
Security
We understand that the security of your data is paramount. As a leading SaaS provider, we are committed to upholding the highest standards of information security, ensuring the confidentiality, integrity, and protection of your and your clients' valuable data within our platform.
This section of our Trust Centre provides an overview of our security posture, outlining the technical, administrative, and physical safeguards we have implemented.
What are Tiller's Technical & Organizational Measures (TOMs)?
Tiller Technologies implements robust Technical and Organizational Measures (TOMs) to ensure the secure and robust operation of its systems and services, and to uphold the security and integrity of the data it manages. As a company that utilizes managed cloud services for hosting its IT infrastructure, systems, services, and data, Tiller employs a comprehensive set of technical safeguards.
These include encryption for data at rest and in transit, such as Blob Storage Account Encryption, SQL Transparent Data Encryption, SSL/TLS, and VPNs. Access controls are meticulously managed through user identification and authentication, role-based access authorization for Tiller Production systems, and stringent password policies, including requirements for length and character sets for both non-user service accounts and user accounts, with MFA also enforced on user accounts.
Network security is layered, including continuous threat detection and monitoring, leveraging Azure's comprehensive suite of security tools. Malware protection is enforced across all servers, desktops, and laptops, with anti-virus, anti-malware and anti-ransomware screening at all levels.
In parallel with technical controls, Tiller maintains strong organizational measures crucial for safeguarding its information assets and services. All Tiller staff are trained on Cyber Security and Data Protection Awareness with refresher training performed every 6 months.
Tiller's risk management policy covers the identification, analysis, treatment, monitoring, and reporting of risks. Furthermore, a structured incident management process defines procedures for the detection, assessment, escalation, and resolution of security incidents (including specific processes for data breaches, denial of service and ransomware incidents).
Change management procedures ensure all modifications to Tiller's systems and services, whether internal or initiated by third-party providers, undergo security risk assessments, formal testing, and approval, with specific penetration security testing performed by independent external security specialists.
How is access control managed?
Tiller Technologies prioritizes robust Access Control as a fundamental element of its defence-in-depth information security strategy, ensuring the confidentiality, integrity, and availability of classified data. This policy applies to all systems, people, and processes within Tiller's information systems. Tiller implements industry-standard best practices, including the principle of "Least Privilege," meaning that the default approach is to assume no access is granted unless explicitly justified by business needs and authorised. This is complemented by the "Need to Know" principle, where access is granted only when necessary to perform a role. This applies to both users and system components. User access management procedures are formally documented and cover the entire lifecycle, from initial registration to final de-registration, with regular reviews of user access rights to ensure their continued appropriateness.
Least Privilege: the default approach taken must be to assume that access is not required, rather than to assume that it is
Need to Know: access is only granted to the information required to perform a role or task, and no more
Need to Use: users or systems will only be able to access physical and logical facilities required for their role
Tiller employs Role-Based Access Control (RBAC) to provision user access rights and permissions to computer systems and data, ensuring they are commensurate with the tasks users are expected to perform. Each user account is unique and associated with a specific individual; generic or shared accounts are prohibited. Privileged access rights, such as administrator-level accounts, are tightly controlled. Multi-factor authentication is also enforced for all user authentication. Furthermore, Tiller enforces a strong password policy. Regular access reviews are conducted by asset and system owners (at least annually) and by the Information Security Manager for privileged access accounts (quarterly), to identify and rectify any non-compliance with the access control policy.

