Security

1) Introduction

This document is a technical Document for RentSpace Technologies Limited. The document is controlled by and is the property of RentSpace Technologies Limited. This version Is Issue 1.

The purpose of this Document is to provide an overview of the Company, the activities it carries out and the quality standards of operation it conforms to. 

  • Technical Requirements
  • Ensure secure and encrypted transactions for deposits and withdrawals.
  • Implement a robust backend system for calculating and storing savings, earnings, and transactions.

HIGH LEVEL SOLUTION

The rental landscape has witnessed a significant transformation with the advent of technology, particularly in the realm of tenant verification. Digital innovations have revolutionized the way landlords and property managers screen potential tenants, 

making the process more efficient, accessible, and reliable than ever before.

Below are some of the latest trends in digital tenant screening:

  • The Digital Revolution: Enhancing Tenant Verification
    The integration of technology has reshaped the tenant verification process, offering numerous advantages over traditional methods. Online application forms have replaced cumbersome paper-based applications, making it easier for applicants to submit their information and for landlords to access and review it quickly. Digital screening allows for automated background checks, enabling landlords to gather comprehensive information about applicants’ credit history, rental references, and criminal records efficiently.
  • Digital Identity Verification: Ensuring Accuracy and Security
    Digital identity verification is a game-changer in tenant screening. Advanced systems can authenticate applicants’ identities by validating their government-issued identification documents and cross-referencing them with reputable databases. 
  • This helps prevent identity fraud and ensures that the individuals applying for a rental property are who they claim to be. Digital identity verification provides a robust layer of security and enhances the accuracy of the tenant verification process.
  • Streamlining the Screening Process with Technology
    Various digital tools and services have emerged to streamline tenant verification. These platforms offer comprehensive solutions, enabling landlords and property managers to efficiently conduct background checks, credit assessments, and employment verifications. By centralizing the process within a user-friendly interface, these tools save time, minimize paperwork, and reduce the risk of errors. Additionally, they often provide customizable screening criteria, allowing landlords to tailor their screening process to their specific requirements.

Testing

  • Conduct thorough testing of all app features to ensure accuracy in earnings

calculation, smooth transactions, and a seamless user experience.

Documentation

  • Create user documentation explaining how to use the app features.
  • Provide customer support resources for any queries related to the app.

3) Registration

RentSpace Technologies Limited provides a savings platform to customers in various sectors.

RentSpace Technologies Limited has a commitment to quality and a formal information security management system (ISMS) that addresses the following areas:

  • Quality & Performance Monitoring / Reviews 
  • Policies & Procedures
  • Managing external relationships with CRM
  • Financial Management (Cash Flow, Balance Sheet, P&L) 
  • Strategic and business planning
  • Human resource development 
  • Service innovation

4.1) DOCUMENTED INFORMATION

4.1.1) Documents

All documents (statement of Intent) are maintained and controlled by the Information Security Officer. 

Policy and procedure documents are reviewed annually. Any documents requiring amendment are updated, authorised, 

and completed. All updates to documents are signed and dated by the Information Security Officer. Documents are re-issued as an electronic PDF document and a limited number of hard copies are produced. Obsolete documents will be

 archived in the Dropbox library and restricted by the Information Security Officer; electronic copies of all past versions are kept. All managers hold responsibility for cascading information to staff.

4.1.2) Records

All project records (evidence of past performance) are stored in appropriate electronic folders on Dropbox, Salesforce CRM, 

and managed by respective departments. Hard copies of documents are restricted to a minimum and should not be produced unnecessarily. Electronic records are encouraged over hard copies due to environmental concerns, available storage space and to prevent unnecessary expenditure.

5) MANAGEMENT COMMITMENT

5.1) Role of Senior Management

RentSpace Technologies Limited’s Senior Management Team are committed to the development and implementation of an Information Security Policy, an Information Security Management System, and to frequently review this system. Responsibility has been assigned to ensure that the ISMS conforms to the requirement of the standard and the provision to report on performance to the senior management team has been defined.

