NES is dedicated to protecting data and using industry best standards. NES utilise some of the most advanced technology for Internet security available today. We understand the importance of data security and make every effort to ensure that data held on systems is fully protected.
NES recognize that the confidentiality, integrity and availability of information and data created, maintained and hosted by NES and its suppliers are vital to the success of the business and privacy of its customers. NES views these primary responsibilities as fundamental to best business practice to ensure compliance with all applicable laws, regulations and obligations.
This Security Statement forms part of the user agreement for NES staff and customers.
Security and Compliance
All NES information systems globally are physically protected in accordance with associated risk. All data is held in SOC accredited data centres or within the UK head office data centre. Physical security controls at these locations include 24x7 monitoring, cameras, visitor logs, entry requirements, and secure dedicated rooms for hardware.
NES, group wide is compliant with the HMRC Cyber Essentials Programme. NES re-certifies this compliance annually. NES are fully GDPR compliant and also aligns towards controls set out in ISO 27001. NES are independently audited by Deloitte annually.
Network & Device Security
NES deploys next generation unified threat management firewalls across all its networks to deliver breach prevention, and threat defence. The intrusion prevention system features sophisticated anti-evasion technology and a network-based malware protection.
Other network technologies used at NES include Network Access Control, Multi Layered ant-virus, content filtering, Anti-Ransomware defences, email security, network segmentation, advanced threat protection and application control.
Endpoint security is installed on every company computer and only company owned and controlled devices can access NES networks.
This combination enables NES to block sophisticated new threats that emerge real-time on a daily basis.
Access Control & 2FA
Users and employees are granted the least amount of network access required and access is only granted if approved and they accept the usage policies.
NES grants role based access on an as-needed basis, reviews permissions, and revokes access immediately on employee termination. Our password policy requires complexity, expiration, lockouts and disallows reuse.
Remote Access to NES technology resources is only permitted on company equipment through encrypted connectivity (VPN) which requires two-factor authentication. Additionally, all hosted Internet accessible databases and applications containing personal, sensitive or confidential information require two factors of authentication.
NES reviews and updates its information security policies on an annual basis. Employees must acknowledge policies and undergo annual mandatory training. Training is designed to adhere to all specifications and regulations applicable to NES.
NES conducts background screening at the time of hire (to the extent permitted or facilitated by applicable laws and countries). In addition, communicates its information security policies to all personnel, requiring employees to sign non-disclosure agreements, and provides ongoing privacy and security training.
Dedicated Security Personnel
NES have a dedicated Cyber Security Manager, who focuses on application, network, and system security and is also responsible for security compliance, and education.
Security Awareness Training
Security awareness training is mandatory and teaches employees to understand security risks and threats. This is to ensure that employees understand that criminals may try to deliberately attack, steal, damage or misuse NES systems and information, therefore everyone within NES are aware of the associated risk and work to adequately protect against these risks.
Patching & Vulnerability Management
NES maintain and keep up to date software and firmware patches to ensure all systems, applications and devices owned and managed by NES are routinely updated with security fixes. The vulnerability management program includes frequent scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications.
All networks, including test and production environments, are regularly scanned using trusted third party, market leading vendors. NES also conduct regular external penetration tests and remediate according to severity for any results found.
NES protect the confidentiality, authenticity and integrity of information by the use of cryptography. Cryptographic controls are applied according to the sensitivity of the data.
All data in transit uses secure cryptographic protocols. Data at rest is also encrypted with strong types of generally-accepted, non-proprietary encryption algorithms.
Data on all NES mobile devices and laptops are encrypted.
NES’s development team employs secure coding techniques focused around the OWASP Top Ten. Developers are formally trained in Dynamics application development best practices.
Development, testing, and production environments are separated. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.
Logging and Auditing
Application and infrastructure systems logs are stored for troubleshooting, security reviews, and analysis by authorized NES personnel. Logs are preserved in accordance with regulatory requirements. We will provide customers with reasonable assistance and access to logs in the event of a security incident impacting them.
NES manage changes that occur to information technology in a way that minimises risk and impact. Change Management ensures that proposed changes that impact production environments are reviewed, tested, authorised, implemented, communicated and released in a controlled manner; and that the status of each proposed change is monitored to completion or retraction.
Removable Media & Disposal
Removable media such as USB drives and DVD’s are a well-known source of malware infection and to the loss of sensitive information. NES does not allow the use of any type of removable media within its network which is enforced through device lock software installed on every company computer. Data requiring deletion is securely erased on all storage mediums in accordance with current industry best practices.
NES maintains an asset management policy which includes identification, classification, retention, and disposal of information and assets. Company issued laptops are equipped with hard disk encryption and up-to-date antivirus software.
Information Security Incident Management
An information security incident is indicated by a single or series of unwanted or unexpected information security events that have a significant probability of compromising information security.
NES operates security incident response policies and procedures surrounding the initial response, investigation, customer notification, public communication, and remediation.
When criminal activity affecting information security is identified, NES will liaise with Information Commissioners office and local Police.
Breach Response & Notification
Although NES take all necessary actions to protect data, we cannot guarantee absolute security as no method of transmission over the Internet and or electronic storage is perfectly secure. However, if NES learns of a security breach, we will notify affected users so that they can take appropriate protective steps.
Breach notification procedures comply with in-country laws and regulations, as well as any standards relevant to NES.
NES are committed to keeping customers fully informed of any matters relevant to the security of their data.
Business Continuity & Disaster Recovery
NES has business continuity plans in place to counteract interruptions to information systems and business activities from the effects of major failures or disasters. This involves NES data being securely backed on a rotating basis of full and incremental backups and verified regularly.
All NES backups are encrypted and stored offsite within the production environment to preserve their confidentiality and integrity.
When business critical systems are inoperable and cannot be recovered then action is taken as defined in the disaster recovery plan. A valid contract exists with a disaster recovery centre who acts as an alternate operating facility. IT personnel have been trained in their emergency response and recovery roles. Preventive controls are in place including Security, environmental controls and fire plans.
Cyber Security Manager