
1.1 Purpose

This Security Policy outlines BrainPayroll UK Ltd.’s overall security posture and practices. Its goal is to establish a unified framework to ensure the confidentiality, integrity, and availability of payroll and personal data, safeguard organizational assets, and comply with legal and regulatory requirements, including ISO 27001, NIST, and UK GDPR.

This policy serves as an umbrella document that references detailed policies on specific security aspects and provides a holistic overview of our security practices. All employees, contractors, and third-party vendors are expected to comply with the principles set out in this policy.

1.2 Scope

This Security Policy applies to all employees, contractors, third-party vendors, and affiliates with access to BrainPayroll UK Ltd.’s systems and data. It covers the protection of sensitive payroll and personal data, access controls, compliance with legal requirements, third-party management, and secure software development practices. All individuals with access are responsible for following the security measures outlined in this policy.

1.3 Governance and Compliance

1.3.1 Security Governance

BrainPayroll follows a top-down approach to security governance, so that information security is embedded in the organization's culture. The AVP IT Infra and Security is responsible for overseeing the execution of security policies and for ensuring compliance with ISO 27001 and UK GDPR.

1.3.2 Legal and Regulatory Compliance

We comply with all applicable data protection regulations and align our practices with recognised security standards, including:

  • UK GDPR for the processing of personal data.
  • ISO 27001 for information security management.
  • Cyber Essentials for baseline technical security controls.
  • The OWASP Top Ten for application security.

All security practices are designed to ensure compliance with these standards and to uphold the privacy and security of personal data.

1.4 Data Security and Privacy

1.4.1 Data Classification and Protection

BrainPayroll classifies data based on its sensitivity and applies appropriate protection measures. Sensitive payroll data is classified as confidential and protected with encryption, access controls, and other security measures.

1.4.2 Data Minimization and Retention

We collect only the minimum amount of personal data necessary for payroll processing and retain it for only as long as needed to fulfil business or legal obligations. Data retention periods are defined and managed according to legal and operational requirements.

1.4.3 Data Processing Agreements (DPA)

We ensure that all third-party service providers who process payroll data are bound by a formal Data Processing Agreement (DPA), supplemented by Standard Contractual Clauses (SCCs) where data is transferred outside the UK, that defines the terms of data handling, security obligations, and liability in case of a breach. These agreements ensure that all data processors comply with the UK GDPR and other regulatory standards.

1.4.4 Data Subject Rights

We respect the rights of data subjects as outlined in the UK GDPR and provide mechanisms for employees and other data subjects to:

  • Access their personal data.
  • Rectify inaccurate data.
  • Erase data when it is no longer required.
  • Restrict processing or object to processing under certain conditions.

Requests are handled in accordance with the applicable legal timelines.

1.4.5 Data Breach Notification

In the event of a personal data breach, BrainPayroll will comply with UK GDPR Articles 33 and 34. Where the breach is likely to result in a risk to individuals, it will be reported to the Information Commissioner's Office (ICO) within 72 hours of BrainPayroll becoming aware of it; where it is likely to result in a high risk to individuals, those affected will be notified without undue delay.

1.5 Access Control

Access control systems are implemented to protect the company’s IT resources and ensure a secure, accessible working environment. These systems perform user identification, authentication, and authorization to verify and grant access based on required credentials, including passwords, PINs, security tokens, or other authentication factors.

Access to confidential, restricted, and protected information is limited to authorized personnel whose job responsibilities necessitate such access. Requests for access permissions, including granting, changing, or revoking access, must be submitted in writing.

Password issuance, strength requirements, and management are controlled through a formal process, with settings for password length, complexity, and expiration enforced through the Windows Active Directory Group Policy and other required tools and technologies.

1.5.1 Role-Based Access Control (RBAC)

BrainPayroll employs Role-Based Access Control (RBAC) to ensure that employees and contractors only have access to payroll data and systems necessary for their roles. Access permissions are regularly reviewed to prevent unauthorized access.

1.5.2 Authentication and Authorization

  • All users are authenticated via unique usernames and complex passwords.
  • Two-factor authentication (2FA) is enforced for access to sensitive systems and data.
  • Password expiration is set to 90 days to mitigate the risk of password compromise.

1.5.3 Access Review and Revocation

Access to payroll systems is reviewed quarterly to ensure that permissions are still required. When employees or contractors leave the organization, their access is promptly revoked to prevent unauthorized access.

1.6 Network and System Security

1.6.1 Network Security

We implement a variety of network security controls to safeguard systems and data, including:

  • Firewalls to filter network traffic and prevent unauthorized access.
  • Intrusion detection and prevention systems (IDS/IPS) to detect and block attacks in progress.
  • Virtual Private Networks (VPN) for secure remote access, protected with 2FA.
  • DDoS Protection through Arbor solutions to mitigate the risk of Distributed Denial of Service attacks for our data centres.

1.6.2 Server Security

  • All servers are hardened and configured to minimize vulnerabilities.
  • Antivirus solutions are deployed at all endpoints and updated regularly.
  • Patch management ensures timely application of security patches to prevent exploitation of known vulnerabilities.
  • MFA is enabled for all production users.

1.6.3 Encryption

  • Payroll data is encrypted at rest and in transit using industry-standard algorithms and protocols: AES for stored data and TLS (the successor to SSL) for data in transit.
  • Encryption key management is handled securely, and access to encryption keys is restricted.

1.6.4 Data Processing Security

Remote Support Team Infrastructure

  • VDI Infrastructure: The support team operates on a UK/EEA-based remote Virtual Desktop Infrastructure (VDI) system and uses SSL VPN. This infrastructure ensures that all work is performed remotely on secure servers, preventing direct data communication between the remote machine and local machines.
  • Secure Communication: Data communication between the remote VDI system and local machines is strictly prohibited. All data transfers are conducted within a secure remote environment to ensure that sensitive information is not exposed to unauthorized access.
  • Multi-Factor Authentication (MFA): The VDI infrastructure, SSL VPN and Email accounts are protected with Multi-Factor Authentication (MFA), which ensures that only authorized personnel can access the system. MFA is a critical security measure to prevent unauthorized access to sensitive data.
  • IP-Based Restrictions: The VDI system uses IP-based restrictions so that only authorized IP addresses, and therefore only authorized locations, can reach the secure environment. At least one of these two controls, MFA or IP-based restriction, must apply to every access path into the VDI environment.
  • Separate VLAN: The support team operates on a dedicated VLAN (Virtual Local Area Network) to isolate their work environment from other departments within the organization. This segregation ensures that there is no unauthorized data communication between different teams or departments.

1.7 Incident Management

1.7.1 Incident Response

BrainPayroll has a formal Incident Management Policy and Data Breach Policy that define how security incidents are identified, reported, and resolved. All employees are trained in how to report security incidents.

1.7.2 Security Logging and Monitoring

We log and monitor all critical system activities to detect suspicious behaviours or potential security threats. Logs are stored with a centralized SIEM solution, retained for 3 years for forensic analysis, and protected from tampering.

Alerts are generated for unusual activities, such as unauthorized access attempts, and are reviewed by the Security teams.

1.8 Vendor and Third-Party Management

1.8.1 Third-Party Security Risk Assessment

All third-party vendors who access payroll data are subject to a thorough security risk assessment. Third-party vendors must meet BrainPayroll's security standards, including data protection requirements and the implementation of appropriate controls.

1.8.2 Third-Party Audits

We conduct regular third-party security audits to verify that our vendors comply with the necessary security standards, including ISO 27001, NIST, UK GDPR and Cyber Essentials.

1.9 Business Continuity and Disaster Recovery

1.9.1 Business Continuity Planning

BrainPayroll maintains a Business Continuity Plan (BCP) to ensure the availability of critical services even in the event of a disaster. The BCP includes procedures for maintaining operational functionality during disruptions.

1.9.2 Disaster Recovery Plan

We have a Disaster Recovery Plan (DRP) to ensure the quick recovery of payroll systems and data in the event of an incident. The DRP is tested at least annually through simulation exercises.

1.9.3 Data Backup

  • Backup Policy: Critical payroll data is backed up regularly and stored offsite in secure locations.
  • Backup Security: Backups are encrypted and protected from unauthorized access.

1.10 Security and Awareness Training

1.10.1 Employee Training

All employees undergo mandatory security awareness training when they join BrainPayroll and annually thereafter. The training includes topics on GDPR compliance, data protection, recognizing phishing attacks, and reporting security incidents.

1.10.2 Secure Coding Training

BrainPayroll follows secure coding practices to minimize vulnerabilities in software development. Developers adhere to industry standards such as OWASP guidelines to prevent common security issues like SQL injection and cross-site scripting (XSS).

Security is integrated throughout the SDLC, with regular code reviews, static and dynamic analysis tools, and penetration testing to identify and fix vulnerabilities. These practices ensure that all payroll applications are secure and compliant with data protection standards.

1.11 Service and Data Availability

BrainPayroll ensures the availability of its critical systems and data through a variety of measures designed to prevent disruptions. This includes the use of multiple internet lines for redundant connectivity, ensuring continuous access to our systems even during outages.

For power reliability, DG sets (Diesel Generators) and UPS (Uninterruptible Power Supply) systems provide backup electricity, enabling uninterrupted service during power failures.

All critical data is stored on RAID disks (Redundant Array of Independent Disks), which provide redundancy and fault tolerance in case of disk failures.

Additionally, data backup is performed regularly, with offsite backups stored securely at our Disaster Recovery (DR) sites, ensuring that data can be recovered quickly in case of system failures, natural disasters, or other emergencies. These measures are continuously tested to ensure high availability and business continuity.

1.12 Secure Software Development Life Cycle (SSDLC)

At BrainPayroll, security is embedded throughout each phase of the Software Development Life Cycle (SDLC) to ensure that applications are developed with the highest security standards. The following outlines our approach to security, from architecture design to monitoring.

1.12.1 Architecture: Threat Modelling of Application Design

  • Threat Modelling: During the architecture and design phase, we conduct thorough threat modelling to identify and address potential security weaknesses in the application design before code is written. This proactive step helps ensure that the design minimizes exposure to attacks such as SQL injection, cross-site scripting (XSS), and other security risks.
  • Design Security: Security requirements are integrated into the architecture, and risk mitigation strategies are applied to reduce vulnerabilities early in the SDLC.

1.12.2 Secure Coding Guidelines

  • Secure Coding Practices: BrainPayroll has established a set of secure coding guidelines to ensure that all code written follows industry security standards. These guidelines help prevent vulnerabilities like buffer overflows, SQL injection, and cross-site scripting (XSS).
  • Developer Training: Developers undergo regular training on writing secure code, keeping them up to date on the latest security practices and the threat landscape.
  • Code Reviews: Regular source code reviews are conducted to ensure adherence to secure coding standards and to identify potential vulnerabilities before the code is deployed.

1.12.3 Testing: Security Test Cases and Penetration Testing

  • Security test cases are developed during the requirement analysis phase and executed during the testing phase. These test cases validate that all security features, such as encryption, authentication, and access control, are implemented correctly.
  • Penetration Testing: Regular penetration testing is performed by internal teams and third-party vendors to simulate real-world attacks and identify security vulnerabilities that could be exploited in the production environment.

1.12.4 Continuous Integration (CI): Automated Security Testing

  • SAST on Build Server: As part of the Continuous Integration (CI) process, Static Application Security Testing (SAST) is performed on the build server to automatically scan code for security vulnerabilities before deployment.
  • Automated and Manual Security Testing: Both automated and manual security tests are executed during the CI process to ensure comprehensive validation of security requirements and the detection of potential vulnerabilities.
  • Endpoint Security: All release packages are scanned using endpoint security (anti-malware) tools during the build process to identify potential threats before they are released to production.

Once deployed, continuous system monitoring is conducted to track system performance and identify any abnormal activity that could indicate a security breach.

1.13 Source Code Security and Management

BrainPayroll implements comprehensive Source Control Security and Management practices to safeguard the integrity, confidentiality, and security of code throughout the development lifecycle. All source code is stored in a secure version control system, with access restricted to authorized personnel only. Key aspects of the management process include:

  • Version Control System: All code is stored in a secure repository with access controlled by role-based permissions.
  • Code Review Process: Every code change is subject to thorough peer review before being merged into the repository.
  • SAST (Static Application Security Testing) Scanning: Code is regularly scanned for security vulnerabilities using SAST tools, which help identify potential weaknesses early in the development process.
    1. Code Scanning: Automated tools are used to scan for security flaws and ensure that all code meets secure coding standards.
    2. Third-Party Vulnerability Scanning: All third-party libraries and dependencies are regularly scanned for known vulnerabilities to prevent introducing security risks.
    3. Secret Scanning: Tools are employed to detect hard-coded secrets (e.g., API keys, passwords) in the source code, ensuring they are removed or replaced with secure alternatives.
  • Branching Strategy: A formalized branching strategy ensures that development, testing, and production environments are isolated and secure.
  • Automated Testing: Security tests are integrated into the CI/CD pipeline, ensuring continuous validation of code quality and security.
  • Backup and Access Control: Regular backups of the source code repository are performed, with strict access control measures to prevent unauthorized changes.
  • Code Audits: Periodic audits are conducted to review security practices and ensure compliance with internal security standards and the industry's best practices.
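
The secret scanning step above is the one most often under-specified. As an added illustration (not BrainPayroll's own tooling), the following Python script shows the shape of such a scanner: a few pattern rules (an AWS access key ID format, a private-key header, and keyword = "literal" assignments), an allowlist for documentation placeholders, a Shannon-entropy check so that low-entropy literals are not reported, and an explicit in-line suppression marker that a reviewer can see. The rule names, the entropy threshold of 3.5 bits per character, the `# nosecret` marker and the sample source file are all this example's own assumptions; the AWS key ID in the sample is the placeholder value used in AWS documentation, not a live credential.

```python
import math
import re
from dataclasses import dataclass

# Rule names, regexes and thresholds below are this example's own choices,
# not the patterns of any particular scanning product.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword = "literal" assignments; the quoted value is captured as group 1
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Values that look like credentials but are documentation or fixture placeholders.
PLACEHOLDERS = {"changeme", "example", "placeholder", "xxxxxxxx", "<redacted>"}


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above identifiers and words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def scan_source(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return one Finding per (line, rule) hit, skipping placeholders and low-entropy values."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "# nosecret" in line:  # explicit, code-reviewable suppression marker (assumed convention)
            continue
        for rule, rx in PATTERNS.items():
            match = rx.search(line)
            if not match:
                continue
            if rule == "generic_assignment":
                value = match.group(1)
                # Placeholder or low-entropy literal: not worth a reviewer's time.
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < entropy_threshold:
                    continue
            findings.append(Finding(line_no, rule, line.strip()[:80]))
    return findings


# Constructed sample file. The AWS key ID is the placeholder value used in AWS documentation.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]      # correct: read from the environment
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"    # hard-coded key id, should be reported
api_key = "changeme"                          # placeholder, should be ignored
smtp_password = "Tr0ub4dor&3xq9Lm2P"          # hard-coded credential, should be reported
token = "aaaaaaaaaaaa"                        # low entropy, should be ignored
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.snippet}")
```

Run against the constructed file, the scanner reports lines 3, 5 and 7 and stays silent on the environment lookup, the placeholder and the low-entropy literal. In a CI pipeline the same function would run over the diff of each pull request and fail the build on any finding, with the suppression marker leaving an auditable trace of every accepted exception.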

1.14 Standard Release Process

The release process at BrainPayroll ensures that all software deployments, whether planned or emergency, are conducted securely and efficiently. We have defined processes for Planned Releases, Emergency Releases, and General Releases, each with its own set of procedures, testing, and approval mechanisms.

1.14.1 Planned Release

  • Regression Testing and QA: Full regression and QA testing are conducted before deployment to ensure functionality and security.
  • Automated Release and Rollback: Releases are automated using CI/CD tools, with rollback procedures in place.
  • Deviation Monitoring: Any deviations from the plan are monitored using the four-eyes policy, ensuring that at least two individuals review and approve changes.
  • Approval Process: Releases are approved by the following stakeholders: Change Manager, QA Team, Infrastructure and Security Team, and Business Stakeholders.

1.14.2 Emergency Release

  • Unplanned Release: Emergency releases are initiated to fix critical production issues that require immediate attention.
  • Approval: Initial release approval may be verbal but must be documented afterwards.
  • Documentation: Release documentation is completed retrospectively.
  • Sanity Checks and Review: Basic sanity checks and a review of the release plan are conducted before applying the fix.
  • Expedited Testing: Expedited and white-box testing is conducted, depending on the urgency of the issue.
  • Root Cause Analysis: After the release, a root cause analysis is performed to prevent similar incidents in the future.

1.14.3 General Release Process Highlights

  • CI Server: All Release Packages are generated by a Continuous Integration (CI) server to ensure the latest code is compiled consistently.
  • QA Approval: Only QA-passed code packages are deployed, with the process halting the release of any untested (QA pending) packages.
  • Automation: The release process is automated through CI/CD tools, ensuring efficient, secure, and consistent deployments.

1.15 Vulnerability Management

BrainPayroll follows a structured approach to Vulnerability Management to address and mitigate security risks based on their severity. Vulnerabilities are categorized using the Common Vulnerability Scoring System (CVSS v3.x base score), and corrective actions are taken according to the resulting priority:

  • Critical (CVSS 9.0-10.0): A corrective action plan is created immediately, with remediation completed within ten working days.
  • High (CVSS 7.0-8.9): A corrective action plan is created within one week, and remediation is completed within four weeks.
  • Medium (CVSS 4.0-6.9): A corrective action plan is created within two weeks, and remediation is completed within eight weeks.
  • Low (CVSS 0.1-3.9) and other vulnerabilities: These are addressed within sixteen weeks, or resolved as staff resources allow.
  • Informational (CVSS 0.0): These findings are addressed as resources allow, without a fixed timeline.
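
To make the SLA arithmetic above concrete, here is an added Python example (not BrainPayroll's own tracking tooling) that maps a CVSS v3.x base score to the policy's band, computes the corrective-plan and remediation due dates for each band, and lists findings that are still open past their remediation date. The finding register is constructed for this example; the working-day calculation for Critical findings assumes Monday-to-Friday working days and does not model UK bank holidays, which a production tracker would need to add.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def severity(cvss: float) -> str:
    """Map a CVSS v3.x base score to the policy's severity band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "Informational"


def add_working_days(start: date, days: int) -> date:
    """Advance by Monday-to-Friday working days. Assumption: UK bank holidays are not modelled."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 are Monday..Friday
            days -= 1
    return current


def deadlines(cvss: float, found_on: date) -> tuple[Optional[date], Optional[date]]:
    """Return (corrective-plan due date, remediation due date); None where no deadline is set."""
    band = severity(cvss)
    if band == "Critical":   # plan immediately, fix within ten working days
        return found_on, add_working_days(found_on, 10)
    if band == "High":       # plan within one week, fix within four weeks
        return found_on + timedelta(weeks=1), found_on + timedelta(weeks=4)
    if band == "Medium":     # plan within two weeks, fix within eight weeks
        return found_on + timedelta(weeks=2), found_on + timedelta(weeks=8)
    if band == "Low":        # fix within sixteen weeks
        return None, found_on + timedelta(weeks=16)
    return None, None        # Informational: no fixed timeline


@dataclass
class Finding:
    ident: str
    cvss: float
    found_on: date
    fixed_on: Optional[date] = None


def overdue(findings: list[Finding], today: date) -> list[str]:
    """Identifiers of findings still open after their remediation due date."""
    late = []
    for f in findings:
        _, fix_due = deadlines(f.cvss, f.found_on)
        if fix_due is not None and f.fixed_on is None and today > fix_due:
            late.append(f.ident)
    return late


# Constructed register; identifiers and dates are illustrative only.
SAMPLE_FINDINGS = [
    Finding("VULN-001", 9.8, date(2025, 1, 6)),                              # Critical, still open
    Finding("VULN-002", 7.5, date(2025, 1, 6), fixed_on=date(2025, 1, 20)),  # High, fixed in time
    Finding("VULN-003", 5.3, date(2025, 1, 6)),                              # Medium, within SLA
    Finding("VULN-004", 0.0, date(2025, 1, 6)),                              # Informational
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.ident, severity(f.cvss), deadlines(f.cvss, f.found_on))
    print("overdue on 2025-02-01:", overdue(SAMPLE_FINDINGS, date(2025, 2, 1)))
```

For a Critical finding raised on Monday 6 January 2025 the remediation date is 20 January (ten working days, two weekends skipped), whereas the four-week High deadline is plain calendar arithmetic. Mixing the two units in one register is where trackers usually go wrong, so the unit is encoded per band rather than as a single "days" column.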

1.16 Policy Enforcement and Review

1.16.1 Policy Enforcement

This Comprehensive Security Policy is enforced through regular audits and reviews. Employees and contractors are required to comply with all aspects of the policy, and non-compliance may result in disciplinary action.

1.16.2 Policy Review

The policy is reviewed annually, and updates are made as necessary to address emerging threats, changes in regulatory requirements, or improvements in security practices.
