Security at Wealth Wizards

We take security seriously here at Wealth Wizards.  We are a regulated business, comply with all relevant data protection standards, and employ cutting edge cybersecurity to keep our customers safe.  We have a company wide, ISO 27001/27018 certified management system called Remus.

Compliance & Certifications

We are independently ISO/IEC 27001:2013 and ISO/IEC 27018:2019 Certified and are working towards certification to BS 10012.  Click here to download our Certification.

We are regulated by the Financial Conduct Authority.  Registration number 596641.

We are compliant with the EU Data Protection Directive.  To learn more, please read our Privacy and data protection policy.

Security questions or concerns?

If you have any questions or concerns, or think you may have found a problem with our security, please don’t hesitate to contact our security team.

Our principles

Our principles are:

• Shared - Managing risk is everyone's responsibility.  Our approach to security and risk is driven by the needs of our business, and aligned with our culture.
• Systematic - Managing risk is a systematic, continuous activity.  Instinct is important but our focus is on fact-driven, risk prioritised tasks rather than sporadic, repetitive heroic efforts.
• Standard - We have a single framework in place across the whole company which can be tailored to individual teams' needs.

We have a comprehensive and innovative management system – Remus - that holds all our policy, risk and control information. Remus raises and tracks tasks to ensure these are continuously reviewed and improved.

We employ a Three Lines of Defence model:

• First line: Operational and business teams - Remus ensures that controls are in place and are monitored to treat the risks which we and our customers face. Our Platform team implements and monitors security controls on our end user and platform infrastructure.
• Second line - We have dedicated risk, compliance and platform teams who monitor the performance of Remus and provide subject matter expertise for its improvement.
• Third line - We run an internal audit programme and employ external auditors to monitor the performance of Remus and our first and second-line teams.

Information Security is a standing agenda item for all our key committees, up to and including our main board.

Our policies

We have a comprehensive set of controlled policies covering Information Security. Each is owned by a specific individual in the second line of our defence, with a defined review schedule and approval process.
Our relevant policies include:

• Business Continuity Management
• Continuous Improvement
• Data Encryption Policy
• Data Handling Policy
• Data Protection - Data Retention Policy
• Data Protection - Impact Assessments (DPIA)
• Data Protection - Legitimate Interest Assessment (LIA)
• Data Protection - Subject Access Request Process
• Data Protection Policy
• Data Retention Schedules
• Information Security Consolidated Communication Plan
• Information Security Incident Handling Procedure
• Information Security Policy
• Information Security Roles & Responsibilities
• Internal Audit Process
• Personal Data Breach Notification
• Privacy Policy
• Risk Management Policy
• Security in the Software Delivery Life Cycle
• Third Party Purchase Procedure

ISO 27001/27018

Wealth Wizards holds accredited certifications to ISO 27001 and ISO 27018.

ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes the requirements for an ISMS (information security management system).

It is supported by its code of practice for information security management, ISO/IEC 27002:2013.

We have extended the approach to manage risks across our entire business.

ISO/IEC 27018:2019 (ISO 27018) extends ISO 27001 controls to ensure best practice for privacy in cloud computing is followed.

Wealth Wizards is independently audited and certified to these standards by the British Standards Institute.

Risk management

We have a unified approach to risk management. Based on internationally recognised best practice (specifically ISO27001, IS1 and CISSP), it has been designed to be engaging and understandable across our organisation.

The approach covers the assessment and treatment of risk against our agreed risk appetite, and includes consideration of the confidentiality, integrity and availability aspects of each risk.

Risk assessments are triggered:

• When any new system is implemented
• When there is a significant change to our risk appetite
• When there is a significant change to our security requirements
• At a frequency appropriate to the area of risk (at least annually)
• Ad hoc when raised as a concern via our incident management system
• On a specific event such as a near miss incident

Risk assessments cover all aspects of our business including:

• Our physical assets and security
• Our people
• Our processes (in particular those relating to data security and handling)
• Our suppliers
• Our systems
• Our platform

Whilst our impact and probability assessment scales are consistent to allow us to compare risks across all domains, our treatment methods are tailored according to best practice in each area.

