Appendix 2: Information Security Technical and Organisational Measures
The Radius group adopts a best-practice approach to Data Protection, following guidance from the ICO and aligning itself with the principles of current Data Protection Legislation and Regulation. Since 2014 we have invested heavily in new IT Infrastructure and key personnel as we worked towards the ISO 27001 standard for Information Security Management, with support and advice from a prominent Information Security (IS) consultancy. In February 2018 we achieved ISO 27001 certification. In January 2018 we also passed re-assessment for Cyber Essentials Plus certification.
The following is a structured synopsis of the Information Security Technical and Organisational Measures we have adopted, framed around the ISO 27001 standard for an Information Security Management System (ISMS):
Management – Radius management recognises that the information the organisation handles must be treated with appropriate care (whether that information is owned by the organisation, by its clients, or by users of the services it provides), and is committed to preserving its Confidentiality, Integrity and Availability.
Information Security Policy – There is a complete IS Policy set, comprising an Overarching IS Policy with an Executive Statement and defined Objectives; Primary IS sub-Policies that apply to all workers; Secondary IS sub-Policies that apply to some workers; and Reference IS sub-Policy documents for general guidance.
Organisation of Information Security – The ISMS is managed by a team comprising an IS Officer, an IS Auditor and an IS Analyst, reporting directly to the Board – IS considerations are a mandatory requirement of all new project work.
Human Resource Security – All staff are screened to the BPSS (Baseline Personnel Security Standard), with key staff also DBS (Disclosure and Barring Service) checked – Formal Starter/Mover/Leaver and Disciplinary processes are in place – IS Training and Awareness is mandatory for all workers and is delivered through a mainstream Learning Management System.
Asset Management – Three Data Classification levels are defined, each with appropriate handling guidelines – Information assets are recorded and managed in a master Asset Register that records assigned owners and locations – Assets no longer required are securely disposed of through WEEE-registered processors.
Access Control – All users are issued a standard user account comprising an ID and password – Administrators are issued an additional, separate account with elevated privileges for administrative tasks – Two-Factor Authentication is increasingly adopted across the estate – User accounts are recertified frequently, with some account reviews carried out monthly.
Cryptography – The use of cryptography is a rapidly evolving and growing aspect of the business, with cryptographic keys managed centrally.
Physical and Environmental Security – All Data Centres are hosted in environments with strict physical security measures – Several offices, including the HQ, have proximity ID card based Access Control, which is being deployed to all offices – The same applies to CCTV and ANPR coverage – Monthly Clear Desk sweeps of offices are carried out.
Operations Security – IT teams follow ITIL principles – Change management is controlled by a Change Advisory Board (CAB) process – Production environments are separated from Development and Test environments – Every user endpoint is encrypted and has anti-malware protection – All systems are NTP synchronised – Logs are retained for 12 months – Software is deployed, patched and managed centrally – Vulnerability Assessments are carried out weekly.
Communications Security – Networks are segregated, with DMZs in place – Information Transfer processes are in place – Email is double-filtered in the cloud – Non-Disclosure Agreements (NDAs) are in place as required.
Systems Acquisition, Development and Maintenance – Information Security is an embedded part of the Security by Design principles adopted, with Data Protection Impact Assessments (DPIAs) carried out by the Project Management Office for all mandated changes – Several Development Environments are used – All changes are tested by an internal Testing team – Independent Penetration Testing and Vulnerability Assessments are carried out on externally exposed applications.
Supplier Relationships – Suppliers are risk-assessed on their interaction with Radius data and systems – Compliance monitoring is ongoing – Contracts, Agreements and NDAs are being reviewed in line with GDPR requirements.
Information Security Incident Management – Incident reporting is managed through a Register with a Secure Evidence Repository – Various automated monitoring tools are in place – The Data Breach Reporting process is supplemented with a third-party Data Breach response service from a prominent UK Information Security consultancy.
Information Security aspects of Business Continuity Management – A Business Continuity Plan is in place and was successfully invoked twice in 2017 – Disaster Recovery Plans are defined for all key systems – A test schedule is being formalised.
Compliance – All relevant Legislation and Regulation has been identified and acted on – DPIAs are carried out in line with GDPR – Independent Penetration Testing is carried out – The ISMS is independently assessed – A Management IS Forum provides internal review of the ISMS.