Difference between revisions of "FAQ's"

From Charitylog Manual
(Created page with "Frequently Asked Questions =What hardware is required?= Charitylog is an internet (web) application and as such it is possible to login from any desktop PC, laptop or mobil...")
 
 
(55 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Frequently Asked Questions
+
[[File:helpheader_small.png|right]]
  
=What hardware is required?=
+
==System Requirements==
+
'''What browser to I need?'''
Charitylog is an internet (web) application and as such it is possible to login from any desktop PC, laptop or mobile device that has an internet connection and browser. It will also run on iPads, most tablets and smart phones.
 
  
=What other software do we need?=
+
Edge, Firefox, Chrome and Safari are supported. Internet Explorer is no longer supported. It is important that your browser is kept up to date as we only support the two latest versions.
 
No other software is required although MS Excel 2010 (and above) is a useful reporting tool.
 
  
=What internet browser(s) are supported?=
+
'''How fast should my internet connection be?'''
 
We support the latest 2 versions of Internet Explorer, Chrome, Firefox and Safari.
 
  
=How is Charitylog licenced?=
+
Connection speeds are rarely an issue these days. A minimum of 2Mbps is recommended. For reference Ofcom state that the average UK home broadband speed in September 2022 was 65.3Mbps
 
Charitylog is licenced for up to 50 concurrent users, as standard. Additional licences are available at extra cost.  
 
  
=What SSL security is used?=
+
==Business==
 
Thawte V3. TLS 1.2, AES with 256-bit encryption (High); RSA with 3072-bit exchange.
 
  
=What quality checking is performed on code to prevent vulnerability such as SQL injection?=
+
'''When did Dizions start in business?'''
 
We use certain functions or processes to prevent this and to protect data being ‘posted’ or ‘get’ between pages, as well as CSRF checks etc.
 
  
All user input, whether through POST or GET, is validated against its defined properties in a data dictionary and screen for what may be regarded as invalid characters as appropriate. We use standard escaping processes to store and retrieve data. Our method of implementing MySQL does not allow multiple queries to be submitted in a single query string. We only present single queries and a multiple query would create an error which would be reported back to us automatically, showing the query submitted.  
+
Dizions started trading in 2004 and was incorporated in 2008.  
  
We have CSRF checks implemented on every page that is displayed. A failure would stop the program running and report the incident to us.
+
'''How many people do you employ?'''
  
=Where is data stored?=
+
Dizions currently employs 27 people
 
The system is hosted on dedicated servers in the UK by Rackspace (www.rackspace.co.uk). Each organisation has its own database(s) within this datacentre. It uses a MySQL database with PHP as the main programming language. There is no need for any local data storage, although clients make take local backups of their data if and when required. Responsibility for the security of those backups rests with the customer.
 
  
=HMG Security Policy Framework 2014=
+
'''Does your company hold a recognised quality management certification?'''
 
The new simplified government security classification scheme uses just three levels:
 
  
1 OFFICIAL: This category is for the majority of information created or processed by government and includes both routine business and some sensitive information, which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.
+
Yes – ISO 9001:2015 which is annually audited
  
 +
'''What type of business is Charitylog / Crossdata?'''
  
2 SECRET: Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threats. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
+
We are a software house and Charitylog / Crossdata are brands (trading) names of Dizions Ltd
 +
Dizions Ltd is a private limited company registered in Scotland – registration no SC340502
 +
Registered office: c/o Henderson Kildavaig, 109/14 Swanston Road, Edinburgh EH10 7DS
  
3 TOP SECRET: This category of information is the most sensitive requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.
+
'''What insurance cover do you have?'''
  
These new classifications are intended to liberate and modernise Government IT by simplifying the approach to secure data transfer and introducing greater commonality to support uptake of shared services.
+
Employers Liability: £10,000,000 (single)
  
The most used grade of sensitive information – OFFICIAL – is the level which Charitylog systems and policies adopt.
+
Public Liability: £10,000,000 (single)
  
=NHS Standard Contract 2016 (General Conditions)=
+
Product Liability: £10,000.000 (single)  
 
As Data Processor we comply with paragraph 21.16 of these conditions and also comply with the FOIA requirements outlined in Para. 21.17 (see para. 27 below).
 
  
=Datacentre security=
+
Professional Indemnity: £2,000,000 (single)  
 
The Rackspace data centre is un-branded, un-marked and their postal address is not freely available. Only customers who are under a Non-Disclosure Agreement (NDA) with Rackspace and have a legitimate reason are given their address. It is also not listed on Google or other search engines.
 
  
Physical access to devices within a Rackspace data centre is restricted to authorised Rackspace personnel who have security badges which prevent access to unauthorised areas. (eg: Inventory Controller does not have access to the servers and devices within the data halls.)
+
Cyber Security: £2,000,000 (single)  
Card reader and biometric access is required to enter the facility (finger printing); Card reader access required to enter data centre floor; Security cameras recorded by digital video recorder; Bomb proof film installed behind all windowed areas; Fully fenced perimeter.
+
 
 +
'''Have any claims been made against you in the last five years?'''
  
=Is the database server shared by other systems?=
 
 
 
No
 
No
  
=Do you use a shared SAN for backups?=
+
==Software==
+
 
No
+
'''What hardware is required?'''
 +
 
 +
No special hardware is required as Charitylog /Crossdata is an internet (web) application. It is therefore possible to login from any desktop PC, laptop or mobile device that has an internet connection and browser. It will also run on iPads, most tablets and smart phones
 +
 
 +
'''What other software do we need?'''
 +
 
 +
No other software is required although MS Excel 2010 (and above) is a useful reporting tool.
 +
 
 +
'''What internet browser(s) are supported?'''
 +
 
 +
We support the latest 2 versions of Edge, Chrome, Firefox and Safari.
 +
 
 +
'''How is the system accessed?'''
 +
 
 +
From any location with a broadband internet connection. 2Mps minimum recommended.
 +
 
 +
'''Does each user have their own unique identifier?'''
 +
 
 +
Yes. There are two levels of login – first the user needs the organisation username and password, after this they need their own user name and password. Accounts will lock out after 3 invalid login attempts. Resets are then done via an approved administrator with the appropriate validation checks i.e. confirming that the user is who they say they are.
 +
 
 +
'''What if passwords are forgotten?'''
 +
 
 +
The local administrator controls this and will provide new passwords subject to rigorous authentication procedures.
 +
 
 +
'''Does the system ensure passwords are not hard coded and no clear text passwords exist in the code, database or other files?'''
 +
 
 +
Yes. No hard coded passwords exist in the software.
 +
 
 +
'''Does the system allow different user profiles that permit different access / read / write / delete / create actions for individuals and groups of users to be established?'''
 +
 
 +
Yes
 +
 
 +
'''Does the system time out after a period of inactivity and log the user out?'''
 +
 
 +
Yes. Currently a ‘default’ 60 minutes is applied but this may be changed at an organisation level to allow you to set your own inactivity period
 +
 
 +
'''Access to certain system files, program files and data is restricted to administrator role?'''
 +
 
 +
Yes. This is controlled by the access rights given to a group of users – they can be kept out of all administration and security options as required. There is a system wide process which allows pages to be made visible, access allowed, editing allowed and, where relevant, new record entry allowed.
 +
 
 +
'''Can data be restricted to named individuals or groups and hidden from others?'''
 +
 
 +
Yes. The local administrator is able to manage the ‘visibility’ of individual and /or group data sets as required
 +
 
 +
'''Can I share information securely with project partners?'''
 +
 
 +
Yes. The local administrator can control this through the ‘branch’ facility.
 +
 
 +
'''How is the system upgraded?'''
 +
 
 +
Software upgrades are scheduled to take place at around 4 monthly intervals. Details of forthcoming upgrades are posted on the website.
 +
 
 +
'''Can we integrate Charitylog / Crossdata into our website?'''
 +
 
 +
Yes
 +
 
 +
'''What documentation will be made available to support the application?'''
 +
 
 +
All features are thoroughly documented in our manual, which is what you are reading now.
 +
 
 +
'''What help is available?'''
 +
 
 +
The online manual is ‘context sensitive’ and will link automatically to the correct page in the manual containing the information.
 +
 
 +
A telephone support line is also available during office hours (9am – 5pm) from Monday to Friday. We also provide support via email.
 +
 
 +
We record videos on specific topics and embed them into the manual together with uploading them to our webinar library for viewing whenever required.
 +
 
 +
'''How are bugs fixed?'''
 +
 
 +
All bugs are reported through a formalised reporting procedure which firstly establishes that the report is in fact a bug and then, if confirmed, allocates resources to its resolution.
 +
 
 +
Bugs which prevent operation of the system are given a high priority and are usually fixed in a few hours whilst others with lower impact may take longer. In very low priority cases the resolution may be delayed until the next software release stage.
 +
 
 +
'''Can individual user activity be monitored and audited?'''
 +
 
 +
The system maintains a secure audit trail that records all successful and unsuccessful attempts to access the system including user, date and time. The IP address from which the login was attempted is also recorded.
 +
 
 +
==Infrastructure & Data Centre==
 +
 
 +
'''Where is data stored?'''
 +
 
 +
The system is hosted on dedicated servers in the UK by Rackspace (www.rackspace.co.uk) and Amazon Web Services (AWS). Each organisation has its own database(s) within the datacentre. It uses a MySQL database with PHP as the main programming language. There is no need for any local data storage, although clients may take local backups of their data when required. In this situation the client will be responsible for the security of the local backups.
 +
 
 +
'''Is the data encrypted at rest?'''
 +
 
 +
Yes, using AES with 256-bit encryption (high).
 +
 
 +
'''What security measures are in place at the data centre'''
 +
 
 +
The data centres are unbranded and unmarked. Physical access to devices within a data centre is restricted to authorised personnel which prevents access to unauthorised areas. (e.g. the Inventory Controller does not have access to the servers and devices within the data halls).
 +
 
 +
A card reader and biometric access is required to enter the facility (finger printing), and further card reader access required to enter data centre floor. Security cameras recorded by digital video recorder. Bomb proof film installed behind all windowed areas. Fully fenced perimeter.
 +
 
 +
'''Is the database server shared by other systems?'''
 +
 
 +
No
 +
 
 +
'''Is any data stored outside the EU?'''
 +
 
 +
No
 +
 
 +
'''Do you use a shared SAN for backups?'''
 +
 
 +
No
 +
 
 +
'''Do you deploy updates to servers and infrastructure?'''
 +
 
 +
All security updates are tested and deployed as soon as possible. General updates and version changes are tested and deployed in line with our planned new releases of the software.
 +
 
 +
'''What process and procedures are applied to remove unnecessary services from running automatically on operating systems?'''
 +
 
 +
Our servers only run the services and software for hosting our software and data. Our internal systems are not connected to the production servers. We only run approved services and software, which is audited monthly.
 +
 
 +
'''Are all pre-installed system account passwords changed from their defaults on your internal systems?'''
 +
 
 +
Our production servers and internal systems will have all manufacturer passwords replaced in line with our Information Management System policies. This is also a requirement for our ISO 27001 and Cyber Essentials Plus certification.
 +
 
 +
'''Do you use Antivirus Software and Personal Firewalls?'''
 +
 
 +
Hardware and/or Software is deployed at all of our network gateways including our Production and Email Servers. In additional to the gateways we also protect each device individually. The solutions that we use are industry standard provided by Avast, Cisco and Microsoft (Email Servers).
 +
 
 +
'''How do you physically transfer data?'''
 +
 
 +
As a cloud-based software developer we only transfer data electronically using SSL/TLS using 256-bit encryption.
 +
 
 +
'''Do you have a wireless network?'''
 +
 
 +
We have wireless access which is restricted by MAC address and password for office equipment only. Guest access is isolated via a VLAN, preventing access to the internal network.
 +
 
 +
==GDPR==
 +
 
 +
'''Is Charitylog / Crossdata GDPR compliant?'''
 +
 
 +
There is no formal accreditation for software products to be GDPR ‘compliant’. Charitylog / Crossdata does however, have an integrated set of tools to enable your organisation to be fully compliant with the GDPR (General Data Protection Regulation).
 +
 
 +
'''Is Dizions Ltd registered with the Information Commissioners Office?'''
 +
 
 +
Yes – we comply with the General Data Protection Regulation (GDPR) and are registered with the ICO - number ZA029219.
 +
 
 +
'''Have you appointed a Data Protection Officer (DPO)?'''
 +
 
 +
Yes, they may be contacted at our normal office address or by email dpo@dizions.co.uk
 +
 
 +
'''Freedom of Information Act (FOIA)'''
 +
 
 +
Whilst Charitylog / Crossdata does not directly come under the scope of this Act it would co-operate in any FOIA request should this become necessary.
 +
 
 +
The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland.
 +
 
 +
Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.
 +
 
 +
Whilst Charitylog / Crossdata does not directly come under the scope of this Act it would co-operate in any FOIA request should this become necessary.
 +
 
 +
==Security==
 +
 
 +
'''What SSL security is used?'''
 +
 
 +
Thawte V3. TLS 1.2, AES with 256-bit encryption (High); RSA with 2048 bit exchange.
 +
 
 +
'''What security certification do you have?'''
 +
 
 +
We hold ISO27001:2013 and Cyber Essential Plus accreditations which are annually audited.
 +
 
 +
'''Are your staff trained for information security?'''
 +
 
 +
All staff undergo internal training specifically for data protection and information security.
 +
 
 +
'''HMG Security Policy Framework 2018'''
 +
 
 +
The new simplified government security classification scheme uses just three levels:
 +
 
 +
1 OFFICIAL: This category is for the majority of information created or processed by government and includes both routine business and some sensitive information, which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.
 +
 
 +
2 SECRET: Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threats. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
 +
 
 +
3 TOP SECRET: This category of information is the most sensitive requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.
 +
 
 +
These new classifications are intended to liberate and modernise Government IT by simplifying the approach to secure data transfer and introducing greater commonality to support update of share services.
 +
 
 +
The most used grade of sensitive information – OFFICIAL – is the level which Charitylog/Crossdata systems and policies adopt.
 +
 
 +
'''Is the data encrypted at rest?'''
 +
 
 +
Yes, using AES with 256-bit encryption (high)
 +
 
 +
'''What quality checking is performed on code to prevent vulnerability such as SQL injection?'''
 +
 
 +
All user input, whether through POST or GET, is validated against its defined properties in a data dictionary and screened for what may be regarded as invalid characters as appropriate. We use standard escaping processes. Our method of implementing MySQL does not allow multiple queries to be submitted in a single query string. We only present single queries and a multiple query would create an error which would be reported back to us automatically, showing the query submitted.
 +
 
 +
We have XSS (cross-site-scripting) checks implemented on every page. A failure would stop the application and report the incident to us.
 +
 
 +
'''What type of firewalls are used?'''
 +
 
 +
Cisco ASA 5508 X
 +
 
 +
'''Are strong passwords enforced?'''
 +
 
 +
Yes. The following options regarding passwords apply: -
 +
 
 +
Minimum Length of User Username;
 +
 
 +
Minimum number of upper case characters in Username;
 +
 
 +
Minimum number of numeric characters in Username;
 +
 
 +
Number of weeks before user password change required;
 +
 
 +
Minimum length of user passwords;
  
=Do you have ISO27001:2013 security certification?=
+
Minimum number of upper case characters in password
 
Yes and we also hold Cyber Essentials Plus accreditation.
 
  
=Is any data stored outside the EU?=
+
Minimum number of numeric characters in password;
 
No
 
  
=How is the system accessed?=
+
Prevent immediate re-use of the same password if a password is changed.  
 
From any location with a broadband internet connection. 2Mps minimum recommended.
 
  
 +
All passwords are combined with a ‘salt’ before they are encrypted. The salt is periodically changed. This prevents rainbow based attacks against dictionary passwords. We also check the password entered against previous and current salts to check for reuse.
  
=What are the business continuity arrangements?=
+
'''How is data protected during transfer to and from the server?'''
 
Backups are made automatically every night in the datacentre, and stored at a different location in the same datacentre. There is a security controlled option to take a data backup locally, which will provide all the SQL needed to rebuild the database elsewhere. There is an ESCROW agreement provided by a solicitor who would release source code if it was proven that the system was no longer supported. If the whole datacentre was destroyed (i.e. the server and the backups were destroyed at the same time), the database could only be rebuilt from a local backup. We do not save backups in a different data centre but clients can make their own local backups (under secure conditions) should they wish. Responsibility for the security of those backups rests with the customer.
 
  
 +
As a cloud-based software developer we only transfer data electronically using SSL/TLS using 256-bit encryption. The system stores and transmits all passwords in encrypted form.
  
=What type of firewalls are used?=
+
'''Is the software penetration tested?'''
 
Cisco ASA 5505 Sec+
 
  
=Does each user have their own unique identifier?=
+
Yes, every year we have a in-depth test conducted by a Certified Cyber Security Consultancy. This check covers both the software and the hardware for a range of potential vulnerabilities. The tests involve a mixture of automated tools, such as SSL scans, and manual tests by an expert tester.  
 
Yes. There are two levels of login – first the user needs the organisation username and password, after this they need their own user name and password. Accounts will lock out after 3 invalid login attempts.  Resets are then done via an approved administrator with the appropriate validation checks i.e. confirming that the user is who they say they are.
 
  
=Are strong passwords enforced?=
+
'''Can I have a copy of the latest penetration report?'''
 
Yes. The following options regarding passwords apply:-
 
Minimum Length of User Username;
 
Minimum number of upper case characters in Username;
 
Minimum number of numeric characters in Username;
 
Number of weeks before user password change required;
 
Minimum length of user passwords;
 
Minimum number of upper case characters in password;
 
Minimum number of numeric characters in password;
 
Prevent immediate re-use of the same password if a password is changed.
 
  
All passwords are combined with a ‘salt’ before they are encrypted. The salt is periodically changed. This prevents rainbow based attacks against dictionary passwords. We also check the password entered against previous and current salts to check for reuse.
+
No, this is a commercially sensitive document of a technical nature, which is not shared with 3rd parties. However, we can provide a ‘letter of opinion’ from the certifying agency if required. In line with our ISO 27001 accreditation, we act on any recommendations from the report in a timely manner.  
  
=What if passwords are forgotten?=
+
'''Can I conduct my own penetration test?'''
 
The local administrator controls this and will provide new passwords subject to rigorous authentication procedures.
 
  
=Does the system ensure passwords are not hard coded and no clear text passwords exist in the code, database or other files?=
+
No. We commission pen test annually, which is conducted by a CREST accredited organisation. If we let other companies conduct such work independently, we would have to audit them as part of our ISO27001 accreditation, to make sure they were keeping their qualifications and accreditations up to date. We are also contractually obliged by the data centre to provide them with details of the scope all tests, and give them sufficient notice to avoid false alerts by their own mitigation systems.  
 
Yes. No hard coded passwords exist in the software. We prevent passwords from being saved in browsers.
 
  
=Does the system allow different user profiles that permit different access / read / write / delete / create actions for individuals and groups of users to be established?=
+
'''Do you commission penetration tests on your internal office network and systems?'''
 
Yes
 
  
=Does the system time out after a period of inactivity and log the user out?=
+
A penetration test is performed annually by an independent body as part of our Cyber Essentials Plus accreditation. The independent body qualifications include CLAS, CCP and IASME & CE+ A and is IASME Gold
 
Yes. The system ‘defaults’ to a standard 60 minutes but this may be changed locally, to suit individual requirements, at an organisation level.
 
  
=Access to certain system files, program files and data is restricted to administrator role?=
+
'''Should I connect to Charitylog / Crossdata using public WIFI?'''
 
Yes. This is controlled locally through the access rights given to a group of users – access can be restricted to all administration and security options as required. There is a system wide process which allows pages to be made visible, access allowed, editing allowed and, where relevant, new record entry allowed.
 
  
=Can data be restricted to named individuals or groups and hidden from others?=
+
There are 2 types of public WIFI: unsecured and secured. You can tell if a network is secured because it will prompt you for a password when you connect.
+
Most security experts recommend against using unsecured WIFI for any purpose whatsoever, often these can be people trying to obtain your data.
Yes. The local administrator is able to manage the ‘visibility’ of individual and /or group data sets as required.
+
For additional security when using a secured public network, you may want to consider using a VPN.
 +
Using a VPN means you are connected securely to your office, and the connection to our servers will go through the IP address of your office, which has the added benefit that you can then use the Restricted IP Addresses feature to block access from unknown locations.
  
=Can I share information securely with project partners?=
+
'''What are the business continuity arrangements?'''
 
Yes. The local administrator can control this through the ‘branch’ facility (optional extra).
 
  
=Freedom of Information Act (FOIA)=
+
Backups are made automatically every 24hrs in the data centre and stored offsite for 28 days. The restore process is tested monthly. There is a security controlled option to take a data backup locally, which will provide all the SQL needed to rebuild the database elsewhere.
 
The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland.  
 
  
Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.
+
If the whole data centre and the backup location was destroyed (i.e. the servers and the backups were destroyed at the same time), the database could only be rebuilt from a local backup. Clients can make their own local backups (under secure conditions) should they wish.
  
Whilst Charitylog does not directly come under the scope of this Act it would co-operate fully in any FOIA request should this become necessary.
+
There is also an ESCROW agreement provided by a solicitor who would release source code and software tools to enable the system to be rebuilt elsewhere, if it was proven that the system was no longer supported.  
  
=How is data protected during transfer to and from the server?=
+
'''How do you handle data breaches?'''
 
The system stores and transmits all passwords in 128-bit encrypted form.
 
  
=Can individual user activity be monitored and audited?=
+
In the unlikely event of a data breach being encountered on on our platform, we would contact your registered administrators immediately. We would also advise the Information Commissioner’s Office (ICO) if necessary.
 
The system maintains a secure audit trail that records all successful and unsuccessful attempts to access the system including user, date and time. The IP address from which the login was attempted is also recorded.
 
  
=How is the system upgraded?=
+
'''How do I reduce the risk of cyber attacks?'''
 
Software upgrades are scheduled to take place at around 4 monthly intervals. Details of forthcoming upgrades are posted on the website.
 
  
=Can we integrate Charitylog into our website?=
+
Cyber attacks are a broad range of threats by bad actors. Dizions has a robust security posture, detailed in this section of the FAQs and our ISO27001 documentation, designed to reduce the risk of cyber attacks by securing the infrastructure and application. Your responsibilities as a user are mainly about good password hygiene and avoiding phishing emails. In the event of an attack, Dizions would first seek to secure the existing infrastructure to minimise downtime.
 
Yes.
 
  
=When did Charitylog start in business?=
+
'''Do you operate a password change policy?'''
  
Charitylog began trading in 2004 and was incorporated in 2008.
+
Yes, our systems require strong passwords, minimum of 8 characters, including capitals, numbers and special characters. Passwords require changing every 90 days. Users cannot use the previous 10 passwords.  
  
=How many people do you employ?=
+
'''What is the policy for the use of laptops and mobile devices?'''
 
Charitylog currently employs 30 people.
 
  
=What documentation will be made available to support the application?=
+
We have users with Laptops and Phones which are protected by encryptions and two factor authentication. We only use our cloud services to store our client information. None of the devices has direct access to our production servers. Devices are centrally managed.  
 
We currently provide a Wikipedia style manual to the system which is regularly updated to cover system upgrades.
 
  
=What help is available?=
+
'''What is your policy for the use of removable media such as memory sticks and CD/DVDs?'''
 
A telephone support line is available during office hours (9am – 5pm) from Monday to Friday. We also provide support via email.
 
We deliver ‘online’ webinars from time to time on specific topics and these are recorded online and may be viewed 24/7.
 
  
=What training is provided?=
+
We do not use any removable media. All removable media is physically blocked on our network.
 
A specific number of on-site days will be included in the proposal to ensure the implementation goes smoothly and the setup is matched to your needs and reporting requirements.
 
  
=How are bugs fixed?=
+
'''What technical and organisational measures do you use to restrict and regulate your employee’s access to customer’s data?'''
 
Any identified bugs are reported through a formalised reporting procedure which firstly confirms that the report is in fact a bug and then, if confirmed, allocates resources to its resolution. Bugs which prevent operation of the system are given a high priority and are usually fixed in a few hours whilst others with lower impact may take longer. In very low priority cases the resolution may be delayed until the next software release stage.
 
  
=What Insurance cover do you have?=
+
Only named employees have access to client data, specifically for Data Migration services. This access is restricted by permissions on the network. Access to the production servers is also restricted to a controlled location. Access to data is audited including any failed access. If a client requests a change to their data this is done using an administration panel to complete the update without displaying it. It is also carried out in a test environment first.
 
Employers Liability: £10,000,000 (single)
 
  
Public Liability: £10,000,000 (single)
+
==Other==
  
Product Liability: £10,000,00 (single)
+
'''How is Charitylog / Crossdata licenced?'''
  
Professional Indemnity: £1,000,000 (single)
+
Charitylog / Crossdata is licenced for 5 concurrent users on the Starter plan, 10 on the One plan, and unlimited on the Plus and Ultimate plans. Additional licences are available at extra cost.
  
=Have any claims been made against you in the last 10 years?=
+
'''What training is provided?'''
 
No
 
  
=Does your organisation hold a recognised quality management certification for example BS/EN/ISO 9000?=
+
A specific number of days will be included in our proposal for Charitylog Standard to ensure the implementation goes smoothly and the setup is matched to your needs and reporting requirements. Charitylog One includes a specific number of getting started sessions.
 
Yes - ISO 9001:2015
 
  
=Is Dizions a limited company?=
+
Additional days may be purchased, as and when needed, for refresher training or for new staff joining the organisation. These days can be delivered remotely. They may also be delivered onsite if the company deems it safe to do so.  
 
Yes -  Dizions is a limited company. Charitylog and Crossdata are trading names of Dizions Ltd.
 
The company is registered in Scotland - Registration No. SC340502.
 
Registered Office: c/o Anderson Ballantine Tower Mains Studios 18D Liberton Brae Edinburgh EH16 6AE
 
  
=Is Dizions registered with the UK’s Information Commissioner?=
+
'''How do you remove my data at the end of the contract if I don't renew?'''
 
Yes, notification number ZA029219
 
  
 +
There are 2 areas to consider - the database(s) and the backup files.
  
=Have any 3rd party security reviews been performed on Charitylog?=
+
Simply deleting a database can leave fragmented data on the disk. To prevent this, the data within the database is first overwritten multiple times, which means that even with physical access to the disk, an attacker would not be able to recover the deleted data.  
 
Yes. CQS Certified Quality Systems Ltd of Malvern carry out an annual audit. We have ISO 27001:2013 accreditation.
 
  
=How will Dizions communicate changes in service?=
+
The backup files are created using a Managed Backup, which is an automated process. Your data will remain for the duration of the back retention period.
+
For additional peace of mind, for physical servers, we arrange for the storage media to be physically destroyed when it's decommissioned and a certificate of destruction provided.  
By email or through a screen available to all users when they log in.
 
  
=Do you undertake regular security risk assessments and take steps to mitigate the risks identified?
+
'''What is a VPN?'''
 
Yes – ISO 27001:2013 covers this eventuality.
 
  
=Do you maintain an inventory of assets?=
+
A Virtual Private Network (VPN) is a connection between a device and a host (usually an office). A VPN can be used to create a secure and encrypted connection between devices. It is recommended that this is setup and configured by an IT professional. Please contact your IT support for further information.
 
Yes -  It is a requirement of ISO 27001:2013.
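Review bot: the added sentence "Your data will remain for the duration of the back retention period" has a typo; "back retention period" should read "backup retention period" so the retention window it refers to is unambiguous.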
 

Latest revision as of 10:56, 21 March 2024

System Requirements

What browser do I need?

Edge, Firefox, Chrome and Safari are supported. Internet Explorer is no longer supported. It is important that your browser is kept up to date as we only support the two latest versions.

How fast should my internet connection be?

Connection speeds are rarely an issue these days. A minimum of 2Mbps is recommended. For reference, Ofcom state that the average UK home broadband speed in September 2022 was 65.3Mbps.

Business

When did Dizions start in business?

Dizions started trading in 2004 and was incorporated in 2008.

How many people do you employ?

Dizions currently employs 27 people.

Does your company hold a recognised quality management certification?

Yes – ISO 9001:2015 which is annually audited

What type of business is Charitylog / Crossdata?

We are a software house, and Charitylog / Crossdata are brand (trading) names of Dizions Ltd. Dizions Ltd is a private limited company registered in Scotland – registration no. SC340502. Registered office: c/o Henderson Kildavaig, 109/14 Swanston Road, Edinburgh EH10 7DS.

What insurance cover do you have?

Employers Liability: £10,000,000 (single)

Public Liability: £10,000,000 (single)

Product Liability: £10,000.000 (single)

Professional Indemnity: £2,000,000 (single)

Cyber Security: £2,000,000 (single)

Have any claims been made against you in the last five years?

No

Software

What hardware is required?

No special hardware is required as Charitylog / Crossdata is an internet (web) application. It is therefore possible to login from any desktop PC, laptop or mobile device that has an internet connection and browser. It will also run on iPads, most tablets and smart phones.

What other software do we need?

No other software is required although MS Excel 2010 (and above) is a useful reporting tool.

What internet browser(s) are supported?

We support the latest 2 versions of Edge, Chrome, Firefox and Safari.

How is the system accessed?

From any location with a broadband internet connection. 2Mbps minimum recommended.

Does each user have their own unique identifier?

Yes. There are two levels of login – first the user needs the organisation username and password, after this they need their own username and password. Accounts will lock out after 3 invalid login attempts. Resets are then done via an approved administrator with the appropriate validation checks, i.e. confirming that the user is who they say they are.

What if passwords are forgotten?

The local administrator controls this and will provide new passwords subject to rigorous authentication procedures.

Does the system ensure passwords are not hard coded and no clear text passwords exist in the code, database or other files?

Yes. No hard coded passwords exist in the software.

Does the system allow different user profiles that permit different access / read / write / delete / create actions for individuals and groups of users to be established?

Yes

Does the system time out after a period of inactivity and log the user out?

Yes. Currently a ‘default’ of 60 minutes is applied, but this may be changed at an organisation level to allow you to set your own inactivity period.

Is access to certain system files, program files and data restricted to the administrator role?

Yes. This is controlled by the access rights given to a group of users – they can be kept out of all administration and security options as required. There is a system wide process which allows pages to be made visible, access allowed, editing allowed and, where relevant, new record entry allowed.

Can data be restricted to named individuals or groups and hidden from others?

Yes. The local administrator is able to manage the ‘visibility’ of individual and/or group data sets as required.

Can I share information securely with project partners?

Yes. The local administrator can control this through the ‘branch’ facility.

How is the system upgraded?

Software upgrades are scheduled to take place at around 4 monthly intervals. Details of forthcoming upgrades are posted on the website.

Can we integrate Charitylog / Crossdata into our website?

Yes

What documentation will be made available to support the application?

All features are thoroughly documented in our manual, which is what you are reading now.

What help is available?

The online manual is ‘context sensitive’ and will link automatically to the correct page in the manual containing the information.

A telephone support line is also available during office hours (9am – 5pm) from Monday to Friday. We also provide support via email.

We record videos on specific topics and embed them into the manual together with uploading them to our webinar library for viewing whenever required.

How are bugs fixed?

All bugs are reported through a formalised reporting procedure which firstly establishes that the report is in fact a bug and then, if confirmed, allocates resources to its resolution.

Bugs which prevent operation of the system are given a high priority and are usually fixed in a few hours whilst others with lower impact may take longer. In very low priority cases the resolution may be delayed until the next software release stage.

Can individual user activity be monitored and audited?

The system maintains a secure audit trail that records all successful and unsuccessful attempts to access the system including user, date and time. The IP address from which the login was attempted is also recorded.
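The two questions above describe a user-level login that locks after 3 invalid attempts and an audit trail that records every attempt with user, date/time and IP address. The following is an added example of how such a check can be written in PHP with PDO; it is not Charitylog's own code, and the table layout (users, login_audit), column names and the sample user are assumptions.

```php
<?php
// Added example (not Charitylog's own code): a user-level login check that
// records every attempt in an audit table (user, date/time, IP, outcome) and
// locks the account after three consecutive failures. Table layout is assumed.
declare(strict_types=1);

const MAX_FAILED_ATTEMPTS = 3;

/** Record one login attempt; the audit row is written whether or not it succeeded. */
function auditLogin(PDO $db, string $username, string $ip, bool $success, string $reason): void
{
    $stmt = $db->prepare('INSERT INTO login_audit (username, attempted_at, ip, success, reason)
                          VALUES (:u, :at, :ip, :ok, :why)');
    $stmt->execute([':u' => $username, ':at' => gmdate('Y-m-d H:i:s'), ':ip' => $ip,
                    ':ok' => $success ? 1 : 0, ':why' => $reason]);
}

/**
 * Attempt a user login (the organisation-level login is assumed to have
 * already passed). Returns 'ok', 'locked' or 'invalid'.
 */
function attemptLogin(PDO $db, string $username, string $password, string $ip): string
{
    $stmt = $db->prepare('SELECT password_hash, failed_attempts, locked
                          FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        // Unknown user: audit it, but return the same answer as a wrong password.
        auditLogin($db, $username, $ip, false, 'unknown user');
        return 'invalid';
    }
    if ((int) $user['locked'] === 1) {
        // Locked accounts stay locked until an administrator resets them.
        auditLogin($db, $username, $ip, false, 'account locked');
        return 'locked';
    }
    if (password_verify($password, $user['password_hash'])) {
        $db->prepare('UPDATE users SET failed_attempts = 0 WHERE username = :u')
           ->execute([':u' => $username]);
        auditLogin($db, $username, $ip, true, 'ok');
        return 'ok';
    }
    $failed = (int) $user['failed_attempts'] + 1;
    $locked = $failed >= MAX_FAILED_ATTEMPTS ? 1 : 0;   // lock on the 3rd failure
    $db->prepare('UPDATE users SET failed_attempts = :n, locked = :l WHERE username = :u')
       ->execute([':n' => $failed, ':l' => $locked, ':u' => $username]);
    auditLogin($db, $username, $ip, false, $locked ? 'wrong password, account locked' : 'wrong password');
    return $locked ? 'locked' : 'invalid';
}

// Demonstration with an in-memory SQLite database standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT,
           failed_attempts INTEGER DEFAULT 0, locked INTEGER DEFAULT 0)');
$db->exec('CREATE TABLE login_audit (username TEXT, attempted_at TEXT, ip TEXT,
           success INTEGER, reason TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)')
   ->execute([':u' => 'jsmith', ':h' => password_hash('Correct-Horse-9', PASSWORD_DEFAULT)]);

$ip = '203.0.113.7';                                   // constructed, documentation-range address
foreach (['wrong1', 'wrong2', 'wrong3', 'Correct-Horse-9'] as $try) {
    echo attemptLogin($db, 'jsmith', $try, $ip), PHP_EOL;   // invalid, invalid, locked, locked
}
// The audit trail now holds four rows for jsmith from 203.0.113.7; an
// administrator reviewing it can see the lockout and reset the account.
foreach ($db->query('SELECT attempted_at, ip, success, reason FROM login_audit', PDO::FETCH_ASSOC) as $row) {
    echo implode(' | ', $row), PHP_EOL;
}
```

The fourth attempt is refused even though the password is correct, which is the behaviour the FAQ describes: after a lockout only an administrator, having verified the user's identity, can reset the account.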

Infrastructure & Data Centre

Where is data stored?

The system is hosted on dedicated servers in the UK by Rackspace (www.rackspace.co.uk) and Amazon Web Services (AWS). Each organisation has its own database(s) within the datacentre. It uses a MySQL database with PHP as the main programming language. There is no need for any local data storage, although clients may take local backups of their data when required. In this situation the client will be responsible for the security of the local backups.

Is the data encrypted at rest?

Yes, using AES with 256-bit encryption (high).

What security measures are in place at the data centre?

The data centres are unbranded and unmarked. Physical access to devices within a data centre is restricted to authorised personnel, which prevents access to unauthorised areas (e.g. the Inventory Controller does not have access to the servers and devices within the data halls).

A card reader and biometric (fingerprint) access is required to enter the facility, and further card reader access is required to enter the data centre floor. Security cameras are recorded by digital video recorder. Bomb-proof film is installed behind all windowed areas. The perimeter is fully fenced.

Is the database server shared by other systems?

No

Is any data stored outside the EU?

No

Do you use a shared SAN for backups?

No

Do you deploy updates to servers and infrastructure?

All security updates are tested and deployed as soon as possible. General updates and version changes are tested and deployed in line with our planned new releases of the software.

What process and procedures are applied to remove unnecessary services from running automatically on operating systems?

Our servers only run the services and software for hosting our software and data. Our internal systems are not connected to the production servers. We only run approved services and software, which is audited monthly.

Are all pre-installed system account passwords changed from their defaults on your internal systems?

Our production servers and internal systems will have all manufacturer passwords replaced in line with our Information Management System policies. This is also a requirement for our ISO 27001 and Cyber Essentials Plus certification.

Do you use Antivirus Software and Personal Firewalls?

Hardware and/or software is deployed at all of our network gateways, including our production and email servers. In addition to the gateways we also protect each device individually. The solutions that we use are industry standard, provided by Avast, Cisco and Microsoft (email servers).

How do you physically transfer data?

As a cloud-based software developer we only transfer data electronically using SSL/TLS using 256-bit encryption.

Do you have a wireless network?

We have wireless access which is restricted by MAC address and password for office equipment only. Guest access is isolated via a VLAN, preventing access to the internal network.

GDPR

Is Charitylog / Crossdata GDPR compliant?

There is no formal accreditation for software products to be GDPR ‘compliant’. Charitylog / Crossdata does, however, have an integrated set of tools to enable your organisation to be fully compliant with the GDPR (General Data Protection Regulation).

Is Dizions Ltd registered with the Information Commissioner's Office?

Yes – we comply with the General Data Protection Regulation (GDPR) and are registered with the ICO - number ZA029219.

Have you appointed a Data Protection Officer (DPO)?

Yes, they may be contacted at our normal office address or by email dpo@dizions.co.uk

Freedom of Information Act (FOIA)

Whilst Charitylog / Crossdata does not directly come under the scope of this Act it would co-operate in any FOIA request should this become necessary.

The Act covers any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland.

Public authorities include government departments, local authorities, the NHS, state schools and police forces. However, the Act does not necessarily cover every organisation that receives public money. For example, it does not cover some charities that receive grants and certain private sector organisations that perform public functions.

Security

What SSL security is used?

Thawte V3. TLS 1.2, AES with 256-bit encryption (High); RSA with 2048 bit exchange.

What security certification do you have?

We hold ISO 27001:2013 and Cyber Essentials Plus accreditations, which are annually audited.

Are your staff trained for information security?

All staff undergo internal training specifically for data protection and information security.

HMG Security Policy Framework 2018

The new simplified government security classification scheme uses just three levels:

1 OFFICIAL: This category is for the majority of information created or processed by government and includes both routine business and some sensitive information, which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.

2 SECRET: Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threats. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.

3 TOP SECRET: This category of information is the most sensitive requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.

These new classifications are intended to liberate and modernise Government IT by simplifying the approach to secure data transfer and introducing greater commonality to support the uptake of shared services.

The most used grade of sensitive information – OFFICIAL – is the level which Charitylog/Crossdata systems and policies adopt.

Is the data encrypted at rest?

Yes, using AES with 256-bit encryption (high)

What quality checking is performed on code to prevent vulnerability such as SQL injection?

All user input, whether through POST or GET, is validated against its defined properties in a data dictionary and screened for what may be regarded as invalid characters as appropriate. We use standard escaping processes. Our method of implementing MySQL does not allow multiple queries to be submitted in a single query string. We only present single queries and a multiple query would create an error which would be reported back to us automatically, showing the query submitted.

We have XSS (cross-site-scripting) checks implemented on every page. A failure would stop the application and report the incident to us.
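The answer above rests on three controls: validating each POST/GET value against its data-dictionary definition, escaping, and only ever submitting a single query. The following is an added PHP/PDO example of those controls working together; it is not Charitylog's own code, and the data dictionary, table and column names are assumptions.

```php
<?php
// Added example (not Charitylog's own code): validate request input against a
// small data dictionary, then query with a bound parameter so the value can
// never be parsed as SQL. The dictionary, table and column names are assumed.
declare(strict_types=1);

// Constructed data dictionary: per field, its type, size and allowed pattern.
const DATA_DICTIONARY = [
    'client_id' => ['type' => 'int',    'min' => 1, 'max' => 2147483647],
    'surname'   => ['type' => 'string', 'maxlen' => 60, 'pattern' => '/^[\p{L}\' \-]+$/u'],
];

/** Return the validated value, or throw on anything outside the dictionary. */
function validateField(string $name, mixed $raw): int|string
{
    if (!isset(DATA_DICTIONARY[$name])) {
        throw new InvalidArgumentException("unknown field: $name");
    }
    $rule = DATA_DICTIONARY[$name];
    if (!is_string($raw)) {                 // arrays or missing values are rejected
        throw new InvalidArgumentException("$name: scalar expected");
    }
    if ($rule['type'] === 'int') {
        $v = filter_var($raw, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']]]);
        if ($v === false) {
            throw new InvalidArgumentException("$name: not an integer in range");
        }
        return $v;
    }
    // Strings: length limit plus a character screen (letters, apostrophe, space, hyphen).
    if (mb_strlen($raw) > $rule['maxlen'] || preg_match($rule['pattern'], $raw) !== 1) {
        throw new InvalidArgumentException("$name: invalid characters or too long");
    }
    return $raw;
}

/** Look up clients by surname using one prepared, single-statement query. */
function findClientsBySurname(PDO $db, array $request): array
{
    $surname = validateField('surname', $request['surname'] ?? null);
    // On MySQL, prepare server-side: the server will not accept a second
    // statement in the prepared string, matching the FAQ's single-query rule.
    if ($db->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    $stmt = $db->prepare('SELECT id, forename, surname FROM clients WHERE surname = :surname');
    $stmt->execute([':surname' => $surname]);   // bound value, never concatenated SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Escape a value for HTML output so stored data cannot become script (XSS). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demonstration with an in-memory SQLite database standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, forename TEXT, surname TEXT)');
$db->exec("INSERT INTO clients VALUES (1, 'Ann', 'O''Brien'), (2, 'Bob', 'Smith')");

print_r(findClientsBySurname($db, ['surname' => "O'Brien"]));   // one row; the quote is data
foreach (["Smith'; DROP TABLE clients; --", str_repeat('a', 61), null] as $bad) {
    try {
        findClientsBySurname($db, ['surname' => $bad]);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;  // never reaches the database
    }
}
echo validateField('client_id', '42'), PHP_EOL;    // 42
echo h('<script>alert(1)</script>'), PHP_EOL;       // &lt;script&gt;alert(1)&lt;/script&gt;
```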

What type of firewalls are used?

Cisco ASA 5508 X

Are strong passwords enforced?

Yes. The following options regarding passwords apply:

Minimum length of username;

Minimum number of upper case characters in username;

Minimum number of numeric characters in username;

Number of weeks before user password change required;

Minimum length of user passwords;

Minimum number of upper case characters in password;

Minimum number of numeric characters in password;

Prevent immediate re-use of the same password if a password is changed.

All passwords are combined with a ‘salt’ before they are encrypted. The salt is periodically changed. This prevents rainbow-table attacks against dictionary passwords. We also check the password entered against previous and current salts to check for reuse.
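The options listed above and the salt-rotation check can be expressed as a small policy module. The following PHP is an added example, not Charitylog's own code; the policy values, salt names and the stored hash format are assumptions.

```php
<?php
// Added example (not Charitylog's own code): a configurable password policy
// check and a salted hash that is compared under the current and previous
// salts, so a reused password is caught even after the salt has been rotated.
// The option names mirror the FAQ's list; the storage format is assumed.
declare(strict_types=1);

// Constructed policy values; an organisation would set its own.
const PASSWORD_POLICY = [
    'min_length'         => 8,
    'min_upper'          => 1,
    'min_numeric'        => 1,
    'change_after_weeks' => 12,
    'prevent_reuse'      => true,
];

/** Return a list of policy violations; an empty list means the password is acceptable. */
function checkPasswordPolicy(string $password, array $policy = PASSWORD_POLICY): array
{
    $problems = [];
    if (mb_strlen($password) < $policy['min_length']) {
        $problems[] = "at least {$policy['min_length']} characters required";
    }
    if (preg_match_all('/[A-Z]/', $password) < $policy['min_upper']) {
        $problems[] = "at least {$policy['min_upper']} upper case character(s) required";
    }
    if (preg_match_all('/[0-9]/', $password) < $policy['min_numeric']) {
        $problems[] = "at least {$policy['min_numeric']} numeric character(s) required";
    }
    return $problems;
}

/** Salted hash: the salt defeats precomputed (rainbow) tables of dictionary words. */
function saltedHash(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

/**
 * Decide whether a requested new password may be stored. $salts lists the
 * current salt first, then previous ones; $storedHashes holds the user's
 * current and former hashes. Returns [accepted (bool), reason (string)].
 */
function acceptNewPassword(string $new, array $salts, array $storedHashes,
                           array $policy = PASSWORD_POLICY): array
{
    $problems = checkPasswordPolicy($new, $policy);
    if ($problems !== []) {
        return [false, implode('; ', $problems)];
    }
    if ($policy['prevent_reuse']) {
        // A stored hash may have been made under an older salt, so try each.
        foreach ($salts as $salt) {
            if (in_array(saltedHash($new, $salt), $storedHashes, true)) {
                return [false, 'password was used before'];
            }
        }
    }
    return [true, 'ok'];
}

/** True when the last change is older than the policy's week limit. */
function passwordChangeDue(DateTimeImmutable $lastChanged, DateTimeImmutable $now,
                           array $policy = PASSWORD_POLICY): bool
{
    $weeks = (int) floor(($now->getTimestamp() - $lastChanged->getTimestamp()) / 604800);
    return $weeks >= $policy['change_after_weeks'];
}

// Demonstration with constructed salts and a user who previously used "Summer2023".
$salts  = ['salt-2024Q2', 'salt-2024Q1'];                   // current, then previous
$stored = [saltedHash('Summer2023', 'salt-2024Q1')];        // hashed under the old salt

print_r(acceptNewPassword('summer', $salts, $stored));      // rejected: three policy failures
print_r(acceptNewPassword('Summer2023', $salts, $stored));  // rejected: reuse found via old salt
print_r(acceptNewPassword('Autumn2024!', $salts, $stored)); // accepted
var_dump(passwordChangeDue(new DateTimeImmutable('2024-01-01'),
                           new DateTimeImmutable('2024-04-01')));  // bool(true): 13 weeks
```

The plain SHA-256 here only illustrates the salt-and-compare logic; a slow, per-user-salted algorithm such as PHP's password_hash() gives the same reuse check far more resistance to offline cracking.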

How is data protected during transfer to and from the server?

As a cloud-based software developer we only transfer data electronically using SSL/TLS using 256-bit encryption. The system stores and transmits all passwords in encrypted form.

Is the software penetration tested?

Yes, every year we have an in-depth test conducted by a Certified Cyber Security Consultancy. This check covers both the software and the hardware for a range of potential vulnerabilities. The tests involve a mixture of automated tools, such as SSL scans, and manual tests by an expert tester.

Can I have a copy of the latest penetration report?

No, this is a commercially sensitive document of a technical nature, which is not shared with 3rd parties. However, we can provide a ‘letter of opinion’ from the certifying agency if required. In line with our ISO 27001 accreditation, we act on any recommendations from the report in a timely manner.

Can I conduct my own penetration test?

No. We commission a penetration test annually, which is conducted by a CREST accredited organisation. If we let other companies conduct such work independently, we would have to audit them as part of our ISO 27001 accreditation, to make sure they were keeping their qualifications and accreditations up to date. We are also contractually obliged by the data centre to provide them with details of the scope of all tests, and to give them sufficient notice to avoid false alerts by their own mitigation systems.

Do you commission penetration tests on your internal office network and systems?

A penetration test is performed annually by an independent body as part of our Cyber Essentials Plus accreditation. The independent body's qualifications include CLAS, CCP and IASME & CE+ A, and it holds IASME Gold.

Should I connect to Charitylog / Crossdata using public WIFI?

There are 2 types of public WIFI: unsecured and secured. You can tell if a network is secured because it will prompt you for a password when you connect. Most security experts recommend against using unsecured WIFI for any purpose whatsoever, as such networks are often set up by people trying to obtain your data. For additional security when using a secured public network, you may want to consider using a VPN. Using a VPN means you are connected securely to your office, and the connection to our servers will go through the IP address of your office, which has the added benefit that you can then use the Restricted IP Addresses feature to block access from unknown locations.

What are the business continuity arrangements?

Backups are made automatically every 24hrs in the data centre and stored offsite for 28 days. The restore process is tested monthly. There is a security controlled option to take a data backup locally, which will provide all the SQL needed to rebuild the database elsewhere.

If the whole data centre and the backup location was destroyed (i.e. the servers and the backups were destroyed at the same time), the database could only be rebuilt from a local backup. Clients can make their own local backups (under secure conditions) should they wish.

There is also an ESCROW agreement provided by a solicitor who would release source code and software tools to enable the system to be rebuilt elsewhere, if it was proven that the system was no longer supported.

How do you handle data breaches?

In the unlikely event of a data breach being encountered on our platform, we would contact your registered administrators immediately. We would also advise the Information Commissioner’s Office (ICO) if necessary.

How do I reduce the risk of cyber attacks?

Cyber attacks are a broad range of threats by bad actors. Dizions has a robust security posture, detailed in this section of the FAQs and our ISO27001 documentation, designed to reduce the risk of cyber attacks by securing the infrastructure and application. Your responsibilities as a user are mainly about good password hygiene and avoiding phishing emails. In the event of an attack, Dizions would first seek to secure the existing infrastructure to minimise downtime.

Do you operate a password change policy?

Yes, our systems require strong passwords, minimum of 8 characters, including capitals, numbers and special characters. Passwords require changing every 90 days. Users cannot use the previous 10 passwords.

What is the policy for the use of laptops and mobile devices?

We have users with laptops and phones which are protected by encryption and two factor authentication. We only use our cloud services to store our client information. None of the devices has direct access to our production servers. Devices are centrally managed.

What is your policy for the use of removable media such as memory sticks and CD/DVDs?

We do not use any removable media. All removable media is physically blocked on our network.

What technical and organisational measures do you use to restrict and regulate your employees’ access to customers’ data?

Only named employees have access to client data, specifically for Data Migration services. This access is restricted by permissions on the network. Access to the production servers is also restricted to a controlled location. Access to data is audited including any failed access. If a client requests a change to their data this is done using an administration panel to complete the update without displaying it. It is also carried out in a test environment first.

Other

How is Charitylog / Crossdata licenced?

Charitylog / Crossdata is licenced for 5 concurrent users on the Starter plan, 10 on the One plan, and unlimited on the Plus and Ultimate plans. Additional licences are available at extra cost.

What training is provided?

A specific number of days will be included in our proposal for Charitylog Standard to ensure the implementation goes smoothly and the setup is matched to your needs and reporting requirements. Charitylog One includes a specific number of getting started sessions.

Additional days may be purchased, as and when needed, for refresher training or for new staff joining the organisation. These days can be delivered remotely. They may also be delivered onsite if the company deems it safe to do so.

How do you remove my data at the end of the contract if I don't renew?

There are 2 areas to consider - the database(s) and the backup files.

Simply deleting a database can leave fragmented data on the disk. To prevent this, the data within the database is first overwritten multiple times, which means that even with physical access to the disk, an attacker would not be able to recover the deleted data.

The backup files are created using a Managed Backup, which is an automated process. Your data will remain for the duration of the backup retention period. For additional peace of mind, for physical servers, we arrange for the storage media to be physically destroyed when it's decommissioned and a certificate of destruction provided.

What is a VPN?

A Virtual Private Network (VPN) is a connection between a device and a host (usually an office). A VPN can be used to create a secure and encrypted connection between devices. It is recommended that this is set up and configured by an IT professional. Please contact your IT support for further information.