Doherty Associates and client data flows
To provide support to #CLIENT-NAME# staff, Doherty Associates require their personal details to be recorded within our PSA tool, ConnectWise Manage. This data includes the following personal details:
- Full Name
- Job Title
- Direct, office, home and mobile telephone numbers
- Email Address
- Office Address
- Manager Full Name
Access to this data within ConnectWise Manage is via an HTTPS/SSL encrypted communications channel. Access to ConnectWise Manage by Doherty Associates staff is strictly controlled via role-based access controls, with a unique login for each member of Doherty Associates staff. Multi-Factor Authentication is enabled for all staff logging in to ConnectWise Manage, via a TOTP software token on a mobile phone. Full auditing is enabled within this system.
A secured API is used to copy a subset of this contact data into IT Glue, Doherty Associates' documentation management system. This data includes:
- Job Title
- Email Address
IT Glue is secured to the same standard as ConnectWise Manage. Access to IT Glue is via an HTTPS/SSL encrypted communications channel, and data is encrypted at rest on the server. Access is strictly controlled via role-based access controls, with a unique login for each member of Doherty Associates staff. Multi-Factor Authentication is enabled for all staff logging in to IT Glue, via a TOTP software token on a mobile phone. Full auditing is enabled within this system. All technical staff are subject to DBS checks. We operate a policy of "least privilege", meaning these systems are only available to staff who require access to them to perform their work.
Our Remote Management and Monitoring (RMM) tool, N-Central, will be used to remotely monitor and administer #CLIENT-NAME# servers, workstations and network devices. Data relating to #CLIENT-NAME# systems in transit from N-Central is protected inside an HTTPS/SSL encrypted communications channel.
Access is strictly controlled via role-based access controls, with a unique login for each member of Doherty Associates staff. Multi-Factor Authentication is enabled for all staff logging in to N-Central, via a TOTP software token on a mobile phone. Again, full auditing is enabled within this system.
Access to Doherty Associates systems containing #CLIENT-NAME# data will be from Doherty Associates staff only, in our London and Kuala Lumpur offices. Although our staff in Kuala Lumpur will have access to process #CLIENT-NAME# data, it will never be copied outside of the Doherty Associates network.
During support sessions, Doherty Associates staff may see data belonging to #CLIENT-NAME#, such as during remote support sessions where screen sharing is enabled, or whilst administering backend services such as the Office 365 Admin Centre. Under no circumstances will this data be captured or saved to Doherty Associates systems. All Doherty Associates employee contracts outline the non-disclosure commitment regarding client data Doherty Associates staff may encounter.
Doherty Associates Security Controls
Risk is managed internally via a risk register that is reviewed monthly by the Senior Management Team. New risks are identified and reviewed during these meetings and the risk register is updated accordingly.
Doherty Associates maintain security controls, policies and procedures to ensure that customer data is always protected. These include:
- IT Security policy, including access control and remote access policy
- Documented and regular review of the risk register
- Role based access controls to systems containing #CLIENT-NAME# data
- Full auditing of systems containing #CLIENT-NAME# data
- Centralised logging of systems and network traffic into a SIEM tool, monitored 24/7 by the SOC team
- Strong technical access controls to systems containing #CLIENT-NAME# data
- Strong data encryption at rest and in transit for systems containing #CLIENT-NAME# data
- Strong physical access controls to systems containing #CLIENT-NAME# data
- Security controls for all Doherty Associates systems including centralised patch management, breach detection agents, Endpoint Detection and Response (EDR), centrally managed anti-virus, hardened configurations, encrypted hard disks, next generation firewalls, strong password requirements and multifactor authentication.
- Doherty Associates systems regularly audited against known security baselines, and security configurations reviewed to ensure they are in line with industry best practice. These include Cyber Essentials auditing, ISO 27001 auditing, and internal security auditing scripts. Regular vulnerability scanning of systems is carried out along with periodic penetration testing. Breach detection software is in place to identify anything that bypasses all other controls.
More information on these controls can be found within our ISO 27001 Statement of Applicability available on request.