Our Dedication to Data Security
Touchpoint Group is ISO/IEC 27001 certified and manages information security within a framework based on related standards such as ISO/IEC 27017 (Code of Practice for Information Security Controls Based on ISO/IEC 27001 for Cloud Services) and ISO/IEC 27018 (Protection of Personally Identifiable Information).
"Internationally recognized ISO/IEC 27001 is an excellent framework which helps organizations manage and protect their information assets so that they remain safe and secure. It helps you to continually review and refine the way you do this, not only for today, but also for the future." - Learn more about ISO 27001 with BSI.
Organisational Security and Compliance
CERTIFICATION AND COMPLIANCE
Touchpoint Group is ISO 27001:2013 certified. The certificate is available for download here.
Privacy and data protection policies
Touchpoint Group always treats customer data as confidential. Touchpoint Group does not access, use or share the information collected from a customer except as set forth in the Terms to carry out its obligations under this agreement, and as per our Privacy Policies.
For information on our legal and privacy terms, please visit:
Third party and security assessments
Touchpoint Group's compliance with security standards and ISO 27001 is reviewed annually by an independent accredited third party. In addition, Touchpoint Group's security maturity has been reviewed on a number of occasions by third parties, including external auditors such as PwC.
For customers based in the EU, or who source data from the EU, we offer a Data Processing Agreement. This defines the terms and conditions (including the incorporation of the European Commission’s Model Contractual Clauses) regarding the processing of personal data that is transferred from an EU to a non-EU jurisdiction, in accordance with the requirements of the GDPR.
Customer-initiated security assessments and audits are possible, but will be agreed on a case-by-case basis and require an independent auditor, in order to protect the confidentiality of customers who are not party to the audit. As these custom audits require effort and carry cost for the customer, Touchpoint Group offers to make a summary of the most recent third-party audits or certifications available instead.
INFORMATION SECURITY MANAGEMENT SYSTEM
Touchpoint Group has implemented an Information Security Management System (ISMS) that is compliant with ISO 27001, the international standard for information security. This ISMS also aligns with ISO 27017 (Code of Practice for Information Security Controls Based on ISO 27001 for Cloud Services) and ISO 27018 (Protection of Personally Identifiable Information).
The Touchpoint Group Information Security Management System and related controls cover these domains:
This ISMS is reviewed independently on a regular basis to provide for continued effectiveness and accuracy.
If you require additional information to the above security domains, please see below or contact us.
RISK AND VULNERABILITY MANAGEMENT
Touchpoint Group has defined its methodology for assessment and treatment of information risks based on the ISO/IEC 27001 standard. Risk assessment and risk treatment are applied to the entire scope of the Information Security Management System (ISMS), i.e. to all information assets within Touchpoint Group or which could have an impact on information security, including customer information.
Technical compliance and testing
Touchpoint Group approves and engages with third-party security firms to perform penetration testing that can uncover potential vulnerabilities and improve the overall security of our products and services. Upon receipt of the report provided by the third party, Touchpoint Group documents these vulnerabilities, evaluates the impact and likelihood (risk), and creates a mitigation strategy or remediation plan. Penetration tests are conducted at regular intervals or after every major release.
Other technical compliance activities include:
- Scheduled vulnerability reviews.
- Code reviews.
- External penetration testing as commissioned by customers.
- Scheduled external vulnerability scans.
- Internal testing.
- Internal code vulnerability scans.
- Review of application error logs.
New vulnerabilities and threats evolve each day, and Touchpoint Group strives to respond quickly to mitigate newly discovered threats. In addition to subscribing to industry-wide vulnerability announcement lists, Touchpoint Group subscribes to the latest security alert lists issued by major security vendors.
Vulnerability and web scans are performed quarterly.
When a significant announced or detected vulnerability puts one of Touchpoint Group's products at risk, the Touchpoint Group CISO and Security Team communicate the vulnerability to the appropriate teams within Touchpoint Group and coordinate the mitigation effort. Vulnerabilities are assessed for risk, and appropriate measures taken to address the associated risk.
Touchpoint Group scans all inbound and outbound email for known malware threats.
Anti-malware protection mechanisms are implemented for all systems and employee assets (e.g. laptops) commonly affected by malware. Anti-malware protection involves the following:
- Malware, spyware and ransomware protection
- Device firewall protection
- Automated file submission and cloud detection of the latest threats
- Antivirus signatures are updated daily
- AV engine updated with the latest Antivirus features
- Fully automated system scans
- Event logs are generated
- Realtime Threat Protection enabled
- Browser and system level protection
Touchpoint Group maintains a detailed incident management process which includes the standard phases:
- Report: Initial identification and reporting of events, weaknesses and incidents.
