OEYE Information Documents

Download as: PDF document PDF

OEYE Data Security document

Data Security

Overview

The SDA Online Early Years Entitlement (OEYE) system, when hosted on our servers, will provide the highest level of data security and will comply with all appropriate regulations and codes of practice1. The system will, of course, comply fully with the Department for Education (DfE) Eligibility Checking Service (ECS) connection requirements2. It is not the intention of this document to give detailed accounts of the provisions of the ECS connection requirements, or their attainment, but the following is a brief outline of some major features.

Software for Data Analysis Limited

SDA have extensive experience in providing and managing systems involving the transferring and handling of large quantities of personal data, for example, the DfE’s National Pupil Database (NPD) and Key to Success (KtS) service. In addition to working on many projects and services for the DfE, SDA works for many other central government, local government and non-departmental public body organisations.

Most importantly SDA is fully and currently certified as ISO27001 compliant. ISO27001 is the definitive specification to ensure that businesses and organisations throughout the world conform to a compliant Information Security Management System (ISMS). Its auditing and certification requirements are stringent and its assurance is comprehensive. The standard is published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC).

SDA Personnel

Only trained SDA staff with experience of handling personal data will be permitted to access the OEYE system. All SDA staff are cleared to Baseline Personnel Security Standard3 and will have Enhanced Disclosure and Barring Service (DBS)4 clearance. SDA expect any Local Authority (LA) user of the OEYE system to be at least cleared to the Baseline Personnel Security Standard.

1For local authorities choosing to host the system on one of their own servers the responsibility for many aspects of compliance will, quite naturally, fall to them.
2Currently detailed in ECS Connection Requirements v1-5 (Rel 2e).xls – a copy of which SDA and the local authority will need to complete.
3https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/299555/HMG_Baseline_Personnel_ Security_Standard.pdf
4Formerly Criminal Record Bureau (CRB)

 

Physical Security

SDA servers are located in one of TelecityGroup’s data centres in London5. TelecityGroup is the leading operator of network-independent data centres in Europe and all of their data centres are certified to the ISO 270016 (Information Security Management) standard and have Payment Card Industry Data Security Standard (PCI DSS) accreditation. Physical access to the data centre is controlled by biometrics and access card and the centre is fully staffed for 24 hours all year round. Visits may be organised for those wishing to view the premises, equipment and security arrangements.7

Intrusion Detection, Monitoring and Access Control

Intrusion detection mechanisms (both within the OEYE domain and between the OEYE domain and connected networks) are in place to identify potential attacks. The OEYE service has mechanisms in place to detect suspicious activity and to identify suspected multiple applications.

Information Security events are reported through appropriate management channels as quickly as possible. Management responsibilities between SDA and the LA will be established to ensure quick, effective and orderly response to Information Security incidents.

The OEYE service incorporates reliable user authentication, including measures concerning password strength, renewal and re-use.

Audit logs recording the activities of all users, exceptions and information security events will be produced to assist in future investigations and access control monitoring.

5See http://www.telecitygroup.com/colocation-data-centre-london-uk.htm
6Annex A contains a suite of 133 information security controls that are derived from and aligned with ISO/IEC 27002. ISO/IEC 27002 itself is an advisory standard only and cannot be accredited or certified.
7For those who have already entered into a contract with SDA, there will be no charge for accessing the premises but any incidental expenses, e.g. travel, food and accommodation, will be payable by the visitor. For those wishing a pre-contract visit a payment of a small administrative charge will be made for accessing the premises and all incidental expenses, e.g. travel, food and accommodation, will be payable by the visitor.