Information is the most important asset for any organisation. Without suitable protection, this information can be compromised and become a risk to the business and reputation of Secure. Being a responsible business, we are committed to maintaining the integrity of this information through technology, processes, and policies and are constantly alert to take prompt actions in the event of any actual threat, or suspected breaches of security or confidentiality.
Secure is committed to ensuring the utmost confidentiality, integrity and availability of personal and business sensitive data that is supplied, generated or maintained by employees, suppliers, and customers. By implementing robust security processes and infrastructure, Secure ensures:
- organisation security with an appropriate level of access control and privileges for all information assets;
- information security through timely availability, accuracy and accessibility of data and information, safeguarding where necessary against inappropriate disclosure;
- system security mechanisms for protective monitoring of events and managing any deviations from the steady state of operation;
- no single point of vulnerability by having anomaly detection mechanisms that detect attempts to compromise and attack;
- data privacy and confidentiality of personal information through lawful, fair and transparent practices, complying with the applicable data protection laws, including GDPR.
Secure’s information security management system has been built around the following set of security goals:
- establish an IT Security Infrastructure that prevents, detects and disrupts both internal and external attacks and breaches at the earliest opportunity, while minimising the business impact;
- implement security practices that ensure the integrity and confidentiality of our business data and allow us to comply with SEC Section-G, NCSC, GDPR and ISO 27001 security standards;
- continuously enhance IT Network Infrastructure to help achieve service availability while improving the reliability of IT systems and ensuring increased capacity utilisation;
- have risk and business continuity management systems that help to minimise disruption to business and customer services from IT failures.
Every Semsite is committed to safeguarding the security and privacy of all such information by:
- abiding by the information security management processes and understanding their own responsibilities for protecting the confidentiality and integrity of the data that they handle as a part of performing their role;
- ensuring that any data or other confidential information provided by suppliers or partners is maintained in a manner that respects the legal and contractual obligations, as per the defined privileges;
- reporting any information security breach or possible compromise of information to someone who shall initiate immediate action to prevent further compromise or loss;
- being aware that violation of the policy could result in action that may include, but is not limited to, suspension, termination, civil and/or criminal prosecution or any other disciplinary action.
The information management system of Secure is built around some overarching guiding principles:
- Secure shall design, operate and maintain a robust, secure and resilient IT infrastructure, protected through appropriate network controls and security mechanisms, to continuously improve in a cost-effective manner.
- Information assets shall be uniquely identified, classified, labelled, accounted for and kept up to date. Any movement or disposal of these assets shall be in accordance with a process that ensures the information content is not compromised in any way.
- Systems, services, assets, facilities, business applications and tools used in Secure shall be protected by authentication mechanisms that help prevent unauthorised access, and the disclosure, modification, removal or destruction of information stored on any of the available media. A standard for the creation of strong passwords, the protection of those passwords, and the frequency of change, shall be established to protect network, systems and devices from unauthorised intrusion.
- Technology and management processes shall be put in place to safeguard and protect the privacy of any business sensitive or personal data required to operate and carry out the functions of the company.
- Any likelihood of a negative event impacting the business operations shall be managed through a clear and proactive risk management framework that will help identify threats and vulnerabilities at the earliest opportunity so that they can be treated in a timely manner.
- Secure shall be prepared to handle risks and business interruptions by defining and implementing business continuity plans, protective monitoring and disaster recovery mechanisms that will help to minimise the impact and ensure recovery of critical IT systems and applications.
- Service quality and availability shall be maintained with timely solutions to incidents that minimise their adverse impact on business operations and restore normal service operation as quickly as practicable.
- Sensitive and confidential data exchanged or generated as a result of business transactions or business operations shall be encrypted, both in transit and at rest, in compliance with applicable customer, legal and regulatory requirements.
- Information assets shall be safeguarded using backup procedures and mechanisms to prevent the loss of data and enable timely restoration of business processes in the case of an accidental deletion or corruption of data, system failure, or disaster.
- Retention periods for data within systems owned by Secure, and for which Secure is responsible, shall be defined to meet the needs of the business, while complying with statutory and legal requirements.
- Information processing facilities, the periphery of the organisation / sensitive areas and equipment shall be secured using entry controls and authentication mechanisms, to prevent unauthorised access and protect against any physical or environmental threat, or civil unrest.
- Employees shall be made aware of email and internet usage norms, anti-malware policies and their responsibilities when sending, transmitting or distributing proprietary information, data or other confidential secure information, so that these are not compromised.
- Secure will maintain overall control and visibility of security aspects of assets accessed, processed or managed by suppliers, through implementation of agreements and regular monitoring of compliance with security requirements, to protect and respect privacy and confidentiality through lawful, fair and transparent practices.
To exercise effective information security and compliance, a governance structure has been put in place that reviews the progress and implementation of IT security programs and provides support in:
- making decisions;
- implementing decisions;
- resolving conflicts;
- providing clarity;
- keeping the program on schedule.