Information security is at the heart of everything Aridhia does from the start of the software development lifecycle right through to customer support. All employees are provided with security training when joining and refresher training on an annual basis.

Aridhia operates a transparent and supportive security program that empowers it employees to report issues, suggest improvements and is continually reviewed.

Certifications

Aridhia completed the ISO 27001 certification in June 2019 and has maintained this certification through multiple audits. Aridhia also hold several UK certifications and is now working to achieve HITRUST certification.

• Aridhia ISO27001 certificate
• Cyber Essentials Plus
• NHS Data Security and Protection Toolkit assessment
• ICO Registration Certificate
• Microsoft compliance documentation

General Data Protection Regulation

Aridhia achieves compliance with GDPR through the implementation of policies and processes which ensure that:

• Information is processed on a lawful and transparent basis
• Strong data security is achieved through design
• Information security governance and accountability within Aridhia is clear
• Individual privacy rights are respected.

Software Development Lifecycle

In developing the DRE, Aridhia follows the OWASP Top 10 guidelines and uses tools to ensure our software complies with the OWASP best practice framework and that a “security by design” approach is followed.

We have many measures in place to ensure we follow a secure software development process, including:

• Coding controls are implemented
• Privacy Impact Assessments are conducted
• Frequent regression tests both automated and manual to ensure any work for new features does not introduce security flaws
• Separate and secured development and test environments
• Vulnerability scanning process
• Regular penetration tests are conducted by independent security companies.

Digital Research Environment security controls

Within the DRE, security controls include:

• All user access is via HTTPS URL protected by a rooted certificate issues by DigCert SHA2 Secure Server CA, utilising sha256RSA signature algorithm with sha256 signature hashing algorithm. Will only utilise TLS 1.2 protocols or above.
• Encryption in transit. All internal network traffic is protected by HTTPS or, TLS 1.2 or above protocols.
• Encryption at rest. By default, Microsoft Azure encrypts data using FIPS 140-2 compliant 256 AES encryption for storage accounts and virtual machine disks.
• Two-factor authentication is required to access DRE services.
• The secure Workspace boundary is created through a virtual network configuration and enforced through a permissions model.
• An Intrusion Detection System and Intrusion Protection System is implemented with security alerts automatically raised to Aridhia’s Service Desk Team.
• Data upload and data extraction is only permitted through an approval process.
• All uploads go through a malware scanning process.
• Full audit reporting of events.