NES’ Security Statement applies to the services offered by NES Group Ltd (NES) incorporating all companies and subsidiaries.
NES utilises some of the most advanced Internet security technology available today and understands the importance of data security, making every effort to ensure that data held on its systems is fully protected.
We recognise that the confidentiality, integrity and availability of information and data created, maintained and hosted by NES and its suppliers are vital to the success of the business and privacy of its customers. NES views these primary responsibilities as fundamental to best business practice to ensure compliance with all applicable laws, regulations and obligations.
This Security Statement forms part of the user agreement for NES customers.
Physical Security and Compliance
NES’ global information systems are physically protected in accordance with the associated risk. All data is held in SOC accredited data centres or within the UK head office. Physical security controls at these locations include 24x7 monitoring, cameras, visitor logs, entry requirements, and/or secure dedicated rooms for hardware.
Our global business is compliant with the HMRC Cyber Essentials Programme and is working towards ISO27001 certification. Systems are further subject to annual re-certification, and annual audit by our Audit, Assurance & Advisory partners.
NES deploys next generation unified threat management firewalls across all its networks to deliver breach prevention and threat defence. The intrusion prevention system (IPS) features sophisticated anti-evasion technology and network-based malware protection. Other network technologies used within the business include Network Access Control (NAC), multi-layered anti-virus, content filtering, anti-ransomware defences, file sandboxing and application control.
This combination enables NES to block new and sophisticated threats in real time as they emerge each day.
Users [direct employees] are granted access based on their role and responsibilities, and must accept NES’ usage policies. These permissions and restrictions are reviewed regularly and revoked immediately as part of NES’ Leaver Process.
Password policies are enforced and impose complexity, expiration and lockout requirements. Any remote access to NES technology resources is permitted only through encrypted connectivity (VPN) and requires multi-factor authentication.
Security Policies & Employee Awareness
Our information security policies are regularly reviewed by competent personnel and made available to employees through a central communication point.
Employees are required to acknowledge these policies, accept non-disclosure agreements and undergo training and awareness on privacy and security, expected business conduct, and ransomware awareness. Training is designed to adhere to all specifications and regulations applicable to NES Group Ltd.
Employees may undergo background screening as part of the on-boarding process (where applicable to the role and to the extent permitted or facilitated by applicable laws and countries).
NES engages a dedicated Cyber Security Manager who focuses on application, network, and system security, and who is also responsible for security compliance and associated awareness.
Vulnerability Management and Testing
NES maintains up-to-date software and firmware patches to ensure that systems, applications and devices owned and managed by NES Group Ltd are routinely updated with security fixes. This vulnerability management programme includes frequent scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications. All networks, including test and production environments, are regularly scanned using trusted third party, market leading vendors.
In addition, NES conducts regular external penetration tests and remediates any findings according to their severity.
NES protects the confidentiality, authenticity and integrity of information through the use of cryptography, with these controls applied according to the sensitivity of the data.
Data in transit uses secure TLS cryptographic protocols.
Data at rest is also encrypted with strong, generally accepted, non-proprietary encryption algorithms.
Improvement & Development
NES’ development team employs secure coding techniques focused around the OWASP Top Ten. Developers are formally trained in Dynamics application development best practices. Development, testing, and production environments are separated, and change management practices ensure that updates are peer reviewed and logged for performance, audit and forensic purposes prior to deployment into the ‘live’ environment.
Logging and Auditing
Application and infrastructure systems log information for troubleshooting, security reviews, and analysis by authorised NES personnel. Logs are preserved in accordance with regulatory requirements.
NES provide customers with reasonable assistance and access to logs in the event of a security incident impacting their account.
Removable Media & Disposal Management
Removable media such as USB drives and DVDs are a well-known source of malware infection and of loss of sensitive information. NES does not allow the use of any type of removable media within its network; this is enforced through device-lock software installed on every NES computer device. Data requiring deletion is securely erased on all storage media in accordance with current industry best practices.
NES maintains an asset management policy which includes the identification, classification, retention, and disposal of information and assets. Company issued laptops are equipped with hard disk encryption and up-to-date antivirus software. Only company issued devices have access to NES corporate networks.
An information security incident is indicated by a single or series of unwanted or unexpected information security events that have a significant probability of compromising information security.
NES operates security incident response policies and procedures covering the initial response, investigation, customer notification, public communication, and remediation. When criminal activity affecting information security is identified, NES will liaise with the Information Commissioner’s Office, as its appointed Supervisory Lead Authority, and local Police.
Breach Notification procedures are enforced in accordance with local laws and business practices.
Although NES takes all necessary actions to protect data, we cannot guarantee absolute security, as no method of transmission over the Internet or of electronic storage is perfectly secure. However, if NES learns of a security breach, we will notify affected users so that they can take appropriate protective steps.
NES is committed to keeping our customers fully informed of any matters relevant to the security of their data.
Business Continuity (BCM)
NES has business continuity plans in place to counteract interruptions to information systems and business activities caused by major failures or disasters. This involves NES data being backed up on a rotating schedule of full and incremental backups, which are verified regularly.
All NES backups are encrypted and stored within the production environment to preserve their confidentiality and integrity.
Cyber Security Manager
Version May 2018