People Security
Before anybody joins the company, Cronofy conducts background checks. The depth of these background checks varies depending on the position the individual is taking. Background checks include verifying education, previous employment and references, as well as a check with a credit reference agency.
The Cronofy Employee Code of Conduct outlines what is expected of everybody at Cronofy. All employees agree to a set of principles that they adhere to, and are asked to respectfully challenge each other when this may not be the case.
Employees agree to the Code of Conduct as part of their on-boarding, and are asked to re-read it every year, or whenever there’s a change to it.
All employees must complete security training as part of their orientation when joining Cronofy. Awareness training is rolled out continuously, either when updates are made to policies, or on an annual basis.
Security awareness training includes training on, but is not limited to, good security practices, such as password security and multifactor authentication, handling incidents and preserving evidence, and information security responsibilities.
All Software Engineers must also undergo additional training on threats, vulnerabilities and secure coding practices.
Cronofy maintains a robust suite of policies and processes which underpin the everyday operation of the business.
Cronofy’s Information Security Management System (ISMS) controls the day-to-day management of Information Security, including the writing and distribution of policies. Policies are available to review by any member of staff, at any time, within the ISMS. All policies are reviewed at least on an annual basis.
Access Control Policy
Access to operational applications, platforms and data is strictly limited according to an employee’s role. Cronofy operates a general rule of least privilege, meaning that employees only receive the access they need to perform their role, and nothing more.
Access Reviews
Cronofy conducts quarterly access reviews, ensuring that employees’ access to critical systems has not changed, and is still appropriate for their role. Where this isn’t the case, the event is recorded, investigated, and the access adjusted.
Employee Account Authorisation
All employees are trained to use 1Password to generate a random, unique password for each service, using a password as long as the service will support.
Cronofy employees will always use two-factor authentication when available. Where supported, Cronofy uses a service’s own security policies to ensure secure authentication methods are used (e.g. forcing the use of MFA).
Customer Account Authorisation
Passwords for Cronofy customer accounts must be at least 9 characters and not on a denylist of 10,000 common passwords.
Cronofy also offers support for multi-factor authentication and SSO, should Cronofy customers want to use it.
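The two customer-password rules above (a minimum of 9 characters and rejection of anything on a denylist of common passwords) are simple enough to express as a reusable check. The following is an added illustration, not Cronofy's own code: the five-entry denylist is a constructed stand-in for a real 10,000-entry list, and the case-insensitive comparison is an assumption of this example rather than something the page states.

```python
"""Customer password check mirroring the two rules on the page:
a minimum length and rejection of passwords on a common-password denylist.
Added example; not Cronofy's implementation."""

from dataclasses import dataclass
from typing import Iterable, Optional

# Minimum length stated on the page.
MIN_LENGTH = 9

# Constructed sample denylist. A real deployment would load the full list
# (the page cites 10,000 common passwords) from a file or package resource.
SAMPLE_DENYLIST = [
    "password",
    "123456789",
    "qwertyuiop",
    "letmein123",
    "iloveyou1",
]


@dataclass(frozen=True)
class PasswordCheck:
    """Outcome of a check: ok=True means the password satisfies both rules."""
    ok: bool
    reason: Optional[str]


def load_denylist(entries: Iterable[str]) -> frozenset:
    """Normalise denylist entries once (strip whitespace, lower-case) so that
    membership tests during sign-up or password change are O(1).
    Lower-casing is an assumption of this example; it makes 'Password' match
    the 'password' entry, which is the conservative choice for a denylist."""
    return frozenset(e.strip().lower() for e in entries if e.strip())


def check_password(candidate: str,
                   denylist: frozenset,
                   min_length: int = MIN_LENGTH) -> PasswordCheck:
    """Apply the length rule first, then the denylist rule.
    len() counts Unicode code points, so multi-byte characters count once."""
    if len(candidate) < min_length:
        return PasswordCheck(False, f"shorter than {min_length} characters")
    if candidate.lower() in denylist:
        return PasswordCheck(False, "appears on the common-password denylist")
    return PasswordCheck(True, None)


if __name__ == "__main__":
    denylist = load_denylist(SAMPLE_DENYLIST)
    for pw in ["short", "123456789", "Password", "correct horse battery"]:
        result = check_password(pw, denylist)
        print(f"{pw!r}: {'accepted' if result.ok else 'rejected (' + result.reason + ')'}")
```

The length rule is checked first so that a nine-character entry on the denylist is reported for the denylist reason, which is the more useful message to surface to a user. To use a real list, pass an open file object straight to `load_denylist`, since it accepts any iterable of strings.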
Incident Management Policy
Cronofy’s Incident Management Policy defines how Cronofy responds to events that threaten the security or privacy of confidential information, ensuring that incidents are properly identified, contained, investigated, and remedied.
The policy is supported by an Incident Response Playbook, which assigns roles, responsibilities and general guidelines on how to handle an incident. This ensures consistent handling, no matter who is managing the incident at the time.
The Information Security Responsibilities help all Cronofy employees understand their role within Cronofy in relation to Information Security.
Cronofy has a Business Continuity Plan which ensures that the organization can quickly recover from unexpected events while continuing to support customers and other stakeholders.
The Business Continuity Plan is tested by Cronofy on at least an annual basis, in line with the requirements outlined in ISO27001.
After each test of the Business Continuity Plan, improvements are documented, actioned and resolved in order to improve the plan.
Cronofy’s Disaster Recovery plan exists to prevent and minimize any period of loss of service for Cronofy customers. Cronofy’s recovery objectives vary depending on the circumstances.
For example, if AWS were to completely fail, our RTO (recovery time objective) would be six hours, and our RPO (recovery point objective) would be 24 hours.
This, however, is very much a worst-case scenario.
Cronofy closely manages IT systems and the data that they contain from purchase to disposal. All pertinent information concerning assets is recorded within an Asset Register.
All laptops have end-user compliance tooling installed, to ensure that assets are not misused.
To appropriately protect our constituents’ data, all equipment being disposed of must be handled per the Equipment Disposal Policy. This ensures that data is appropriately destroyed and that equipment is disposed of both securely and in an environmentally responsible manner.
The Vendor Management policy helps to ensure that Cronofy, and Cronofy’s customers, are protected and that the vendors used are assessed appropriately. All new vendors must complete a Vendor Risk Assessment before Cronofy will start using them.
All vendors are reviewed and risk-assessed annually, to ensure that they still meet the strict data protection requirements outlined by Cronofy.
The organization conducts Internal Audits on its employees, policies and controls to ensure the best level of service to its customers. If or when gaps are identified, training takes place to ensure those gaps are filled.
Security Team
Cronofy employs security and privacy professionals as part of our Engineering and Operations teams. This team is tasked with maintaining the company’s security posture, while developing security processes and staying aware of new vulnerabilities.
Our Privacy and Compliance program is led by our CTO, who is involved in ensuring Cronofy meets the expectations set out by our external accreditations, by government agencies, and by our customers.
Cronofy leverages Amazon’s AWS suite of services to deliver a robust, reliable and scalable infrastructure to ensure continuity of service.