Security practices are designed to ensure that:
- Information is protected against unauthorised access and unauthorised disclosure.
- Integrity of information shall be maintained.
- Business requirements for the availability of information and systems will be met.
- Regulatory, legal and contractual obligations will be met.
- Business continuity plans will be produced, maintained and tested.
- All breaches of information security, actual or suspected, shall be reported and investigated.
- Information risks will be identified, documented and managed, and any controls implemented will be proportionate to the risk.

Security measures are extensive and include:
- Physical access controls to premises and physical resources
- User authentication and role-based access to data and functionality
- Sophisticated network protection
- E-mail encryption and monitoring
- Internet monitoring and access control
- Secure encryption of data in transit and at rest
- Malicious software control
- Software compliance
- Change control
- Information backups
- Business continuity planning & testing
- Data destruction and retention policies
- Incident reporting
- Information security audits and third-party penetration testing