This Security Statement is intended to provide a high-level overview of First AML’s security practices.
If you have additional questions, please email these to [email protected].
Compliance and auditing.
First AML is audited every twelve months by the British Standards Institute as part of our ISO27001:2013 certification requirements. First AML complies with relevant privacy legislation within the United Kingdom, New Zealand, Australian, and European countries (GDPR).
First AML has been awarded the privacy trust mark by the New Zealand privacy commissioner. Access to information is restricted to authorised parties who have a legal basis for information access.
For more information, please refer to First AML’s Privacy Statement.
Reliability and availability.
First AML has a Site Reliability Engineering team and On Call engineers to provide 24x7 support for platform issues and incidents. All production systems provide resiliency (providing multi availability zone and regional redundancy for disaster recovery scenarios).
First AML has implemented a Business Continuity and Disaster Recovery programme which is validated throughout the year, including activities intended to reduce platform recovery time. Database snapshots are taken hourly, plus continuous backups with a 5 minute restore granularity to ensure recovery of data with as little data loss as possible. Uploaded files and documents are stored in a versioned write-only manner, with documents continuously replicated to another region to provide regional redundancy for disaster recovery scenarios.
First AML utilises the following AWS regions for delivering its service:
- APAC: primary region: ap-southeast-2 (Sydney) with us-west-2 (Oregon) for disaster recovery scenarios.
- EU: primary region eu-west-1 (Ireland) and eu-central-1 (Frankfurt) for disaster recovery scenarios.
External security testing.
The First AML platform is penetration tested on a quarterly basis by an independent third party.
Data centre security.
First AML production data and systems are hosted in Amazon Web Services (AWS), and physical security is managed by AWS at the Perimeter, Infrastructure, Data and Environmental layers.
More information on AWS Data Centre physical security can be found on the AWS Data Centres site.
Network security.
Network segmentation is applied to prevent guests provided WiFi access to access any resources on the First AML internal network. All public facing production systems utilise firewalls to protect against malicious traffic and requests. Anomalous network activity is automatically identified, logged and will raise alerts 24x7.
Authentication and authorization.
First AML issues employee system access on a least privilege basis, and reviews internal user access on a quarterly basis. First AML Site Reliability Engineers and On Call team are the only staff with access to production AWS systems, controlled by MFA. All production access is audited and logged for review and forensic analysis.
Logging and monitoring.
First AML leverages industry standard tooling to provide 24x7 monitoring of all production systems. Anomalous behaviour and activity is automatically identified and alerted upon. All platform events and activity are securely logged, with up to a year of retention to assist with analysis and forensics. Audit logs for all customer specific platform operations are securely stored for the lifetime of that customer.
Vulnerability management.
All operating systems, dependencies and container images are continuously scanned using best in class tooling, and vulnerabilities addressed in accordance to severity and impact. Developers are made aware of potential vulnerabilities early in the software development life cycle, to ensure remediation early. A database of scanned components provides the ability to identify new and critical zero-day vulnerabilities as soon as they are released.
Human resources security.
First AML employees undergo criminal background and reference checks prior to commencing employment. All employees are required to accept our information security policies. All staff undergo security awareness training including secure development training for our software engineers.
Data security.
All data transmitted and stored via the First AML platform is encrypted both in transit and at rest using the industry standard AES-256 encryption algorithm to encrypt data. All data in transit utilises TLS 1.2+ encryption. Access to customer data is highly secured and audited.
All First AML issued devices have full disk encryption, anti-virus/anti-malware protection and can be remotely wiped. All cloud storage is encrypted, private by default, and is continually monitored for changes in configuration that could expose data.
Office security.
First AML physical offices have restricted entry, protected with badge reader access controls, and security cameras at entry points. All visitors must sign in, be escorted by First AML staff, and are restricted to common areas only. Office work areas are restricted to staff members only, with no visitor access permitted.
Supplier security.
First AML’s suppliers undergo a security and legal review prior to being engaged. Suppliers are monitored on an on-going basis with annual and ad-hoc reviews as required.
Secrets management.
All secrets and sensitive configurations are stored and encrypted in AWS. Only a small subset of senior On Call engineers have the ability to view and modify this information.