Skip to content

Security Policy

This document covers are security requirements including:

  • Passwords
  • 2Factor Authentication
  • Firewall
  • VPN Access
  • Software Updates
  • Backups
  • Least Privelege

Passwords

All employees and contractors are responsible for the security of Digital Elite client data. You must ensure any passwords or information provided to you during the course of your work are stored securely. We recommend using a password vault, such as LastPass (https://lastpass.com) to securely store passwords. You should not disclose, or permit to be disclosed, any passwords provided to you by The Digital Elite t/a OTB Consulting, to anyone at any time.

The following are simple to setup, and best practise for your own security, as well as that of our clients.

Password Manager

  • you should use a unique and strong password for access to all client systems
  • do not re-use passwords across multiple systems
  • we highly recommend LastPass as a storage vault (https://lastpass.com)
  • alternatively, visit https://www.digitalelite.co.uk/tools/ and search for "password manager"
  • speak to our team for additional recommendations

Sharing Passwords

From time to time, passwords need to be shared amongst customers and Digital Elite staff. This document aims to highlight some best practises in this respect.

  1. Make sure any password you share is a unique, strong password.
  2. Never send passwords in email
  3. Never write passwords down on paper
  4. If communicating a password over the phone, ensure that nobody around you can hear you
  5. The best way to share passwords is with a password manager, such as LastPass. This ensures the password remains encrypted, and provides you with an audit of who has that password. However due to the way secure encryption works, it does require both users to be LastPass users
  6. Alternatively WhatsApp or Signal https://signal.org/, both use the same end-to-end encrypted chat protocol developed by Open Whisper Systems
  7. Use a secure sharing service, we recommend One Time Secret https://onetimesecret.com

Emergency Access

Emergency access function https://blog.lastpass.com/2016/07/how-to-get-started-with-lastpass-emergency-access.html/

Firewall

Enable a firewall.

Particularly if you're in a shared workspace, or regularly work out of an office where others on the same network cannot be trusted.

Enable stealth mode i.e. don't respond to or acknowledge attempts to discover your machine on the network by test applications using ICMP, such as Ping.

VPN Access

Contractors requiring secure access to client systems may either provide a fixed IP address and/or use a VPN provider that supports dedicated/fixed IP addresses.

Many VPN providers are based in countries without data retention laws (e.g. Hong Kong and Panama etc) or with privacy-friendly countries (e.g. Switzerland).

The VPN Provider we recommend is NordVPN https://nordvpn.com/

Features include:

  • Dedicated / Fixed IP Address
  • Strong encryption (AES 256)
  • Strict "no logs" policy, nothing written to desk
  • Windows, MacOS and iOS compatible
  • Good performance.

You may find a discount at https://nordvpn.com/special/deal/, note dedicated/fixed IP is an additional cost.

2Factor Authentication

  • you should enable two factor authentication (2FA) wherever possible
  • always enable two factor authentication for email, as once someone has access to your email they can typically reset other passwords
  • also for your password manager
  • speak to our team for additional recommendations

The two most popular app-based solutions tend to be

Authy https://authy.com/ (our preference)

Google Authenticator

Full Disk Encryption

Secure Empty Trash and FileVault are two different methods for protecting data. FileVault encrypts everything on the hard drive. Only someone with an admin password can decrypt them. This includes anything in your Trash. So by default, the files you delete when FileVault is on are safe via encryption. Even if someone recovered them, they'd still need your password to decrypt.

Secure Empty Trash has nothing to do with encryption. The default Empty Trash just deletes pointers to old files and marks the space they were using on the hard drive as free to use in the future. However, the files are still there if someone ran a data recovery tool or until the OS decides to put a new file over them. Secure Empty Trash prevents recovering deleted files by writing data (zeros) over the space the files you're deleting were using. Meaning the files are completely destroyed.

FileVault On | Empty Trash (non-secure) | Someone can still recover those files, but they will recover files that are encrypted per FileVault

FileVault On | Secure Empty Trash | No one can recover the files, so it doesn't matter whether they were encrypted or not to begin with.

A secure empty of the trash does a 7X write over the deleted files. So, in this sense, it's not overkill.

For SSD-based Mac owners, the best course if you want to be sure files are unavailable to anyone else is to enable FileVault 2. FileVault 2 uses whole-disk encryption to read and write every chunk of data securely.

Windows 10 Full Disk Encryption https://support.microsoft.com/en-gb/help/4028713/windows-10-turn-on-device-encryption. You may have to pay for the Professional edition of Windows 10 or use a third-party. If Device Encryption isn’t enabled—or if you want a more powerful encryption solution that can also encrypt removable USB drives, for example—you’ll want to use BitLocker. Microsoft’s BitLocker encryption tool has been part of Windows for several versions now, and it’s generally well regarded. However, Microsoft still restricts BitLocker to Professional, Enterprise, and Education editions of Windows 10.

Software Updates

Set your machine to automatically check for, download and install new updates.

Enabled for:

  • Your Operating System
  • Your Browser
  • Key Applications

Backups

For most sites today, we keep automated daily backups for 7 days and the last 4 weekly backups. Users have control over the retention of their manual backups with a maximum of 6 months, after which they are deleted.

We host sites and store backups in ISO 27001 / FedRAMP certified data centers. This complies with GDPR, as the regulation governs the protection of customer data and does not require EU data residency.

We use Spanning Backup as a second tier of backup from all of our Google Apps content.

Principle Of Least Privilege

restrict access to only those that need it

only those privileges which are essential to perform its intended function.

Least privilege is the concept and practice of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to perform routine, legitimate activities. While most non-IT users should, as a best practice, only have standard user account access, some IT roles (such as a network admin) may possess multiple accounts, logging in as a standard user for routine tasks, while logging into a superuser account to perform administrative activities. Because administrative accounts possess more privileges, and thus, pose a heightened risk compared to standard user accounts, a best practice is to only use these administrator accounts when absolutely necessary, and for the shortest time needed.

This helps reduce the "attack surface" of the computer by eliminating unnecessary privileges that can result in network exploits and computer compromises.