Security

The nature of our work is such that we and our clients need to be confident that documents can be transferred, stored and retrieved quickly and securely. Our security measures are outlined below.

File transfer and storage

Email is inherently insecure, and there is an ever-growing list of politicians, senior bureaucrats and business leaders who have suffered considerable embarrassment from an email that went astray.

Consequently, we neither accept nor send files by email but instead use managed accounts at a server farm that is maintained by Amazon Web Services.  Each server is SSAE 16 certified, demonstrating that it meets rigorous standards for security.  All file transfers are encrypted using 256-bit SSL (Secure Sockets Layer). This is the same security used by banks and many e-commerce sites such as Amazon.com. 

There are multiple backup strategies in place to protect against loss of data, and the system is certified under the U.S. Department of Commerce Safe Harbor programme.

Editors and writers

Each of our editors and writers is bound by a confidentiality agreement and required to follow stringent operating protocols with regard to file security. For example, our protocols require that computer systems be protected by a secure password and run behind an approved firewall. Files of any sensitivity may be stored only on the server, and no file may be downloaded to any form of mobile storage.

Client access accounts

Each client with a server access account has a unique login.

Passwords are hashed so that nobody other than the client, not even us, can access this information. The system will lock an account if the user enters an incorrect password five times in a row.

Account users will only see folders to which they have been granted permission, and folders for which they have not been granted permission will be invisible to them. By default, client users do not have access to information about other users on the account.

The system provides a number of advanced features, including a two-step verification process (switchable) that utilises the person’s phone to provide an extra layer of security for their username. After they log in, they will be asked to enter a verification code that is sent to their phone via a text message (SMS).

Multiple logins may be provided where appropriate, and all activity in the system by an account holder is logged.

The network is monitored daily by third-party software to ensure that there have not been any security compromises. The dated McAfee® SECURE seal at the login page confirms this. If the system were to fail a security audit, this seal would not appear until any compromise had been investigated and repaired.

Managing Editor
