DVELP is committed to delivering an Information Security framework, in line with the ISO 27001 Information Security Standard, to improve the resiliency of business processes and foster awareness across our distributed team and amongst our customers.
DVELP engages with its parent group Sabio to maintain Information Security standards across both parties, ensuring processes are appropriate and followed.
Security is represented at the highest level within the company. Our CEO meets regularly with the Information Security Management Team to discuss issues and co-ordinate company-wide initiatives.
The framework, approved by management, is designed as a functional tool to be referred to day-to-day: it improves awareness, defines best practices and crystallises the key processes for preventing and resolving information security related issues.
DVELP is ISO27001 certified by the British Standards Institution. You can view our certification document here and our certification status here.
The framework includes programs covering:
- Access Control
- Anti-Virus and Malware Policy
- Asset Acceptable Use Policy
- Asset Management
- Backup and Recovery
- Business Continuity Security
- Classification of Information
- Cryptographic Controls
- Data Protection Policy
- Database Limits
- Incident Response
- Information Security Management Meetings
- Information Transfer
- Internal Security Audits
- People Security
- Physical Security
- Special Interest Groups
- Statement of Applicability
- Vulnerability Management
The scope of our Information Security Management System comprises all DVELP employees operating in the UK and the European Union, and all processes that we use to deliver on our clients' requirements.
DVELP will endeavour to comply with all legal and regulatory obligations and constraints associated with information security, fraud and theft prevention and detection.
DVELP will take reasonable and proportionate actions to facilitate and assist law enforcement agencies (and other appropriately authorised investigators) in pursuit of their duties and responsibilities, and in this respect shall make available in a timely manner all records, audit trails and system logs that they request under legal authority (e.g. subpoena, court order, search warrant).
The legislation that DVELP has to comply with includes:
- UK Data Protection Act 1998
- EU Data Protection Directive (95/46/EC)
- EU General Data Protection Regulation (2016/679) (“GDPR”)
- EU Privacy and Electronic Communications Directive 2002/58/EC
Additionally, DVELP has an obligation to some clients for Payment Card Industry Data Security Standard (PCI DSS) compliance. DVELP has created a PCI DSS Charter to manage this obligation.
DVELP is a software consultancy, building solutions for clients in a number of industries, including retail, health, and financial services. We are headquartered in London and maintain a remote team that operates internationally.
DVELP's management team has identified the following stakeholders as being key to the design and maintenance of the company's information security management system:
- Company Board
- Contractors
- Financial Regulation Authority
- Information Commissioner's Office
- Our Clients (including end-users of the software solutions that are built by DVELP)
- Staff
These stakeholders trust us with sensitive and confidential information. They need to know that we treat this information with the appropriate level of care and have state-of-the-art systems and processes in place to protect it from unauthorised access, manipulation and duplication. Our Information Security Management System sets out to provide this assurance.
DVELP's Board of Directors and Management Team are committed to delivering a robust Information Security Management System.
To that end, senior management has established the Information Security Management Team. Our CEO attends the Information Security Management Meetings and encourages the entire organisation to build security into its DNA.
A full list of organizational roles, responsibilities and authorities is captured in our Contacts Table.
Information Security risks and opportunities are reported to our [email protected] email address and evaluated within 24 hours.
We assess risks in our business in line with our Risk Management Policy and take action to improve our systems in accordance with our Vulnerability Management Procedure.
Opportunities can also be identified internally by our developers by adding them to the Backlog in our Information Security Trello Board.
The objectives of our Information Security Management System include:
- Continuously improving our processes by acting on reported vulnerabilities within one month in all cases, as tracked by our Information Security Trello Board
- Continuously reducing risks by mitigating risks with significant potential impact as per our Risk Management Policy
- Obtaining and maintaining ISO27001 certification
We commit resources to Information Security Management by:
- Maintaining Information Security Roles and responsibilities as laid out here.
- Holding regular Management Meetings with our Information Security Management Team.
- Regularly conducting internal audits as per our Internal Audit Policy
- Monitoring our [email protected] inbox with a 24h response time
We ensure that we remain aware of the latest trends and developments, and that we have the competencies to protect against the latest threats, by attending a number of Special Interest Groups.
We ensure our staff are aware of our policies by:
- Ensuring new joiners read and understand our Information Security Policy
- Regularly auditing our compliance internally
- Regularly providing quizzes on our policies to all staff
We communicate our policies and documentation via our Information Security GitHub page. This provides a medium our developers are familiar with from their everyday workflow, and it is publicly visible online.
At our regular Information Security Management Meetings we assess our recent performance against our security objectives and agree any controls that need to be put in place to enable us to achieve our objectives.
Risks are assessed and treated in accordance with our Risk Management policy.
We measure the performance of our Information Security Management System in three main ways:
- the number of unmitigated risks with significant impact in our Risk Register
- the number of questions our staff answer incorrectly during our Internal Security Audits
- the average resolution time of enquiries submitted to [email protected]
Internal Audits are conducted on a regular basis in order to ensure our staff are aware of our policies and enact them in their day-to-day work. The results of these audits are tracked for continual improvement as part of our regular Information Security Management Meetings.
The Information Security Management Team meet to review:
- reports to [email protected]
- the results of recent internal audits
- our internal policies and objectives relating to Information Security as per our Information Security Management Meetings Policy.
Any non-conformities with the ISO27001 standard that the Information Security Management Team becomes aware of are given the highest priority under our Vulnerability Management Procedure, in order to ensure we maintain ISO27001 compliance and certification.
We are committed to continuously improving our processes and becoming more secure over time. We ask our staff and customers to report any queries, uncertainties, potential vulnerabilities and potential opportunities for improvement to [email protected] so that we can take the appropriate steps to remedy any shortfalls and implement any improvements in line with our Vulnerability Management Procedure.
All violations of this Charter will be reviewed and discussed by the Information Security Officer and the Executive Team. Any violation may result in formal disciplinary action.
In the event the violation is in breach of any legal or regulatory obligations, DVELP may take legal action against the individual or organisation concerned.
Stephen Smith is the owner of this document. You can contact him on <[email protected]>.