Security domains

Information security cuts across all aspects of our business.

People

We undertake the following checks on all our people:

• Verification of name and address
• Verification of identity
• Verification of previous two years employment history
• Disclosure and Barring Service (DBS) check

All our people are required to sign a restrictive deed of covenant as part of their contract of employment.  This sets out their responsibilities for handling confidential information.  In addition, anyone who handles client data is required to sign an additional Non Disclosure Agreement.

In addition, we perform the background checks required by the Financial Conduct Authority (FCA) for our Financial Advisers.

Security responsibilities are included in all job descriptions, and people receive security awareness training (and undertake qualifications) appropriate to their role. Individual awareness, training and qualifications are reviewed as part of our learning and development framework.

Asset management

End user devices

We maintain a complete, real-time inventory of all our end user devices. Our workstations and laptops have anti-virus software included as part of the standard build we deploy across all devices:

• We don't store any data locally on laptops, and we do not allow the use of detachable, portable media (e.g. memory sticks)
• We encrypt all local disc storage (to protect cached information)
• We use Mobile Device Management to monitor laptop usage, and to remotely wipe/lock down devices
• Only engineers and administrators have administrative rights to their machines
• Internet access and network connectivity is routed through our network, with access to restricted services locked to our office locations

Data

We ensure that all data has an appropriate level of protection, and unauthorised access or deletion is prevented:

• All data we hold is classified and processed in accordance with our data handling policy
• We have procedures in place to ensure that all data is deleted in accordance with the retention period applicable to its classification
• We have procedures in place to ensure that any data transferred between us and our customers is secure
• Data is encrypted at rest, and in transit across public internet, in accordance with industry best practice
• Personal identifying information (PII) data is further encrypted at column level in data stores

Access management

Access to our systems is strictly limited to those who are authorised to do so:

• User responsibilities are documented, and users held accountable for safeguarding the data they have access to
• We employ multi-factor authentication, and password complexity requirements in line with the National Cyber Security Centre guidelines
• Access is managed by designated administrators of each given system, and processes are in place to manage access and removal from all systems
• Customer and user requests are administered via our Service Desk
• Access is segregated where required to ensure that it is controlled and appropriate to the system content
• Processes are in place to ensure that access rights are removed in a timely fashion

Cryptography

We operate an encryption policy to protect confidentiality and integrity of information:

• PII data is encrypted at column level in data-stores
• All data is encrypted at rest
• Real time application data is transmitted over encrypted TLS connections
• We use unique encryption keys for each customer and secrets management and rotation to protect API keys and other access related information

Physical security

We use third parties and our own controls to prevent unauthorised access to our locations:

• We use Amazon Web Services (AWS) to host our applications. Details of their approach to physical security can be found here: https://aws.amazon.com/compliance/data-center/controls/
• We operate a paper free environment, scanning and shredding all paper documents
• All our office locations are protected by key and fob access and appropriate alarm systems
• Additional physical devices (such as screen protectors) are used where necessary

Operations security

We use third parties to host our information processing infrastructure, through Infrastructure as a Service (IaaS). This means we put in place the controls needed to secure our account and platform configuration (the shared responsibility model).

Our controls ensure that our infrastructure is secure, and protected against malware and data loss:

• We define our infrastructure as code in version-controlled repositories
• All our live servers are taken down and replaced by the up to date image on a regular basis
• Pattern updates to anti-malware software are checked at least once a day, with virus scans conducted in real time where possible (and daily where not).
• All data is backed up in an encrypted format to encrypted AWS S3 buckets
• We use a third-party service to continually scan our infrastructure for vulnerabilities and suspicious activity
• We front our applications with a web application firewall (WAF) that blocks requests to our services that resemble common attacks
• We hold immutable logs on system and network activity, and store these centrally
• We have a system of alerts which are triggered if any suspicious activity is detected
• All applications and services are managed through reviewed, version-controlled configuration stores with fully automated deployment systems
• We benchmark our systems against the appropriate Centre for Internet Security (CIS) benchmarks, which represent industry best practice

Communications security

We employ a variety of processes and technologies to ensure that our communications are protected within our network, and in transit to/from our customers:

