GDPR Standard IT Security Questions and Answers

To help customers completing GDPR compliance questionnaires, Keybridge IT has put together a list of common questions and answers.

GDPR compliance is the responsibility of the Data Controller, and therefore customers will be asked all manner of questions, many of which are not under the remit of the IT provider. However, we are here to help.

The questions and answers are based on the typical customer base who use Microsoft Office 365, Microsoft Azure and Microsoft EM+S. Keybridge IT use two backup suppliers, Solarwinds and Mitol, and this is taken into account throughout this FAQ.

Any questions relating to the operations within Keybridge IT will also be answered as and where possible / relevant.

General FAQs

Who / What do you use for your Hosting?

Keybridge IT host your emails and documents in Microsoft Office 365. Some customers have in-house servers and in these cases files (shared drives) may be stored on the server.

What does Keybridge IT do with our data?

Keybridge IT store the data in the Microsoft cloud and / or on your (customer) server(s). Keybridge IT backs up any data outside of the Microsoft cloud into a number of secure data centres. Data stored in Microsoft Azure is backed up and snapshots are taken by Microsoft.

Keybridge IT provide admin functions on some customer data as directed by the customer (Data Controller).

Is my (customer) data segregated / How is my data segregated?

Data in the Microsoft cloud is segregated from that of other Microsoft customers. Microsoft uses logical isolation to segregate customers and ensure complete confidentiality and separation.

This question does not apply to customers with their own servers.

Is traffic encrypted?

Data on the customer network is not encrypted; however, it is kept behind a secure company firewall.

Data in the Microsoft cloud is encrypted in transit and at rest.

Is data encrypted?

Data in the Microsoft cloud is encrypted in transit and at rest.

Keybridge IT's backup partners (MITOL and Solarwinds) use AES-256 encryption for all stored data.

Are my computers encrypted?

If you have purchased Microsoft EM+S from Keybridge IT, your portable computers will be encrypted.

Windows 10 also provides BitLocker, which allows you to encrypt each computer manually.

Are my files or emails encrypted?

Office 365 allows you to encrypt files within SharePoint using Azure Rights Management.

How are Passwords stored?

Keybridge IT store all customer passwords in ConnectWise. This is an industry-standard CRM and helpdesk system and its data is stored in the Microsoft cloud. Access to this system is via MFA (multi-factor authentication) only, so only authorised personnel are able to access it.

Keybridge IT has a password policy for the length and complexity of passwords.

Keybridge IT customers should write a password policy; it is recommended that staff passwords are changed quarterly or half-yearly and that they are complex rather than basic words.

How do you monitor Breaches / How do you monitor unusual activity / How do you report breaches?

Keybridge IT have a Network Operations Team (NOC) who use an industry-standard monitoring system provided by Solarwinds. In addition, Microsoft provides alerts and reporting on access and activity.

Breaches must be reported to the ICO as soon as possible and within 72 hours.

What is your backup policy?

Customers with their own servers have a nightly backup with 30-day retention. This can be increased at the customer's request.

Microsoft data (Office 365) is backed up and retained for 30 days.

Microsoft Azure is flexible, but as standard Keybridge IT configure it to take a snapshot every night and to carry out a full file-level backup every night.

All backups for all customers are logged, and failed or missed backups are monitored by the Network Operations Team (NOC).

What is your Disaster Recovery procedure?

This is a question for each individual customer of Keybridge IT. Keybridge IT itself has everything in the cloud in terms of emails, files, remote monitoring, CRM and ticketing. Phones are VoIP, so in the event of a disaster the Keybridge IT team would work from home / remote offices.

From a customer point of view, all customers are slightly different. For Microsoft 365 and Azure customers, and for those customers using cloud-based CRMs, most users can work from anywhere in the event of a disaster.

Microsoft have 40+ data centres and, as part of Microsoft Office 365, there is multi-site replication.

For Azure customers, local replication is set up by default and further replication can be added at an extra cost.

We have in house servers, what is our Disaster Recovery procedure?

