FAQ's
Frequently Asked Questions
Contents
- 1 What hardware is required?
- 2 What other software do we need?
- 3 What internet browser(s) are supported?
- 4 How is Charitylog licenced?
- 5 What SSL security is used?
- 6 What quality checking is performed on code to prevent vulnerability such as SQL injection?
- 7 Where is data stored?
- 8 HMG Security Policy Framework 2014
- 9 NHS Standard Contract 2016 (General Conditions)
- 10 Datacentre security
- 11 Is the database server shared by other systems?
- 12 Do you use a shared SAN for backups?
- 13 Do you have ISO27001:2013 security certification?
- 14 Is any data stored outside the EU?
- 15 How is the system accessed?
- 16 What are the business continuity arrangements?
- 17 What type of firewalls are used?
- 18 Does each user have their own unique identifier?
- 19 Are strong passwords enforced?
- 20 What if passwords are forgotten?
- 21 Does the system ensure passwords are not hard coded and no clear text passwords exist in the code, database or other files?
- 22 Does the system allow different user profiles that permit different access / read / write / delete / create actions for individuals and groups of users to be established?
- 23 Does the system time out after a period of inactivity and log the user out?
- 24 Access to certain system files, program files and data is restricted to administrator role?
- 25 Can data be restricted to named individuals or groups and hidden from others?
- 26 Can I share information securely with project partners?
- 27 Freedom of Information Act (FOIA)
- 28 How is data protected during transfer to and from the server?
- 29 Can individual user activity be monitored and audited?
- 30 How is the system upgraded?
- 31 Can we integrate Charitylog into our website?
- 32 When did Charitylog start in business?
- 33 How many people do you employ?
- 34 What documentation will be made available to support the application?
- 35 What help is available?
- 36 What training is provided?
- 37 How are bugs fixed?
- 38 What Insurance cover do you have?
- 39 Have any claims been made against you in the last 10 years?
- 40 Does your organisation hold a recognised quality management certification for example BS/EN/ISO 9000?
- 41 Is Dizions a limited company?
- 42 Is Dizions registered with the UK’s Information Commissioner?
- 43 Have any 3rd party security reviews been performed on Charitylog?
- 44 How will Dizions communicate changes in service?
- 45 Do you maintain an inventory of assets?
What hardware is required?
Charitylog is an internet (web) application and as such it is possible to login from any desktop PC, laptop or mobile device that has an internet connection and browser. It will also run on iPads, most tablets and smart phones.
What other software do we need?
No other software is required although MS Excel 2010 (and above) is a useful reporting tool.
What internet browser(s) are supported?
We support the latest 2 versions of Internet Explorer, Chrome, Firefox and Safari.
How is Charitylog licenced?
Charitylog is licenced for up to 50 concurrent users, as standard. Additional licences are available at extra cost.
What SSL security is used?
Thawte V3. TLS 1.2, AES with 256-bit encryption (High); RSA with 3072-bit exchange.
What quality checking is performed on code to prevent vulnerability such as SQL injection?
We use certain functions or processes to prevent this and to protect data being ‘posted’ or ‘get’ between pages, as well as CSRF checks etc.
All user input, whether through POST or GET, is validated against its defined properties in a data dictionary and screen for what may be regarded as invalid characters as appropriate. We use standard escaping processes to store and retrieve data. Our method of implementing MySQL does not allow multiple queries to be submitted in a single query string. We only present single queries and a multiple query would create an error which would be reported back to us automatically, showing the query submitted.
We have CSRF checks implemented on every page that is displayed. A failure would stop the program running and report the incident to us.
Where is data stored?
The system is hosted on dedicated servers in the UK by Rackspace (www.rackspace.co.uk). Each organisation has its own database(s) within this datacentre. It uses a MySQL database with PHP as the main programming language. There is no need for any local data storage, although clients make take local backups of their data if and when required. Responsibility for the security of those backups rests with the customer.
HMG Security Policy Framework 2014
The new simplified government security classification scheme uses just three levels:
1 OFFICIAL: This category is for the majority of information created or processed by government and includes both routine business and some sensitive information, which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.
2 SECRET: Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threats. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
3 TOP SECRET: This category of information is the most sensitive requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.
These new classifications are intended to liberate and modernise Government IT by simplifying the approach to secure data transfer and introducing greater commonality to support uptake of shared services.
The most used grade of sensitive information – OFFICIAL – is the level which Charitylog systems and policies adopt.
NHS Standard Contract 2016 (General Conditions)
As Data Processor we comply with paragraph 21.16 of these conditions and also comply with the FOIA requirements outlined in Para. 21.17 (see para. 27 below).
Datacentre security
The Rackspace data centre is un-branded, un-marked and their postal address is not freely available. Only customers who are under a Non-Disclosure Agreement (NDA) with Rackspace and have a legitimate reason are given their address. It is also not listed on Google or other search engines.
Physical access to devices within a Rackspace data centre is restricted to authorised Rackspace personnel who have security badges which prevent access to unauthorised areas. (eg: Inventory Controller does not have access to the servers and devices within the data halls.) Card reader and biometric access is required to enter the facility (finger printing); Card reader access required to enter data centre floor; Security cameras recorded by digital video recorder; Bomb proof film installed behind all windowed areas; Fully fenced perimeter.
No
No
Do you have ISO27001:2013 security certification?
Yes and we also hold Cyber Essentials Plus accreditation.
[27001:2013] [Cyber Essentials Plus]
Is any data stored outside the EU?
