Security
Security Practices
Last updated: 25 July 2023
Overview
We take the security of our customers’ data, and LUSID platform seriously at FINBOURNE. Driven by our company values to be open and transparent all the time and in every direction, we endeavour to be clear and consistent in our communications around security.
As a software engineering company we design, build and test on the assumption that all technology is prone to failure. By bringing this ethos to our approach to security we strive to avoid reliance on individual mechanisms, instead constructing defence in depth and building to anticipate compromise.
The security landscape is a constantly evolving one and we endeavour to always challenge both traditional and our current approaches to security to determine whether they are still the best way to protect our customers, partners and products.
Compliance
The following security related audits and certifications are applicable to LUSID:
Service Organisation Control (SOC) Reports: FINBOURNE has undertaken a SOC 2 Type II and SOC 2 Type II Privacy independent audit and the most recent reports are available on enquiry for contracted FINBOURNE customers.
International Standard for Assurance Engagements: FINBOURNE has undertaken an ISAE3000 independent audit and the most recent report is available on enquiry for contracted FINBOURNE customers.
LUSID is an entirely cloud based platform and the environments that host our technology and data maintain multiple certifications for their services and infrastructure. AWS is responsible for protecting the infrastructure that runs all of the services it offers in the AWS Cloud. For more information please visit the AWS Security website, AWS Compliance website and AWS Shared Responsibility Model website. For more information about Okta please visit Okta’s Security and Compliance website.
LUSID’s security features
By default LUSID provides integrated Role Based Access Control capabilities that provide feature and data access based on a user’s specific organisational roles. As security is a primary concern, access is always denied unless explicitly granted by an administrator.
LUSID user login identity information is stored externally from LUSID in Okta and any generated logging is done using pseudonymised alphanumeric identifiers.
By default, all interactive users of LUSID require Multi-Factor Authentication (MFA) to use to the service.
Data encryption
LUSID services encrypt all data at rest and sent to, from or between its servers using the latest industry standard encryption protocols.
Disaster Recovery
Maintaining the availability of our services and our customers’ secure access to their data is of paramount importance to us.
The LUSID platform is designed, and automatically tested, to have no single points of failure. No individual hardware failure should cause an outage. It is through this design that FINBOURNE can deliver its services effectively, while running exclusively in cloud environments.
Customer data and our source code is continually backed up to an alternate local data centre, with a full backup to another geographic region performed every 24 hours.
In the event of an issue with our critical service providers we will work with them to promptly resolve the issue. If any unforeseeable issues do arrive we will promptly communicate what information we can to our customers to help them manage the impact within their organisations.
Internal infrastructure and Network Protection
Across our internal systems and platform we follow and enforce the Role Based Access Control paradigm, where FINBOURNE users may only access the systems and data appropriate for their role in the business. To login to any of our systems requires Multi-Factor Authentication (MFA).
Firewalls are configured according to industry best practices and automatically checked regularly. We use AWS Security Groups to lock down any unnecessary externally available resources.
Telemetry
LUSID collects a large amount of logging and metric information from its various systems, and environments. That information specifically relevant to identity, security and access management is automatically monitored for security events or anomalies. These processes and their output are managed through our security team.
Incident management
In the event of a security incident or breach, FINBOURNE will strive to promptly notify you of any unauthorised access to your data. FINBOURNE has, and maintains, incident management policies to guide our handling of any such event.
Our team
We work hard to nurture a security conscious and vigilant culture throughout our team and partners. Some of the ways we do this are to require mandatory security training for all staff and regularly get the team together to share experience and pertinent advice.
Every employee at FINBOURNE undergoes a background check.
External security audits
We partner with respected external security organisations to perform regular targeted audits of FINBOURNE’s products to verify our security practices are sound. In line with our values we are always eager to learn about ways which we can improve our security policies and processes.
Product security practices
As part of our Software Development Life Cycle (SDLC) all code is peer-reviewed, then automatically scanned for known vulnerabilities, before being subjected to our full suite of automated testing ahead of release.