Financial Times Cyber Security Statement
This statement provides an overview of The Financial Times Limited’s approach to cyber security.
Our policies address the handling of personal, sensitive and confidential information. Policies are reviewed and communicated to all staff.
Organisational information security approach & compliance
In addition to information security, our policies cover data protection and the Computer Misuse legislation. We have roles dedicated to cyber security, as well as, legal, compliance and internal audit teams. In order to demonstrate our commitment to Cyber Security to our customers and staff we have achieved UK Cyber Essentials accreditation.
Like many organisations, we use third parties to host or process customer information. We conduct technical due diligence against these third parties for their cyber risks, and ensure our legal agreements with them appropriately address security and data handling. Where personal data will be processed outside the EEA, we ensure appropriate safeguards (such as model clauses) are in place.
Employee security practices
We check our employee’s ID, references, and right to work. Cyber security is covered at employee inductions and training is offered on an ongoing basis, including bespoke training if relevant to the role. We also run phishing tests against staff. Violations of relevant policies could result in HR process enacting disciplinary action, up to and including dismissal.
Physical office & data centre facilities
Our major offices and all data centre facilities we use have entry controls and CCTV at entry/exit points, and we have controls in place to protect our systems from unauthorised access. These data centres are in the UK, EEA, US, Asia.
Documentation & process
We have documented operational procedures and monitoring. Our change control process includes audit trails of changes.
We install anti-virus/malware on laptops and desktops as well as disk encryption on laptops. We install anti-virus/malware on servers that are normally affected. Our policy is to apply critical security patches immediately, and less severe updates within one month on servers, where practical. Our user and system networks are segregated. We deploy Network Intrusion Detection systems, run regular vulnerability scans, proactively scan encrypted connection (Transport Layer Security) configurations, and source code for vulnerabilities. Security logs are collected centrally (Security Event Information Management system).
We encrypt all public system traffic in transit to international standards, and internally for all new systems. It is our policy to encrypt at rest where possible and practical. We dispose of old equipment securely and ethically. We limit access to production environments to only those who need access, and have environments for development, test and production.
We have a standard starters and leavers process. We centrally manage access to many services. We use two-factor authentication wherever possible, especially for administrative access on key systems and for all staff using our remote access VPN. Our users have named accounts, and we prohibit shared users. We log activity and access for audit reasons, and have password complexity and rotation policies in place. Users who have privileged or network access are reviewed on a regular basis and those who no longer need this access are removed.
Security requirements and design are considered for all projects and products, and we follow secure development practices. We have access controls on source code, and access is managed. All releases are tested. Our release checklist includes considering security issues. Where we do store user credentials (passwords) they are hashed. We use a third party to run periodic penetration tests of our systems, and review code, and we follow best application practices (e.g. OWASP Top 10). We also have a bug bounty program to encourage responsible disclosure.
Business & incident management
We have cyber security incident response policies and plans in place. These cover detection, response, and reporting. We also have an 24×7 incident team. We run war-games and retrospectives to improve the process and practices, and our business continuity and disaster plans are regularly tested.