Security Policy

Overview

Oxford Consultants for Social Inclusion (OCSI) routinely carry out projects and developments requiring access to information and data that is regarded as personal and/ or sensitive. This Security Policy sets out our security processes, which are designed to minimise the risk of data loss or access by unauthorised individuals.

This Policy covers several aspects of OCSI’s work, namely:

  • Information security relating to our product and service offerings
  • Information security relating to our general business activities
  • Information security relating to bespoke projects involving highly sensitive data

Any reference to “Insight products” refers to our Software as a Service platforms Local Insight, Community Insight and Value Insight unless otherwise stated.

Risk awareness

At OCSI, we actively encourage a culture of awareness around security and confidentiality. Data confidentiality is actively considered throughout all strands of our work. All staff are made aware of security best practice and new potential threats. Our technical team monitor for potential threats to security, and raise threats with the whole company as soon as possible.

In order to comply with the necessary information management and security requirements imposed by data providers, all OCSI staff must be aware of and adhere to the strict security principles contained in this Security Policy.

OCSI is registered with the Information Commissioner’s Office as a Data Controller (registration number ZA059044).

Staff and teams

Network access

We establish a range of security protocols for our staff and partners, depending on the data they need access to, the work they are doing, and their individual level of responsibility.

Where possible, we implement strong authentication protocols, including:

  • Strong password schemes
  • Unique passwords and/or key files for each user and service
  • Individual logins for all services
  • Use of password safes to store passwords securely
  • Two-factor authentication

Access to network devices and services is further protected through use of whitelisting of known IPs and further security measures.

Data access

As with network access, we establish a range of security protocols for our staff and partners, depending on the data they need access to, the work they are doing, and their individual level of responsibility.

Staff are given access to internal and external data on a required basis, including an assessment of the data that is being accessed, the levels of permission that a user has, and the medium through which data is accessed. Any or all of these are rescinded once relevant access is no longer required.

Remote access to data provider secure data facilities

Where sensitive data is held by a third-party data provider in relation to a bespoke project, we prefer to access personal and/or sensitive data using access procedures put in place by the data provider.

Making use of such access procedures, typically requires a formal written request to the data provider for each access requirement (for example requiring a new request for each project), as well as staff training. OCSI and project staff abide by all protocols implemented by the data provider.

Data Storage

Customer data for Insight products is stored across several internal and third-party services in order to provide an efficient, secure service. Please see our Privacy Policy for more details on what information is shared with which services.

Where data is shared with third-party suppliers, we audit and monitor security policies for these suppliers, and aim to work with these suppliers where we have questions of concerns about how sensitive data is treated. You can find our list of third parties and subprocessors here.

Physical Security

Customer data for Insight products is primarily hosted by ISO27001-accredited platform suppliers. All data is stored in UK-based locations. Where data is shared with third-party suppliers (eg cloud computing providers), we aim to store data in UK-based locations where possible.

Where customer data is transferred to OCSI’s internal networks for processing, data is stored within a shared business offices building. Access to the building is via a manned reception area where all visitors must report on entry and await collection by their host member of staff. Out of hours, the building entry is alarmed and secured with a key code and deadlock. The alarm is linked to a 24/7 response team

Only named OCSI staff have access to alarm fobs and office keys. When staff cease to be members of OCSI they provide back their keys and alarm fobs are returned immediately.

Data encryption

Data at rest

User passwords in Insight products are encrypted using a strong, individually salted one-way hashing algorithm. Raw password data is not stored in plain text at any point in the database or in back-ups.

Data in transit

Insight products support the latest recommended secure cipher suites and protocols to encrypt all traffic in transit.

As with all of our security policy, we routinely monitor for any advances and weaknesses in security infrastructure, and implement best practice to resolve and mitigate against any risk on our network, including data transmission protocols.

Data destruction

Where sensitive data is imported into Insight products, we ensure that disposal of this data is designed into our processing. Sensitive data is removed automatically from systems as soon as possible after it has been processed.

Where data is externally accessible, we employ service providers who conform to the HMG IS5 Enhanced standard for disposal of data. Where data is internally accessible, we follow our data destruction policy, which is reviewed regularly.

Contingency and recovery

We regularly back-up all data required to run the Insight products. Back-ups are only accessible to key members of staff on an as-needed basis.

If restoration from a back-up is required, this will follow a standard, documented process that ensures data is restored securely, and that data that has been requested to be removed is removed at point of restore.

We maintain logs for all servers, sites and systems. These logs are analysed daily for security events by our technical team, and any incidents are raised according to our response policy. We also actively monitor the wider security landscape for any new threats or risks, and prioritise mitigation action accordingly.

All computers and devices are automatically kept up-to-date with latest operating system patches, and monitored centrally.

Policy Review

This Security Policy will be updated as further improvements to our infrastructure and processes are made. We review this Security Policy on an annual basis.