Technical and Operational Security
e-shot™ by Forfront is designed to protect your company and its data, both at rest and in transit.
Forfront has over 20 years’ experience of delivering services to the public and private sectors in the UK and globally.
Our commitment to information security is reflected in strict policies and the robust application of processes and standards such as ISO 27001:2013, Cyber Essentials, the National Cyber Security Centre (NCSC) 14 Cloud Security Principles and the NCSC Software as a Service (SaaS) security guidance.
Detailed information on our security strategy and practices is not made publicly available, but the following gives an overview of how we ensure information security and implement cyber security protection.
The information security challenge
e-shot offers bulk email and SMS services to public and private sector organisations. There are two main focus areas for information security: data at rest (stored data) and data in transit.
Data Stored
e-shot stores each client’s data in its own database, which ensures robust and complete separation of your data from that of other clients. All data is held in secure data centre facilities to which unauthorised access is not permitted.
Data is encrypted and stored on industry-standard, enterprise-level database applications. Infrastructure, network equipment and servers are protected by enterprise-grade firewalls and by antivirus, anti-malware and anti-ransomware endpoint security. All equipment is kept up to date with firmware and critical software updates.
Information and data are stored and controlled internally in the e-shot data store and processing facilities.
Account data is backed up regularly.
Data in transit
We define two main categories of data in transit: internal traffic within the e-shot facility, between the database, the microservices and the MTAs (Mail Transfer Agents, which send communications externally); and external traffic leaving e-shot for delivery to its destination.
Both internal and external data in transit is encrypted using cryptographic protocols with correctly configured certificates and Transport Layer Security (TLS) version 1.2 or higher to ensure secure communications; how strictly TLS is enforced on external email delivery depends on the recipient domain, as described below.
e-shot’s operations and deliverability teams are responsible for correct infrastructure configuration and email authentication. We manage and maintain SPF, DKIM, DMARC and TLS so that every email sent from the e-shot platform is correctly configured and authorised to send on behalf of the sending organisation.
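The check a deliverability team runs for each sending organisation is whether the message will pass DMARC, which needs SPF or DKIM to pass and the authenticated domain to align with the visible From domain. The following Python is an added illustration, not Forfront or e-shot code: the DNS TXT records are a constructed in-memory table standing in for live lookups, the organisational-domain rule is simplified to the last two labels, and the DKIM signature result is taken as an input rather than verified (all assumptions). It shows the common ESP situation where SPF passes for the bounce domain but is not aligned, so the campaign depends on a DKIM signature with the customer's own domain.

```python
"""SPF evaluation and DMARC alignment for an outbound campaign message.

Added example, not Forfront/e-shot code. DNS answers come from a
constructed table; DKIM verification is out of scope and its result is
passed in.
"""
import ipaddress

# Constructed DNS TXT records (assumption): the sending organisation is
# example.org, and its ESP delivers from mail.example.net's address space.
DNS_TXT = {
    "example.org": ["v=spf1 include:mail.example.net -all"],
    "mail.example.net": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.org"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, source_ip, depth=0):
    """Evaluate the domain's SPF record for source_ip.

    Supports ip4/ip6/include mechanisms and the 'all' terminator; returns
    'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:  # two SPF records is a permanent error
        return "permerror"
    ip = ipaddress.ip_address(source_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            if spf_check(term[len("include:"):], source_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' mechanism present


def parse_dmarc(from_domain):
    """Return the policy tags for the RFC 5322 From domain, or None if absent."""
    recs = [r for r in DNS_TXT.get("_dmarc." + from_domain, []) if r.startswith("v=DMARC1")]
    if not recs:
        return None
    tags = {}
    for item in recs[0].split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = v.strip()
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def org_domain(domain):
    # Assumption: the organisational domain is the last two labels. Real
    # code must use the Public Suffix List (example.co.uk has three).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, mail_from_domain, source_ip, dkim_domain, dkim_pass):
    """Combine SPF and DKIM results with alignment into a DMARC verdict."""
    policy = parse_dmarc(from_domain)
    spf = spf_check(mail_from_domain, source_ip)
    if policy is None:
        return {"dmarc": "none", "action": "deliver", "spf": spf}
    spf_aligned = spf == "pass" and aligned(from_domain, mail_from_domain, policy["aspf"])
    dkim_aligned = bool(dkim_pass) and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_aligned or dkim_aligned:
        return {"dmarc": "pass", "action": "deliver", "spf": spf}
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy["p"], "deliver")
    return {"dmarc": "fail", "action": action, "spf": spf}
```

With the records above, a message from 203.0.113.10 with MAIL FROM at mail.example.net passes SPF, but that domain is not aligned with example.org, so the DMARC verdict rests entirely on a DKIM signature whose d= is exactly example.org (adkim=s); a signature from mail.example.org would fail under the strict setting and the message would be rejected.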
We use sophisticated forensic analytics to identify and monitor external activity.
We use pseudonymisation in e-shot data management and de-identification procedures: personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms.
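What distinguishes pseudonymisation from simply hashing a field is that the mapping back to the person must require additional information held separately, and that an outsider must not be able to rebuild the pseudonym from guesses. The Python below is an added example and does not describe e-shot's own procedure: it replaces PII fields with a keyed, field-scoped HMAC (deterministic, so records can still be linked and de-duplicated), keeps the reverse mapping in a separate vault, and contrasts that with an unkeyed SHA-256 that a dictionary of candidate addresses reverses. The sample record and the in-memory key are constructed; in practice the key would live in a KMS or HSM (assumption).

```python
"""Keyed pseudonymisation of PII fields in a contact record.

Added example, not e-shot's procedure. The record is constructed and the
key is generated inline for illustration only.
"""
import hashlib
import hmac
import secrets

PII_FIELDS = ("email", "name", "phone")

# Constructed sample record (assumption).
SAMPLE = {
    "id": 1042,
    "email": "alice@example.com",
    "name": "Alice Smith",
    "phone": "+44 1632 960000",
    "campaign": "spring-newsletter",
}


def pseudonym(key, field, value):
    """HMAC-SHA256 over 'field:value'. The field prefix stops the same string
    in two different fields (or two datasets) yielding the same pseudonym."""
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return "pseud_" + mac.hexdigest()[:24]


def pseudonymise(record, key, vault, fields=PII_FIELDS):
    """Return a copy with PII fields replaced. 'vault' maps pseudonym -> original
    and must be stored separately from the pseudonymised data."""
    out = dict(record)
    for field in fields:
        if out.get(field) is None:
            continue
        p = pseudonym(key, field, out[field])
        vault[p] = out[field]
        out[field] = p
    return out


def reidentify(record, vault, fields=PII_FIELDS):
    """Reverse the substitution; only a holder of the vault can do this."""
    out = dict(record)
    for field in fields:
        if out.get(field) in vault:
            out[field] = vault[out[field]]
    return out


def unkeyed_hash(value):
    """What NOT to call pseudonymisation: a plain hash of the value."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(target, candidates):
    """Recover a plain-hashed value from a candidate list (e.g. a leaked
    address book) by re-hashing each guess; no key is needed."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == target:
            return candidate
    return None


def demo():
    """Round trip on the sample record with a fresh random key."""
    key = secrets.token_bytes(32)
    vault = {}
    masked = pseudonymise(SAMPLE, key, vault)
    return masked, reidentify(masked, vault) == SAMPLE
```

Because the HMAC key is separate from the data, an attacker who obtains the pseudonymised table cannot run the same dictionary attack that works against the unkeyed hash; rotating the key also breaks linkage between old and new pseudonyms, which is why the vault, not the key, is what re-identification depends on.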
Accounts (and the data within them) are deleted 30-90 days after cancellation.
The e-shot platform is configured to enforce TLS 1.2 encryption (or higher) for all email sent to .gov.uk organisations.
All other email campaigns are sent using opportunistic TLS, which upgrades a plaintext SMTP connection to an encrypted one whenever the receiving server supports it; where the receiving server does not offer TLS, delivery falls back to plaintext.
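The practical difference between the two settings is what happens when the receiving mail server does not offer STARTTLS, or only negotiates an old protocol version: a mandatory policy defers the message, an opportunistic one sends it in the clear. The Python below is an added example of that decision logic, not e-shot's MTA configuration; the mandatory-TLS suffix list (only .gov.uk, since that is what the page names), the TLS 1.2 minimum and the table of what each receiving MX advertises are assumptions, and delivery is simulated with no network access.

```python
"""Per-recipient-domain TLS policy for outbound mail.

Added example, not e-shot's MTA configuration. Outcomes are simulated
from what the receiving server is assumed to advertise.
"""

MANDATORY_TLS_SUFFIXES = (".gov.uk",)  # assumption: the page names only .gov.uk
MIN_TLS_VERSION = (1, 2)               # assumption: matches the page's TLS 1.2 floor


def tls_policy(recipient_domain):
    """'encrypt': TLS required, never fall back to plaintext.
    'may': opportunistic STARTTLS, plaintext if the server offers none."""
    d = recipient_domain.lower().rstrip(".")
    for suffix in MANDATORY_TLS_SUFFIXES:
        # Match the bare domain or a real subdomain, never 'gov.uk.example.com'.
        if d == suffix.lstrip(".") or d.endswith(suffix):
            return "encrypt"
    return "may"


def delivery_decision(recipient_domain, offers_starttls, negotiated=None):
    """Outcome of one delivery attempt.

    negotiated: TLS version tuple the handshake reached, e.g. (1, 3), or
    None when STARTTLS was not offered or the handshake failed.
    """
    policy = tls_policy(recipient_domain)
    if offers_starttls and negotiated is not None and negotiated >= MIN_TLS_VERSION:
        return "sent-tls"
    if policy == "encrypt":
        # Mandatory TLS: queue for retry instead of downgrading.
        return "deferred"
    # Opportunistic TLS falls back to plaintext when STARTTLS is missing or the
    # handshake fails, so an on-path attacker who strips the STARTTLS
    # capability from the server greeting can force an unencrypted delivery.
    return "sent-plaintext"


def plan_campaign(recipient_domains, advertised):
    """Map each domain to its outcome. 'advertised' is a constructed table of
    (offers_starttls, negotiated_version) per receiving MX (assumption)."""
    return {
        domain: delivery_decision(domain, *advertised.get(domain, (False, None)))
        for domain in recipient_domains
    }


def summary(recipient_domains, advertised):
    """Count outcomes so an operator can see how many messages went in clear."""
    counts = {}
    for outcome in plan_campaign(recipient_domains, advertised).values():
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts
```

A deferred .gov.uk message is the intended behaviour: the queue retries until the remote side offers a TLS 1.2+ session, whereas the same condition on a commercial recipient is reported only as a plaintext delivery in the campaign summary.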
Access to data
e-shot offers its clients a variety of protection levels.
User access
Individual users are set up and managed by account administrators.
Standard authentication uses strong, complex passwords that are stored only as one-way hashes, and each user can set themselves up to use multi-factor authentication (MFA).
The account administrator can:
enforce MFA sign-in across the organisation
enable and disable user access
set up MFA for individual users
restrict access to specified IP addresses or IP ranges
enable users to sign in with single sign-on (SSO) using their Microsoft 365 credentials
prompt users to reset their passwords
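The controls above (hashed passwords, organisation-wide or per-user MFA, IP range restriction, disabled accounts and forced password resets) combine into a single sign-in decision. The Python below is an added example of how such a policy check fits together; it is not e-shot's implementation, and the stored-hash format, the user and organisation records, and the MFA result passed in are all assumptions. It uses salted PBKDF2-HMAC-SHA256 with a constant-time comparison, and evaluates the IP restriction before the password so that a source outside the allowed ranges learns nothing about whether the credentials were valid.

```python
"""Sign-in policy check: IP allowlist, hashed password, MFA enforcement.

Added example, not e-shot's implementation. Record layouts and the
password storage format are assumptions.
"""
import hashlib
import hmac
import ipaddress
import os

PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password, iterations=PBKDF2_ITERATIONS, salt=None):
    """Salted, iterated one-way hash stored as 'algo$iterations$salt$digest'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: no timing leak on how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def ip_allowed(client_ip, allowlist):
    """allowlist holds CIDR ranges or single addresses; empty means unrestricted."""
    if not allowlist:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in allowlist)


def sign_in(user, org, password, client_ip, mfa_passed):
    """Return 'ok' or the reason the sign-in is refused or incomplete.

    user: {'password_hash', 'enabled', 'mfa_enrolled', 'must_reset_password'}
    org:  {'ip_allowlist', 'enforce_mfa'}          (both layouts are assumptions)
    """
    # Network restriction first, so a blocked source gets no credential oracle.
    if not ip_allowed(client_ip, org.get("ip_allowlist", [])):
        return "denied: source address not permitted"
    if not user.get("enabled", True):
        return "denied: account disabled"
    if not verify_password(password, user["password_hash"]):
        return "denied: bad credentials"
    if user.get("must_reset_password"):
        return "password reset required"
    # MFA applies when the organisation enforces it or the user enrolled.
    if (org.get("enforce_mfa") or user.get("mfa_enrolled")) and not mfa_passed:
        return "mfa required"
    return "ok"
```

The iteration count is the knob that makes an offline attack on a leaked hash table expensive; it is stored with each hash so it can be raised over time without invalidating existing accounts, and an audit log entry for each non-"ok" outcome is what the administrator's sign-in history view would be built from.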
User privileges (roles) – account administrators set up e-shot users with either a basic read-only role or role-based privileges restricted to the activities their job and responsibilities require.
Audit of user activity – account administrators have access to users’ sign-in history and the main actions they performed.
The e-shot Chief Information Security Officer’s (CISO) team has access to sign-in activity and continuously monitors our environment for unauthorised activity.
API access – protected by TLS 1.2 (or higher) encryption and token-based authorisation.
Internal Security
Forfront and e-shot offices are secured by security access cards and monitored with infrared CCTV.
Forfront employees hold Government Baseline Personnel Security Standard (BPSS) clearance, and access to data is controlled by role-based permissions.
Forfront employees are subject to a strict onboarding process that introduces security policies and awareness from the moment they join the team.
A continuing professional development (CPD) programme maintains that awareness throughout their employment.
External Security – data centres
Forfront uses world-class, accredited data centres and cloud services located in the UK or in UK cloud regions.
All data centres provide round-the-clock physical security, with role-based biometric access control and CCTV.
All hold a broad set of industry-standard accreditations such as ISO 27001 and ISO 9001.
Application security
Access to the sign-in and application pages is protected by
Encryption with TLS 1.2 or above
DDoS protection
All traffic generates security logs
We perform annual penetration testing and improve security with new technology, policies and processes.
Cybersecurity
We deploy a variety of anti-cybercrime measures, including
DDoS protection
DDoS mitigation
Brute force protection
Web Application Firewall
Physical enterprise grade firewalls
Business Continuity
We maintain disaster recovery plans that are reviewed and regularly tested
Infrastructure continuity plan
Regular backups of data, securely kept at multiple UK sites that are sufficiently distant from each other to ensure data is not lost in the event of a disaster
We operate policies for patching internal systems and for change control
We maintain outage logs and incident response policies
e-shot maintains a live service status monitoring page
e-shot uptime in the last 24 months: 99.9483% (99.8315% including scheduled maintenance)
More detailed security information is available on request.