Security
How Do We Keep Your Data Safe?
At Employeeconnect the security of your data is paramount. We adhere to the ISO 27001 framework, which ensures a systematic approach to managing sensitive company information, guaranteeing its confidentiality, integrity, and availability. This page outlines our comprehensive security practices, including our utilisation of Azure data centres and the detailed policies and controls we have implemented.
- Governance and Risk Management
1.1 Information Security Management System (ISMS)
Our ISMS is the cornerstone of our security strategy, based on the ISO 27001 standard. It provides a structured approach to managing information security risks and ensures continuous improvement in our security practices.
- Leadership and Commitment:
- Our senior management is fully committed to the ISMS, ensuring that adequate resources are allocated for its implementation and maintenance. Regular management reviews are conducted to assess its effectiveness and alignment with business objectives.
- Scope of ISMS:
- The scope of our ISMS covers all information assets, including data, people, processes, and technology, across all locations and departments.
1.2 Risk Assessment and Treatment
- Risk Identification:
- We conduct comprehensive risk assessments to identify potential threats and vulnerabilities to our information assets. This includes identifying both external and internal risks that could impact the confidentiality, integrity, and availability of data.
- Risk Evaluation:
- Risks are evaluated based on their likelihood and potential impact. We use a risk matrix to prioritise risks, ensuring that the most significant threats are addressed promptly.
- Risk Treatment Plan:
- For each identified risk, we develop a treatment plan that includes implementing appropriate controls, accepting the risk, transferring it, or mitigating it through alternative measures.
- Residual Risk Management:
- After implementing controls, residual risks are reassessed to ensure they fall within acceptable levels. Ongoing monitoring and review processes ensure that risk management remains effective over time.
- Azure Data Centre Security
2.1 Physical Security
- Data Centre Locations:
- Azure data centres are strategically located worldwide, offering geographical redundancy. Each location is equipped with state-of-the-art physical security measures, including perimeter fencing, security guards, biometric access controls, and video surveillance.
- Environmental Controls:
- The data centres are designed to be resilient against environmental threats. This includes fire suppression systems, advanced cooling systems, and redundant power supplies to ensure continuous operation even during extreme conditions.
2.2 Network and System Security
- Network Segmentation:
- Azure employs network segmentation to isolate critical systems and limit the spread of potential attacks. This ensures that even if one segment is compromised, others remain secure.
- Intrusion Detection and Prevention:
- Continuous monitoring and advanced intrusion detection systems are in place to identify and prevent unauthorised access. Any suspicious activity is flagged and responded to in real-time.
- Encryption Protocols:
- All data stored within Azure is encrypted using industry-leading encryption standards. Data in transit is secured using TLS encryption to prevent interception and unauthorised access.
2.3 Compliance and Auditing
- Third-Party Audits:
- Azure undergoes regular third-party audits to verify compliance with global standards such as ISO 27001, SOC 1/2/3, and GDPR. These audits provide independent assurance of Azure’s security posture.
- Internal Audits:
- We conduct regular internal audits to ensure our own adherence to security policies and controls. Any non-conformities are addressed promptly through corrective actions.
- Access Control and User Management
3.1 Access Control Policy
- Role-Based Access Control (RBAC):
- Access to information and systems is granted based on the principle of least privilege. Employees are provided with the minimum level of access necessary to perform their job functions.
- Authentication Mechanisms:
- Multi-factor authentication (MFA) is mandatory for all access to critical systems. This adds an additional layer of security by requiring multiple forms of verification.
- Access Reviews:
- Regular access reviews are conducted to ensure that permissions remain aligned with employees’ roles. Any unnecessary access rights are promptly revoked.
3.2 User Management
- Onboarding and Offboarding Processes:
- Access controls are tightly integrated with our HR processes. New employees are granted access based on their roles, and all access is immediately revoked upon termination or role change.
- Monitoring and Logging:
- All access to sensitive data and systems is logged and monitored. Logs are regularly reviewed for suspicious activity, and alerts are generated for any unauthorised access attempts.
- Asset Management
4.1 Asset Inventory
- Comprehensive Asset List:
- We maintain a detailed inventory of all information assets, including hardware, software, data, and personnel. Each asset is classified based on its sensitivity and criticality to business operations.
- Ownership and Responsibility:
- Each asset is assigned an owner responsible for its security. Asset owners are accountable for implementing and maintaining appropriate security controls.
4.2 Asset Classification and Handling
- Data Classification Policy:
- Data is classified into categories such as public, internal, confidential, and restricted. Each classification level has specific handling requirements to ensure that data is appropriately protected.
- Data Lifecycle Management:
- We have established processes for data creation, storage, use, sharing, and destruction. These processes ensure that data is managed securely throughout its lifecycle.
- Information Security Incident Management
5.1 Incident Response Plan
- Incident Detection:
- We utilise advanced monitoring tools to detect potential security incidents in real-time. These tools are configured to alert our security team immediately upon detection of any suspicious activity.
- Incident Reporting:
- Employees are trained to recognise and report security incidents promptly. A formal reporting mechanism is in place to ensure that incidents are documented and escalated as necessary.
5.2 Incident Handling and Resolution
- Incident Response Team:
- Our dedicated incident response team is responsible for managing and resolving security incidents. The team follows a structured process to contain, eradicate, and recover from incidents.
- Post-Incident Review:
- After an incident is resolved, a thorough post-incident review is conducted to identify root causes and lessons learned. This information is used to improve our security posture and prevent future incidents.
- Compliance and Legal Requirements
6.1 Regulatory Compliance
- GDPR Compliance:
- We are fully compliant with GDPR, ensuring that personal data is processed lawfully, fairly, and transparently. We have implemented processes to uphold data subject rights and to manage data breaches in accordance with regulatory requirements.
- Industry-Specific Regulations:
- In addition to GDPR, we comply with other relevant industry regulations, such as HIPAA for healthcare data and PCI-DSS for payment card data. Compliance is achieved through rigorous internal controls and regular audits.
6.2 Internal Compliance Audits
- Audit Programme:
- We have established an internal audit programme to regularly assess our compliance with the ISO 27001 standard and other relevant regulations. The audit programme includes both scheduled and ad-hoc audits to ensure continuous compliance.
- Corrective Actions:
- Any non-compliance identified during audits is addressed through a structured corrective action process. This includes identifying the root cause, implementing corrective measures, and verifying their effectiveness.
- Continuous Improvement
7.1 Monitoring and Review
- Security Performance Monitoring:
- We continuously monitor our security performance against established metrics and key performance indicators (KPIs). This includes tracking the effectiveness of security controls and the frequency of security incidents.
- Management Reviews:
- Regular management reviews are conducted to assess the overall performance of the ISMS. These reviews consider audit results, incident reports, and the effectiveness of risk treatment plans.
7.2 Security Awareness and Training
- Employee Training:
- All employees undergo mandatory security training upon joining the company, with regular refresher courses provided. Training covers topics such as phishing awareness, secure data handling, and incident reporting.
- Security Culture:
- We foster a culture of security awareness throughout the organisation. Employees are encouraged to take an active role in protecting company assets and to report any security concerns.
- We foster a culture of security awareness throughout the organisation. Employees are encouraged to take an active role in protecting company assets and to report any security concerns.
We are deeply committed to protecting your data. By leveraging the advanced security features of Azure and adhering to the ISO 27001 framework, we ensure that your information is safeguarded against current and emerging threats. Our comprehensive approach to information security includes rigorous risk management, robust access controls, continuous monitoring, and a commitment to compliance and continuous improvement. Should you have any questions or require more information about our security practices, please contact us.