Croud security measures
Croud will maintain technical, physical and administrative controls so that the confidentiality, integrity and availability of its information systems adhere to a high standard, aligned to industry best practices.
The following measures (this list is not exhaustive and is open to further enhancement where deemed appropriate) will be implemented by Croud to ensure compliance with the SCC (Standard Contractual Clauses) requirements:
- Croud will take measures to prevent any unauthorised person from accessing the facilities used for data processing using various physical controls such as door entry IDs and visual badge identification as well as monitoring via CCTV
- Croud will take measures to ensure that any in-house developed information system is designed with privacy by design as standard, in compliance with applicable data protection laws
- Croud will take measures to ensure that code changes to any in-house developed information system are peer reviewed before being pushed to the production environment
- Croud will take measures to ensure security awareness by conducting online training, providing security updates to staff and conducting simulated phishing tests on a regular basis
- Croud will take measures to ensure data protection awareness by conducting online training, ensuring all staff understand the process for personal data processing at Croud, documenting that process in full and providing operational governance over the processing of any personal data
- Croud will take measures to perform an annual risk assessment (penetration testing) of its external web-facing information systems to assess relevant risks to the organisation and undertake the necessary remediation to reduce risk exposure.
- Croud will take measures to ensure those joining the organisation are vetted through identity verification, references and background checks covering four key areas: global sanctions, criminal history, education and employment.
- Croud will ensure that authorised personnel and Croudies (3rd party freelancers) attest to, and adhere to, the administrative security controls, policies and privacy notices in place at the commencement of employment or contract
- Croud will ensure that authorised 3rd parties who perform duties on behalf of Croud, for example Croudies, are authorised and validated for specific work packages against client briefs and requirements
- Croud will take measures to prevent the unauthorised introduction of any data into its information systems, as well as any unauthorised inspection, amendment or deletion of recorded data, for example by restricting access to IT infrastructure to named authorised personnel
- Croud will take measures to prevent systems from being accessed by unauthorised persons by employing intrusion detection, firewalls, multi-factor authentication and threat monitoring solutions
- Croud will take measures to ensure that information security industry best practices and guidelines are adhered to, via named, dedicated cyber security personnel with clearly defined roles and responsibilities
- Croud will take measures to maintain relevant security accreditations (e.g. Cyber Essentials Plus) to further ensure the security of its network and services
- Croud will take measures to ensure that authorised persons using an automated data processing system may access only the data within their job role remit and requirements, using appropriate access control models enhanced with multi-factor authentication where possible.
- Croud operates a policy of least privilege when assigning access to all managed systems
- Croud will take measures to safeguard data by adopting a cloud-first approach that utilises top-tier SaaS solutions to provide a high level of system availability and redundancy
- Croud will take measures to implement additional security for access to client CRM systems through the use of virtual machines and password management software