Information Security, Quality & Sustainability

Insight

A central part of Autolomous’ client engagement strategy is to surpass the current quality and security requirements expected of critical suppliers to the sector. Autolomous utilises a blend of people, processes, and technology along with a proven development methodology to build an integrated security, quality and sustainability programme that protects our organisation’s assets and those of our customers.

Our integrated management system (IMS) has been certified against both Quality Management Systems (ISO 9001) and Information Technology Security Techniques and Information Security Management Systems Requirements (ISO 27001) standards. Our certification can be verified here by using the certificate number 369092021. Furthermore, in 2022 Autolomous achieved ISO 14001:2015 certification concerning environmental management requirements – this can be checked here with certificate number 402582022.

Programme foundation

As foundational components, we have devised a policy set aimed at outlining how to protect the organisation from threats, including computer security threats, and how to handle situations when they do occur, along with supporting processes and frameworks.

Senior Management, represented by our Executive Management team, has the ultimate responsibility for information security within Autolomous. Operational responsibility for information security is delegated to the Compliance team, which works to the standards set out in this framework, and the risk assessments agreed upon by the Management & Compliance Review Committee. Within teams, accountability for security rests with team leads/managers.

Regarding personal and sensitive data, while our processing of such information is extremely limited, we are committed to maintaining the privacy and security of the data we hold. We actively monitor our compliance against the UK and EU GDPR and have appointed an internal team to oversee this – the Data Protection Office. Detailed roles and responsibilities are defined in Autolomous’ Global Data Protection Policy. All types of data processed, alongside protective measures and lawful basis are monitored through our internal Data Inventory.

Our Security Awareness Programme consists of monthly e-learning courses, complementary learning tools such as security newsletters, and the dissemination of relevant security policies and procedures. We also have an ISMS portal where all employees can search for documentation and an internal communications channel where questions can be raised with the Security and Compliance team. All joiners go through a Security and Compliance induction session.

Technical controls
In terms of technical controls, we have focused our efforts on access and vulnerability management and robust security architecture.

Application security
Autolomous’ internal application development is supported by guidance during the systems development life cycle (SDLC) and by following base security principles, including confidentiality, integrity, and availability. Our development is reviewed and evaluated in accordance with best practices.

Third-party security
Autolomous suppliers are selected based on the quality services and security guarantees provided and must be aligned with our own standards and vision. Our suppliers are to be periodically assessed and monitored according to quality and information security expectations; upon entering any agreement, we will share with third parties our Supplier Security Requirements Policy which they must acknowledge and adhere to.

Infrastructure security
Autolomous’ core systems and applications are hosted in several secure and certified data centres across the globe. Client deployments are hosted at data centres in specified regions in line with the client’s location and managed in accordance with local regulations. These data centres are layered with operational and security controls and are ISO/IEC 27001 certified; their other certifications include ISO/IEC 27017, ISO/IEC 27018, SOC 1/2/3, PCI DSS and HITRUST CSF.

The autoloMATE backend is mostly composed of Google Cloud Platform services. The services employed cover the initial configuration, security and setup, including authentication, database, storage and hosting. More details on the provider’s certifications can be found at https://cloud.google.com/security/compliance

The autoloMATE platform uses ledger technology to immutably store data and ensure provenance; this is hosted on the Amazon Quantum Ledger Database (AWS QLDB), which offers a 99.9% availability SLA together with enhanced security, built-in high availability and embedded ledger backups for continuous operations.

Incident management
Autolomous’ Security Incident Response Team (SIRT) responds to and proactively monitors for information security incidents. High-level guidelines have been defined in the Information Security Incident Response (IS IR) Policy. Incidents can be reported to us either via email – compliance@autolomous.com – or via our internal IMS portal.

Why is autoloMATE® a secure solution?
Security is paramount to Autolomous and we aim to use best-in-class account security practices where this is practically possible.

Passwords

To this end, we have implemented a password security system that is practical, secure, and future-proof. Autolomous aligns its password security measures with Google’s ‘Modern Password Security for System Designers’ whitepaper, as well as established scholarship in data system security.

autoloMATE uses a passphrase system that requires users to define a phrase of any length, subject to minimum requirements for the number of words and the total character length – good passphrases are generally easier to remember than complex passwords.

The system enforces passphrase strength based on two measures:

– The number of words in the passphrase (X)

– The number of characters in total in the passphrase (Y)

These values are configurable by administrators but Autolomous strongly recommends against values lower than the defaults.
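The following is an added illustration of the two-measure check described above, not Autolomous' own code. The default values for X and Y, the rule that whitespace is collapsed before counting, the decision to count the single separating spaces in Y, and the extra distinct-words check are all assumptions made for this example; the page does not publish the product's actual defaults.

```python
"""Passphrase strength check on word count (X) and character count (Y)."""
from dataclasses import dataclass
import unicodedata

# Assumed defaults for illustration only; the real product defaults are not published.
DEFAULT_MIN_WORDS = 4   # X
DEFAULT_MIN_CHARS = 20  # Y


@dataclass(frozen=True)
class PassphrasePolicy:
    min_words: int = DEFAULT_MIN_WORDS
    min_chars: int = DEFAULT_MIN_CHARS

    def warnings(self) -> list[str]:
        """Flag administrator settings that are weaker than the defaults."""
        out = []
        if self.min_words < DEFAULT_MIN_WORDS:
            out.append(f"min_words={self.min_words} is below the default {DEFAULT_MIN_WORDS}")
        if self.min_chars < DEFAULT_MIN_CHARS:
            out.append(f"min_chars={self.min_chars} is below the default {DEFAULT_MIN_CHARS}")
        return out


def normalize(passphrase: str) -> str:
    """Canonicalise Unicode and collapse whitespace runs so that padding
    with extra spaces cannot inflate either the word or the character count."""
    return " ".join(unicodedata.normalize("NFKC", passphrase).split())


def count_words_and_chars(passphrase: str) -> tuple[int, int]:
    """Return (X, Y) for the normalised passphrase (Y includes separating spaces)."""
    norm = normalize(passphrase)
    return (len(norm.split(" ")) if norm else 0), len(norm)


def check_passphrase(passphrase: str, policy: PassphrasePolicy = PassphrasePolicy()) -> list[str]:
    """Return the list of policy violations; an empty list means the passphrase is accepted."""
    words, chars = count_words_and_chars(passphrase)
    problems = []
    if words < policy.min_words:
        problems.append(f"needs at least {policy.min_words} words, got {words}")
    if chars < policy.min_chars:
        problems.append(f"needs at least {policy.min_chars} characters, got {chars}")
    # Extra check (assumption): repeating one word satisfies X without adding
    # any real strength, so the X distinct words must differ ignoring case.
    distinct = len({w.casefold() for w in normalize(passphrase).split()})
    if words >= policy.min_words and distinct < policy.min_words:
        problems.append(f"at least {policy.min_words} distinct words required, got {distinct}")
    return problems
```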

Two-factor authentication
The app supports 2FA, configurable on the individual account level. The 2FA is email-based, in order to work with clean room environments where computers are shared and mobile phones are disallowed.

Enforced timeout
Users are automatically logged out of the application after a period of inactivity, if and as configured in the customer configuration.

Encryption
Personal or sensitive data in eBRs/forms can be encrypted using the AES-256 encryption standard. This is configurable at the field level. All data is encrypted at rest and in transit. For web browsers, we enforce the use of TLS 1.3.

Audit trail
Our platform uses ledger technology to immutably store data and ensure provenance. As such, our solution gives users access to a reliable, complete and searchable audit log of all events in a product eBR/form. Quality Assurance personnel can regularly review and approve product eBR/form audit logs. A system audit function is available to our clients’ system administrators, providing a useful tool for investigative and record-keeping purposes.

e-Signatures
Users are required to sign using a unique 6-digit passcode generated by the platform.

Segregated user permissions
Roles can be defined by the customer and permissions enabled/disabled per role.

Secure exports
Content cannot be emailed from the app; it can only be exported to the device. Note that emails sent by the platform are protected with TLS encryption (TLS 1.3).

Regular pen-testing
Regular penetration testing is conducted for the autoloMATE platform. This is done on a quarterly basis unless major upgrades/infrastructure changes occur and justify earlier testing.