Cyber Security

All server or infrastructure type maintenance is always scheduled overnight between 11pm and 1am Mon-Thurs to avoid any impact on live services.

Windows server, database and operating system fixes are applied weekly every Tuesday night. Occasionally these require server restarts – the downtime for this is not counted against the 99.9% uptime target.

Development planning follows an agile methodology using initial change requests to ascertain requirements and scope out risks. Low impact changes (hot fixes) can be deployed immediately but medium or high-level changes will enter the development cycle with the appropriate developer(s). The development cycle will use internal test environments with each developer initially responsible for testing their own work and then being further escalated for review by the operations team. Dependent on scale, the development will either then be rolled out to the client Sandbox environment for feedback/review or deployed to live production at a pre-agreed date/time.

The ability to rollback production is maintained as part of the version controls.

Following the development cycle, applications will be deployed at an agreed date/time. Typically, this will be after working hours for back office applications and before working hours for front-end public facing websites. Average downtime for deployment is 30 seconds.

In the case of major releases, additional instances can be deployed to alternative URL’s and then switched with the original instance being removed from the workgroup.

We maintain performance monitoring and fault-finding tools across all facets of the network and server infrastructure. Pre-set indicators are established and when exceeded SMS and Email notifications are sent to relevant members of the development and operations teams. In addition, performance statistics for each 24-hour period are automatically produced and made available to the operations team for exception and trend analysis.

Internal administration web tools have been developed which allow us to monitor both server and web applications via a single dashboard accessible only via a dedicated VPN restricted by IP address. The dashboard provides both a summary and snapshot of real-time server performance and website availability. It also provides the ability to apply performance tweaking including the ability to scale the servers to meet demand and reset application pools.

A support ticket application is provided via the back office to log issues, record all communications and measure against SLA objectives. Tasks are assigned to the relevant developer and monitored via the operations team and account management.

The standard bandwidth channel is already of greater capacity than required to meet highest usage as monitored over the previous rolling 12 months. ‘Burst’ capability is in place to meet unexpected demand.

All live databases and application servers are real time mirrored to a separate environment using the Claranet Zerto replication product. In the event of a major disaster, the servers can be restored within 3 hours from decision to restore. A full documented Disaster Recovery Plan is in force and key elements are regularly tested.

In addition, generic scheduled overnight incremental backups of databases and live applications are run using the Attix5 product supported by Claranet. Full or part restoration can be performed on demand.

Restore tests are run every quarter and the results documented and recorded.

Repositories are used by developers for key application source code providing each developer with access to either the full library or restricted privileges based on dependencies. The repository records a full audit trail thus allowing live production versions to be rolled back if required.

Target for uptime is 99.99%. Three key issues apply when talking about uptime:

• Reliability of hosting provider
• Reliability of software
• Correct configuration

Regular monitoring of these three key areas and the implication of any changes that may affect these are considered as part of any major upgrade or release.

Third Party monitoring tools such as Pingdom and Uptime Robot are used to monitor availability and provide additional performance metrics.

There is no limit on the number of internal users active at any one time.

The contracted Web Acceleration and DoS protection in use uses a host of tools to protect our applications from attacks, ranging from layer 3 (volumetric) to layer 7 (application) attacks. Intelligent DoS mitigation system monitors the network for traffic that is synonymous with attacks to prevent them before they can cause an issue.

In addition a Pulse Secure Firewall is active across all servers and is regularly checked for status, relevance and latest versions.

All servers, workstations and laptops run real-time virus check and Malware scans are run weekly. Emails are scanned and, where necessary quarantined, pre-delivery.

In addition, a Pulse Secure Firewall is active across all servers and is regularly checked for status, relevance and latest versions.

Approved third party vendors are contracted to:

• Run automated monthly vulnerability scans on relevant servers
• Carry out annual black box penetration tests
• Approve annual PCI Assessments
• Carry out annual ISO27 Information Security audits
• Carry out tri-ennial BACS audits