
Comprehensive IT Security Guide

Published by Mission, 2021-11-10 04:25:49

PTS IT Security Document


Passenger Transport Software Limited, 86-90 Paul Street, London EC2A 4NE
Web: www.passengertransportsoftware.com EMail: [email protected] Tel: +44 (0) 333 920 2149

Passenger Transport Software
IT Security Overview


Contents

Passenger Transport Software
IT Security Overview
Data protection policy
Context and overview
Key details
Introduction
Why this policy exists
Data protection law
People, risks and responsibilities
Policy scope
Data protection risks
Responsibilities
General staff guidelines
Data storage
Data use
Data accuracy
Subject access requests
Disclosing data for other reasons
Providing information
Passenger Transport Software
Cloud Hosted Services Document
1. Encryption
3. Secure Network Protocols
1. Data-in-Transit Encryption:
2. Key Management:
Client Data Backups
Security Management Plan
Introduction
Compliance with Applicable Laws, Regulations, and Standards


Data protection policy

Context and overview

Key details
• Policy prepared by: Stephen Bennett
• Approved by board / management on: 30/06/2025
• Policy became operational on: 01/09/2019
• Next review date: 01/06/2026

Introduction
Passenger Transport Software Limited needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the GDPR laws.

Why this policy exists
This data protection policy ensures Mission Software:
• Complies with data protection law and follows good practice
• Protects the rights of staff, customers and partners
• Is open about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach

Data protection law
The Data Protection Act 1998 describes how organisations — including Passenger Transport Software Limited — must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
1. Be processed fairly and lawfully
2. Be obtained only for specific, lawful purposes
3. Be adequate, relevant and not excessive
4. Be accurate and kept up to date
5. Not be held for any longer than necessary
6. Be processed in accordance with the rights of data subjects
7. Be protected in appropriate ways
8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection


People, risks and responsibilities

Policy scope
This policy applies to:
• The head office of Passenger Transport Software Limited
• All branches of Passenger Transport Software Limited
• All staff and volunteers of Passenger Transport Software Limited
• All contractors, suppliers and other people working on behalf of Passenger Transport Software Limited
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:
• Names of individuals
• Postal addresses
• Email addresses
• Telephone numbers
• …plus any other information relating to individuals

Data protection risks
This policy helps to protect Passenger Transport Software Limited from some very real data security risks, including:
• Breaches of confidentiality. For instance, information being given out inappropriately.
• Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
• Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.

Responsibilities
Everyone who works for or with Passenger Transport Software Limited has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
• The board of directors is ultimately responsible for ensuring that Passenger Transport Software Limited meets its legal obligations.
• The data protection officer, Stephen Hill, is responsible for:
  o Keeping the board updated about data protection responsibilities, risks and issues.
  o Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  o Arranging data protection training and advice for the people covered by this policy.
  o Handling data protection questions from staff and anyone else covered by this policy.


  o Dealing with requests from individuals to see the data Passenger Transport Software Limited holds about them (also called ‘subject access requests’).
  o Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
• The IT manager, Stephen Bennett, is responsible for:
  o Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  o Performing regular checks and scans to ensure security hardware and software is functioning properly.
  o Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.
• The marketing manager, is responsible for:
  o Approving any data protection statements attached to communications such as emails and letters.
  o Addressing any data protection queries from journalists or media outlets like newspapers.
  o Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.

General staff guidelines
• The only people able to access data covered by this policy should be those who need it for their work.
• Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
• Passenger Transport Software Limited will provide training to all employees to help them understand their responsibilities when handling data.
• Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
• In particular, strong passwords must be used and they should never be shared.
• Personal data should not be disclosed to unauthorised people, either within the company or externally.
• Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
• Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.


Data storage
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
• When not required, the paper or files should be kept in a locked drawer or filing cabinet.
• Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
• Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
• Data should be protected by strong passwords that are changed regularly and never shared between employees.
• If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
• Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing service.
• Servers containing personal data should be sited in a secure location, away from general office space.
• Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
• Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
• All servers and computers containing data should be protected by approved security software and a firewall.


Data use
Personal data is of no value to Passenger Transport Software Limited unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
• When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
• Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
• Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts.
• Personal data should never be transferred outside of the European Economic Area.
• Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.

Data accuracy
The law requires Passenger Transport Software Limited to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort Passenger Transport Software Limited should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
• Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
• Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
• Passenger Transport Software Limited will make it easy for data subjects to update the information Passenger Transport Software Limited holds about them. For instance, via the company website.
• Data should be updated as inaccuracies are discovered or requested. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
• It is the marketing manager’s responsibility to ensure marketing databases are checked against industry suppression files every six months.


Subject access requests
All individuals who are the subject of personal data held by Passenger Transport Software Limited are entitled to:
• Ask what information the company holds about them and why.
• Ask how to gain access to it.
• Be informed how to keep it up to date.
• Be informed how the company is meeting its data protection obligations.
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to the data controller at [[email protected]]. The data controller can supply a standard request form, although individuals do not have to use this.
Individuals will be charged £10 per subject access request. The data controller will aim to provide the relevant data within 14 days.
The data controller will always verify the identity of anyone making a subject access request before handing over any information.

Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Passenger Transport Software Limited will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.

Providing information
Passenger Transport Software Limited aims to ensure that individuals are aware that their data is being processed, and that they understand:
• How the data is being used
• How to exercise their rights
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company.
[This is available on request. A version of this statement is also available on the company’s website.]


Passenger Transport Software
Cloud Hosted Services Document


This document is to gather information from suppliers to gain assurance around the security of data that is collected, stored, and transferred as part of your solution.

Key Reference Information (must be completed):
Questionnaire Completed by: Stephen Hill
On Behalf of: Passenger Transport Software Limited
Date Completed: 16th July 2025 to 22 July 2025
Project Title: SEN Passenger Transport Management System

Your responses should comply to the following standards as appropriate: CCM v3.0, ISO/IEC 27001:2017, CHECK, CREST, Cyber Essentials Plus, GDPR.

1. Governance Framework

1.1 Provide details of how governance processes are reviewed for the cloud hosted services to ensure consistent practices and that they account for risks that the supplier inherits from the cloud provider.
Your response
In the UK we are termed a “Micro” company as we have less than 10 full time staff. We have our own development studio in India that employs 11 full time staff. These workers have no access to UK systems and supply codes and builds to the UK for us to implement. In the India office we have developers, testers, QA & Security testing. In the UK, we have monthly meetings to discuss all aspects of systems, requests, issues found and AOB. We have dedicated testers and their roles include AWS systems and security tests. When building systems we have checklists of tests and explanations of how our systems must meet acceptable standards. Staff are taught how to test for issues and vulnerabilities. We have independent external testers as well who analyse our systems regularly. We host with AWS which means we self-manage our systems, but we also use Cloudflare and other tools that we fully control. We outsource certain roles as it is not practicable or reasonable to have them as full time staff – DPO is one of these roles as an example.

1.2 Please provide contact details of the person responsible for the security of the cloud service. This is typically someone with the title Chief Security Officer, Chief Information Officer or Chief Technical Officer
Your response
Jalpa Joshi, [email protected] and also [email protected]

1.3 Do you have a documented framework for security governance, with policies governing key aspects of information security relating to the service. If so, please provide a copy.
Your response
We work with a freelance fully certified DPO. Our staff have checklists, project plan requirements, monthly testing tasks and analysis but we don’t have a single written document as such. Every client has a team allocated to them – Account Manager, Head of Programming, Developer and Tester. Some projects also have App developer and graphics if required. Each of these people has a tasklist for every stage of the system and this includes regular daily/weekly and random testing. We know and have lists of what we need to do internally but not a single document.


1.4 Is security and information security as part of the service provider’s financial and operational risk reporting mechanisms. If so, please provide evidence.
Your response
We actually analyse our systems and issues every single day. Our testers start at 5am UK time and spend three hours checking every single system. They have to list everything they did and everything they found, so we know every single day if there are any issues, weaknesses or vulnerabilities on every single system build and server system. These are discussed at monthly meetings and if clients want this data we can provide this, firewall, access information all sorts of things – most don’t though as we work with transport teams rather than IT staff. We can report if required.
We do not publish an Information Rights Document as the data on our systems does not belong to us. Our clients must keep these to cover the data they store on our systems. We have our own GDPR documents and these can vary depending on contracts and GCloud contracts we sign.

1.5 How do you manage risk for services provided by third parties, such as data centre providers?
Your response
With AWS we get control panels and we also have our own login and management permissions. It is not 100% as good as having our own servers and we have to trust that AWS adhere to the ISO standards and rules we cannot actually do ourselves.

1.6 Describe governance and risk management processes.
Your response
We assess all risks to data assets and implement blocking and mitigation strategies. Establish roles and responsibilities for data security. Include incident response plans for potential data breaches. Ensure ongoing monitoring and review of data security practices. Check control policies to ensure only authorized personnel can access data. Use risk management processes to identify and mitigate potential threats. Use our policies and procedures to guide data security practices. Use our incident response plans to address and recover from security breaches. Train new employees on data security policies and procedures. Conduct regular audits to ensure compliance and identify gaps. Update our framework in response to anything we find and regulations.

2. Operational Security

2.1 Can you confirm that your cloud services/products will only be operated within those geographic limits of the UK or EEC to process, transmit and store any data involved?
Your response
Yes, AWS servers and Fasthosts failover servers are all UK based, data never leaves the server DMZ. All data received by secure email must ONLY be opened within the DMZ. SQL Backups are stored on the Failover server which is also UK based.

2.2 Who is the data centre owner?
Your response


Amazon Web Services
Fasthosts Gloucester (Owned By Ionos)

2.3 Please provide a technical diagram that demonstrates connectivity, ports and traffic flows between your solution and the Council’s network, including connections from the Council’s network, VPN or direct connection over the internet.
Your response
Our system is a web based solution – but we have attached a document showing our architecture.
MPS Schema & Architecture 2025.
Note – We have also added Cloudflare to this system and we use Avast Premium Business AV.

3. External Interface Protection

3.1 Do you carry out regular Penetration (Pen) Tests against the relevant infrastructure and/or application and when was the last one carried out?
Your response
Yes – we can supply a full Black Box and Grey Box test and have put examples in the shared online folder.

3.2 Can the Pen Test highlight/management report be shared with the Council if requested?
Your response
See Above 3.1

3.3 Who was the Pen Test carried out by?
Your response
We work with an independent, fully qualified engineer with the following details:
I am a Senior Application Security Engineer and Penetration Tester with extensive experience in cybersecurity. I specialize in penetration testing (black box, grey box, and white box), vulnerability assessments, and red teaming. I have a deep understanding of security vulnerabilities across various platforms and a proven track record of implementing effective mitigation strategies. Over the course of my career, I have performed thousands of penetration tests and worked with a wide range of tech stacks and programming languages. I've also discovered numerous critical vulnerabilities through bug bounty programs for renowned companies. I have completed over 100 successful projects across various sectors, including banking, government, insurance, healthcare, universities, and private companies. I am also skilled in providing security consultations and collaborating on technical software testing and environment assessments. Additionally, I am capable of managing and optimizing your company's Bug Bounty program to ensure vulnerabilities are reported and addressed effectively, strengthening your organization's security posture.
Certifications:


- CREST Registered Penetration Tester (CRT)
- CREST Practitioner Security Analyst (CPSA)
- OffSec Certified Professional (OSCP)
- Certified Red Team Professional (CRTP)
- Certified Red Team Analyst (CRTA)
- Multi-Cloud Red Teaming Analyst (MCRTA - AWS/Azure/GCP)
- eLearnSecurity Web Application Penetration Tester eXtreme (eWPTX)
- eLearnSecurity Certified Professional Penetration Tester (eCPPT)
- Certified Ethical Hacker (Practical) - EC-Council (CEH)
- eLearnSecurity Mobile Application Penetration Tester (eMAPT)
- eLearnSecurity Junior Penetration Tester (eJPT)

My Services Include (but are not limited to):

✅ Web Security & Application Testing:
- Web Application Penetration Testing (Black Box, Grey Box, White Box)
- Mobile App (Android & iOS) Penetration Testing
- API Security & Penetration Testing (REST, SOAP, GraphQL)
- Thick Client & Desktop Application Penetration Testing
- Source Code Reviews (Secure Code Audits)

✅ Network & Infrastructure Security:
- Network Penetration Testing (Internal & External)
- Active Directory (AD) Security Assessment
- Cloud Security Assessments (AWS, Azure, GCP)
- Cloud Audit & Configuration Review
- Wireless Security Assessments
- IoT (Internet of Things) Penetration Testing
- Network Configuration & Firewall Rule Review
- Infrastructure Security Assessments

✅ Red Teaming & Advanced Security Assessments:
- Red Teaming & Adversary Simulation
- Multi-Cloud Red Teaming (AWS, Azure, GCP)
- Social Engineering (Phishing, Vishing, Smishing)
- Physical Security Assessments & RFID Cloning
- LLM (Large Language Model) Security Testing
- OSINT (Open-Source Intelligence) Investigations
- Attack Surface Management (ASM)

✅ Security Consulting & Risk Management:
- Bug Bounty Program Management & Optimization
- Security Awareness Training & Workshops
- Security Policy & Compliance Audits (ISO 27001, SOC 2, PCI-DSS)
- Risk Assessment & Threat Modeling
- Incident Response Readiness & Tabletop Exercises
- Secure SDLC Implementation & DevSecOps Integration

I ensure that organizations are protected against both external threats (hackers, cybercriminals, APTs) and internal risks (insider threats, misconfigurations, weak security policies).

3.4 Are the Pen Testers from a CHECK or CREST registered company?
Your response


Yes

3.5 Is the 3rd party infrastructure ISO27001: 2017 certified or working towards certification? If the latter, then when?
Your response
AWS – ISO27001
https://aws.amazon.com/compliance/iso-27001-faqs/
Fasthosts
https://www.fasthosts.co.uk/about/international-data-centres

3.6 Please provide a copy of or link to the relevant ISO27001 certificate.
Your response
https://proactive.fasthosts.co.uk/our-data-centres

3.7 What element of the infrastructure is ISO27001 certified? Does it cover all the elements in use for this implementation?
Your response
These are the two infrastructure items we use.
https://www.fasthosts.co.uk/about/international-data-centres
https://aws.amazon.com/compliance/iso-27001-faqs/

3.8 Have you had any serious or major security related incidents in the last 2 years and were they reported to the ICO?
Your response
None.

3.9 Please describe your process for upgrading and maintenance of both infrastructure and software. You should include routine patching scheduled and emergency patching timescales.
Your response
We run all upgrades and patches automatically within AWS. Fasthosts on the failover systems we run manually as soon as critical releases are available or every weekend when we also reboot to install if required.

3.10 Is the application developer/owner Cyber Essential Plus certified? If yes, please provide the certificate.
Your response
No – we don’t have this yet but we are Cyber Essentials Certified - document attached. In the UK we do not have an office network lan and server system and all of our development is done by an overseas development company we own. Client data on AWS servers is highly restricted and no UK data ever goes to the development company as we have created a huge database of “made up” data for development and testing purposes. Cyber Essentials Plus doesn’t work for our smaller UK operation and many of the requirements are done by our security and management contractors for us.

4. Asset Protection & Resilience


4.1 Describe business continuity and operational resilience configuration of the cloud infrastructure services. Has it been tested?
Your response
We do regular failover tests of our systems. We have both daily SQL backups and we also have Failover server options. Additionally we have extra AWS systems that we can use in the event of a complete loss of services for one client. We also have business plans for continuity as well. Document attached.

4.2 What processes and measures are in place to prevent unauthorized software installation on the application servers?
Your response
The only people with install rights are the Head of Programming and the Client Manager – so nobody has logins or permissions that allow this in our organisation.

4.3 Describe your datacentre physical and technical security measures in place?
Your response
We only access servers using Plesk or Remote Desktop. Two people have admin rights all other people only have user rights – limited windows profiles. Passwords are regularly changed and always changed on change of staff.

4.4 Describe how change management is handled at the cloud infrastructure
Your response
We don’t have much change here - our server builds are pretty standard and we tend to only run windows updates once a system is live. We give our clients a LIVE system and a TEST system so all new dev and builds have to be signed off first on the TEST system before being allowed to go live.

5. Audit Information Provision to Clients

5.1 What processes are in place to ensure application security?
Your response
Access rights and user permissions/Roles within the servers and system.

5.2 What audit logging and intrusion detection services are available?
Your response
Other than the standard windows logging data we do not use any third-party tools for logging have any other tools I think.

5.3 What change detection services are available to assure the integrity of deployed systems in the cloud infrastructure?
Your response
We don’t have this as such. We know what every single build and version number should be and this is tested every single day. We have a whole security list as well for testing so are pretty confident we are both locking out and also restricting change access proportionately to the size and value of the system and sensitivity of the data.


5.4 Describe the security incident, e-discovery and forensics processes
Your response
On discovery of any breach or issue a full document has to be filled in – attached.


6. Secure Service Administration

6.1 How are tenants segregated in the cloud infrastructure?
Your response
Every Client gets their own server and DMZ system. Additionally the software is written to be Multi-tenant so uses ID referencing within the SQL database.

6.2 What threat and vulnerability management services are implemented?
Your response
We use Cloudflare as standard.
Avast Premium Business AV to check vulnerability – https://www.avast.com/en-gb/premium-security#pc

6.3 How are workloads secured (e.g. hardening, workload protection etc.)
Your response
Securing workloads involves implementing practices and technologies to protect applications, systems, and data from threats.
→ We do not have any third-party tools installed on our servers.
→ Our APIs are secured by implementing authentication & authorisation.
→ All request and response parameters transit with Encryption using TLS 1.2 and above and at rest
→ Our standard practice is to Enforce secure coding practices to prevent vulnerabilities like SQL injection or cross-site scripting (XSS).

6.4 How are hypervisors secured?
Your response
We have not set up any virtual machine on our server.
Our database server is network isolated and has IP filtering enabled. Only the specified IP address is permitted to connect to the SQL Server via RDP and the system.

6.5 What API protection measures are implemented for services?
Your response
We have several methods including - Authentication Protocols, we Encrypt Data in Transit & at Rest, we always Update & Patch APIs and we Use API Gateways.
We use the following points to Protect our APIs
→ Authentication
1) Ensuring that only authorised users or systems can access the API. Examples:
   i) API Keys: Unique keys provided to clients.
   ii) OAuth2: A robust framework for access delegation using tokens.
   iii) JWT (JSON Web Tokens): Tokens that verify a user's identity.
→ Authorisation
2) Controlling access to specific resources or operations based on user roles or permissions.
   i) Example: Role-Based Access Control (RBAC).
→ Encryption


1) Protecting data in transit by using HTTPS and TLS to encrypt communication between the client and the server.
2) Encrypting sensitive data at rest, like user credentials.
→ Use of Web Application Firewalls (WAFs)
1) Protecting APIs from common attacks like DDoS or malicious bots by using WAFs.

7. Data in Transit

7.1 How is data in transit secured? (Include transit between all locations e.g. offices and storage locations)
Your response
We encrypt data at rest and in transit. We have been tested and analysed for this, so encryption and key management are a large part of the programming manager's system work and checklists.
Here is a description of “what, how and when” of our protocols and methods for data transit:
1. Encryption
• Encryption is one of the most critical aspects of securing our client’s data in transit. It ensures that data is transformed into an unreadable format during transfer, and only the intended recipient can decrypt it back into its original format. This helps to prevent unauthorized access to sensitive data as it moves across our networks.
• Common protocols we use for encryption in transit include:
  o TLS (Transport Layer Security): for securing communications over the web (HTTPS).
  o SSL (Secure Sockets Layer): Similar to TLS but an older version, still used in some systems though.
  o VPN (Virtual Private Network): This secures data by encrypting the entire connection between two systems or locations.
2. Authentication
• Authentication Certificates, usernames, passwords, and multi-factor authentication to prevent impersonation or unauthorized access.
• API keys, OAuth tokens, and JWT (JSON Web Tokens) to authenticate systems and users during data exchange.
3. Secure Network Protocols
• We protect data using secure communication protocols that define how data is transmitted. These protocols include:
  o HTTPS (Hypertext Transfer Protocol Secure) for web communication.
  o SSH (Secure Shell) for secure remote access to systems.
  o FTPS (FTP Secure) or SFTP (Secure File Transfer Protocol) for secure file transfers.
4. Firewalls and Intrusion Detection Systems (IDS)


• Our Firewalls help prevent unauthorized access to networks and systems by filtering traffic.
7. End-to-End Security
• Secure from the point of origin to the destination, including during storage and processing. Even if a data transmission path is intercepted, the data remains encrypted, and unauthorized parties cannot read it.

7.2 How do you protect exposed network interfaces at the service?
Your response
We use the following ways to protect exposed network interfaces:
→ Firewalls:
• control traffic to and from exposed interfaces, only trusted IP addresses or specific ports access the services, blocking all others.
→ Encryption (TLS/SSL):
• Traffic is encrypted using protocols TLS (Transport Layer Security) or SSL (Secure Sockets Layer) to secure communication between the client and the service. This prevents interception and tampering with our sensitive data.
→ Authentication and Authorization:
• We have implemented strong authentication mechanisms (such as username/password, API keys, OAuth, or multi-factor authentication) to verify the identity of users or services accessing the exposed interfaces.
• We use authorization to ensure that only authorized users or systems can access specific resources or perform actions.
→ Access Control Lists (ACLs):
• We use ACLs to specify which IP addresses, subnets, or users can access the exposed network interfaces, limiting exposure to trusted entities only.

7.3 What segmentation measures are in place to achieve network defence in depth?
Your response
I would say we use the following Key Segmentation Measures to Achieve Network Defence in Depth:
→ VLANs (Virtual Local Area Networks):
• Our VLANs logically separate different types of traffic or different groups of users to ensure sensitive data is only accessible by the right people.
→ Firewalls:
• We have implemented firewalls between different network segments to control which traffic is allowed to pass through, rules based on IP addresses, ports, protocols, etc., between segmented network zones.
→ Access Control Lists (ACLs):


• We have configured ACLs on routers/switches to restrict access between segments or to certain services. This could also be used to block unwanted traffic or allow only authorized devices and users into a specific network zone.

7.4 Detail which opened ports are required for complete system operation. (Please include on the network diagram)
Your response
The following ports are required to be open:
• HTTP (Port 80): Required for web traffic to and from your website.
• HTTPS (Port 443): Used for secure web traffic (SSL/TLS).
• SSH (Port 22): For secure remote access to your servers.
• FTP (Port 21): For file transfer.
• The web server needs ports 80 and 443 open.
• The database server (in the DMZ) needs port 1433 (for SQL Server).

7.5 What (if any) authentication is in place between the cloud system and the Council
Your response
1) We use two-factor authentication.
2) Our apps use two or three factors with biometric choices.
3) If Azure Single Sign On is used there is also a check at the time as well.

7.6 Describe how a user is authenticated to the system prior to upload or download of data to/from the system.
Your response
Login page loads which uses SSL and other coding protections. User has to enter a username and password; password restrictions and complexity rules are enforced. An OTP is sent to user email account but a “Remember me for 7 days” option is available. Sessions are timed and auto logout is enforced.

7.7 Can the cloud infrastructure or Council source be locked down by IP so only authorised IPs can initiate a connection to/from Council for 3rd party / Council transfers?
Your response
We could do this but as a web system supporting WFH, devices for transport site managers it would be very restrictive.

7.8 If data is being transferred in bulk between The Council and the hosted service, what is the method of this transfer?
Your response
We ask for Egress or equivalent data transfer. We also support secure FTP options as well.

7.9 Describe key and certification management processes for data in transit encryption.
Your response
This is a description of our process:
1. Data-in-Transit Encryption:
Protecting data while it is being transmitted over a network, ensuring that even if the data is intercepted, it cannot be read or altered.


2. Key Management:
The processes involved in handling cryptographic keys used in our encryption. For data in transit encryption, the key management process typically includes:
• Key Generation: Creating encryption keys used for encrypting and decrypting data.
• Key Storage: We store keys with code-level protection, not in browser-level local or session storage.
• Key Exchange: Safely exchanging keys between parties. This often involves protocols like Diffie-Hellman or RSA to securely exchange encryption keys over an insecure network.
• Key Rotation: Periodically changing encryption keys to reduce the risk of a key being compromised.
3. Certificate Management:
Certificates establish trust in our secure communication channel. Certificates often contain public keys and are part of the process of securing data-in-transit using protocols like SSL/TLS.

7.10 Describe how keys are generated for use protecting data
Your response
The algorithm we are using employs Triple DES (3DES) encryption with MD5 hashing for key generation. Here are the key details:
1. Encryption Algorithm: Triple DES (3DES)
  o 3DES is a symmetric encryption algorithm that applies the DES cipher algorithm three times to each data block.
2. Key Size:
  o Triple DES uses a 192-bit key (3 * 64-bit key blocks), but we are using MD5 hashing to generate the key from the string "XXXXXX", which produces a 128-bit (16-byte) hash.
  o Key Generation: The key used in the 3DES encryption is derived from an MD5 hash of the string "XXXXX", resulting in a 128-bit key.

8. Secure Development

8.1 Describe how the data held will be separated from the data of other organisations / customers?
Your response
Every client gets their own AWS server instance.

8.2 What strength encryption is applied to the data while it is being stored?
Your response
Encryption algorithm: Triple DES (3DES)
Key size: 128 bits (derived from the MD5 hash of the cryptoKey)


Block size: 64 bits (DES block size)
Initialization Vector (IV): 8 bytes (64 bits)

8.3 How is access to the data restricted from unauthorised access?
Your response
The SQL system is on a separate database within the DMZ so our staff may have a logon to the IIS server but would not usually have any login to the SQL database – this is all managed by the Head of Programming.

8.4 How does your cloud solution facilitate compliance with individual rights requests under GDPR?
Your response
If a client asks us about “their” data we will help but we are the processor rather than the controller. In the first instance our clients deal with these requests directly and if further assistance is required we help. We have a rule: never touch, never change, never view client data. This only happens as a direct request from our clients.

8.5 How can the Council access our own data in the solution using data analytic tools for query and reporting purposes?
Your response
We will provide API for direct access or SOAP or FTP if required.

8.6 Can a copy of the data retention and deletion policy be provided?
Your response
Client Data Backups
We have changed our policy on the storage of daily database backups. We used to keep a single daily backup for every single day of a client contract, but with the increasing costs of web storage we cannot now keep this system as standard and free. We are now going to only store 90 days of daily backups and each day one backup will be added and the oldest backup will be deleted. Should clients want to store additional, older backups on their own system we can offer an FTP, SOAP or other system for storage on client’s own systems, for a fee, including set up costs.
Retention and Deletion
We will agree with you whether you want deletion, anonymisation or automatic deletion of older data with time periods. This is client specific and method specific. We will not automatically delete client data unless we have agreed a plan with you.

8.7 At the end of the contract what data will be returned and how will it be returned?
Your response
End of contract document attached.

8.8 Describe key and certification management processes for data at rest encryption.
Your response
I asked about this and was told:
Data at Rest
All sensitive data at rest is encrypted using secure cryptographic algorithms.


The algorithm we are using employs Triple DES (3DES) encryption with MD5 hashing for key generation. Here are the key details:
1. Encryption Algorithm: Triple DES (3DES)
  o 3DES is a symmetric encryption algorithm that applies the DES cipher algorithm three times to each data block.
2. Key Size:
  o Triple DES uses a 192-bit key (3 * 64-bit key blocks), but we are using MD5 hashing to generate the key from the string "XXXXXX", which produces a 128-bit (16-byte) hash.
  o Key Generation: The key used in the 3DES encryption is derived from an MD5 hash of the string "XXXXX", resulting in a 128-bit key.
Data in Transit
→ We are using the following protocols for data in transit.
Certificate Management for Data in Transit:
• Public Key Infrastructure (PKI): SSL/TLS certificates (based on public-private key pairs) are used to secure communication between systems. A certificate is issued by a trusted Certificate Authority (CA) and is used to authenticate the identity of the communicating parties and to encrypt the data being transmitted.
• Key Management for Data in Transit: This involves the secure handling of private and public keys for encryption and decryption of the data in transit. It also involves ensuring the certificates are updated before they expire and revoking them if necessary.
TLS/SSL Protocols: All data in transit is encrypted using TLS 1.2 or higher to ensure secure communication and prevent interception by unauthorised parties.

8.9 Describe how keys are generated for use protecting data
Your response
This all happens when the initial SQL database and failover servers are built. Backups of keys are stored on these servers too – one server's keys are stored on the “other” server within the DMZ.
1. Create a Database Master Key (DMK)
2. Create a Certificate for Encryption
3. Create a Database Encryption Key (DEK)
4. Enable Transparent Data Encryption (TDE)
5. Backup the Certificate and Private Key

8.10 Who is responsible for holding the inventory for data stored? How is this achieved?
Your response
Our nominated server system Admin.
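The key derivation described in the responses to 7.10, 8.2 and 8.8, reproduced as an added example (not PTS's own code) so a reviewer can check the properties of the resulting key material. The passphrase, the function names, the direct use of the 16-byte digest as the 3DES key, and the PBKDF2 comparison are assumptions introduced here.

```python
"""Added illustration: MD5(fixed string) -> 16-byte 3DES key, as the responses
describe, beside a salted derivation. All inputs here are constructed."""
import hashlib
import secrets
from typing import Optional, Tuple

DES_BLOCK_BITS = 64    # block size stated in the response to 8.2
AES_BLOCK_BITS = 128   # shown only for comparison


def legacy_3des_key(passphrase: str) -> bytes:
    """MD5(passphrase) gives 16 bytes; as a 3DES key that is K1|K2 with K3 = K1.

    Assumption: the digest is used directly as the key, which selects two-key
    Triple DES. The derivation has no salt and no work factor.
    """
    digest = hashlib.md5(passphrase.encode("utf-8")).digest()
    k1, k2 = digest[:8], digest[8:]
    return k1 + k2 + k1


def independent_key_bits(key24: bytes) -> int:
    """Count independent key bits in a 24-byte 3DES key.

    DES ignores the low (parity) bit of every key byte, so each sub-key holds
    56 bits, and a repeated sub-key contributes nothing new.
    """
    subkeys = {
        bytes(b & 0xFE for b in key24[i:i + 8])  # mask the parity bits
        for i in range(0, 24, 8)
    }
    return len(subkeys) * 56


def birthday_bound_bytes(block_bits: int) -> int:
    """Data volume under one key (about 2^(n/2) blocks) after which a repeated
    ciphertext block becomes likely for an n-bit block cipher."""
    return (2 ** (block_bits // 2)) * (block_bits // 8)


def salted_key(passphrase: str, salt: Optional[bytes] = None,
               iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Comparison derivation: PBKDF2-HMAC-SHA256 with a random 16-byte salt,
    returning (salt, 32-byte key). The salt is stored beside the ciphertext."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              salt, iterations, dklen=32)
    return salt, key


def random_data_key() -> bytes:
    """A data-at-rest key need not come from a string at all: 256 random bits."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    phrase = "constructed-example-passphrase"   # constructed sample input
    legacy = legacy_3des_key(phrase)
    print("legacy key repeats for the same string:",
          legacy == legacy_3des_key(phrase))
    print("independent key bits:", independent_key_bits(legacy))
    print("64-bit block, rekey before (GiB):",
          birthday_bound_bytes(DES_BLOCK_BITS) // 2**30)
    salt_a, key_a = salted_key(phrase)
    salt_b, key_b = salted_key(phrase)
    print("salted keys differ for the same string:", key_a != key_b)
```
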


8.11 Describe how keys are generated for use protecting data
Your response
This is done at the time the initial databases are built and we use the normal SQL process and options for encryption.

8.12 Describe methods to protect against data leakage.
Your response
Wherever we put the encryption key files we have to ensure restricted access only. We decided to keep keys on the alternate servers each within the DMZ.

8.13 How are physical computing devices securely wiped after use?
Your response
We pay for this service from the server providers Ionos/Fasthosts/AWS.

8.14 Who is responsible for classifying the data? How is this achieved?
Your response
All of our data is extremely sensitive because it is children’s medical and special needs. We don’t consider any data less important or “safe” so don’t multi-layer classifications of data.

9. Identity & Authentication

9.1 How are non-SSO accounts secured within the application?
Your response
2FA, User password and OTP to registered email address - every time, or user can set a “Remember Me for” option to avoid OTPs for a number of days.

9.2 What is the password policy for non-SSO accounts?
Your response
Passwords must be changed regularly, cannot be re-used and we have a complexity rule as follows:

9.3 What is the process for the Council to remove accounts that are no longer required?
Your response


Admins can disable and manage all of their own users – complete access and permission controls.

9.4 Is user access periodically reviewed to assure least privilege?
Your response
Our clients set their own rules for all of their users, we do not manage, touch, view or analyse any Client data – it is the responsibility of the admins to manage their own users.
We have standard roles etc within the software but clients must set rules to match their own requirements.

9.5 Are all privileged accounts enforced with multi-factor authentication?
Your response
Yes – 2FA at least.

9.6 Does the hosted system have SSO functionality?
Your response
Yes we include it as a standard option.

9.7 Where non-SSO accounts are used, where are the accounts held?
Your response
All data is within our own SQL database, encrypted and in the DMZ.

9.8 What is the process for user self-service for password reset and account unlock, including identity verification?
Your response
This is on the Web login screen. We send a URL to the registered email address for that account, the user must then create a new password and comply with complexity and re-use rules.

9.9 What processes are in place to assure segregation of duties between system and service administrators?
Your response
Only server admins get the login details, no other users, there is no reason for any staff to have server access except the 2 server admins.

9.10 What processes are in place to limit user access to management consoles, diagnostic and configuration ports?
Your response
Only two people in our organisation have login details and these are regularly changed.

9.11 How is access authorized at the 3rd party?
Your response
We don’t really give 3rd party access – nobody except our team get server access.




Security Management Plan

Introduction
We’re committed to maintaining the security and wellbeing of our staff, service users, partners and the surrounding community. Our Security Management Plan is but one aspect of our overall workplace safety efforts. Together, these efforts span personnel, information and asset security and include training and education activities to help ensure our programs’ success.
Responsibility for this program has been vested in by PTS management. Your cooperation with these efforts will help us all maintain a program that accomplishes all of its goals.
We take specific actions toward identifying security-related threats from cyber crime to workplace violence. You (our employees) can expand these efforts by reporting concerns and any security breaches immediately.
Your ongoing knowledge and cooperation as well as participation with the Security Management Plan’s efforts will be appreciated, and again, help ensure its success.
Thank you,
Signed by Data Protection Officer


Compliance with Applicable Laws, Regulations, and Standards
There are various laws, regulations, and standards that apply to our organisation. We are committed to complying with these. Details can be found in the following network documents - Data Protection Policy and Confidentiality Policy, Information Security Policy.
Our organisation has an Information Security Policy that is:
• supported by management
• reinforced by basic information security principles regarding:
  o confidentiality
  o integrity
  o availability
  o regulatory obligations
Details can be found in the following network documents: Information Security Policy, Data Protection Policy and Confidentiality Policy

Management Commitment and Responsibilities
Management commitment and responsibilities include:
• Program management
• Program review and updates
• Development of a review team if hazards are identified, or for deployment after an event to assist in its review
• Assisting with training
• Enforcing disciplinary actions as needed
• Interaction and assistance with regulatory agencies
Details can be found in the following network document: Examples Information Security Policy

Risk Assessment and Analysis
We will perform:
• Frequent Risk and/or Vulnerability Assessments
• Business impact analyses
• Both Personal and Physical Risk Assessments
Security risk assessments will be conducted as we become aware of new or potential threats.
We have complied with Cyber Essentials and have reviewed Cyber Essentials Plus Certification. We do not currently have enough UK staff to warrant Cyber Essentials but will complete this certification during 2025.
The latest penetration test was performed on January 22nd 2025. We will maintain our annual Cyber Essentials Plus Certification, and regular penetration tests.

Asset Management and Recording
We have a current list of information security assets (i.e., an Asset Register) including details of who is responsible for them.

Communications
We ensure secure communications by using Office 365 on Microsoft Cloud Servers.

Access Control
We have policies that enforce Access Control principles.


Information Systems Protection
We have taken steps to protect data in whatever form it may take including being bound to the GDPR and Data Protection guiding principles as evidenced by our Cyber certification.

Preparedness & Recovery
We have Procedures in place to ensure the continuation of services after a critical incident (e.g., including everything from evacuation plans to backing up servers).
Details can be found in the Business Continuity Policy

Data Classification
We classify data based on the data's sensitivity (i.e., Data Labels, Data Handling, Data Access levels).
We only store minimal employee data on our servers. We do not store, review or analyse any Client data in their DMZs.

Incident Response
During an incident we will work through and manage an up-to-date contacts list and also a checklist of responsibilities until the incident is over.
We have a post incident requirement to review any 'lessons learnt' that may help to reduce the possibility of such an incident happening again.
Details can be found in the following documents: Data Breach report Layout.

Human Resources Security Processes
We have HR processes that cover:
• pre-employment checks
• employee screening
• termination of employment

Training & Awareness
We have a training program that ensures all staff are aware of, understand and comply with the policies and procedures covered by this Security Management Plan.
We employ best practices for teaching security training (e.g., create strong passwords, don’t open suspicious emails, give hackers fewer opportunities to hack a system).
Details can be found in the following documents: Data Protection Policy, Training Register, Security Access Control Policy, Staff Handbook.

Supplementary Information

Proactive Measures in Security Management
We are proactive in preventing security incidents by using such measures as: AVAST business anti-virus, Cloudflare & ISO27001 cloud hosting suppliers.

Teach Best Security Practices
We employ best practices for teaching all staff security and our policies. Specifically, staff are trained in GDPR and Data Privacy, Understanding Phishing Signs, creating strong passwords, recognising suspicious emails and ways to give hackers fewer opportunities to hack the system.

Intrusion Prevention System (IPS)
We employ technology that helps to detect or prevent unauthorised access to the network. Specifically: Examples Cloudflare & Sophos at the perimeter of the office network that is controlled by our IT provider.


Updates and Patches
All IT equipment automatically downloads all updates to ensure the latest security.

Employees’ End User Device Permissions
We have AVAST controls in place that prevent the end user from downloading harmful content onto the system.

Review of this policy: this will be reviewed annually by the Director.
Next review date: 1st June 2025

