The Sustainability Assessor System – Hosting and Information Security

The security of your data is of the utmost importance to us. With that in mind, we are committed to managing and supporting effective processes that ensure your data is secure and protected. The following page was developed to help you understand what we are doing to ensure quality and data security in the CSR assessment and benchmarking services we provide.

Hosted Environment

The Assessor systems are managed by QuEST Forum’s development partner, epi Consulting. Their in-house IT team in Cheltenham, UK and all active instances are hosted on a High Availability Stack (HAS) server environment that forms part of the global IBM Soft Layer network. The environment’s maintenance is managed by epi, in conjunction (for software fixes) with its long term web systems development partner and also in partnership with IBM.

Performance and Stability

The IBM network is one of the most extensive, fastest and most resilient in the world. It allows epi to nominate HAS server resources in many countries to allow balanced choices on performance, data protection and security. All Assessor system instances are currently hosted at the UK data centres. System availability and scheduled uptime is typically higher than 99%. The IBM network also provides real time “mirror site” failover functionality, providing continuity of service in the event of major outage.

Access Control and Security

epi follows appropriate security protocols and standards typically applied to data sharing and storage networks today. epi has established processes for security on the web and the system delivery networks with advanced “hardened” server and firewall technology used today in many mainstream web applications that require high levels of security.

At site level, the systems use Secure Socket Layer (SSL) protocols when transmitting any data; epi processes then add “double layer” access security throughout (for example, new registration to the sites requires access code issue by an authorised epi team member after screening of each registrant, in addition to account and password set up). On site, each user’s data is transmitted under authenticated server communications protocols, including TLS and SSL protocols. Industry standard cryptography techniques for password protection are employed. User Data is stored on dedicated and private epi server partitions; Only pre-approved, nominated epi personnel can access the partitions via passworded and VPN access to the system Administration Tables. Access codes are restricted to a small group of nominated personnel and controlled and monitored by the epi director responsible for security, who has complete oversight on access to the system; no other party can access the partitions. All approved epi staff are trained in data security procedures and operate under the non-disclosure conditions that epi has agreed contractually with its user clients. pi has a policy of continuous review and upgrading of security processes and protocols as new standards and technologies become available.

Data Privacy

On site, a full data confidentiality and privacy policy is available for presentation to the user at registration stage and any time thereafter. epi maintains strict privacy for all data entered into the Assessor systems. epi may use company contact data to contact a user in connection with support for the systems or systems improvement. epi will never pass on contact details to any third party, except where this is necessary for its partners to provide systems support or where a user has specifically authorised its onward transmission, this includes financial sponsors of the system operation. Any exception to this policy (for instance certain bespoke versions may require onward transmission of contact details before access passwords can be granted) will be clearly marked on the relevant version of the website confidentiality and privacy policies.

Data Ownership

All data input to the Assessor systems remains the property of the user who inputs it and a user can view or modify his/her data, or ask for the data to be deleted at any time. epi may interrogate and compile data stored on the systems for support purposes or to provide aggregate analysis for its own management information or to provide aggregated reports under its contractual terms, but epi will never report any data at the individual or identifiable level unless specifically authorised to do so. Again the site data and confidentiality policy available to all users makes the data ownership policy clear to all users.

Translate »