The Information Security Officer will ensure that RentSpace staff are aware of the importance of meeting customer as well as statutory and regulatory requirements, and overall, to contribute to achieving RentSpace Technologies Limited’s Information Security Objectives which are aligned with the current business plan. A separate Information Security Policy document is sent to staff annually.

The Senior Management Team is responsible for implementing the ISMS and ensuring the system is understood and complied with at all levels of the organisation. They are responsible for ensuring that;

  • The information security policy and objectives are established and in line with the strategic direction of the organisation
  • Integration of the ISMS into the organisations processes. 
  • That resources needed for the ISMS are available
  • Communication covering the importance of effective information security management and conformance to the ISMS requirements is in place.
  • The ISMS achieves its intended outcome(s)
  • The contribution of persons involved in the effectiveness of the ISMS by direction and support. 
  • Continual investment is promoted
  • Othermanagementroles within their area of responsibility are supported.

An internal audit of procedures and policies is conducted annually in June. A review of the Information Security Objectives takes place in April. In addition achievement of the quality objectives are measured against quarterly targets 

set in 

relation to the business plan. Staff contribution towards the Information Security Objectives is measured in supervision and documented annual appraisals in September.

6) ISMS POLICY

6.1) Introduction

This describes the company’s corporate approach to Information Security and details how we address our responsibilities in relation to this vital area of our business. As a company we are committed to satisfy applicable requirements related to information security.

Information Security is the responsibility of all members of staff, not just the senior management team, and as such all staff should retain an awareness of this policy and its contents and demonstrate a practical application of the key objectives where appropriate in their daily duties.

We also make the details of our policy known to all other interested parties including external parties where appropriate and determine the need for communication and by what methods relevant to the information security management system. These include but not limited to customers and clients and their requirements are documented in contracts, purchase orders and specifications etc.

Verification of compliance with the policy will be verified by a continuous programme of internal audits.

6.2Scope 

The scope relates to use of the database and computer systems operated by the company at its office in Ikeja, Lagos, in pursuit of the company’s business of providing software as a service across all markets. It also relates where appropriate to external risk sources including functions which are outsourced.

Integration – we maintain a number of flow charts which illustrate key business activities and their correspondence to ISMS requirements.

6.3Legal and Regulatory Obligations

The scope of this policy relates to legislation outlined in the ISO27001 manual.

6.4Roles and Responsibilities

Our Information Security Manager (This role is carried out by our designated Technical Manager) is responsible for randomly sampling records to ensure that all required data has been captured, and that data is accurate and complete.

It is the responsibility of all staff to ensure that all data is treated with the utmost confidentiality, and that no data is given out without the prior authority of any person affected.

6.5Strategic Approach and Principles

6.5.1) Information Classification

All staff have access to the data stored on our Office environment and this is structured to have different access and permission levels. Data retrieved from the preformatted forms completed on the web site are automatically attached to the correct fields.

6.5.2) Access Control / Company Passwords

User Accounts are partitioned by access level. With senior management having wider permissions than other employees. There are specifically privileged accounts and therefore there is potential reason for anyone to desire access to another persons account.

Passwords MUST NOT be written down either on paper or retained electronically. Passwords will be changed on a 45 day basis and the last twenty passwords may not be reused.

Passwords should be no less than 8 characters in length and consist of both numbers, letters and a special character.

6.5.3) Incident Management

Any and all incidents must be reported immediately in the first instance to the Technical Manager who also fulfils the role of Information Security Manager.

6.5.4Physical Security

The office building is also manned 24/7 by security personnel or reception staff accordingly.

6.5.5) Thirdparty Access

Access to records is available to only those authorised to view the individual records.

6.6Business Continuity Management

Our telephone system is a hosted IP based one. We use different broadband service providers, so in the event of a failure, we can easily switch to the other provider.