- Assess: Assessment of and decision on events.
- Respond: Response to incidents.
- Review and learn: Learning from incidents.
- Resolve: Close incident and ticket.
- Archive: Store documentation and evidence.
We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition.
Touchpoint Group has developed a comprehensive set of security policies covering a range of topics as part of its ISMS. Touchpoint Group employees are provided with the relevant policies when joining the organisation. The employment contract includes specific clauses stating that they have read and agree to comply with these. In addition, the onboarding process for all employees includes specific sections around security and compliance, with more in-depth training provided depending on the specific role.
All employees understand that disciplinary action will be taken for non-compliance.
Touchpoint Group performs background checks for employment purposes. The specific nature and scope of these checks typically include inquiries regarding educational background, work history, and references obtained from professional and personal associates, as well as criminal background checks, each as permitted by applicable law. These background check requirements apply to all employees and contractors, including those who will be administering systems or have access to customer information.
All employees have signed Non-Disclosure and Confidentiality agreements before gaining access to our code and data.
When an employee leaves Touchpoint Group, the employee's manager submits an exiting worker request. Once approved, Touchpoint Group HR initiates an email workflow to inform relevant stakeholders to take specific actions leading up to the employee's last day. In the event that Touchpoint Group terminates an employee, the HR department sends a similar email notification to relevant stakeholders, including the specific date and time of the employee termination. Touchpoint Group Security then schedules the following actions to help ensure that upon conclusion of the employee's final day of employment, they can no longer access the Touchpoint Group systems, offices or confidential files:
- Email access removal
- Remote VPN access removal (if applicable)
- Office access invalidation
- System access termination
- Network access termination
If required, managers may escort the terminated employee from the Touchpoint Group offices or building.
Security training programme
All staff undergo security awareness training when they join the company to ensure they understand the company security policies and procedures, and the specific security aspects applicable to their role. This training may be repeated if employees change roles or teams, and all employees take part in an annual security training session to update and refresh awareness.
Security awareness training
The awareness training covers these topics:
- A commitment to information security at Touchpoint Group and the protection of customer data.
- The need to become familiar with and comply with applicable information security policies and processes.
- The personal accountability of each staff member for their own actions and inactions regarding information security.
- Information about important policies and processes.
Role based security training
Staff receive annual training which has four levels depending on the employee role:
- Introduces basic security concepts, the ISMS, privacy compliance and company security policies and procedures
- Covers the protocols relating to secure handling of customer data
- Focuses on security as applied to application developers – covers OWASP and related technical standards
- Focuses on security as applied to infrastructure and networks
Various teams within Touchpoint Group participate in additional security training, workshops and attend security conferences to increase awareness of how security affects specific roles within the organisation, our products and services, and the company as a whole.
As part of our commitment to the security of our products and services, Touchpoint Group coordinates all security efforts under the role of Chief Information Security Officer (CISO). The office of the CISO coordinates all product and service security initiatives.
The CISO also manages the Operations and Security teams, who securely maintain the infrastructure and environments used to host all company products, and who act as security consultants to Touchpoint Group product development and operations teams. This team is also responsible for assessing and managing security incidents and weaknesses, and for taking any necessary responsive measures.
The team members work with teams and staff members across the business to achieve the right level of security for products and services, and advise these teams on security practices that support clear and repeatable processes for development, deployment and operations.
SECURE PRODUCT LIFE-CYCLE
A Secure Product Life-cycle provides guidance and requirements for the development of Touchpoint Group software products and services. The objective of the Secure Product Life-cycle is to embed secure processes and practices into the development culture of the organisation. This is done to ensure that information security is accounted for at every phase of the development life cycle, and as a result, the software and systems produced have a high level of security.
The Secure Product Life-cycle (SPLC) covers the following eight stages:
- Employee security training
- Requirements and planning
- Development and testing
- Staging and stabilisation
- Operations and monitoring including intrusion detection
- Incident management
The Secure Product Lifecycle (SPLC) activities include some or all of the following recommended practices, processes and tools depending on the specific Touchpoint Group product:
- Security training for product teams
- Product health, risk and threat landscape analysis
- Secure coding guidelines, rules and analyses
- Service roadmaps, security tools, and testing methods that guide the product, infrastructure and operations teams to help address the Open Web Application Security Project (OWASP) Top 10 most critical web application security flaws and the CWE/SANS Top 25 most dangerous software errors.
