OFSM Information Documents
Download as: PDF
OFSM Data Security document
The SDA Online Free School Meals (OFSM) system, when hosted on our servers, will provide the highest level of data security and will comply with all appropriate regulations and codes of practice1. The SDA system will, of course, fully comply fully with the Department for Education (DfE) Eligibility Checking Service (ECS) connection requirements2. It is not the intention of this document to give detailed accounts of the provisions of the ECS connection requirements, or their attainment, but the following is a brief outline of some major issues.
Software for Data Analysis Limited
SDA have extensive experience in providing and managing systems involving the transferring and handling of large quantities of personal data, for example, the DfE’s Performance Tables and Key to Success (KtS) service. In addition to working on many projects and services for the DfE, SDA works for many other central government, local government and non-departmental public body organisations.
Most importantly SDA is fully and currently certified as ISO27001 compliant. ISO27001 is the definitive specification to ensure that businesses and organisations throughout the world conform to a compliant Information Security Management System (ISMS). Its auditing and certification requirements are stringent and its assurance is comprehensive. The standard is published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC).
Only trained SDA staff with experience of handling personal data will be permitted to access the OFSM system. All SDA staff are cleared to Baseline Personnel Security Standard3 and will have Enhanced Disclosure and Barring Service (DBS)4 clearance. SDA expect any Local Authority (LA) user of the OFSM system to be at least cleared to the Baseline Personnel Security Standard.
1For local authorities choosing to host the system on one of their own servers the responsibility for many aspects of compliance will, quite naturally, fall to them.
2Currently detailed in ECS Connection Requirements v1-5 (Rel 2e).xls – a copy of which SDA and the local authority will need to complete.
4Formerly Criminal Record Bureau (CRB)
SDA servers are located in one of TelecityGroup's data centres in London5. TelecityGroup is the leading operator of network-independent data centres in Europe and all of their data centres are certified to the ISO 270016 (Information Security Management) standard and have Payment Card Industry Data Security Standard (PCI DSS) accreditation. The data centre has a permanent manned security presence and uses multi-layered physical security including a secure perimeter, biometric and video surveillance.
Entry to the data centre is tightly controlled - with strict procedures in place to monitor and control visitor access both into and within the data centre. Extensive CCTV video camera surveillance is in place accross each facility, along with security braeach alarms, biometric checks and vontolled physical barriers.
Intrusion Detection, Monitoring and Access Control
Intrusion detection mechanisms (both within the OFSM domain and between the OFSM domain and connected networks) are in place to identify potential attacks. The OFSM service has mechanisms in place to detect suspicious activity and to identify suspected multiple applications.
Information Security events are reported through appropriate management channels as quickly as possible. Management responsibilities between SDA and the LA will be established to ensure quick, effective and orderly responses to Information Security incidents.
The OFSM service incorporates reliable user authentication, including measures concerning password strength, renewal and re-use.
Audit logs recording the activities of all users, exceptions and information security events will be produced to assist in future investigations and access control monitoring.
6Annex A contains a suite of 133 information security controls that are derived from and aligned with ISO/IEC 27002. ISO/IEC 27002 itself is an advisory standard only and cannot be accredited or certified.
7For those who have already entered into a contract with SDA, there will be no charge for accessing the premises but any incidental expenses, e.g. travel, food and accommodation, will be payable by the visitor. For those wishing a pre-contract visit a payment of a small administrative charge will be made for accessing the premises and all incidental expenses, e.g. travel, food and accommodation, will be payable by the visitor.