As a stakeholder in your company website, you have a level of responsibility to secure customer data and protect brand reputation.
You need to know the website design agency you’re working with is up to the job of keeping your website and data completely secure.
You need to be assured that they will process and store your data in the most secure way possible, and that they follow recognised industry standards and guidelines.
Your reputation depends on it.
Without going into too much dry technical detail, this article will highlight some of the steps Intuitiv Digital take to ensure your website and data are completely secure for you and your customers.
The way we work (or our 'business processes' in corporate-speak) is audited by industry specialists Atos on behalf of one of our larger clients.
We sit with their auditors for several days at a time, going through our processes in fine detail and documenting the findings.
Any changes needed to the way we work are communicated back to our staff, acted upon and followed up in annual reviews.
This ensures we’re always up to date with industry standards and expectations.
An audit requirement is that we follow a Secure Development Methodology, which ensures the highest level of security runs through all the applications we build.
For example, we adopt the industry-recognised OWASP Top 10 awareness document. This document is agreed and produced by leading security experts from around the world.
It focuses on the 10 most critical security risks to web applications, including:
Sensitive data exposure
XML external entities (XXE)
Broken access control
Cross-site scripting (XSS)
Using components with known vulnerabilities
Insufficient logging and monitoring
Another part of our Secure Development Methodology is to only use high-quality SSL/TLS certificates. These encrypt sensitive data in transit between your customers' browsers and our servers, protecting it and your reputation when information is sent across the internet.
And, where necessary, we use data encryption for our databases too.
One of the key policies we adhere to is our Logical Access Management Policy.
This covers best practice concerning access to our servers, databases and network.
For example, we use tiered levels of authorisation and access.
Only our senior developers are allowed to deploy updates and new websites to the live servers. And even our senior developers must first ask our infrastructure team for access.
If a developer requires access to live servers to check configuration files, database entries etc., a request is sent to our infrastructure team. The request then requires approval by senior staff before the infrastructure team allows access. Access is then granted at a restricted level, limited to the data the task requires.
As part of our ongoing commitments to GDPR compliance, the data we store is classified and logged.
We keep a record of each type of data that we store for each website we host.
This record is also used to manage the retention of data to ensure we no longer hold data which we don't have permission to hold.
It’s a big job, but it’s part of our commitment to data security and GDPR compliance.
It should also reassure you that your data is being stored and maintained responsibly.
As part of auditing the way we work, we have to show defined and documented policies, procedures and systems.
Some examples of documents are:
Physical Security Policy
Personal Data Management Policy
Information Asset Register
Business Continuity Reports
Disaster Recovery Procedure
Processed Data Management Policy
IT Security Policy
To name but a few!
They’re not seat-of-your-pants thrillers to read of course, but they do allow us to ensure the security of our network and to respond quickly and effectively to incidents such as DoS (denial of service) attacks, as well as to recover from disasters.
We don’t outsource any work or use third parties for any aspect of website design, development and hosting. Never have. And we’ve been going since 1996.
Not even hosting.
We have a dedicated in-house infrastructure support team who operate and manage our hosting network. Our many servers are located in two UK locations, with the majority in Telehouse London, Docklands.
You need to be confident that your web design agency or internal web design team will process and store your data in the most secure way possible.
You need to be confident that any networks, servers and databases they use are completely secure too, and that access to them is controlled.
Some questions to ask your web design agency:
Do they follow recognised industry standards and guidelines?
Are they audited?
Can they evidence GDPR compliance?
How do they keep your data secure?
Can they evidence a secure infrastructure?
Do they outsource or use third parties? Are they secure? How do they know?
Remember, your business and reputation depend on it.
You need a highly experienced, reliable and secure website design agency.
Your website will be in safe hands.