Guide to Security at Onfido
To identify and manage information security risks at Onfido, we have implemented a number of technical and operational initiatives, including establishing an information security management system (our “ISMS”), based on international best practice for information security (ISO27001:2013). The purpose of the ISMS, is to protect the confidentiality, integrity and availability of information and minimise security risks. Specifically, the ISMS has been designed to address the following objectives:
- Provide clients with the fastest and most robust Identity Verification Services within a secure environment.
- Take pride in how we protect information and promote Onfido as a secure and trustworthy business to our clients, users, and partners.
- Meet or exceed client and partner security requirements for information protection.
- Minimize the risk of a information leak by ensuring that user information is encrypted when in transit and at rest.
- Develop a secure application which provides our clients with robust automated checks with minimal human intervention.
- Protect user information from unauthorised access by minimising access to individuals with a legitimate business need.
- Underpin management’s commitment to embedding security practice into the business, which aligns with our culture and is compliant with ISO27001:2013.
- Identifying, managing and monitoring information security controls in our supply chain.
- Maintain our competitive advantage by protecting our know-how and intellectual property from unauthorised access.
- Work collaboratively to maintain a security aware culture, based upon sharing knowledge and continually improving how we manage information security.
If you think you have identified a security vulnerability or bug in our Identity Verification Services, please report it to the Onfido security team at firstname.lastname@example.org and as described in the Onfido Responsible Security Bug Disclosure Policy.
ISO 27001: Information Security
Onfido holds certificate number IS 660122 for operating an Information Security Management System which complies with the requirements of ISO/IEC 27001:2013, certified by the British Standards Institute.
This external audit takes place on an annual basis in order to maintain certification.
Roles and Responsibilities
Security and compliance work is collaboratively managed and executed by a dedicated group of highly skilled individuals within the business. Such individuals work across different business functions, including IT, engineering, security, legal, compliance, operations and facilities.
Onfido’s senior leadership team meet periodically to discuss security and compliance, and are presented with key metrics, current risks and potential blockers to managing security and compliance.
All Onfido employees receive information security and privacy awareness training to ensure that they are aware of their responsibilities and security risks. This happens in different forms, including group training, company wide presentations and E-learning on an ongoing basis.
Security Incident Management ("SIM")
The Onfido Disaster Preparedness and Recovery Team manages information security incidents at Onfido, including those that impact business continuity. This team is formed of individuals from parts of the business which includes security, legal, compliance, partnerships management, IT & engineering, public relations and human resources. We have the following in place to support our SIM efforts:
- A documented SIM policy;
- A documented SIM process and checklist with allocated responsibilities;
- Internal and external periodic testing;
- A 24/7 on-call team as a point of escalation; and
- Training material which includes E-Learning and presentations.
Clear Desk and Screen Policy
In order to reduce the risk of unauthorised access or loss of information, Onfido enforces a clear desk and screen policy as follows:
- Computers and laptops must be locked or protected with a screen locking mechanism controlled by a password when unattended.
- Care must be taken to not leave confidential material on printer docks.
- All business-related printed documents must be disposed of using shredders.
Pre-Employment Screening Policy
Onfido is committed to hiring exceptional talent into a secure working environment. This is to ensure the safeguarding of information and infrastructure at Onfido and to maintain an effective information security management system. As a result, it is Onfido’s policy to conduct background checks on all individuals who are given access to Onfido systems. The following checks are conducted at a minimum:
- Identity verification;
- Document check in support of right to work verification; and
- Criminal history check.
Onfido has implemented controls in order to prevent unauthorized physical access, damage and interference to Onfido’s information and information and information processing areas. These controls include:
- Removable media blocked company wide;
- CCTV monitoring;
- Enforced entry controls into our premises;
- Defined secure areas for authorised personnel; and
- Physical protection of hardware against natural disasters, malicious attack or accidents.
System, Application and Network Security
System, application and network Security is an ever evolving topic. This is why we have a dedicated team of security engineers driving the topic and developing, evaluating and integrating security technologies, solutions and frameworks.
- Onfido runs regular vulnerability scans against our full infrastructure and all applications. We also have external, independent, penetration tests conducted on a periodic basis.
- Code changes are always peer reviewed and static source code reviews are performed systematically and at a high frequency.
- All engineering and development operations staff are regularly trained on system, application and network security.
- Our IT and container infrastructure is continuously monitored and audited for change.
- Critical systems and information are protected with strong authentication mechanisms.
- All networks connections are protected by firewalls and are monitored by cyber security solutions to detect intrusions and suspicious activity.
- Machine learning is used to discover malicious behaviour of network endpoints and applications.
- All Onfido computers, laptops and servers utilise full disk/volume encryption and are installed with antivirus/malware protection which is automatically updated to the latest version and signatures available.
- All user information is encrypted using AES-256 at rest as well as in transit.