Comms-care Ltd – Security Statement
Comms-care is committed to securing all aspects of its business, its people and the information and equipment of its customers, partners and suppliers within its control.
To this end the company has an internal Security Policy, supporting security policy documents, processes and controls covering all staff in the Comms-care Group Ltd. Collectively these address the key security issues surrounding use of IT equipment inside and outside of the company’s secure network environment, including equipment such as Personal Computers (PCs), laptop computers (laptops), Tablets, mobile phones and removable/portable storage e.g. USB memory sticks. This scope of coverage, when taken with the security requirements of our customers and any suppliers, has been reviewed and is consistent with the list of interested parties, internal/external influences on the company and process dependencies and interfaces.
All the security procedures pertaining to the internally connected network environment apply equally to the use of Comms-care equipment on customers’ sites, at home, in hotels or in public places.
Our security policies dictate that:
- Equipment and documentation should be secured when not in use
- The equivalent of a ‘clear desk policy’ is in operation when not working
- Access to computers and their information is restricted to authorised persons only
- Passwords are protected
- Health and safety aspects must be followed
The scope of our security policies covers hardware, software or services issued or approved for use within Comms-care and includes:
- Staff with PCs at approved locations
- Staff with laptops at approved locations
- Staff permitted to work at home
- Laptop users on any outside business
- Staff issued with loan laptops
- Mobile phone users
- Cloud Services
Comprising logical and physical controls, covering confidentiality, integrity and availability, other areas covered by our security policies include:
- Use of public transport
- Use of devices
- Off-site usage including remote access
- Information and equipment loss
- Data Protection
- Data Destruction
- Email policy
- Information sensitivity
- Network device security
- Malware protection
- Third party access
- Wireless communication
- Security incident response
- Cloud Services Policy
Where customer data is held within cloud services, Comms-care requires controls which match or exceed our internal controls (e.g. ISO27001) and where personally identifiable information is held outside the European Union it shall be covered under the EU-US Privacy Shield or country equivalent controls.
All of the Comms-care Security policies and supporting documents and controls collectively form the Information Security Management System (ISMS), which includes Risk Assessment and Statement of Applicability tools in support of our ISO27001:2013 certification. Wherever possible, the company seamlessly integrates security requirements into its operational processes.
The objectives/intended outcomes of our ISMS are to:
- Protect the organisation’s business information and any client or customer information within its custody or safekeeping by safeguarding its confidentiality, integrity and availability.
- Establish safeguards to protect the organisation’s information resources from theft, abuse, misuse and any form of damage.
- Establish responsibility and accountability for Information Security in the organisation.
- Encourage management and staff to maintain an appropriate level of awareness, knowledge and skill to allow them to minimise the occurrence and severity of Information Security incidents.
- Ensure that the organisation is able to continue its commercial activities in the event of significant Information Security incidents.
- Provide suitable coverage of International Standard 27001:2013 and overall address the security needs of the company’s interested parties, as relevant (see Appendix)
- Enable the continual improvement of the Information Security Management System (ISMS)
- Provide a maintainable baseline of security measures and controls which are consistent with the operational context of the company, updated as the perspective of the company changes
The performance of the objectives and extent to which we are achieving our intended outcomes are measured and reviewed at the six-monthly Objective and Metrics Review Board.
Managing Director on behalf of the Board of Directors, June 2018