Our Security Approach
Wealth Wizards takes security seriously. We follow three key principles:
- Shared – We treat Information Security as a shared responsibility.
- Systematic – Managing Information Security is a systematic, continuous activity.
- Safe – Ultimately our approach is about keeping our customers and ourselves safe.
Our Management System
We have a comprehensive and innovative Management System – Remus. Remus holds all our policy, risk and control information, and raises and tracks tasks to ensure these are continuously reviewed and improved.
We employ a Three Lines of Defence model:
- First line – Operational and business teams – Remus ensures that controls are in place and are monitored to treat the risks which we and our customers face. Our Platform team implements and monitors security controls on our end user and platform infrastructure.
- Second line – We have dedicated risk, compliance and platform teams which monitor the performance of Remus, and provide subject matter expertise for its improvement.
- Third line – We run an internal audit programme, and employ external auditors to monitor the performance of Remus and of our first and second line teams.
Information Security is a standing agenda item for all of our key committees, up to and including our main board.
We have a comprehensive set of controlled policies covering Information Security. Each is owned by a specific individual in the second line of our defence, with a defined review cadence and approval process.
Our relevant policies include:
- Business Continuity Management Plan
- Continuous Improvement
- Data Handling Policy
- Data Protection
- Data Protection Impact Assessments (DPIA)
- Data Protection Policy
- Data Retention Policy
- Data Retention Schedules
- Group Security Policy
- Information Security Consolidated Communication Plan
- Information Security Incident Handling Procedure
- Information Security Policy
- Information Security Roles & Responsibilities
- Internal Audit Process
- Personal Data Breach Notification
- Platform Security
- Risk Management Policy
- Risk Treatment Process
- Security in the Software Delivery Life Cycle
- Third Party Purchase Procedure
ISO/IEC 27001:2013 (ISO 27001) is the international standard that describes the requirements for an ISMS (information security management system). It is supported by its code of practice for information security management, ISO/IEC 27002:2013.
Wealth Wizards holds accredited certification to ISO 27001. This provides independent, expert assessment that our information security is managed in line with international best practice and business objectives. We have extended the approach to manage risks across our entire business.
What keeps us awake at night
We have a unified approach to Risk Management. It’s based on internationally recognised best practice (specifically ISO 27001, IS1 and CISSP), and has been designed to be engaging and understandable across our organisation.
The approach covers the assessment and treatment of risk against our agreed risk appetite, and includes consideration of the confidentiality, integrity and availability aspects of each risk.
Risk assessments are triggered:
- when any new system is implemented;
- when there is a significant change to our risk appetite;
- when there is a significant change to our security requirements;
- at a cadence appropriate to the area of risk (at least annually);
- ad hoc when raised as a concern via our incident management system; or
- on a specific event such as a near miss incident.
Risk assessments cover all aspects of our business including:
- Our physical assets & security
- Our people
- Our processes (in particular those relating to data security and handling)
- Our suppliers
- Our systems
- Our platform
Whilst our impact and probability assessment scales are consistent to allow us to compare risks across all domains, our methods are tailored according to best practice in that area.
Information cuts across all aspects of our business.
We undertake the following checks on all our people:
- Verification of name and address
- Verification of identity
- Verification of the previous two years’ employment history
- Disclosure and Barring Service (DBS) check
In addition we perform the background checks required by the Financial Conduct Authority (FCA) for our Financial Advisors.
Security responsibilities are included in all job descriptions, and people receive security awareness training (and undertake qualifications) appropriate to their role. Individual awareness, training and qualifications are reviewed as part of our mastery framework.
End user devices
We maintain a complete, real-time inventory of all our end user devices. Anti-virus software is included in the standard build we deploy to every workstation and laptop. In addition:
- We don’t store any data locally on laptops, and we do not allow the use of detachable, portable media (e.g. memory sticks)
- We encrypt all local disk storage (to protect cached information)
- We use Mobile Device Management (MDM), which allows us to monitor laptop usage and to remotely lock or wipe devices
- Internet access and network connectivity are routed through our network, with access to services restricted to our office locations
We ensure that all data has an appropriate level of protection, and unauthorised access or deletion is prevented:
- All data we hold is classified and processed in accordance with our data handling policy
- We have procedures in place to ensure that all data is deleted in accordance with the retention period applicable to its classification
- We have procedures in place to ensure that any data transferred between us and our customers is secure
- Data is encrypted at rest, and in transit across public internet, in accordance with industry best practice
- PII data is further encrypted at column level in datastores.
Access to our systems is strictly limited to those who are authorised to do so:
- User responsibilities are documented, and users held accountable for safeguarding the data they have access to
- We employ multi-factor authentication, and password complexity requirements in line with the National Cyber Security Centre guidelines
- Access is managed by designated administrators of each given system, and processes are in place to manage access and removal from all systems
- Customer and user requests are administered via our Service Desk
- Access is segregated where required to ensure that it is controlled and appropriate to the system content
- Processes are in place to ensure that access rights are removed in a timely fashion
We operate an encryption policy to protect confidentiality and integrity of information:
- PII data is encrypted at column level in data-stores.
- All data is encrypted at rest.
- Real-time application data is transmitted over TLS connections
- We use unique encryption keys for each customer, and a secrets management and rotation process to protect API keys and other credentials
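The column-level PII encryption with per-customer keys described above is usually built as envelope encryption: each stored value is encrypted under its own data key, and that data key is wrapped under the customer's key-encryption key (KEK). The Go example below is added here to show the mechanism; it is not Wealth Wizards' code. It assumes an in-memory map in place of a KMS or secrets manager, and the customer ids, column names and sample value are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope encryption for one PII column (added example, not Wealth Wizards' code). Each
// customer has its own key-encryption key (KEK); each stored value gets a fresh data key
// wrapped under that KEK. Customer, column and row are bound in as AES-GCM associated
// data, so a ciphertext copied into another cell or another customer fails to decrypt.

// KeyStore maps customer id to KEK. The in-memory map stands in for a KMS or secrets
// manager (an assumption of this example); in production the KEK never leaves it.
type KeyStore map[string][]byte

// EncryptedColumn is what the datastore row holds instead of the plaintext value.
type EncryptedColumn struct {
	CustomerID string
	WrappedKey []byte // 256-bit data key, AES-GCM sealed under the customer's KEK
	Ciphertext []byte // nonce || AES-GCM ciphertext of the value under the data key
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// gcm builds AES-256-GCM; keys are 32 bytes by construction, so an error here is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal returns nonce || AES-GCM(key, plaintext, aad) under a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext or aad is rejected.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// cell ties a value to the exact (customer, column, row) it was written to.
func cell(customerID, column, rowID string) []byte {
	return []byte(customerID + "\x00" + column + "\x00" + rowID)
}

func (ks KeyStore) EncryptColumn(customerID, column, rowID, value string) (EncryptedColumn, error) {
	kek, ok := ks[customerID]
	if !ok {
		return EncryptedColumn{}, errors.New("no KEK for customer " + customerID)
	}
	dk := randomBytes(32) // one data key per stored value
	return EncryptedColumn{
		CustomerID: customerID,
		WrappedKey: seal(kek, dk, []byte(customerID)),
		Ciphertext: seal(dk, []byte(value), cell(customerID, column, rowID)),
	}, nil
}

func (ks KeyStore) DecryptColumn(ec EncryptedColumn, column, rowID string) (string, error) {
	kek, ok := ks[ec.CustomerID]
	if !ok {
		return "", errors.New("no KEK for customer " + ec.CustomerID)
	}
	dk, err := open(kek, ec.WrappedKey, []byte(ec.CustomerID))
	if err != nil {
		return "", err
	}
	pt, err := open(dk, ec.Ciphertext, cell(ec.CustomerID, column, rowID))
	return string(pt), err
}

func main() {
	ks := KeyStore{"cust-a": randomBytes(32)} // provision one customer's KEK (constructed)
	ec, _ := ks.EncryptColumn("cust-a", "date_of_birth", "row-1", "1980-01-01") // constructed sample
	fmt.Println(ks.DecryptColumn(ec, "date_of_birth", "row-1"))
}
```

Binding the customer, column and row id into the associated data is what stops a ciphertext from being replayed into a different field or record, and keeping one data key per value means a KEK rotation only has to unwrap and rewrap each row's small WrappedKey under the new KEK; the bulk Ciphertext is untouched. Commit the new KEK and the rewrapped keys in a single transaction, otherwise a failure part-way leaves rows wrapped under a key that was never stored.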
We use third parties and our own controls to prevent unauthorised access to our locations:
- We use Amazon Web Services (AWS) to host our applications. Details of their approach to physical security can be found here: https://aws.amazon.com/compliance/data-center/controls/
- We operate a paper-free environment, scanning and shredding all paper documents
- All our office locations are protected by key and fob access and appropriate alarm systems
- Additional physical measures (such as screen protectors) are used where necessary
Although a third party hosts our information processing infrastructure, we consume it as Infrastructure as a Service (IaaS). Under the shared responsibility model this means we are responsible for the controls that secure our account and platform configuration.
Our controls ensure that our infrastructure is secure, and protected against malware and data loss:
- We define our infrastructure as code in version controlled repositories
- All our live servers are torn down and replaced by the up to date image on a frequent basis
- Anti-malware pattern (signature) updates are checked at least once a day, with scans conducted in real time where possible (and daily where not)
- All data is backed up in an encrypted format to encrypted AWS S3 buckets.
- We use a third party service to continually scan our infrastructure for vulnerabilities and suspicious activity
- We hold immutable logs on system and network activity, and store these centrally
- We have a system of alerts which are triggered if any suspicious activity is detected
- All applications and services are managed through reviewed, version controlled configuration stores with fully automated deployment systems.
- We frequently benchmark our systems against the appropriate Center for Internet Security (CIS) benchmarks, which represent industry best practice
We employ a variety of processes and technologies to ensure that our communications are protected within our network, and in transit to/from our customers:
- We use WPA2 with Active Directory authentication to protect our Wi-Fi network
- We use encrypted VPNs for all remote connections to our internal systems
- We use a third party, managed, Host Intrusion Detection System (HIDS)
- We employ a separate third party to conduct penetration testing on our Infrastructure and applications
- We segment our networks by security value
- We separate our proving and production environments (and never store user data in non-production environments)
- We have procedures in place to ensure that any transfer of information to and from customers is protected by TLS
System acquisition, development and maintenance
Security is an integral part of our entire Software Development Life Cycle:
- We train all our people in the relevant technologies for their job role
- Our developers undertake OWASP training and refresher sessions
- Our code review process covers OWASP vulnerabilities, adherence to secrets policy and the security of our endpoints
- We make extensive use of automated testing – this is executed as part of our build process, and also overnight for all our test environments
- We maintain a balanced pyramid of tests, automating unit, contract, system and performance tests
- All tests are executed as part of our automated build pipeline
- We do not make use of any client data for testing purposes
- All code is held in configuration managed repositories
We have processes in place to ensure that the third party software and libraries we use are safe:
- We automatically check our code libraries for known vulnerabilities
- All third party products are risk assessed and reviewed for GDPR compliance:
  - when we are considering using a new product
  - when an existing product undergoes a major upgrade
  - when we change the way we are using an existing product
We have controls in place which ensure the software we release is code reviewed, tested and configuration managed:
- We use an automated build pipeline to ensure changes are:
  - committed to our configuration managed repositories
  - scanned for code vulnerabilities
- We employ additional governance around the release process where changes can affect the advice which our products give – this requires:
  - adviser approval
  - compliance approval
In order to protect the data we hold, we employ a number of controls to manage our interaction with suppliers:
- We have a supplier risk assessment tool (Dora) which covers the supplier’s financial and security obligations
- Our contractual terms cover all aspects of Data Protection compliance, including notification requirements
- We regularly review supplier service delivery in line with the agreements we have in place
We have controls in place which ensure a consistent and effective approach to the management of security incidents:
- We have a dedicated Service Desk which allows customers and our own people to raise incidents quickly and easily
- We have established an open culture which encourages the raising of incidents
- We have dedicated roles and responsibilities which cover all aspects of incident management
- We retrospectively analyse all incidents to allow trends to be analysed, and improvements to be put in place
Business Continuity Management
Information security is an integral part of our Business Continuity Plan (BCP):
- We maintain a central BCP, with processes for the containment and communication of any continuity event
- We rehearse our BCP at least annually
- By storing all aspects of the configuration of our systems in code, we are able to rapidly rebuild and redeploy them to other geographical locations in the event of a disaster
- We train all our people in safe remote working
- We maintain very little of our own infrastructure meaning we are largely unaffected by non-availability of any of our office locations
We are a regulated business, and maintain a range of controls to ensure we comply with legal, statutory, regulatory and contractual obligations:
- We conform to all the requirements placed upon us by the FCA, Information Commissioner and our certification auditors
- We maintain registers for all compliance related events in our management system, Remus
- We maintain a register of relevant legislation and its impact on how we organise security
- We run an internal audit programme which verifies our adherence to our obligations
- We have an exception process to respond to non-conformances
- We employ third party experts to validate our technical approach, and to ensure we are up to date with expert community best practice
Version 44, updated 7 November 2018