Oxford Economics Security Statement
Introduction
Oxford Economics understands the ever-increasing risk of cyber-related incidents such as security breaches and theft of assets. Incidents can damage the organisation’s reputation and have significant financial implications if they involve a breach of regulations. We are also well versed in the provision of ethical walls (information barriers) within our organisation to prevent the exchange of information or communication that could lead to conflicts of interest. As a result, Oxford Economics has created this policy to outline the security measures in place to ensure information remains secure and protected.
Purpose
The policy’s purpose is to describe the mechanisms and controls in place to help prevent security breaches, and how Oxford Economics limits the impact if a breach were to occur.
References
This document references several sources to align with security best practice. These include but are not limited to:
- National Cyber Security Centre (NCSC)
- Center for Internet Security (CIS)
Confidential Data
Oxford Economics defines “confidential data” as:
- Unreleased and classified financial information.
- Customer, supplier, and shareholder information.
- Customer leads and sales-related data.
- Patents, business processes, and/or new technologies.
- Employees’ passwords, assignments, and personal information.
- Company contracts and legal records.
- Customer data classified as “Private” or “Confidential.”
Information Security
Oxford Economics has sub-processor agreements between all entities to ensure that data is consistently handled to the same level of confidentiality and security. The role of Data Protection Officer is assigned to the Chief Information Officer of the Oxford Economics Group.
Oxford Economics apply the principle of least privilege and the CIA triad (confidentiality, integrity, availability). Access to project data is therefore restricted, by technical means, to staff actively working on that project. Permissions are further restricted to read/write or read-only based on the staff member’s responsibilities. To obtain access, staff submit a request to the IT helpdesk that includes authorisation from the folder “owner”. Changes are logged by the server for future reference, and the ticket is updated to record all actions taken.
Conditional access policies and Data Loss Prevention (DLP) systems are in place to monitor for suspicious behaviour and prevent malicious activity. Depending on the risk/impact “score” of a sign-in or action, the system either requires the user to provide an additional verification method or blocks the request. In both cases the IT team are notified.
The IT Support team use dedicated administrator accounts, separate from their “standard” accounts, to perform higher-privilege tasks. These accounts have no means of communicating or distributing information and are used solely to administer core systems.
More information on Microsoft’s security and compliance can be found here.
Accreditations
The organisation is certified to Cyber Essentials Plus and ISO 27001.
Card payments are taken through a Barclaycard payment gateway, which is PCI DSS compliant.
Data Classification
Classifications
Each classification is listed with its description, examples and the measures applied to it.
Public
- Description: Safe to distribute publicly. This information would not be harmful if it were available to a competitor.
- Example: Approved business development material, webinar recordings and publications.
- Measures: Emails are tracked and audited through Data Loss Prevention systems.
Confidential
- Description: Sensitive business data that could cause damage to the business if shared with unauthorised people.
- Example: Contracts, security reports, forecast summaries, and sales account data.
- Measures: Content is watermarked, permissions are assigned to named individuals on emails and documents, and forwarding is prevented using Azure Information Protection policies.
Projects
- Description: Sensitive project data that could cause damage to the business if shared with unauthorised people.
- Example: Client-supplied data, and reports and data produced by Oxford Economics.
- Measures: Content is watermarked and encrypted, with access restricted to members of the project group (controlled by the IT Support team) using Azure Information Protection policies.
Highly Confidential
- Description: Very sensitive business data that would cause damage to the business if shared with unauthorised people.
- Example: Employee and customer information, passwords, source code, and private financial reports.
- Measures: Content is watermarked and encrypted, and only those specified by the owner can view it. Forwarding and extraction are not permitted, and staff must set an access expiry date using Azure Information Protection policies.
Measures
Our organisation use Microsoft Azure Information Protection (AIP) policies to ensure that data is visible only to its intended recipients. In addition to the measures outlined in the sections below, project and confidential data are assigned a higher sensitivity label, set up by the IT Support team.
When a project commences, the Project Owner creates a support ticket with the following information:
- Project Codename
- Project Owner and, if applicable, authorised delegate
- Project Members – Read-only access
- Project Members – Read/Write access
The IT Support team create an individual label per project, visible only to that project’s members. The IT Support team rigorously test access before authorising use in production. Changes to the group membership must be approved by the Project Owner before being applied by the IT team.
Data is uploaded to a secure repository and only visible to project members.
In the unlikely event of unauthorised access, the recipient would not be able to view the content. Instead, the following error is presented and the IT Support team notified:
“You are not signed in to Office with an account that has permission to open this workbook [or document].”
Staff must provide a justification if they attempt to downgrade the sensitivity label of data. The justification is recorded and available in the Microsoft 365 audit logs.
Device Security
Company Use
All assets are joined to the corporate domain, allowing management through Group Policy for software deployment and access restrictions while connected to the corporate network. Devices are also enrolled in Microsoft Intune for continued management outside the corporate network; Intune allows authorised staff to remotely lock, wipe and rebuild assets.
Devices run the latest version of Windows 10 and are set to update automatically as part of Microsoft’s monthly release schedule. All third-party applications are also set to update automatically, so that vulnerabilities are patched as quickly as possible.
Oxford Economics use Bitdefender antivirus and anti-malware software on each client. The software uses a signature database to detect and block known malware from executing, and also performs signatureless, behaviour-based monitoring using machine learning, so that new and unknown threats can be blocked on behaviour alone.
Bitdefender scans files whenever they are opened, saved, copied or renamed. It also runs a daily “quick scan” and a weekly “full scan”.
All users are assigned individual accounts. Passwords must meet complexity requirements and be changed every 45 days.
Personal Use
Oxford Economics permits the use of personal devices for email only. Such devices are enrolled in the corporate Microsoft Intune tenant, where a standard policy is applied. The policy enforces PIN authentication and Oxford Economics’ right to remove corporate data from the device remotely.
Cloud Security
Oxford Economics use Microsoft 365 as our primary Identity and Access Management platform. We synchronise our on-premises Active Directory with Azure Active Directory using Microsoft’s Azure AD Connect utility, so that the same accounts and policies apply on-premises and in the cloud.
All accounts (except service accounts) must enrol in Multi-Factor Authentication to minimise the risk of a breach if a password is leaked. Using Azure AD Premium, we monitor account activity for suspicious behaviour. Behaviour deemed “high” risk locks the user’s account, and the user must contact the IT Support helpdesk to regain access.
Conditional access policies control users’ access rights depending on the device they are using, their location, and the associated risk.
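The way the risk-based decisions described above combine can be shown with a small model. The following is an added example written for this page; it is not Oxford Economics’ configuration or Microsoft’s engine. The policy names, the four-level risk scale, the country list and the weighting rules are assumptions chosen for illustration. Two behaviours it models do hold in Azure AD conditional access: a block from any matching policy wins, and every other matching policy’s grant controls must all be satisfied.

```python
from dataclasses import dataclass

# Assumed ordering of sign-in risk levels, lowest to highest.
RISK_LEVELS = ("none", "low", "medium", "high")


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset        # group memberships of the account
    country: str             # country code of the sign-in location
    device_compliant: bool   # device passes the Intune compliance policy
    sign_in_risk: str        # one of RISK_LEVELS


@dataclass(frozen=True)
class Policy:
    """One conditional access policy: who it applies to and what it demands."""
    name: str
    groups: frozenset = frozenset()             # empty = applies to all users
    min_risk: str = "none"                      # applies at this risk level or above
    outside_countries: frozenset = frozenset()  # applies only when NOT signing in from these
    grant: frozenset = frozenset()              # required controls: "mfa", "compliant_device"
    block: bool = False                         # deny access outright

    def applies(self, s: SignIn) -> bool:
        if self.groups and not (self.groups & s.groups):
            return False
        if RISK_LEVELS.index(s.sign_in_risk) < RISK_LEVELS.index(self.min_risk):
            return False
        if self.outside_countries and s.country in self.outside_countries:
            return False
        return True


def evaluate(policies, s: SignIn) -> dict:
    """Combine every matching policy: a block from any policy wins; otherwise
    every required control of every matching policy must be satisfied, and a
    control that cannot be satisfied (non-compliant device) also blocks."""
    matched = [p for p in policies if p.applies(s)]
    blockers = [p.name for p in matched if p.block]
    if blockers:
        return {"decision": "block", "policies": blockers, "notify_it": True}
    required = set().union(*(p.grant for p in matched))
    if "compliant_device" in required and not s.device_compliant:
        names = [p.name for p in matched if "compliant_device" in p.grant]
        return {"decision": "block", "policies": names, "notify_it": True}
    if "mfa" in required:
        names = [p.name for p in matched if "mfa" in p.grant]
        return {"decision": "require_mfa", "policies": names, "notify_it": True}
    return {"decision": "allow", "policies": [p.name for p in matched], "notify_it": False}


# Illustrative policy set (constructed; not the organisation's actual policies).
POLICIES = [
    Policy("Require MFA at medium sign-in risk or above",
           min_risk="medium", grant=frozenset({"mfa"})),
    Policy("Require MFA outside the UK",
           outside_countries=frozenset({"GB"}), grant=frozenset({"mfa"})),
    Policy("Require compliant device for Finance",
           groups=frozenset({"finance"}), grant=frozenset({"compliant_device"})),
    Policy("Block high-risk sign-ins",
           min_risk="high", block=True),
]


def cases() -> dict:
    """Constructed sign-in contexts used for the demonstration."""
    return {
        "office, low risk": SignIn("alice", frozenset({"staff"}), "GB", True, "low"),
        "office, medium risk": SignIn("alice", frozenset({"staff"}), "GB", True, "medium"),
        "abroad, unmanaged laptop": SignIn("bob", frozenset({"staff"}), "FR", False, "none"),
        "finance abroad, unmanaged": SignIn("carol", frozenset({"staff", "finance"}), "FR", False, "low"),
        "office, high risk": SignIn("alice", frozenset({"staff"}), "GB", True, "high"),
    }


def demo() -> dict:
    """Decision reached for each constructed case."""
    return {label: evaluate(POLICIES, s)["decision"] for label, s in cases().items()}


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:28s} -> {decision}")
```

Note the "finance abroad, unmanaged" case: the user is not high risk, but because one matching policy demands a compliant device and another demands MFA, and the device control cannot be met, the outcome is a block rather than an MFA prompt. That is the behaviour a practitioner should expect when stacking policies.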
Email Security
Our Microsoft 365 Exchange Online service is configured to use opportunistic TLS, which encrypts mail in transit when the receiving server supports it but falls back to unencrypted delivery when it does not. On request to the IT helpdesk, we can work with a client’s IT department to configure enforced TLS for their domain, so that mail to them is never sent unencrypted.
In addition to the security features provided by Microsoft 365’s Exchange Online service, Oxford Economics use the Mimecast email security service. Mimecast inspects inbound mail and blocks malicious messages based on the following criteria:
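The practical difference between opportunistic and enforced TLS is what happens when the receiving server does not (or appears not to) offer STARTTLS. The following added example, written for this page and not part of Oxford Economics’ or Microsoft’s configuration, simulates that negotiation offline; the EHLO reply and the hostname are constructed, and the function names are assumptions.

```python
import re

# Constructed EHLO reply from a receiving mail server (not a real host).
EHLO_WITH_STARTTLS = [
    "250-mail.client.example Hello",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250-ENHANCEDSTATUSCODES",
    "250 SMTPUTF8",
]

STARTTLS_LINE = re.compile(r"250[- ]STARTTLS\s*$", re.IGNORECASE)


def offers_starttls(ehlo_lines) -> bool:
    """True if the server advertised the STARTTLS extension in its EHLO reply."""
    return any(STARTTLS_LINE.fullmatch(line.strip()) for line in ehlo_lines)


def strip_starttls(ehlo_lines):
    """What an on-path attacker does to downgrade a session: remove the
    STARTTLS advertisement so the client believes encryption is unavailable."""
    return [line for line in ehlo_lines if not STARTTLS_LINE.fullmatch(line.strip())]


def deliver(ehlo_lines, mode: str, cert_valid: bool = True) -> str:
    """Decide how a message would be sent (simulation, no network I/O).

    mode "opportunistic": encrypt when the server offers TLS, otherwise fall
    back to cleartext; the certificate is not checked.
    mode "enforced": require TLS with a valid certificate, otherwise defer
    delivery (the message stays queued and is never sent in cleartext).
    Returns one of "tls", "tls-unverified", "cleartext", "deferred".
    """
    if mode not in ("opportunistic", "enforced"):
        raise ValueError(f"unknown mode {mode!r}")
    if not offers_starttls(ehlo_lines):
        return "cleartext" if mode == "opportunistic" else "deferred"
    if cert_valid:
        return "tls"
    return "tls-unverified" if mode == "opportunistic" else "deferred"


def outcomes() -> dict:
    """Transport used for each combination of server reply and policy mode."""
    downgraded = strip_starttls(EHLO_WITH_STARTTLS)
    return {
        ("starttls offered", "opportunistic"): deliver(EHLO_WITH_STARTTLS, "opportunistic"),
        ("starttls stripped", "opportunistic"): deliver(downgraded, "opportunistic"),
        ("starttls offered", "enforced"): deliver(EHLO_WITH_STARTTLS, "enforced"),
        ("starttls stripped", "enforced"): deliver(downgraded, "enforced"),
        ("bad certificate", "opportunistic"): deliver(EHLO_WITH_STARTTLS, "opportunistic", cert_valid=False),
        ("bad certificate", "enforced"): deliver(EHLO_WITH_STARTTLS, "enforced", cert_valid=False),
    }


if __name__ == "__main__":
    for (server, mode), transport in outcomes().items():
        print(f"{server:18s} {mode:14s} -> {transport}")
```

The "starttls stripped, opportunistic" row is the case to remember: an attacker on the path only has to remove one line from the EHLO reply and the message leaves in cleartext. In Exchange Online, enforced TLS for a specific client domain is configured with a partner outbound connector (`New-OutboundConnector` with `-RequireTls $true` and `-TlsSettings CertificateValidation`), which is the "enforced" mode modelled here.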
- IP and Domain reputation
- Keyword search
- Attachment content and extension type
- URL reputation
- Sender’s location
Mimecast continues to protect end users after delivery by rewriting URLs so that they are re-checked when clicked, and by detonating attachments in its sandbox environment. Furthermore, as we have Mimecast’s S2 subscription, the system automatically removes an email from end users’ mailboxes if it is later found to be malicious. This task can also be performed manually by an authorised IT Support representative.
The organisation has Mimecast’s highest support tier, giving a one-hour response time for incidents and six working hours for service requests.
Teams Security
Our chosen business communication platform is Microsoft Teams, as part of the Microsoft 365 family of products. Teams provides our staff with workspace chat and videoconferencing, file storage, and application integration.
Meeting options allow the organiser to decide who from outside the organisation can join a meeting directly and who must wait in the lobby to be admitted. PSTN callers always join via the lobby. Meeting organisers can also remove participants during the meeting.
All recordings of meetings are accompanied by a notice that a recording is taking place. The notice also links to the privacy notice for online participants, and the meeting organiser controls which attendees have permission to record.
Channel owners can moderate a channel conversation and control who is and isn’t allowed to share content in channel conversations. This helps ensure only appropriate content is viewed by others.
Multi-Factor Authentication requires users to provide additional forms of verification to prove their identity, helping protect their accounts from attacks that take advantage of weak or stolen passwords.
We use Microsoft Endpoint Manager to manage devices and apps and to enforce conditional access on any device. External access controls provide an authenticated connection to another organisation, enabling collaboration between organisations.
We have also deployed the data loss prevention (DLP) extensions that cover Microsoft Teams chat and channel messages, including private channel messages. This means we can define policies that prevent people from sharing sensitive information in a Teams channel or chat. Examples of how this protection works:
- Protecting sensitive information in messages. Attempts to share sensitive information in a Teams chat or channel with guests (external users) are automatically deleted within seconds.
- Protecting sensitive information in documents. For documents containing sensitive information, DLP policy can ensure the document will not open for unauthorised users.
Other key policies:
- Advanced Threat Protection - Protects users from malicious software hidden in files, including files stored in OneDrive or SharePoint.
- Information barriers - Controls communication between users and groups in Teams to protect business information in cases of conflict of interest or policy.
- Retention policies - Manages content in the organisation by deleting or preserving information to meet organisational policies, industry regulations, and legal requirements.
- Data residency - Data in Teams resides in Microsoft’s network of datacentres, helping to meet compliance requirements.
- Settings and policies - Org-wide settings meet organisational requirements, and policies for teams, messaging, meetings, calling and more tailor the experience to users.
- Recording access - Access to a recording is limited to people on the call, or those invited to the meeting, unless the meeting organiser authorises others to access it. Recordings are uploaded to Microsoft OneDrive and may be shared and downloaded according to permissions enabled by account administrators.
- Communication compliance - Enables the organisation to foster a culture of inclusion and safety by identifying and preventing negative behaviours such as bullying and harassment.
- Conditional access - Sets risk-based access policies specific to user context, device health, location, and more.
- Secure guest access - Allows users to collaborate with individuals outside the organisation while still controlling their access to organisational data.
- Encryption - Teams encrypts data in transit and at rest; chat, files and signalling travel over TLS, and audio, video and desktop sharing use the Secure Real-time Transport Protocol (SRTP).
- Sensitivity labels - Regulate who can access a team by controlling its privacy and guest settings.
- Cloud App Security - Identifies and mitigates suspicious or malicious activity, including the large-scale deletion of teams or the addition of unauthorised users.
- eDiscovery, legal hold, audit log, and content search - Identify, hold and manage information that may be relevant in legal cases.
- Safeguarding privacy - Customer data can be accessed by the customer at any time, for any reason. It is never used for advertising and is deleted after the termination or expiry of the subscription.
- Data management reports - Reports from Microsoft’s Transparency Hub detail how Microsoft has responded to requests for data.
Customer Relationship Manager
Oxford Economics use a cloud-hosted Salesforce environment to store client information. Only authorised staff members are allocated the licence required to access the system.
Staff must authenticate through the Microsoft Azure single sign-on connector, so that all security measures and access control mechanisms (Multi-Factor Authentication, conditional access and password policies) apply when the user signs in.
Following the principle of least privilege, access rights are restricted based on the user’s role within the organisation.
More information on Salesforce’s security and compliance can be found here.
Network Security
Oxford Economics use Cisco Meraki enterprise devices to provide network and internet connectivity to staff in the office. The Cisco Meraki product line offers centralised management of devices through a cloud portal. Cisco’s datacentres are ISO 27001 and SSAE 18 Type II accredited, with a 99.99% availability SLA.
All dashboard management and device logs are stored within Cisco’s cloud environment.
Boundary Devices
The Cisco Meraki firewalls provide identity-based policies, intrusion detection/prevention, content filtering, malware protection and application control. Devices are configured with a security-first bias wherever possible.
Only authorised personnel have access to the Meraki Dashboard, with read/write and read-only roles assigned to limit accidental or malicious changes. Multi-Factor Authentication is required to verify the user’s identity.
Corporate LAN
The corporate LAN is configured to be security-focused. Devices are logically separated depending on their role within the environment. Access-control lists are in place to prevent unauthorised activity.
Access to the corporate wireless network is controlled through RADIUS. Devices must be domain-joined and have the wireless configuration distributed by Group Policy.
The guest wireless does not have access to any corporate resources. However, connected devices are protected by the same boundary security measures.
Virtual Private Networks - VPN
Staff can access the corporate network using an SSL VPN client that is distributed by Group Policy. They must authenticate with their domain credentials, and access is controlled through RADIUS.
The VPN profile forces devices into “full-tunnel” mode, the most secure routing option. In full-tunnel mode all traffic, including internet-bound traffic, is encapsulated in the encrypted tunnel to the corporate gateway and subject to the corporate boundary controls, so a device on an untrusted network such as public Wi-Fi does not expose its traffic locally and cannot be used as a bridge into the corporate network.
Penetration Testing
Oxford Economics use AppCheck, an automated vulnerability scanning and penetration testing tool. The environment is scanned monthly to find new vulnerabilities, and a more in-depth penetration test is performed every six months.
The IT Support team create a remediation plan that documents each vulnerability found, its priority and impact, the steps required to resolve it and a deadline. Vulnerabilities are prioritised by their risk and impact on the organisation.
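A remediation plan of the kind described above can be generated mechanically from scanner output. The following added example was written for this page; it is not AppCheck’s export format nor Oxford Economics’ own plan or SLAs. The findings, hosts, priority weights and the deadline table are constructed for illustration, and the priority combines likelihood (CVSS severity, internet exposure, exploit availability) with impact (sensitivity of the data on the affected asset).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation deadlines in days per priority (illustrative; not the
# organisation's actual SLAs).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


@dataclass(frozen=True)
class Finding:
    id: str
    asset: str
    title: str
    cvss: float              # CVSS base score, 0.0 to 10.0
    internet_facing: bool    # asset reachable from the internet
    exploit_available: bool  # public exploit or active exploitation known
    data_sensitivity: str    # "public", "confidential" or "highly_confidential"
    fix: str                 # steps required to resolve


def severity(cvss: float) -> str:
    """Qualitative CVSS v3 rating bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def priority(f: Finding) -> str:
    """Priority from risk (severity, exposure, exploitability) and impact
    (sensitivity of the data the asset holds). The weights are assumptions."""
    score = {"critical": 4, "high": 3, "medium": 2, "low": 1}[severity(f.cvss)]
    score += 1 if f.internet_facing else 0
    score += 1 if f.exploit_available else 0
    score += {"highly_confidential": 1, "confidential": 0, "public": -1}[f.data_sensitivity]
    if score >= 5:
        return "P1"
    if score == 4:
        return "P2"
    if score == 3:
        return "P3"
    return "P4"


def remediation_plan(findings, scan_date: date) -> list:
    """One row per finding with priority, impact, fix and deadline, most urgent first."""
    rows = []
    for f in findings:
        p = priority(f)
        rows.append({
            "id": f.id, "asset": f.asset, "title": f.title,
            "severity": severity(f.cvss), "priority": p,
            "impact": f.data_sensitivity, "fix": f.fix,
            "deadline": scan_date + timedelta(days=SLA_DAYS[p]),
        })
    rows.sort(key=lambda r: (r["priority"], r["deadline"], r["id"]))
    return rows


# Constructed scanner output (not real findings or hosts).
FINDINGS = [
    Finding("F-1", "web01", "SQL injection in search parameter", 9.8, True, True,
            "confidential", "Parameterise the query; deploy application hotfix"),
    Finding("F-2", "fs01", "SMB signing not required", 5.3, False, False,
            "highly_confidential", "Enable 'Require SMB signing' via Group Policy"),
    Finding("F-3", "www-marketing", "Outdated jQuery with known XSS", 6.1, True, True,
            "public", "Upgrade jQuery to a supported release"),
    Finding("F-4", "vpn01", "Weak TLS cipher suites offered", 3.7, True, False,
            "confidential", "Restrict cipher suites to TLS 1.2+ AEAD suites"),
    Finding("F-5", "hr-app", "Unpatched RCE in application server", 8.8, False, True,
            "highly_confidential", "Apply vendor patch; restart service"),
]


def demo_plan() -> list:
    """Plan for the constructed findings from a scan dated 15 January 2024."""
    return remediation_plan(FINDINGS, date(2024, 1, 15))


if __name__ == "__main__":
    for row in demo_plan():
        print(f"{row['priority']} {row['deadline']} {row['id']:4s} {row['asset']:14s} {row['title']}")
```

Two results worth noticing: the internal HR application (F-5) lands in P1 alongside the internet-facing SQL injection because it holds highly confidential data and has a known exploit, and the public marketing site's XSS (F-3) drops to P3 despite being exposed and exploitable because nothing sensitive sits behind it. Risk and impact together, not the CVSS score alone, set the deadline.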
Summary – 5 Steps To Preserve Client Confidentiality
Use common sense
- Do not be tempted to discuss confidential client topics with unauthorised colleagues, or even your closest friend, spouse or family members.
- Never talk to clients on the phone when someone else is listening or can overhear the conversation.
- Do not share any work-related news on your social media accounts, no matter how proud you are of the project.
Document Security
- Keep paper copies of clients’ files in a locked cabinet and use a shredder when disposing of them. Never leave documents where others can get at them.
- Documents are far more likely to be lost while travelling; be extra vigilant when checking in luggage and consider alternative secure carriers.
Data security
- Transmit important documents only over the encrypted channels described in this policy document.
- Store client data on our secured cloud storage whenever possible. If the only option is to store files on a local device, keep the password secret and do not write it down.
Proper Organisation
- Label folders containing confidential information, both physical and online, as a reminder that the files inside need particular care.
- Encrypt client folders with a password, so that an attacker who compromises your computer still cannot read the files without it.
Integrity
- Prioritise clients’ interests when faced with moral decisions where the confidentiality of a client’s work is at stake.
- Carefully review and follow the advice and guidance in this policy, ask line managers how they protect their clients’ information, and adopt any strategies that help protect you and your clients from confidentiality breaches.