We have an automated backup process, which backs up customer data to multiple data centres across the globe.

6.7Approach to Risk Management

We have carried out a full risk assessment of the potential for a breach of security as documented within our separate Risk Assessment Document.

We aim to reduce all opportunities for data to be compromised. This includes the possibility of theft of data.

6.7.1) Action in the event of a policy breach.

Access to internal and customer systems is centrally controlled and removal of access to the system is a simple procedure, which is controlled by the Information Security Manager or by the Head of Customer Services at the request of the Information Security Manager.

Similarly access to the premises is also controlled by the Information Security Manager. 

Immediately a policy breach has been detected any relevant user is either removed or reset depending upon the most appropriate action in the circumstances.

6.8) Information Security Objectives

Our objectives are set out in our business plan2018-2020 and arethen disseminated to each department/project for incorporation into their management roles. 

Each department is responsible for delivering its objectives and this is monitored via individual, appraisals & team meetings. RentSpace Technologies Limited’s Quality Objectives are as follows:

Objective 1: Existing services -We will continue to deliver its services withina secure environment.

Objective 2: Development – We will conduct annual risk assessments to ensure that risk to information in our care is minimised or eliminated.

6.9Responsibility, authority and communication

The management structure of RentSpace Technologies Limited is shown as an organisation chart.  the chart shows functional relationships and responsibilities.

6.9.1) Management Representative

The InformationSecurity Officer is responsible for the maintenance, measurement and review of our Information Security Management System. The Information Security Officer will ensure that the processes needed for 

the Information Security Management System are established, implemented and maintained within RentSpace Technologies Limited.

 In addition he/she will report to Senior Management about system performance.

6.9.2) Internal Communications

Senior Management utilise  RentSpace Technologies Limited’s internal communications framework in order to distribute information about the effectiveness of the Information Security Management System.

Regular security meetings are held internally to discuss appropriate items. We also makes use of google mail and calendar to ensure staff can be notified instantly when in the office or on the move.

6.9.3) Implementation

Following the annual audit, results will be collated and disseminated through our internal communications framework:

6.10) Management Review

6.10.1) General

Senior Management ensures:

  • That the ongoing activities of RentSpace Technologies are reviewed regularly and that any required corrective action is adequately implemented and reviewed to establish an effective preventative process.
  •  That internal audits are conducted regularly to review progress and assist in the investment of processes

& procedures. The reviews will be discussed as part our SMT meetings.

6.11) Review Input

The weekly Security Group meetings review the following information:

  • Risk management and the status of risk assessments and treatment plan 
  • Monitoring and measuring of results including internal audits
  • Fulfilment of information security objectives 
  • Serious untoward incidents
  • Status of preventive, non conformances and corrective actions 
  •  Follow up actions from previous management reviews
  • Changes in external and internal issues that are relevant to the ISMS 
  • Recommendations / opportunities for continual investments.
  • Feedback from interested parties

6.11.1) Implementation

  • Meetings are scheduled
  • Asuggested agenda is prepared by the chair 
  •  Members invited to add items to the agenda  
  • Agenda is circulated to members
  • Meeting take place and actions defined
  • Meetings are minuted by a designated staff member 
  •  Minutes are approved by Chair
  • Minutes are circulated amongst members
  • Completion of actions is reviewed at the next meeting.

6.12 Review Output

The Security Group reviews produce the following outputs:

  • Policies and procedures are updated to make operations more efficient
  • Operations and services are improved through measurement against targets and actions to improve or rectify specific areas.
  • Where resources are lacking actions are put in place to rectify this.

6.12.1) Implementation

  • Corrective actions are identified 
  • Targets created
  • Improvements actioned
  • Situation re-evaluated at a specified later date.

7) PROVISION OF RESOURCES

We will provide all the resources needed to implement and maintain the Information Security Management System

 and improve effectiveness of the system. We will also ensure that the resources needed to enhance the satisfaction and requirements of service users, service commissioners and staff are identified and in place through audit and continual review.