- Security architecture review and penetration testing
- Source code reviews to help eliminate known flaws that could lead to vulnerabilities
- User-generated content validation
- Application and network scanning
- Full readiness review, response plans, and release of developer education materials
Touchpoint Group corporate locations
Touchpoint Group maintains offices around the world and implements the following processes and procedures company-wide to protect the company against security threats.
Physical security of offices
Every Touchpoint Group office location employs on-site guards and/or electronic surveillance to protect the premises 24x7. Visitors enter through the front entrance, sign in and out with the receptionist, and are accompanied by an employee at all times while on the premises. Touchpoint Group keeps all server equipment, development machines, phone systems, file and mail servers, and other sensitive systems secured at all times and accessible only by appropriate, authorised staff members.
Touchpoint Group platform networks are segregated into logical zones based on trust level. These zones include a DMZ for public services, an application layer for application services, and a storage layer for databases and related file storage. This segregation is enforced using a combination of VLANs, Security Groups, Network ACLs and/or local firewall policies. Touchpoint Group's office network is likewise logically segregated based on trust level, e.g. office and guest WiFi.
Access to systems and data is tightly controlled.
Employee access to customer data
- Touchpoint Group maintains segmented development and production environments, using technical controls to limit network and application-level access to live production systems. Employees have specific authorisations to access development and production systems. Access is granted to employees using 'need to know' and 'least privilege' principles. Access rights are reviewed quarterly. Access is secured through multi-factor authentication and encryption in transit. The allocation and use of privileged access rights is restricted and controlled. Privileged access is only granted to employees requiring elevated access to perform their job responsibilities.
- Customer data will only be accessed as necessary to resolve a support or service issue.
- A robust VPN network is in place for all system administration access. All access for system administration is only available over the VPN network.
- Rules governing the installation of software by users have been established and implemented. Employees are restricted from installing software unless duly authorised.
Backups and restore
Backup copies of information, software and system images are taken and tested regularly. Backups and restore tests are scheduled according to the availability requirements of the information that is being backed up. The schedule is documented and maintained for all critical Touchpoint Group owned systems and data. Backups are held in a geographically separate location from the source data.
Monitoring, logging and review
- Touchpoint Group uses a robust monitoring solution to proactively monitor the Touchpoint Group systems and networks 24/7 in order to maintain uptime and proactively resolve issues. Each system component is monitored, e.g. for excessive resource usage. Automated notifications are in place to notify Touchpoint Group teams of issues or outages.
- Event logs recording user activities, exceptions, faults and information security events are regularly reviewed. This includes system and service logs, as well as application logs of all production systems. A central log server receives all critical system logs, analyses them for unusual events, and alerts Touchpoint Group teams.
- Logging facilities and log information are protected against tampering and unauthorised access. Access to the central log server is restricted. Only selected staff can erase logs within the individual systems. Backups of logs are taken as per backup schedule.
- System administrator and system operator activities are logged and the logs protected and regularly reviewed. All administrator and operator logs are kept and protected from being deleted or tampered with.
Touchpoint Group's Business Continuity Management Programme works alongside and is embedded in the ISMS. The framework follows the ISO 22301:2012 standard and takes guidance from the BCI good practice guidelines 2018. The programme ensures Touchpoint Group has the ability to rapidly adapt and respond to business disruptions, safeguard people and assets, while maintaining continuous business operations. This is achieved through four principal areas of focus: Business Continuity, Disaster Recovery, Incident Management and Crisis Management. Touchpoint Group maintains its readiness by proactively assessing operational risks, establishing contingency plans, and administering incident response and crisis management training.
Touchpoint Group has established a risk framework (Business Impact Analysis) that accounts for the evaluation of our facilities, technology, applications, data, processes and overall organisation to ensure our risk mitigation strategy operates at multiple levels with broad coverage. The Business Continuity Management Programme includes validation steps to ensure resiliency strategies are effective and meet the policy established by the programme. The validation includes test, exercise, monitoring, internal audit and management review of Business Continuity Programme, including the BCP and Disaster Recovery plans.
Our Disaster Recovery (DR) programme ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
In the event of a business disruption, the BCP and DR plans allow us to continue operations of critical functions. We accomplish this in part by:
- Using redundant processing capacity at other locations.
- Designing our technology and systems to support the recovery processes for critical business functions.
- Active-standby and/or clustered solutions.
- Selection of suppliers which meet the business availability requirements.
- Using business and technology teams that are responsible for activating and managing the recovery process.
- Failover and DR plans which allow for sufficient restore timeframes as per Business Continuity Management Programme.
- Exercising our recovery procedures and testing those procedures on a regular basis.
Additional information for Touchpoint Group Products will be added soon.