• We use WPA2 and Active Directory authentication to protect our wi-fi network
• We use encrypted VPNs for all remote connections to our internal systems
• We use a third party, managed Host Intrusion Detection System (HIDS)
• We employ a separate third party to conduct penetration testing on our Infrastructure and applications
• We segment our networks by security value
• We separate our proving and production environments (and never store user data in non-production environments)
• We have procedures in place to ensure that any transfer of information to and from customers is protected by Transport Layer Security

System acquisition, development and maintenance

Security is an integral part of our entire Software Development Life Cycle:

• We train all our people in the relevant technologies for their job role (including dedicated on-going secure coding training for all our engineers)
• Our developers undertake Open Web Application Security Project (OWASP) training and refresher sessions
• Our code review process covers OWASP vulnerabilities, adherence to secrets policy and the security of our endpoints
• We make extensive use of automated testing - this is executed as part of our build process, and overnight for all our test environments
• We maintain a balanced pyramid of tests, automating unit, contract, system and performance tests
• All tests are executed as part of our automated build pipeline
• We do not make use of any client data for testing purposes
• All code is held in configuration managed repositories

We have processes in place to ensure that the third-party software and libraries we us are safe:

• We automatically check our code libraries for known vulnerabilities
• All third-party products are risk-assessed and reviewed for General Data Protection Regulation compliance:
• When we are considering using a new product
• When an existing product undergoes a major upgrade
• When we change the way we are using an existing product

Release Management

We have controls in place which ensure the software we release is code reviewed, tested and configuration managed:

• We use an automated build pipeline to ensure changes are:
• Reviewed
• Tested
• Committed to our configuration managed repositories
• Scanned for code vulnerabilities
• We employ additional governance around the release process where changes can affect the advice which our products give - this requires:
• Adviser approval
• Compliance approval

Supplier Relationships

In order to protect the data we hold, we employ a number of controls to manage our interaction with suppliers:

• We have a supplier risk assessment tool (Dora) which covers the supplier's financial and security obligations
• Our contractual terms cover all aspects of Data Protection compliance, including notification requirements
• We regularly review supplier service delivery in line with the agreements we have in place

Our key suppliers are large, world class organisations at the forefront of each of their fields of expertise.  This presents some challenges during contract negotiation, and in particular backing off the requirements our customers have of us as an organisation.  Our policy on this is:

• Where a regulatory or legislative obligation exists (e.g. audit under the GPDR) this must be included in the contractual arrangements between us and the supplier
• Where no such obligation exists, we will negotiate our contract with our customer and notify them of any differences between those arrangements and those with our key suppliers

Incident Management

We have controls in place which ensure a consistent and effective approach to the management of security incidents:

• We have a dedicated Service Desk which allows customers and our own people to raise incidents quickly and easily
• We have established an open culture which encourages the raising of incidents
• We have dedicated roles and responsibilities which cover all aspects of incident management:
• Identification
• Triage
• Containment
• Resolution
• Communication
• We retrospectively analyse all incidents to allow trends to be analysed, and improvements to be put in place

Business Continuity Management

Information security is an integral part of our Business Continuity Plan (BCP):

• We maintain a central BCP, with processes for the containment and communication of any continuity event
• We rehearse our BCP at least annually
• By storing all aspects of the configuration of our systems in code, we are able to rapidly rebuild and redeploy them to other geographical locations in the event of a disaster
• We train all our people in remote working safely
• Our use of an Infrastructure as a Service model means we maintain very little of our own infrastructure. We are, therefore, largely unaffected by non-availability of any of our office locations

Compliance

We are a regulated business, and maintain a range of controls to ensure we comply with legal, statutory, regulatory and contractual obligations:

• We conform to all the requirements placed upon us by the FCA, Information Commissioner and our certification auditors
• We maintain registers for all compliance related events in our management system, Remus
• We maintain a registry of relevant legislation, and its impact on the organisation of security
• We run an internal audit programme which verifies our adherence to our obligations
• We have an exception process to respond to non-conformances
• We employ third party experts to validate our technical approach, and to ensure we are up to date with expert community best practice

‍

This page was last updated on 22nd September 2022

‍