.g. email, web and application servers). You can view the certificates here: securescreeningservices.com/docs/ce.pdf and here: securescreeningservices.com/docs/ceplus.pdf
Secure Screening Services is certified to ISO/IEC 27001 Information Security Management standard and is annually audited and certified by NQA. You can view the certificate here: securescreeningservices.com/docs/iso27001.pdf
Secure Screening Services is also certified to the ISO 9001 Quality Assurance standard and is annually audited and certified by the British Standards Institution (BSI). You can view the certificate here: securescreeningservices.com/docs/iso9001.pdf
Secure Screening Services' information governance program policies and procedures are directed by our leadership team and are documented and maintained as part of our Information Security Management System (ISMS).
Our information security program has been developed and implemented to comply with the ISO 27001 standard. We hold regular Security Forum meetings to review incidents and potential vulnerabilities, and we have incident response procedures in place with a third-party cyber security company should they be required.
Business continuity management and operational resilience policies and procedures are documented and maintained as part of our ISMS.
Our continuity management procedures are supported by internal audits carried out with an independent risk management company and by regular desktop exercises.
A defined quality change control, approval, and testing process with established baselines, testing, and release standards is followed.
A process to proactively roll back changes to a previously known "good state" is defined and can be implemented in case of errors or security concerns.
A software development lifecycle (SDLC) process is implemented for application design, development, deployment and operation, as per organisationally defined security requirements.
We use AWS EC2 instances, AWS RDS database clusters and AWS S3. All file uploads to the portal, whether from candidates or clients, are authenticated and scanned for malware on upload.
The platform uses OAuth tokens that expire, and connections are deactivated after a set timeout.
Data at rest and in transit is cryptographically protected using cryptographic libraries certified to approved standards. TLS 1.3 or higher is used.
Application passwords must be at least 8 characters long and contain at least one of each of the following: an uppercase letter, a lowercase letter, a number and a special character. Two-factor authentication is provided and recommended for all users, and is enforced for all Screening Administrators.
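The password and two-factor rules stated above, expressed as a small policy check. This is an added example written for this page, not code from the Secure Screening Services portal; the role name `screening_administrator`, the use of ASCII letters and digits as the character classes for each rule, and the function names are assumptions made for the example.

```python
"""Added example: a check for the stated password policy and MFA rule.

The rules (minimum 8 characters; at least one uppercase letter, lowercase
letter, number and special character; MFA enforced for Screening
Administrators) are the ones stated on the page. The role name string,
the ASCII character classes and the function names are assumptions;
this is not the portal's own code.
"""
import re

MIN_LENGTH = 8

# (human-readable requirement, predicate that is True when the requirement is met)
RULES = [
    ("at least 8 characters", lambda p: len(p) >= MIN_LENGTH),
    ("an uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("a lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("a number", lambda p: re.search(r"[0-9]", p) is not None),
    # "Special" is taken to mean any character that is not an ASCII letter or digit (assumption).
    ("a special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]

# Roles for which the page says 2FA is enforced rather than merely recommended (assumed role name).
MFA_ENFORCED_ROLES = {"screening_administrator"}


def password_violations(password: str) -> list[str]:
    """Return the unmet requirements, in policy order; an empty list means the password is acceptable."""
    return [label for label, satisfied in RULES if not satisfied(password)]


def password_is_acceptable(password: str) -> bool:
    """Convenience wrapper: True only when every rule in RULES is met."""
    return not password_violations(password)


def mfa_required(role: str) -> bool:
    """True when a user in this role must have two-factor authentication enabled."""
    return role.lower() in MFA_ENFORCED_ROLES


def login_allowed(role: str, mfa_enrolled: bool) -> bool:
    """A user in an MFA-enforced role may only sign in once a second factor is enrolled."""
    return mfa_enrolled or not mfa_required(role)


if __name__ == "__main__":
    # Constructed sample passwords; none are real credentials.
    for candidate in ["Tr0ub4dor&3", "password", "Short1!", "NoDigits!!", "nouppercase1!"]:
        problems = password_violations(candidate)
        print(f"{candidate!r}: {'ok' if not problems else 'missing ' + ', '.join(problems)}")
    print("admin without MFA allowed:", login_allowed("screening_administrator", False))
    print("client user without MFA allowed:", login_allowed("client_user", False))
```

Returning the full list of unmet requirements rather than a bare boolean lets the portal tell the user exactly which rule failed, and keeping the MFA decision in a separate function means the "enforced for administrators, recommended for everyone else" distinction lives in one place.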
Policies and procedures are documented for the classification, protection, and handling of data throughout its lifecycle according to all applicable laws and regulations, standards, and risk levels.
Our client and candidate data is held on our AWS Platform located in The UK. All candidate documents are stored on our secure online platform.
Where a candidate or client document is reviewed and processed on a Screening Administrator's internal desktop system, the documents are removed from that system after processing and are stored securely on the Portal.
Our help desk service (Helpscout) is hosted on AWS in the US but remains fully GDPR compliant through a Data Processing Amendment for EU and UK data. It is used only for communications, and no personal documents or sensitive information are shared or stored on it.
We sub-process data through our selected partners. These are carefully vetted and responsibility for data remains with us.
Processes, procedures, and technical measures for authenticating access to systems, applications, and data assets, including multi-factor authentication, for least-privileged user and sensitive data access are implemented.
Multi-factor authentication for Secure Screening Services staff and client access is supported and enforced on the Secure Screening Services Portal.
Applications and infrastructures are designed, deployed, and configured such that Secure Screening Services and customer user access are appropriately segmented, segregated, monitored, and restricted from other clients.
Communications between environments are monitored and encrypted. Production and non-production environments are separated.
We use a number of platforms to monitor IT compliance, including real-time platform and software monitoring to identify any unusual platform activity.
Security-related events are identified and monitored within applications and the underlying infrastructure.
Audit logs of cloud service customer user access, data changes, and configuration changes are kept.
Policies and procedures for security incident management are documented in accordance with the ISO 27001 standard.
A security incident response plan, which includes relevant internal departments, impacted customers, and other business-critical relationships (such as supply-chain), is documented and maintained.
Security breaches and assumed security breaches are recorded and reported (including any relevant supply chain breaches) as per applicable SLAs, laws, and regulations.
Policies and procedures are documented to identify, report, and prioritise the remediation of vulnerabilities to protect systems against vulnerability exploitation.
Policies and procedures to protect against malware on managed assets are documented and maintained.
Processes are implemented to update detection tools, threat signatures, and compromise indicators on a weekly (or more frequent) basis.
Processes, procedures, and technical measures are implemented to identify updates for applications that use third-party or open-source libraries. Security updates to libraries are carried out as part of an ongoing maintenance plan.
Periodic, independent, CREST-certified third-party penetration testing is conducted on both Secure Screening Services' own application and infrastructure and our Microsoft 365 tenant. This occurs at least annually, and more often when required based on platform or environment changes.