Frequently Asked Questions
Security
Security is job zero at Wealth Wizards. We recognise that we are only as strong as our weakest link, and everyone buys in to the philosophy that security is the critical, shared responsibility.
We are a regulated business, comply with all relevant data protection standards, and employ cutting edge cybersecurity to keep our customers safe.
Security Frameworks
Q: What security frameworks do you have in place?
We have a company-wide, ISO 27001/27018 certified Management System built out from Atlassian products.
We are independently BS ISO/IEC 27001:2022 and ISO/IEC 27018:2019 Certified by the British Standards Institute. We are aligned with ISO/IEC 27701:2019 and ISO/IEC 42001:2023.
We are compliant with the EU Data Protection Directive. To learn more, please read our Data Protection Policy.
- BS ISO/IEC 27001:2022 Certificate of Registration
- ISO/IEC 27018:2019 Certificate of Registration
- Information Security Statement of Applicability
- Data Protection Policy
Risk Management
Q: What risk management approach do you have in place?
We have a unified approach to risk management. Based on internationally recognised best practice (specifically ISO27001, IS1 and CISSP), it has been designed to be engaging and understandable across our organisation.
The approach covers the assessment and treatment of risk against our agreed risk appetite, and includes consideration of the confidentiality, integrity and availability aspects of each risk.
Our impact and probability assessment scales are consistent to allow us to compare risks across all domains. Our treatment methods are tailored according to best practice in each area.
Q: How often do you identify and assess risks?
Risk assessments are triggered:
- When any new software system is implemented
- When there is a significant change to our risk appetite
- When there is a significant change to our security requirements
- When we take on a new supplier
- At a frequency appropriate to the area of risk (at least annually)
- Ad hoc when raised as a concern via our incident management system
- On a specific event such as a near miss incident
- As required by best practice relating to data protection and privacy requirements
Q: In what areas of your business are risks assessed?
Risk assessments cover all aspects of our business including:
- Our physical assets and security
- Our people
- Our processes (in particular those relating to data security and handling)
- Our suppliers
- Our systems
- Our platform
Organisational Controls
Q: What Information Security Policies and Procedures are in place?
We have a complete set of security policies which are independently certified to comply with ISO 27001 and ISO 27018 by the British Standards Institute.
These include:
- Artificial Intelligence Usage Policy
- Business Continuity Management
- Continuous Improvement
- Data Encryption Policy
- Data Handling Policy
- Data Protection - Data Retention Policy
- Data Protection - Impact Assessments (DPIA)
- Data Protection - Legitimate Interest Assessment (LIA)
- Data Protection - Subject Access Request Process
- Data Protection Policy
- Data Retention Schedules
- Information Security Consolidated Communication Plan
- Information Security Incident Handling Procedure
- Information Security Policy
- Information Security Roles & Responsibilities
- Internal Audit Process
- Personal Data Breach Notification
- Privacy Policy
- Risk Management Policy
- Security in the Software Delivery Life Cycle
- Third Party Purchase Procedure
All policies and procedures are reviewed on a rolling basis at a frequency appropriate to their sensitivity and risk profile (but at least annually). The conduct of this rolling review programme is managed, monitored and audited via our management system.
Supplier Relationships
Q: How do you manage security with your suppliers?
In order to protect the data we hold, we employ a number of controls to manage our interaction with suppliers:
- We have a supplier risk assessment tool (Dora) which covers the supplier's financial and security obligations.
- Our contractual terms cover all aspects of Data Protection compliance, including notification requirements.
- We regularly review supplier service delivery in line with the agreements we have in place.
Q: Who are your key suppliers?
Our key suppliers are large, world class organisations at the forefront of each of their fields of expertise (notably Amazon Web Services, who host all our application infrastructure). This presents some challenges during contract negotiation, in particular when flowing down (backing off) to suppliers the requirements our customers place on us as an organisation.
Our policy on this is:
- Where a regulatory or legislative obligation exists (e.g. audit under the GDPR) this must be included in the contractual arrangements between us and the supplier.
- Where no such obligation exists, we will negotiate our contract with our customer and notify them of any differences between those arrangements and those with our key suppliers.
Incident & Business Continuity Management
Q: How do you manage security incidents?
We have controls in place which ensure a consistent and effective approach to the management of security incidents:
- We have a dedicated Service Desk which allows customers and our own people to raise incidents quickly and easily
- We have established an open culture which encourages the raising of incidents
- We have dedicated roles and responsibilities which cover all aspects of incident management:
  - Identification
  - Triage
  - Containment
  - Resolution
  - Communication
We hold retrospectives on all priority 1 and 2 incidents so that trends can be identified and improvements put in place (priority 3 and 4 incidents are also reviewed at a high level for trend purposes). We track key metrics for incident levels and monitor them at each appropriate board.
Q: How is security managed as part of your Business Continuity Plan?
Information security is an integral part of our Business Continuity Plan (BCP):
- We maintain a central BCP, with processes for the containment and communication of any continuity event.
- By storing all aspects of the configuration of our systems in code, we are able to rapidly rebuild and redeploy them to other geographical locations in the event of a disaster.
- We train all our people in safe remote working.
- Our use of an Infrastructure as a Service model means we maintain very little of our own infrastructure. We are, therefore, largely unaffected by non-availability of any of our office locations.
Compliance
Q: How do you ensure you comply with all relevant legislation?
We are a regulated business, and maintain a range of controls to ensure we comply with legal, statutory, regulatory and contractual obligations:
- We conform to all the requirements placed upon us by the FCA, Information Commissioner and our certification auditors.
- We maintain registers for all compliance related events in our management system.
- We maintain a register of relevant legislation and its impact on how we organise security.
- We run an internal audit programme which verifies our adherence to our obligations.
- We have an exception process to respond to non-conformances.
- We employ third party experts to validate our technical approach, and to ensure we are up to date with expert community best practice.
People Controls
Q: What background checks do you conduct on your teams?
We undertake the following checks on all our people:
- Verification of name and address
- Verification of identity
- Verification of the previous two years' employment history
- Disclosure and Barring Service (DBS) check
All our people are required to sign a restrictive deed of covenant as part of their contract of employment. This sets out their responsibilities for handling confidential information. In addition, anyone who handles client data is required to sign an additional Non Disclosure Agreement.
We also perform the background checks required by the Financial Conduct Authority (FCA) for our Financial Advisers.
Q: What security awareness training do you provide to your teams?
Security responsibilities are included in all job descriptions, and people receive security awareness training (and undertake qualifications) appropriate to their role. Individual awareness, training and qualifications are reviewed as part of our learning and development framework.
Security is job zero for all Wealth Wizards’ employees. All role descriptions make this clear, and we provide a continuous programme of security training in bite sized pieces throughout the year to keep our people’s knowledge fresh.
Security is incorporated into the employee and contractor onboarding and exit via our Joiners, Movers and Leavers (JaML) process. We conduct internal phishing campaigns each month, and assess security awareness across the organisation formally on an annual basis.
Q: Who is ultimately responsible for security at Wealth Wizards?
Executive accountability lies with the CTO, with the Head of Data Engineering and CISO responsible for the design, implementation and monitoring of our security training programme and Information Security Management System.
Physical Controls
Q: How do you ensure the physical security of your data centres?
We use third parties and our own controls to prevent unauthorised access to our locations:
- We use Amazon Web Services (AWS) to host our applications. Details of their approach to physical security are published by AWS.
- We operate a paper free environment, scanning and shredding all paper documents.
- Our office location is protected by key and fob access and appropriate alarm systems.
- Our office has an external CCTV system for added security.
- Additional physical devices (such as screen protectors) are used where necessary.
Technological Controls
Asset & Access Management
Q: How do you manage data on end user devices?
We maintain a complete, real-time inventory of all our company end user devices. Our workstations and laptops have anti-virus software included as part of the standard build we deploy across all devices:
- We don't store any data locally on laptops, and we do not allow the use of detachable, portable media (e.g. memory sticks).
- We encrypt all local disc storage (to protect cached information).
- We use Mobile Device Management to monitor laptop usage, and to remotely wipe/lock down devices.
- Only engineers, certain product owners and administrators have administrative rights to their machines.
- Internet access and network connectivity are routed through our network, with access to restricted services locked to our office locations.
Q: How do you ensure all data assets are appropriately protected?
We ensure that all data has an appropriate level of protection, and unauthorised access or deletion is prevented:
- All data we hold is classified and processed in accordance with our data handling policy.
- We have procedures in place to ensure that all data is deleted in accordance with the retention period applicable to its classification.
- We have procedures in place to ensure that any data transferred between us and our customers is secure.
- Data is encrypted at rest, and in transit across public internet, in accordance with industry best practice.
- Personally identifiable information (PII) is further encrypted at column level in data stores.
Q: What controls are in place to prevent IT operators viewing or updating sensitive data?
Access to our systems is limited to those who are authorised to do so:
- User responsibilities are documented, and users held accountable for safeguarding the data they have access to.
- We employ multi-factor authentication, and password complexity requirements in line with the National Cyber Security Centre guidelines.
- Access is managed by designated administrators of each given system, and processes are in place to manage access and removal from all systems.
- Customer and user requests are administered via our Service Desk.
- Access is segregated where required to ensure that it is controlled and appropriate to the system content.
- Processes are in place to ensure that access rights are removed in a timely fashion.
Q: Does the Wealth Wizards platform support standard federated identity protocols, such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation?
Yes, we support SAML 2.0 and OpenID for all user types.
Q: Is Single-Sign-On (SSO) available with the Wealth Wizards platform?
Yes, SSO is supported using AWS Cognito. This can federate sign-in using OIDC or SAML 2.0. The Wealth Wizards platform also supports native authentication, but SSO is preferred where possible to ensure alignment with our tenants' authentication standards.
Q: Does the Wealth Wizards platform use MFA for privileged user account authentication?
Yes, we support MFA for privileged user account authentication.
Encryption
Q: How do you ensure data is encrypted in transit and at rest?
We operate an encryption policy to protect confidentiality and integrity of information:
- PII data is encrypted at column level in data-stores.
- All data is encrypted at rest.
- Real time application data is transmitted over encrypted TLS connections.
We use unique encryption keys for each customer, and secrets management with rotation to protect API keys and other access-related information.
Q: How do you secure communications between your systems and those of your customers?
We employ a variety of processes and technologies to ensure that our communications are protected within our network, and in transit to/from our customers:
- We use WPA2 and Active Directory authentication to protect our wi-fi network.
- We use encrypted VPNs for all remote connections to our internal systems.
- We use a third party, managed Host Intrusion Detection System (HIDS).
- We employ a separate third party to conduct penetration testing on our Infrastructure and applications.
- We segment our networks by security value.
- We separate our proving and production environments (and never store user data in non-production environments).
We have procedures in place to ensure that any transfer of information to and from customers is protected by Transport Layer Security.
Operations Security
Q: Does the Wealth Wizards platform have DDoS protection?
Yes. We make use of our cloud provider’s DDoS service (AWS Shield), which provides always-on detection and automatic inline mitigations to defend against most common, frequently occurring network and transport layer DDoS attacks.
Q: How do you achieve segregation of client data?
We have multiple layers of segregation for each tenant to protect against accidental or malicious damage.
Network segregation:
- Per tenant logical separation of resources.
- Per tenant certificates and associated private keys to be used for network encryption.
- Per tenant logical networks and associated network policies to:
  - prevent traffic being visible between different tenants
  - prevent traffic originating from one tenant's services (or network) accessing services for a different tenant (or network)
Data at-rest segregation:
- Per tenant data stores.
- Per tenant unique encryption keys.
- Per tenant database credentials accessible only to the same tenant services.
- Per tenant persistent storage for backups using per tenant unique encryption keys.
Some B2B applications have a concept of a subtenant (multiple customers using the same application). Data is segregated using per-subtenant databases and credentials.
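The segregation invariants above (per-tenant data stores, per-tenant unique encryption keys, and per-tenant database credentials reachable only by that tenant's own services) can be audited mechanically over an inventory export. The following is an added example, not Wealth Wizards' code; the tenant, service, key and credential names are constructed, and the inventory shape is an assumption.

```python
"""Audit a constructed tenant inventory against the segregation invariants
described in the FAQ: one encryption key never protects two tenants' data,
and a tenant's database credential is readable only by that tenant's services.
Added example, not Wealth Wizards' code; all names below are constructed."""
from collections import defaultdict

SERVICES = {                      # service -> tenant that owns it (hypothetical)
    "svc-a-api": "tenant-a",
    "svc-a-worker": "tenant-a",
    "svc-b-api": "tenant-b",
}
DATA_STORES = {                   # data store -> (owning tenant, encryption key id)
    "db-tenant-a": ("tenant-a", "kms-key-0001"),
    "db-tenant-b": ("tenant-b", "kms-key-0002"),
    "backup-tenant-a": ("tenant-a", "kms-key-0001"),  # same tenant, same key: fine
}
CREDENTIAL_GRANTS = {             # credential -> (tenant it unlocks, services allowed)
    "cred-db-tenant-a": ("tenant-a", {"svc-a-api", "svc-a-worker"}),
    "cred-db-tenant-b": ("tenant-b", {"svc-b-api", "svc-a-worker"}),  # cross-tenant grant
}

def audit(services=SERVICES, stores=DATA_STORES, grants=CREDENTIAL_GRANTS):
    """Return a list of findings; an empty list means every invariant holds."""
    findings = []
    # Invariant 1: an encryption key protects data of at most one tenant.
    tenants_per_key = defaultdict(set)
    for _store, (tenant, key_id) in stores.items():
        tenants_per_key[key_id].add(tenant)
    for key_id, tenants in tenants_per_key.items():
        if len(tenants) > 1:
            findings.append(f"key {key_id} shared across tenants {sorted(tenants)}")
    # Invariant 2: a tenant's credential is readable only by that tenant's services.
    for cred, (tenant, allowed) in grants.items():
        for svc in sorted(allowed):
            owner = services.get(svc)
            if owner != tenant:
                findings.append(f"{cred} ({tenant}) readable by {svc} owned by {owner}")
    # Invariant 3: every tenant that holds data has a dedicated credential.
    tenants_with_store = {t for t, _ in stores.values()}
    tenants_with_cred = {t for t, _ in grants.values()}
    for tenant in sorted(tenants_with_store - tenants_with_cred):
        findings.append(f"{tenant} has a data store but no dedicated credential")
    return findings

if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```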
Q: How do you ensure all your systems are patched and up to date?
Our approach to patching is driven by three factors:
- The criticality of the system and the update required.
- The potential impact of the update on the system.
- Ease of back out in the event of a problem.
We ensure systems are up to date in a number of ways including:
- For server instances we ensure all instances are built from a standard image which is hardened and built on a weekly basis.
- Existing instances are updated using an instance terminator (meaning all images will be applied over a cycle of one month maximum).
- Container images are patched automatically using the latest available image when they restart.
We rely on AWS's patch regime for serverless services.
All deployments to live are managed in the same way with the new instance being built before traffic is switched over to it. There is no interruption to live service as a result.
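The patching cycle above (weekly hardened image, an instance terminator that recycles every instance within one month, and build-new-before-switch so service is never interrupted) can be expressed as a small scheduling policy. The following is an added example, not Wealth Wizards' code; the image ids, service groups and fleet are constructed, and the one-instance-per-group-per-run rule is an assumption about how capacity is preserved.

```python
"""Plan one run of an instance terminator of the kind described in the FAQ:
every instance must run the current weekly hardened image, none may live past
the one-month maximum, and because replacement is build-new-then-switch only
one instance per service group is recycled per run. Added example, not
Wealth Wizards' code; the fleet below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_AGE = timedelta(days=30)   # one-month maximum stated in the FAQ

@dataclass(frozen=True)
class Instance:
    instance_id: str
    group: str           # service group (hypothetical name)
    image_id: str        # hardened image the instance was built from
    launched: date

def is_due(inst, current_image, today):
    """Due for replacement if built from a stale image or at the maximum age."""
    return inst.image_id != current_image or today - inst.launched >= MAX_AGE

def plan_run(instances, current_image, today):
    """Return (to_replace, deferred): oldest due instance first, at most one per
    group per run; the rest wait for the next run so capacity is never reduced."""
    due = sorted((i for i in instances if is_due(i, current_image, today)),
                 key=lambda i: i.launched)
    to_replace, deferred, groups_touched = [], [], set()
    for inst in due:
        if inst.group in groups_touched:
            deferred.append(inst)
        else:
            groups_touched.add(inst.group)
            to_replace.append(inst)
    return to_replace, deferred

def overdue(instances, today):
    """Instances already past the one-month maximum: a control failure to alert
    on, since a healthy terminator cycle should never let this happen."""
    return [i for i in instances if today - i.launched > MAX_AGE]

# Constructed fleet for a single run on a fixed date.
TODAY = date(2024, 10, 1)
CURRENT_IMAGE = "ami-hardened-2024w40"   # hypothetical weekly image id
FLEET = [
    Instance("i-001", "api", "ami-hardened-2024w40", date(2024, 9, 28)),     # fresh
    Instance("i-002", "api", "ami-hardened-2024w38", date(2024, 9, 14)),     # stale image
    Instance("i-003", "api", "ami-hardened-2024w36", date(2024, 8, 31)),     # over 30 days
    Instance("i-004", "worker", "ami-hardened-2024w39", date(2024, 9, 21)),  # stale image
]

if __name__ == "__main__":
    replace, wait = plan_run(FLEET, CURRENT_IMAGE, TODAY)
    print("replace now:", [i.instance_id for i in replace])
    print("next run:   ", [i.instance_id for i in wait])
    print("overdue:    ", [i.instance_id for i in overdue(FLEET, TODAY)])
```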
System Development & Maintenance
Q: What industry standard secure software development lifecycle practices do you implement?
We have an established set of Engineering principles which are shared with, and understood by, all our Engineers from induction onwards; this includes designing components with the least-privilege principle in mind. These cover all aspects of our engineering practice, with particular security attention on:
- Encryption
- Dependencies
- API keys
- Images
- Logging
Teams are aware of and develop code using the OWASP best practices. Our pairing and peer review process helps developers to enforce good practice and to identify potential problems. We run a comprehensive annual security education programme based on an industry leading platform, and use SAST products (Static Application Security Testing) in our CI (Continuous Integration) pipelines for fast feedback to engineers.
Q: What security preventative controls do you have in place?
We front our applications with a Web Application Firewall (WAF) that inspects all traffic and blocks any requests to our services that come from countries known to be the source of hostile traffic, or that match rules checking for common attacks.
Our detection controls include:
- Network Intrusion Detection - all network traffic is collected and sent to our security provider for analysis. The security provider SOC (Security Operations Centre) will engage with us if any anomalies are identified.
- System log collection and provision to our security provider for analysis, with the same SOC engagement if any anomalies are identified.
- Secrets management system (vault) audit trails - a detailed log of all requests and responses which is centrally stored on the log collection system for further inspection if needed.
- Cloud provider threat detection service that continuously monitors for malicious activity and unauthorised behaviour (specifically AWS GuardDuty).
- Cloud provider service to assess, audit, and evaluate the configurations of resources against a desired state (AWS Config).
- Cloud provider audit trail of all user activity against cloud resources (AWS CloudTrail).
Updated 1 October 2024