1.1 The objective of this policy is to provide an overview of the e-Learn Design (ELD) information security program.

1.2 This policy applies to ELD staff, ELD clients, and all third parties.

2.1 ELD is a registered Data Processor (ICO reference: Z2107917).

2.2 For the purposes of ELD service provision, clients are Data Controllers, retaining control of their data and remaining responsible for their compliance obligations under GDPR/Data Protection Legislation.

2.3 All GDPR/Data Protection Legislation obligations can be found in our Data Protection Policy.

3.1 ELD gathers information on individual clients by request, particularly main client contacts and invoicing details, as well as through our helpdesk support system. The amount and type of information that we gather depends on the nature of the interaction. All client and support ticket information is held in a database; this is only accessible via users and/or accounts with sufficient privileges for support or administration.

3.2 Individual client Moodle installations collect personal information, such as names and email addresses, country of origin of account, and city of origin of account. Some client Moodle installations also collect additional user information, as identified in the optional user account profile fields chosen by the client, such as phone numbers and billing information. This information is stored in individual client Moodle databases that are only available to specified system accounts.

3.3 Our full Privacy Policy can be found here.

4.1 All ELD servers are located in OVH data centres in London (primary) and Frankfurt (secondary). These data centres are physically staffed 24/7, secured using a restrictive perimeter system and video surveillance, with access controlled and regulated through an identity/authorisation badge system.

4.2 OVH is certified ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, ISO/IEC 27701 and CSA STAR for providing and operating dedicated cloud computing infrastructures based on the ISO 27002 and ISO 27005 security management and risk assessment standards and associated processes. All physical hardware is PCI DSS compliant and bears the BSI Kitemark.

4.3 Every server is built to ELD specifications, designed specifically for hosting the Moodle/IOMAD application using the Ubuntu Server Operating System. Each server has its own individual firewall, Intrusion Detection Software (IDS), Intrusion Prevention Software (IPS), and DDoS Protection Software; the OVH infrastructure is anti-DDoS/IPS-enabled by default, with infrastructure-specific IDS automatically performing quarantine actions during any suspect network traffic.

4.4 Industry-standard encryption algorithms and technologies are used to protect data in transit and at rest.

4.5 ELD monitors all servers using Nagios and Munin to provide 24/7 alerts on emerging or critical issues such as filesystems filling up, high server load, or issues with web connections. Any emergencies are handled 24/7, with normal support available during office hours.

4.7 All ELD servers are backed up to an encrypted off-site location nightly. Backups are kept for 30 days.

4.8 All server backups are stored with AWS in Ireland. AWS is certified for compliance with ISO 9001, ISO 27001, ISO 27017 and ISO 27018.

4.9 Our full Data Security Policy, including redundancy provisions, can be found here.

5.1 All ELD systems are configured to only allow authorised and authenticated users, utilising Identity and Access Management (IAM) systems where possible, in line with Role-Based Access Management (RBAC) protocols.

5.2 All access rights require explicit authorisation/approval by ELD’s Head of IT before being granted.

5.3 Privileged access rights are grouped by role function, and all systems are segregated by access control lists to ensure ELD staff only have access to the information they require to fulfil their specific role.

5.4 All systems that support Multi-Factor Authentication (MFA) have been appropriately configured; if MFA is not possible, password complexity rules are increased accordingly.

5.5 All password policies are documented, including creation complexity rules and change protocols in the event of exposure, breach, or suspected breach.

5.6 All device-specific user accounts (e.g. laptops, tablets, mobile phones) are unique, as are user accounts on any system which permit the use of primary and secondary account types or separate accounts within the same application.

5.7 Where there is no capability to have child or linked accounts/separate users, logins are shared; password vault access for shared services is strictly managed and controlled in line with RBAC protocols.

5.8 System/OS and Moodle/application passwords are never stored in clear text.

5.9 A unique ELD Admin account is required for all installations for support purposes; clients are responsible for the management and implementation of all other access control policies for their own Moodle installation.

6.1 For the purpose of this policy, data security breaches include both confirmed and suspected incidents.

6.2 An incident in the context of this policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately.

6.3 An incident includes, but is not restricted to, the following:

• system failure;
• unauthorised use of, access to or modification of data or information systems;
• attempts (failed or successful) to gain unauthorised access to information or IT system(s);
• unauthorised disclosure of sensitive/confidential data;
• hacking attack;
• password compromise;
• human error; or
• ‘blagging’ offences, where information is obtained by deceiving the organisation that holds it.

6.4 Confirmed and suspected data breaches and information security incidents will be reported internally by ELD staff, following documented procedures and protocols.

6.5 Once notified internally of a confirmed or suspected data breach or security incident, ELD will take the appropriate steps for containment and/or mitigation of potential data loss.

6.6 Confirmed and suspected data breaches and information security incidents should be reported by clients via email to security(at)e-learndesign(dot)co(dot)uk, by calling 0845 474 4512, or through the helpdesk reporting web page.

6.7 Should a confirmed or suspected data breach or security incident potentially be due to a client password compromise, clients should update their passwords as soon as possible.

6.8 Once notified by a client of a confirmed or suspected data breach or security incident, ELD will take the appropriate steps to assist them in containment and, where possible, recovery of any lost data through backups.

7.1 ELD provides all hosting clients with a Warm Standby VM solution as standard, where a prepared server is kept available as a destination to recover client data from off-site backups. This secondary location will not be within the UK (if UK primary hosting) or EU (if EU primary hosting) and will only be used in the case of a severe outage in the primary location.

7.2 ELD offers an optional Hot Standby VM solution to dedicated server clients where the live server is mirrored to a redundant VM in a separate data centre location in real-time using Zerto. This secondary location will not be within the UK (if UK primary hosting) or EU (if EU primary hosting) and will only be used in the case of a severe outage in the primary location.

7.3 Disaster Recovery (DR) is initiated under the following circumstances:

• All connectivity to the primary location data centre is lost
• The primary location ESX Cluster suffers a catastrophic failure
• Corruption of a client server’s underlying disks
• Hostile takeover of the server OS (e.g. for ransomware purposes)
• Other catastrophic failure of the server OS, which requires a point-in-time recovery

7.4 In the event of a disaster, all network traffic will be internal to ELD’s data centre private networks (with respective UK or EU endpoints), so all locations will still be considered to be in the UK or EU for the purposes of cross-border data transfer laws.

7.5 DR testing is performed on a rolling basis for all servers every 6 months.

7.6 ELD-specific and client-specific Business Continuity Plans (BCP) are reviewed every 18 months.

7.6 Our full DR and BCP Policies can be found here.

8.1 This policy will be updated as necessary to reflect best practices and to ensure compliance with any changes or amendments to relevant legislation.