For in-house servers, each customer will have a different set-up depending on budget and risk appetite. The majority of customers would have much of their data in the cloud, so the data or systems on the in-house server would potentially need to be restored from backup to new physical or cloud servers. Keybridge IT can assist with a DR plan if and when necessary.

What training has been provided for GDPR?

Keybridge IT have put together a training and refresher training plan for all staff.

Keybridge IT customers should provide in-house training to their staff on Data Protection and GDPR.

How is server access provided?

How do you protect access to your servers?

Keybridge IT do not host any servers.

Microsoft servers are secured via access control. Only authorised personnel are allowed into Microsoft data centres.

MITOL and Solarwinds servers are secured via access control. Only authorised personnel are allowed into their data centres.

What Certifications and accreditations do you hold?

How is your business compliant?

Keybridge IT have ITIL- and Microsoft-trained staff.

Keybridge IT partners with a number of suppliers for the hosting, backup and storage of data.

Microsoft hold a number of certifications, including ISO 27001. All of these can be found here:

https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings

Mitol and Solarwinds are also ISO 27001 certified.

How do you control access to your data?

How do we control access to your data?

Keybridge IT customers mainly use Office 365, and this can be protected by MFA (multi-factor authentication), which ensures that only your staff can log in. This is best managed through EM+S. If you use Office 365 and EM+S you can also restrict who logs in, from where and from which device.

Who can request information or changes by Keybridge IT?

Keybridge IT define an approver list at the outset of working with a customer. Only approved users are able to request new users, leavers, password changes, etc.

Hardware, Software and Networking FAQ

Do you have a firewall?

Do I have a firewall?

Keybridge IT have a Dell SonicWall in place at their London office.

Keybridge IT customers have firewalls in every office. If it is not a serviced office, Keybridge would supply a DrayTek or a SonicWall depending on your size. Some customers have their own firewalls purchased prior to working with Keybridge IT.

Who keeps the firewalls up to date?

Keybridge IT have a Network Operations Team (NOC) who update firewall firmware on a regular basis.

How are our computers and networks kept secure?

Keybridge IT have a Network Operations Team (NOC) who schedule PC and server updates each month. Critical updates are rolled out automatically.

Unless requested otherwise by the customer, Keybridge IT deploy Bitdefender on all PCs and servers, which provides anti-virus protection.

Keybridge IT recommend customers also purchase Web Protection for an added layer of security.

Keybridge IT change the default password of security devices upon configuration.

Keybridge IT use a random password generator to set up security device passwords and user passwords.

Can my network be accessed externally?

Most Keybridge IT customers have their services in the cloud and so it is rare that external access is open to the customer network.

Some customers who have servers on site may have a terminal server or VPN configured to allow staff to access them remotely. This is done in a controlled manner, with only authorised staff being given access.

All ports are closed unless otherwise required by the customer.

Is there remote access to firewalls?

By default, Keybridge IT block external access to firewalls unless it is required.

Do you change our admin passwords? And how complex are our passwords?

Keybridge IT change all customers' admin passwords and ensure they are complex and randomly generated.

Passwords are set to a minimum of 8 characters, and Keybridge IT recommend they are changed quarterly or half-yearly.

How do you manage our PCs?  How do you keep our PCs up to date?

Keybridge IT monitor all computers for viruses and patch updates. Our larger customers have a Windows domain and all users are standard non-admin users. All smaller customers have a user account on a "workgroup" or, going forward, all accounts will be linked to Office 365 and Azure AD.

Do I have a password policy?

Keybridge IT have an internal password policy but do not manage or dictate the password policies of customers.

Other Security and Access FAQs

DPIA

Has a DPIA been carried out?

Keybridge IT use Microsoft technologies, services and data centres. Microsoft are GDPR compliant:

https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

As an IT provider, we do not process any data in a way that requires a DPIA to be carried out. The ICO's guidance on DPIAs is here:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

What encryption is used?

Microsoft and MITOL use AES-256.