No
How is the system accessed?
From any location with a broadband internet connection. 2Mps minimum recommended.
What are the business continuity arrangements?
Backups are made automatically every night in the datacentre, and stored at a different location in the same datacentre. There is a security controlled option to take a data backup locally, which will provide all the SQL needed to rebuild the database elsewhere. There is an ESCROW agreement provided by a solicitor who would release source code if it was proven that the system was no longer supported. If the whole datacentre was destroyed (i.e. the server and the backups were destroyed at the same time), the database could only be rebuilt from a local backup. We do not save backups in a different data centre but clients can make their own local backups (under secure conditions) should they wish. Responsibility for the security of those backups rests with the customer.
What type of firewalls are used?
Cisco ASA 5505 Sec+
Does each user have their own unique identifier?
Yes. There are two levels of login – first the user needs the organisation username and password, after this they need their own user name and password. Accounts will lock out after 3 invalid login attempts. Resets are then done via an approved administrator with the appropriate validation checks i.e. confirming that the user is who they say they are.
Are strong passwords enforced?
Yes. The following options regarding passwords apply:- Minimum Length of User Username; Minimum number of upper case characters in Username; Minimum number of numeric characters in Username; Number of weeks before user password change required; Minimum length of user passwords; Minimum number of upper case characters in password; Minimum number of numeric characters in password; Prevent immediate re-use of the same password if a password is changed.
All passwords are combined with a ‘salt’ before they are encrypted. The salt is periodically changed. This prevents rainbow based attacks against dictionary passwords. We also check the password entered against previous and current salts to check for reuse.
What if passwords are forgotten?
The local administrator controls this and will provide new passwords subject to rigorous authentication procedures.
Does the system ensure passwords are not hard coded and no clear text passwords exist in the code, database or other files?
Yes. No hard coded passwords exist in the software. We prevent passwords from being saved in browsers.
Does the system allow different user profiles that permit different access / read / write / delete / create actions for individuals and groups of users to be established?
Yes
Does the system time out after a period of inactivity and log the user out?
Yes. The system ‘defaults’ to a standard 60 minutes but this may be changed locally, to suit individual requirements, at an organisation level.
Access to certain system files, program files and data is restricted to administrator role?
Yes. This is controlled locally through the access rights given to a group of users – access can be restricted to all administration and security options as required. There is a system wide process which allows pages to be made visible, access allowed, editing allowed and, where relevant, new record entry allowed.
Yes. The local administrator is able to manage the ‘visibility’ of individual and /or group data sets as required.
Yes. The local administrator can control this through the ‘branch’ facility (optional extra).
Freedom of Information Act (FOIA)
The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland.
Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.
Whilst Charitylog does not directly come under the scope of this Act it would co-operate fully in any FOIA request should this become necessary.
How is data protected during transfer to and from the server?
The system stores and transmits all passwords in 128-bit encrypted form.
Can individual user activity be monitored and audited?
The system maintains a secure audit trail that records all successful and unsuccessful attempts to access the system including user, date and time. The IP address from which the login was attempted is also recorded.
How is the system upgraded?
Software upgrades are scheduled to take place at around 4 monthly intervals. Details of forthcoming upgrades are posted on the website.
Can we integrate Charitylog into our website?
Yes.
When did Charitylog start in business?
Charitylog began trading in 2004 and was incorporated in 2008.
How many people do you employ?
Charitylog currently employs 24 people.
What documentation will be made available to support the application?
We currently provide a Wikipedia style manual to the system which is regularly updated to cover system upgrades.
What help is available?
A telephone support line is available during office hours (9am – 5pm) from Monday to Friday. We also provide support via email. We deliver ‘online’ webinars from time to time on specific topics and these are recorded online and may be viewed 24/7.
What training is provided?
A specific number of on-site days will be included in the proposal to ensure the implementation goes smoothly and the setup is matched to your needs and reporting requirements.
How are bugs fixed?
Any identified bugs are reported through a formalised reporting procedure which firstly confirms that the report is in fact a bug and then, if confirmed, allocates resources to its resolution. Bugs which prevent operation of the system are given a high priority and are usually fixed in a few hours whilst others with lower impact may take longer. In very low priority cases the resolution may be delayed until the next software release stage.
What Insurance cover do you have?
Employers Liability: £10,000,000 (single)
Public Liability: £10,000,000 (single)
Product Liability: £10,000,00 (single)
Professional Indemnity: £1,000,000 (single)
Have any claims been made against you in the last 10 years?
No
Does your organisation hold a recognised quality management certification for example BS/EN/ISO 9000?
Yes - [ISO 9001:2015]
Is Dizions a limited company?
Yes - Dizions is a limited company. Charitylog and Crossdata are trading names of Dizions Ltd. The company is registered in Scotland - Registration No. SC340502. Registered Office: Hudson House, 8 Albany Street, Edinburgh, EH1 3QB
Is Dizions registered with the UK’s Information Commissioner?
Yes, notification number ZA029219
Have any 3rd party security reviews been performed on Charitylog?
Yes. CQS Certified Quality Systems Ltd of Malvern carry out an annual audit. We have ISO 27001:2013 accreditation.
How will Dizions communicate changes in service?
By email or through a screen available to all users when they log in.
=Do you undertake regular security risk assessments and take steps to mitigate the risks identified?
Yes – ISO 27001:2013 covers this eventuality.
Do you maintain an inventory of assets?
Yes - It is a requirement of ISO 27001:2013.