Security Policies and Procedures
Keosetech is a security-focused organisation that maintains high standards of security for its systems and those of its customers. We’re a small organisation, but we aim to achieve enterprise-level security, and help our small business customers achieve it too.
In this whitepaper we describe some of the security controls we use. For further information, please email info@keosetech.com. Keosetech offers cyber security services to its customers. For more information on those, please see the 'Services' page.
Customer data
Customer data is stored using a cloud service that is protected with end-to-end encryption and two-factor authentication. Only personnel whose job requires it have access to customer data. This cloud service conforms with the requirements of UK and European GDPR.
Security Researchers, Responsible Disclosure and Bug Bounty Programme
Security researchers play a vital role in identifying security weaknesses and helping to resolve them. Keosetech offers a penetration testing service for customers and fully supports the work of the security research community. Currently, Keosetech does not manufacture software or devices, nor does it maintain its own servers. If we do develop this kind of infrastructure in the future, we will put in place a responsible disclosure policy, a bug bounty programme and a ‘hall of fame’. In the meantime, security researchers who wish to bring a security issue to our attention should email us at info@keosetech.com with the subject heading ‘security issue’ and we’ll respond as soon as possible.
Behavioural controls
Keosetech personnel are extensively trained in ways to minimise the chances that threats such as phishing, malicious websites and social engineering will impact our systems or the systems of our customers.
Access control
Keosetech personnel are extensively vetted to ensure that they are trustworthy and suitable persons to have access to our systems and the systems of our customers.
Keosetech implements the ‘principle of least privilege’. This means that personnel only have access to the resources they strictly need to do their jobs, and their level of access to those resources is the minimum needed. For example, administrative rights are granted only where they are strictly needed.
Only Keosetech personnel directly involved in managing customer systems have access to those systems, and they are given the least amount of access that they need to do their jobs for our customers.
Keosetech has a process in place to ensure that personnel who leave our organisation can no longer access our systems or those of our customers.
Devices
Keosetech desktop and laptop computers run a mixture of Windows, macOS, various Linux operating systems based on Debian (a major security-focused version of Linux), and Qubes, a security-specific operating system.
We harden our devices significantly to add layers of security through:
• Changes to system settings.
• Use of anti-virus.
• Firewalls.
• Use of other security software.
All desktops and laptops use full disk encryption. Devices are set to automatically lock after a period of inactivity, and use strong passwords.
Keosetech mobile devices have also been hardened through control of operating system settings. Devices are encrypted. Screen locks are set with strong passcodes. All Android devices have anti-virus software. VPNs are used to protect mobile devices when on non-Keosetech networks.
Devices no longer in use have their data wiped and their operating systems reset to default. Additionally, where necessary, storage media are physically destroyed to prevent any attempt at data recovery.
An Intrusion Detection System (IDS) is used on all Keosetech devices. This helps to ensure that we can identify any threats on our devices and act quickly to respond.
All operating systems, firmware and applications are kept regularly updated.
Application Control and Online Services
All applications running on Keosetech devices, and all online services that we use, have been extensively vetted and chosen for their high standards of security.
Where possible, online services used by Keosetech have two-factor authentication and other controls enabled to stop them being accessed in the event that user credentials are compromised.
Password management
All Keosetech passwords and the passwords for the customer infrastructure we manage are stored encrypted in password managers. Passwords are long and complex, and never re-used for multiple accounts.
Network
Routers are purchased from vendors with strong security programmes. Router settings are hardened to improve security. Keosetech uses the strongest available WiFi encryption protocols. We keep router firmware updated regularly.
On Keosetech’s premises, all devices sit behind hardware firewalls. Our network is segmented into security groups to help prevent lateral movement. All Keosetech desktops, laptops and mobile devices run VPNs, which protect the devices when they use internet connections outside Keosetech premises.
Backup and Disaster Recovery
All Keosetech and customer data is regularly backed up. Backups are stored on physically separate, encrypted devices that are not connected to the internet.