iSAGE Hosting - under the covers

Through our work with young people, our developers have considerable experience in the software, protocols and processes required to ensure the security of data online. We strictly adhere to the requirements of the UK’s Data Protection Act and, building on a close working relationship with the Department of Law at University of Bristol, we support our clients and partners to ensure that the necessary data sharing and management involved in using online systems is undertaken appropriately. We currently securely manage and store educational and personal data for over 1 million learners in England.

We use industry standard security measures to safeguard learner and administrator data and ensure that all personal information supplied is held securely against unauthorised access in accordance with the Data Protection Act 1998. To do this we implement a layered approach to security (from physical infrastructure through to application logic).

Infrastructure Security

Our solutions use secure protocols (HTTPS) where any data is accessible. We utilise auto logout functionality after a pre-determined time of inactivity. We have firewalls in place for the production system, using two Cisco ASA5510 appliances. Our website data tier is separated from our application tier and therefore rendered inaccessible externally. Further detail can be provided about technical set-up if required.

Application Security

All i-Sage products operate on a password access basis with passwords being linked to specific individuals. Visibility of learner passwords is restricted to the individual learner only and if passwords are to be reset, this can be done by either the learner or the Home Learning Provider of the learner. All user access is restricted and controlled at a local authority level with permissions granted based on the roles of individuals. The restricted access ensures that users accessing the system need to have a valid username and password and are only able to see information available for that permission level.

Data Security

All your data is backed up on a nightly basis and data is kept in a secure storage unit accessed only by those staff members with rights. Data that includes personal and sensitive information is required to be sent to our servers through our secure data transfer tool. Access to this site is given only to authenticated and named individuals in an area who can only access the site using a personal login and password. We require that data is sent to our servers via a secure data transfer tool, to ensure learner data is fully protected. Once data has been downloaded from the tool, it is deleted and a copy is kept in a permission restricted storage folder.

Learner/user data is only otherwise accepted if it is encrypted to the Advanced Encryption Standard (AES) or equivalent in line with commercial best practice and use a minimum bit strength of 256 bit encryption. The password shall be a minimum of 15 characters and should be communicated to data recipients via separate email. As registered data controllers, i-Sage adheres and works to the 8 principles of the UK Data Protection Act 1988. We work with our clients and partners to ensure that any data sharing and processing is appropriate and secure. Within each of our products there are privacy policies outlining the data that is collected and stored in relation to each product and the uses of the data that is collected. The policies are updated and reviewed annually to reflect changes to our products and to keep it in line with amendment to the Data Protection Act. All of our employees with access to personal data and/or have any direct contact with end users in order to fulfill their roles and responsibilities, are Enhanced CRB (Criminal Records Bureau) checked.

Data Centre Connectivity

Our servers have 100Mb connectivity with all data centre connections above server level of 1Gb. This ensures that data travels from the server to the client as quickly as possible. Please note that connection speeds can vary due to connectivity and physical conditions along the entire connection including ISage client’s equipment and environment. We guarantee 99.9% network uptime.

Secure transmission and sessions

Connection to the iSage application is via SSL. Secure Socket Layer (SSL) is a global standard security technology. SSL creates an encrypted link between a web server and a web browser to ensure that all data transmitted remains private and secure. Millions of consumers recognize the "golden padlock" which appears in their browser to indicate they are viewing a secure web page.

Network Protection

Our Firewall has been configured only allow external access to the server via the http and https protocols, all other protocols are blocked.

Security Monitoring

Our servers run Security Enhanced Linux, this ensures the sanity of our servers by limiting the resources an application can use. This safeguards data, as in the unlikely event of system malfunction, the operating system will not let any program access any data that it shouldn't or in a way that as such, would compromise the overall stability of the system.

Application Security

The application has been developed with security at its core. There are stringent checks constantly being made to ensure you are working on your data, and that nobody else has access to your data. Site Monitoring Our servers are constantly monitored to ensure it is constantly available for our clients. In the event there might be connection interruptions, our servers issue alerts to system administrators 24/7 so that they can investigate and rectifying the issue. Our services are operated from one of the largest server farms in the UK which is directly connected to the international and trans-continental data pipes coming into London. The bandwidth available to our SaaS services expands as required, and would not be restricted even if our contractually agreed limits were suddenly met. In any case, we would have access to many times the bandwidth requirements for the number of users we have, and constantly monitor our systems and usage to ensure we are not operating close to our limit. Should our London server farm have a catastrophic failure (for example, due to terrorist attack), our virtual server setup would allow us to immediately start providing the service from an alternative location anywhere in the world. We have a preprepared list of suitable locations, and would be able to resume a full service within a matter of hours.

Documentation and Training

i-Sage products are designed to run with minimum support and training. However, the following documentation and support is available (there are two versions of every document, one for users and one for administrators): 1. Summary and Quick-start guides 2. Detailed user guides 3. Frequently asked questions 4. Online help