7.1 Human Resources General

7.1.1 Competence, Awareness & Training

We maintain a detailed Training Matrix demonstrating who has received what training and when.

7.2 Infrastructure

RentSpace Technologies Limited’s buildings, workspace, and associated utilities are properly managed. The procurement and management of hardware, software and supporting services such as communication and information systems are coordinated by various members of the technical team.

We maintain a detailed asset register, including serial numbers, description and location or person to whom assigned.

7.2.1 Implementation

Buildings, workspace and associated utilities requirements are regularly reviewed to ensure we make efficient use of

office space. 

Both hardware and software is reviewed on an ongoing bases to ensure that head office staff are equipped with fit for purpose IT equipment and software.

IT systems are maintained and serviced internally an external IT company in conjunction with the office manager.

Head office prepares and distributes a wide range of information including Management Accounts, Management & Performance information & Training updates.

8) RISK ASSESSMENT METHODOLOGY

We have identified the following process as a means of conducting regular risk assessments relating to 

Information Security Issues.

Within each of these areas the risks (if any) are identified together with a rating as to the importance of the risk. 

The associated consequence or severity of the risk is also rated together with the probable likelihood of the risk occurring.

We use an Excel spreadsheet to collect and analyse the risks identified in the following assets / asset groups :

  • Buildings, offices, secure rooms security
  • Hardware– desktops
  • Laptops, removable media  
  • Software applications
  • Infrastructure/ servers
  • Client information and data  
  • Paper records
  • People and reputation 
  • Key contacts
  • Critical third party suppliers  
  • Utilities

All typical / likely threats have been assessed based on their potential effects on Confidentiality, Integrity and Availability (CIA attributes) using a ratings scale of;

Very Low – 1, Low – 2, Medium – 3, High 4 and Very high – 5 and expressed across key areas of Vulnerability,

 Probability and Impact

Following this analysis evaluations are drawn as to what the most appropriate action is together with the estimated cost of implementing action to address the identified issue and an estimate of the cost of ignoring the risk. Key evaluation criteria use is 

1 – Accept risk, 2 – Apply controls, 3 – Avoid risk, 4 – Transfer the risk.

8 .1) Risk Treatment Plan – Statement of Applicability

The approach to our risk treatment plan has been designed and implemented using the main headings within the standard as a guide to establish that all controls required have been considered and that there are no omissions.

The document identifies controls to mitigate risks following the process of identification, analysis and evaluation 

and is directly linked to the aspects of the organisation.

This document is kept digitally on Dropbox.

9) MEASUREMENT, ANALYSIS & IMPROVEMENT

9.1) Information Security Standards

In all our services there are a specific set of quality measurements developed to be used to audit each service to enable a purchaser to be assured of the quality of delivery.

Service Level Agreements  are used to identify the areas of a contract that will be measured and monitored.

9.2) Implementation

We review our performance as part of a continuous review of Management Information. These reports help us to assess whether we are meeting our performance targets and provide us with month on month business performance benchmarking information. RentSpace Technologies conducts annual audits, and provides quarterly reports to the Board of Trustees.

All security and implementation matters are reported by the Security Group to the Board, reviewed accordingly and implementation is planned by the Technical Manager.

 9.3) Implementation

The data is collected by the Information Security team and submitted to the Research Department. Data is monitored.

 9.4) Continual Improvement

Through the use of the quality policy, quality objectives, audit results, analysis of data, corrective and preventive measures are taken.

9.5) Corrective Action and Improvement

Both these areas are reviewed within the agenda for the Management Review meetings and typically cover the themes which may be evident.

In terms of continual improvement, we also review the suitability, adequacy and effectiveness of our ISMS.

9.6) Preventative Action

nonconformities can be introduced, documented and seen through till completion to address the initial problem. 

However, RentSpace  also uses internal and external audits and risk assessments to continuously

 improve its service delivery, financial, HR, and operational functions.