We implement and maintain the security measures set out below.
Such security measures may be updated or modified provided that such updates and modifications do not result in the degradation of the overall security of the services we provide.
Network Security, Compliance and Incident Management
Network Security Policy
We have a documented network security policy, which is communicated internally to all staff.
This policy is approved by senior management and sets out our commitment to information security.
Compliance
Our Data Compliance Officer monitors staff compliance with our Network Security Policy.
We believe the most effective route to staff compliance is through training and regular reviews of security behaviour. We achieve this by conducting annual training, which begins during our employee’s induction.
Incident Management
Our Incident Reporting Procedure has been designed to allow us to quickly investigate and respond to security incidents. Where we deem it necessary, such as if your data is impacted by a data breach we will provide you with details of the incident.
Risk Management and Asset Management
Risk Management
We conduct several annual risk assessments including a physical risk and confidentiality assessment. Our Data Compliance Officer reports on the status of information security risks to management
Asset Management
We maintain asset registers for physical equipment, systems, software and information assets.
Change Management
Our Change Control Policy puts in place procedures that minimise the risk of damage to our information systems, data and business that may come from changes to our computer systems or software.
We control access to any software development environments and ensure that only staff who need access are authorised to do so.
Testing Changes
Before we commit a change from our test environment to a live environment we conduct extensive testing. By doing so, we help to ensure the continued confidentiality, integrity and availability of our systems and the service provided to you.
Physical Security
Office Building
We apply certain levels of protection to our office building.
Entry is controlled by electronic fob, which is unique to each member of staff. There is a motion detecting burglar alarm system, which is further protected by CCTV. These, along with our fire alarm system, are regularly tested.
Visitor access to our office building is controlled. Visitors are required to be hosted by a staff member and must be signed in.
Equipment Security
All equipment within the office building is located to minimise the ability for members of the public to view any confidential information. Staff are required to obtain permission from asset owners prior to removing equipment from the premises.
We record all physical hardware assets in asset registers. These are kept up-to-date by asset owners, who are responsible for ensuring the accuracy of the information stored therein.
Clear Desk and Screen Policy
Our staff are required to lock their systems when not in use.
We also require staff to operate a clear desk policy and lock any confidential information away when not at their desks.
Access Controls and Password Policy
Access Controls
Our Access Control and System Security Policy are designed to prevent unauthorised persons from gaining access to systems used to process data and ensure that data cannot be read, copied, altered or removed without authorisation. This includes any personal data we may process.
Password Policy
We require the use of unique user IDs, strong passwords and two factor authentication to minimize the potential for unauthorised account use.
For some systems, we require use of shared passwords. These are maintained in a secure password management system which restricts access to only those members of staff who are authorised.
Virus Protection
We protect our hardware with anti-virus software that is configured to automatically update. We enforce our anti-virus policy for all user devices.
Disaster Recovery and Business Continuity Management
We have an Emergency and Business Continuity Plan in place to help overcome any unexpected incidents to our premises, key personnel or to any important systems that we rely on for day to day to operations. The plan is designed to enable us to resume activities whether the situation is one of full or partial loss of key assets.
All staff are made aware of the plan in their induction training. If there are any significant changes to the plan, these will be communicated to our employees.
Associated Standards & Accreditations
We adhere to the NHS standards for all patient identifiable information. In particular:
- Our company is NHS IG Level 2 compliant;
- FootFall has achieved the SCCI 129 standard for clinical safety;
- All patient information is encrypted to NHS encryption standards;
- The data is stored in a data centre which is ISO 27001 compliant;
- We have achieved Cyber Essentials as specified by the NHS.
We are of course registered with the ICO – Registration Number Z9216576
Monitoring & Review of Policies
All policies mentioned above are formally reviewed at least annually.