Cyber Security Statement

Introduction

This statement provides an overview of Foxhams' approach to cybersecurity.

Security Policy

Our policies address the handling of personal, sensitive, and confidential information. These policies are regularly reviewed and communicated to all staff.

Organisational Information Security Approach & Compliance

In addition to information security, our policies encompass data protection and compliance with the Computer Misuse legislation. We have dedicated roles for cybersecurity, as well as legal, compliance, and internal audit teams. To demonstrate our commitment to cybersecurity to our customers and staff, we have achieved accreditation from reputable cyber security standards such as Cyber Essentials in the UK.

Third Parties

Like many organisations, we engage third parties to host or process customer information. We conduct technical due diligence to assess their cyber risks and ensure that our legal agreements appropriately address security and data handling. When personal data is processed outside the EEA, we implement the necessary safeguards, such as model clauses, to ensure data protection.

Employee Security Practices

We conduct thorough checks on employees' identities, references, and right to work. Cybersecurity is included in employee inductions, and ongoing training is provided, including bespoke training relevant to specific roles. Additionally, we conduct phishing tests against staff to improve awareness. Violations of relevant policies could result in disciplinary action, including potential dismissal through HR processes.

Physical Office & Data Centre Facilities

Entry controls and CCTV are implemented at entry/exit points in our major offices and all data centre facilities. We have measures in place to protect our systems from unauthorised physical access. Our data centres are located in the UK, EEA, US, and Asia.

Documentation & Process

We have well-documented operational procedures and monitoring in place. Our change control process includes audit trails of changes for transparency and accountability.

Infrastructure Protection

Laptops, desktops, and servers are equipped with anti-virus/anti-malware software and disk encryption where applicable. We prioritise applying critical security patches immediately and less severe updates within one month on servers, where practical. Our user and system networks are segregated, and we employ Network Intrusion Detection systems, regular vulnerability scans, proactive scans of encrypted connections using Transport Layer Security, and source code scanning for vulnerabilities. Security logs are centrally collected for monitoring and analysis using a Security Event Information Management system.

Data Protection

We encrypt all public-facing system traffic in transit to international standards, and internal traffic for all new systems. Our policy is to encrypt data at rest where possible and practical. We ensure secure and ethical disposal of old equipment and limit access to production environments to authorised personnel only. Additionally, we maintain separate environments for development, testing, and production.

Access Control

We have standardised processes for managing access for starters and leavers. Central management of access to the various services, two-factor authentication, named accounts for users, a prohibition on shared accounts, and password complexity and rotation policies are in effect. Access and activity logs are maintained for audit purposes and reviewed regularly, and unauthorised access is promptly addressed.

Internal Processes

Security requirements and design are integral to all projects and products, with a focus on secure development practices. Access to source code is controlled and managed. We thoroughly test all releases and follow application security best practices such as the OWASP Top 10. User credentials (passwords) are stored hashed for better security. Additionally, we engage third-party penetration testing and code review.

Business & Incident Management

We have cybersecurity incident response policies and plans in place, covering detection, response, and reporting. We work with a dedicated Cyber Security team who are available to handle cybersecurity incidents. War-games and retrospectives are conducted to continually improve our incident response process and practices. Our business continuity and disaster recovery plans undergo regular testing to ensure their effectiveness.