Is sensitive data encrypted and what forms of data encryption are used?
Tiller prioritizes the security of all client data and information assets through the rigorous application of data encryption. All customer data is encrypted while at rest using Transparent Data Encryption (TDE), ensuring that sensitive information is protected even when stored. Our commitment to data protection extends to backups, which are encrypted using AES-256. For data in transit, Tiller utilizes industry-standard protocols, encrypting all data exchanged using Transport Layer Security (TLS) v1.2 or v1.3, both externally and internally.
Our cryptographic policy, guided by ISO/IEC 27001:2022 standards, dictates our approach to the use and ongoing management of encryption techniques. Our encryption framework employs robust key management, where cryptographic keys are protected throughout their entire lifecycle, from generation through secure storage and use. Regular testing, including penetration tests, is conducted to identify any weaknesses and continuously enhance the security of our encryption measures.
Is independent penetration testing performed on your platform and who by?
We maintain a proactive and robust security posture through regular and comprehensive penetration testing of our platforms. These security assessments are a critical component of our commitment to safeguarding information assets and ensuring the resilience of our systems. Our platforms undergo, at minimum, annual penetration testing by an external security specialist organization (Pentest People). This ensures an independent and thorough evaluation of our defences against potential cyber threats.
Pentest People is a highly accredited firm, holding distinguished credentials:
CREST Cyber Security Incident Response (CSIR)
CREST OWASP Verification Standard (OVS) (Level 1 and Level 2)
NCSC CHECK (National Cyber Security Centre) authorization to conduct IT Health Checks (ITHCs) for the government
Approved HM Government G-Cloud Supplier
ISO 27001:2022
ISO 9001:2015
Cyber Essentials Plus
The expertise of their team is further underscored by individual certifications:
CISSP (Certified Information Systems Security Professional)
CEH (Certified Ethical Hacker)
CPSA (CREST Practitioner Security Analyst)
CRT (CREST Registered Penetration Tester)
OSCP (Offensive Security Certified Professional)
The findings from these penetration tests are formally reviewed, and lessons learned are applied to enhance our security measures, ensuring continuous improvement of our defensive capabilities.
How are vulnerabilities managed?
Tiller Technologies maintains a comprehensive Technical Vulnerability Management Policy designed to identify, assess, and remediate technical vulnerabilities across all information systems, including network devices, servers, workstations, mobile devices, operating systems, databases, and applications. This proactive approach ensures the timely and effective mitigation of potential weaknesses that could be exploited by threats. Vulnerabilities are identified through a variety of sources, including regular internal and external vulnerability assessment scans and reports, vendor security advisories, security forums, and incident management processes.
Each identified vulnerability undergoes a thorough assessment to determine its risk level, considering the likelihood of exploitation and potential impact on Tiller’s operations and data. Once assessed, vulnerabilities are prioritized, and appropriate treatment options are applied, which include patching, reconfiguring systems, or hardening configurations by disabling unnecessary services to reduce the attack surface.

Identified issues that require corrective action are managed through a formal nonconformity process. Tiller also conducts continuous monitoring, measurement, analysis, and evaluation of security events and system logs to detect unusual activity that could indicate vulnerabilities or attacks. Furthermore, security awareness training is conducted for all employees every 6 months to enhance their ability to recognize and avoid vulnerabilities.
How are Incidents managed?
We maintain a robust Incident Management framework to effectively detect, respond to, and recover from information security events and incidents, ensuring the protection of information assets and service continuity. Tiller has established a clear Information Security Event Assessment Procedure to distinguish between routine events and those that require escalation to incidents based on criteria such as evidence of malicious intent, high classification level of involved information, or a clear breach of policy. Once an incident is identified, the Information Security Incident Response Procedure is activated, guiding a structured response through stages of detection, detailed analysis, containment to prevent further damage, eradication of the root cause, and recovery to restore normal operations. All actions and decisions are logged throughout this process.

Furthermore, Tiller has developed specialized incident response plans tailored to specific threats, including dedicated procedures for Ransomware, Denial of Service (DoS) attacks, and broader Data Breaches. In the event of a personal data breach, a specific notification procedure is followed to ensure timely communication with relevant supervisory authorities and affected data subjects, in compliance with regulatory requirements such as GDPR. Following the resolution of any incident, a formal post-incident review is conducted to identify lessons learned, implement corrective actions, and continuously enhance Tiller's security controls and incident response capabilities, thereby strengthening our resilience against future threats.
How do you ensure staff are aware of security policies and threats?
Tiller takes staff training on security matters extremely seriously. Our staff are an important part of the company's overall 'security in depth' approach to cyber threats.
All new staff, as part of their induction and every 6 months thereafter, are required to complete full Cyber Security and Data Protection training. In conjunction with the training, staff are also tested on their understanding of cyber threats and their ability to detect and mitigate them.
Staff completion of the training and the results of the tests are tracked and monitored to ensure all staff are fully up to date with their training and can apply it effectively.
Available Supporting Security Documents
The following security-related supporting documentation is available via the request form below.
TTL - ISMS-DOC-05-4 Information Security Policy
TTL - ISMS-DOC-08-1 Supplier Information Security Evaluation Process
TTL - ISMS-DOC-A07-1 Employee Screening Procedure
TTL - ISMS-DOC-A09-1 Access Control Policy
TTL - ISMS-DOC-A09-2 User Access Management Process
TTL - ISMS-DOC-A10-1 Cryptographic Policy
TTL - ISMS-DOC-A12-4 Anti-Malware Policy
TTL - ISMS-DOC-A12-8 Technical Vulnerability Management Policy
TTL - ISMS-DOC-A12-9 Technical Vulnerability Assessment Procedure
TTL - ISMS-DOC-A13-1 Network Security Policy
TTL - ISMS-DOC-A13-5 Electronic Messaging Policy
TTL - ISMS-DOC-A16-1 Information Security Event Assessment Procedure
TTL - ISMS-DOC-A16-2 Information Security Incident Response Procedure
TTL - ISMS-DOC-A16-4 Incident Response Plan Ransomware
Security Documentation Request Form