| Question | Answer |
|---|---|
| What is BSI's view on security when it comes to BSI Connect? | BSI have a robust programme in place and employ controls at a management, operational and technical level. Key security practices for BSI Connect include: (a) being ISO 27001 certified, (b) staff trained on security on a regular basis, (c) a dedicated security team within BSI Group, (d) data encrypted in transit and at rest, (e) up-to-date patch management, (f) penetration and vulnerability testing by third parties, (g) documented policies and procedures, (h) data privacy and GDPR compliance, (i) strict access controls. |
| Where is the data hosted for BSI Connect? | Data is hosted on the Microsoft Azure environment based on a data residency approach. |
| What standards does the hosting provider have in place? | Microsoft Azure holds many, including ISO 27001, ISO 27017, ISO 27018, SOC and PCI DSS. |
| What standards does BSI have in place for BSI Connect? | BSI is certified to ISO 27001 and follows the control guidelines of ISO 27017. The certificate is available on request. |
| Is BSI compliant with GDPR and data privacy regulations? | BSI take data very seriously. See the privacy notice and GDPR notice within our terms and conditions. |
| Is the data within BSI Connect encrypted? | Yes, the data within BSI Connect is encrypted using 256-bit AES encryption to ensure the highest level of security and protect sensitive information from unauthorised access. |
| Are passwords within BSI Connect secure? | Yes, we use Microsoft Azure AD B2C for authentication. Passwords are never stored or transmitted in plain text; they are hashed and salted using the PBKDF2 algorithm with HMAC-SHA256. All data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256 within Microsoft's secure datacentres. |
| What network access security is in place for BSI Connect? | BSI Connect ensures network access security through secure HTTPS access, providing encrypted communication to protect data during transmission and safeguard against unauthorised access. |
| Can an administrator restrict user access within BSI Connect? | Yes, an administrator can restrict user access within BSI Connect, allowing them to control permissions and system context so that users only have access to the appropriate resources based on their roles and responsibilities. |
| Does BSI carry out penetration tests and vulnerability tests on BSI Connect? | Yes, BSI regularly carries out penetration tests and vulnerability assessments on BSI Connect to identify and address potential security weaknesses, ensuring the platform remains secure and resilient against threats. |
| Does BSI have access to my data within BSI Connect? | A limited number of staff have access in order to provide the contracted services and support. |
| Does BSI employ separate environments for development and production? | Yes, BSI employs separate environments for development and production to ensure security, stability and quality control during the platform development lifecycle. This separation allows for thorough testing and validation of new features or updates before they are deployed to the live production environment. |
| Does BSI follow clean code practices for BSI Connect? | Yes, BSI follows clean code practices for BSI Connect to ensure high-quality, maintainable and efficient code. These practices help improve readability, reduce technical debt and enhance collaboration among development teams. |
| What are the technical requirements for BSI Connect? | Cloud based with mobile support. Fully supported browsers are Chrome, Firefox, Safari and Edge. |
| Does BSI employ a dedicated security team for BSI Connect? | BSI's group function employs a dedicated security team, under which BSI Connect falls. This team is responsible for identifying and addressing security vulnerabilities, implementing best practices and maintaining a secure environment for all users. |
| Does BSI Connect support SSO and/or MFA? | MFA is currently supported; SSO is not currently supported. |
| What controls are in place for staff background checks and security training? | BSI employ third-party providers to conduct background checks on staff, and all staff undergo regular security awareness training that is documented. |
| Is there automated malware scanning? | BSI Connect scans files for malware and viruses when you upload them to the platform. Files which you've uploaded won't be available for download until BSI Connect has verified that the file is likely to be safe. Normally, this only takes a few seconds. If the system detects a harmful file, it is quarantined to keep the platform secure. You won't be notified if this happens. If you try to download a file which has been quarantined because it is potentially malicious, you will receive a safe .htm placeholder file instead of your original file. If you think we've made a mistake and quarantined a safe file, please contact support through our live chat. While we use the latest tools to detect malicious files, we can't guarantee we'll always get it right. For that reason, we recommend that you follow standard cybersecurity practices and are cautious when downloading files from the web. We're always looking at ways to improve our processes and would value your feedback. You can contact us through the live chat at the bottom left of your screen. |
| Do you maintain an inventory of all hardware and software assets, including ownership? | Yes, we maintain an inventory of all hardware and software assets, including their ownership details. This ensures effective asset management, tracking and compliance. |
| Do you maintain an inventory or map of data flows between both internal and external information systems? | Yes, we maintain an inventory and map of data flows between both internal and external information systems. This allows us to track and manage data movement, ensuring security, compliance and operational efficiency. |
| Do you regularly perform security threat and risk assessments on your critical information systems? | Yes, we regularly perform security threat and risk assessments on critical information systems to identify vulnerabilities, assess potential risks and implement necessary controls to ensure the security and integrity of our systems. |
| Do you have Business Continuity & Disaster Recovery Plans in place? | Yes, we have Business Continuity and Disaster Recovery Plans in place to ensure that critical operations can continue and data can be restored in the event of an emergency or disaster. These plans are regularly reviewed and tested to maintain effectiveness. |
| Do you perform security assessments/reviews on potential suppliers prior to entering into agreements with them? | Yes, we perform security assessments and reviews on potential suppliers prior to entering into agreements with them. This ensures that they meet our security standards and align with our risk management requirements. |
| Do you regularly evaluate suppliers to ensure that they are meeting their security obligations? | Yes, we regularly evaluate suppliers to ensure that they are meeting their security obligations. This includes conducting assessments and reviews to verify their compliance with our security requirements and standards. |
| Are all access rights to information systems regularly reviewed for appropriateness by the asset owners? | Yes, all access rights to information systems are regularly reviewed for appropriateness by the asset owners to ensure that access is granted only to authorised individuals based on their roles and responsibilities. |
| Do you conduct regular phishing simulation tests of your employees? | Yes, we conduct regular phishing simulation tests of our employees to raise awareness, improve their ability to recognise phishing attempts and strengthen our overall security posture. |
| Do you maintain an inventory and mapping of where all personal data is stored that includes cross-border data flows? | Yes, we maintain an inventory and mapping of where all personal data is stored, including details of any cross-border data flows, to ensure compliance with data protection regulations and secure handling of sensitive information. |
| In the last 5 years have there been any data breaches that needed reporting to the ICO? | No, there have been no data breaches in the last 5 years that required reporting to the ICO. |
| Do you incorporate threat modelling into application design? | Yes, we incorporate threat modelling into application design to proactively identify and address potential security vulnerabilities, ensuring that security risks are mitigated during the development process. |
| Do you enforce containerisation on all mobile devices that may contain organisational data? | Yes, we enforce containerisation on all mobile devices that may contain organisational data to ensure that sensitive information is securely isolated and protected from unauthorised access. |
| Do you have the capability of deleting all organisational data from mobile devices? | Yes, we have the capability to delete all organisational data from mobile devices remotely, ensuring that sensitive information can be securely wiped in case of loss, theft, or when the device is no longer in use. |
| Are security event logs protected and retained? | Yes, security event logs are protected and retained in accordance with our security policies to ensure the integrity of the logs and enable effective monitoring, analysis and compliance with regulatory requirements. |
| Do you have automated tools to collect, correlate and analyse security event logs? | Yes, we use automated tools to collect, correlate and analyse security event logs, allowing us to efficiently detect, respond to and mitigate potential security threats in real time. |
| Are security alerts monitored 24x7? | Yes, security alerts are monitored 24x7 to ensure timely detection and response to potential security incidents, minimising risks to our systems and data. |
| Are all security incidents recorded, classified and tracked? | Yes, all security incidents are recorded, classified and tracked to ensure proper handling, resolution and continuous improvement of our security posture. |
| Are forensic investigations conducted as part of incident response? | Yes, forensic investigations are conducted as part of our incident response to thoroughly analyse security incidents, determine their root cause and ensure appropriate corrective actions are taken. |
| How is segregation between customers enforced? | Logical separation within the database. |
| Which version of TLS is in use? | TLS 1.2 |
| What is the timeout period for session tokens? | 24 hours |
| How long is backup information retained? | 7 days |
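The password answer above names the technique (salted PBKDF2 with HMAC-SHA256) without showing what it looks like in practice. The following is an added illustration, not BSI Connect's or Azure AD B2C's code, and the parameters it uses (a 16-byte random salt, 600,000 iterations, a 32-byte derived key, and the `pbkdf2_sha256$iterations$salt$hash` record layout) are assumptions for this example; the FAQ does not state what BSI Connect uses. It shows the two properties a reviewer of such a claim would check for: a fresh per-user salt so that identical passwords produce different stored records, and constant-time comparison on verification.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters only (assumed for this example, not BSI Connect's real settings).
ALGORITHM = "pbkdf2_sha256"   # PBKDF2 with HMAC-SHA256 as the PRF
ITERATIONS = 600_000          # work factor; raise over time as hardware gets faster
SALT_BYTES = 16               # per-password random salt
DK_LEN = 32                   # derived key length in bytes


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and return a self-describing record.

    The record stores the algorithm, iteration count and salt alongside the hash so
    that verification does not depend on hidden global settings and the work factor
    can be increased later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt/iterations and compare in constant time.

    Malformed or unknown records are rejected rather than raising, so a corrupted
    row cannot crash the login path.
    """
    try:
        algorithm, iterations_str, salt_b64, hash_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except ValueError:  # wrong field count, non-integer iterations, bad base64
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def salts_are_unique(password: str) -> bool:
    """Hashing the same password twice must yield different records (different salts)."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", record))
    print("salts unique:  ", salts_are_unique("correct horse battery staple"))
```

Because the iteration count travels with the record, a deployment can raise `ITERATIONS` and transparently re-hash each user on their next successful login, which is the usual way a stated work factor is kept current without a forced password reset.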