Data Security
Overview
Conforming to ISO 27001
ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a set of security controls, objectives and activities to help organisations reduce the risk of data breaches and other security incidents.
ISO 27001 is currently the most widely adopted international Information Security standard and is used by organisations all over the world.
Precision Group’s ISO 27001 certification ensures our Information Security Management System is up to date and complies with current best practices.
We are PCI DSS Compliant
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.
Precision is PCI DSS compliant, with regular penetration testing conducted by a certified PCI penetration tester (ASV certified by the PCI Security Standards Council via Serverscan). The attestation of compliance for penetration testing is available on request.
While specific data security protocols may vary slightly client to client based on individual requirements, the following summary provides an overview of some of the ways we protect client data, specifically PII (Personally Identifiable Information).
- Build and maintain a secure network and systems
  - Install and maintain network security controls
    - Sophos Firewall, proxy, monitoring and logging on systems on the network.
  - Apply secure configurations to all system components
    - Configurations are regularly reviewed to ensure they are sufficient.
- Protect client data
  - Protect client data with strong cryptography during transmission
    - Data traffic is fully encrypted (SHA-256 with RSA).
    - Data storage drives are encrypted at rest with AES-256 encryption.
    - Access to data is limited by permission-based access controls.
    - Automated data retention/destruction.
- Maintain a vulnerability management program
  - Protect all systems and networks from malicious software.
  - Develop and maintain secure systems software.
    - Data security training completed for all employees to conform to ISO 27001 (people are the weakest link in any security scenario).
    - Systems are protected with a Sophos Firewall, which is capable of deep packet inspection.
    - Workstations are protected with Bitdefender.
    - Specialized Sophos router.
    - Internal penetration testing performed (Kali Linux) to ensure network security is tested and maintained.
- Implement strong access control measures
  - Restrict access to system components and customer data on a need-to-know basis.
  - Identify users and authenticate access to system components.
    - All activity and movements across systems are logged at the user level.
    - Access and permission controls are employed: users can only access what they need to access.
  - Physical access controls.
    - The server room is locked, with access limited to key IT and senior management staff.
    - Premises are fully secure, with a swipe card system currently being implemented.
    - CCTV cameras are deployed throughout the site.
    - Physical forms are stored in a secure locked area.
    - The site is secured with an alarm system, monitored 24/7.
    - Visitor Management System.
- Regularly monitor and test networks
  - Log and monitor all access to system components and client data.
  - Test the security of systems and networks regularly.
- Maintain an information security policy
  - ISO 27001 – Information Security Management System.
  - PCI DSS compliant.
  - Support information security and organizational policies and programs.
    - Constantly updated to comply with PCI DSS and ISO 27001.
    - ISMS policies and procedures are accessible to all staff members via the intranet.

Key takeaway points:
- Secure Sophos firewall, with Bitdefender on workstations.
- Policies and configurations are regularly reviewed and updated.
- Information security policies are accessible to all staff.
- Data security training is performed for all employees; people are the weakest link in every security scenario.
- All traffic is encrypted, and data is stored on drives that are encrypted at rest.
- Access and permissions are controlled at the user level.
- Activity across systems is logged at the user level.
- Automated data retention/destruction.
- Regular PCI penetration testing by a certified PCI penetration tester (ASV certified by the PCI Security Standards Council via Serverscan).
- Internal penetration testing was conducted (Kali Linux).
- Physical security controls throughout the site.
Individual policies are available upon request.