Security and Data Governance Framework: 01/07/2023

1. Governance Structure
 

1.1 Information Security Officer (ISO): The ISO is responsible for developing, implementing, and maintaining the security and data governance framework. They oversee day-to-day security operations and ensure compliance with policies and regulations.
 

1.2 Executive Management Support: Executive management provides support and resources for implementing security and data governance initiatives, ensuring alignment with organisational objectives.
 

2. Policies and Procedures
 

2.1 Information Security Policy: The overarching policy outlines the organisation's commitment to protecting information assets and establishes the framework for implementing security controls.
 

2.2 Data Governance Policy: This policy defines roles, responsibilities, and processes for managing data throughout its lifecycle, ensuring data quality, integrity, and confidentiality.
 

2.3 Access Control Policy: Defines procedures for granting, revoking, and monitoring access to information systems and data, based on the principle of least privilege.
 

2.4 Incident Response Plan: Outlines procedures for detecting, responding to, and recovering from security incidents, including incident reporting, escalation, and post-incident analysis.
 

3. Risk Management

3.1 Risk Assessment: Regular risk assessments are conducted to identify, analyse, and prioritise information security risks. Risk treatment plans are developed to mitigate identified risks to an acceptable level.
 

3.2 Vulnerability Management: Continuous monitoring of systems and networks for vulnerabilities, with timely patching and mitigation measures to address identified vulnerabilities.
 

3.3 Third-Party Risk Management: We evaluate and monitor our third-party vendors and partners to ensure they adhere to our security and data governance requirements.
 

4. Data Classification and Handling
 

4.1 Data Classification Scheme: Our data classification scheme is based on sensitivity, criticality, and regulatory requirements to guide appropriate handling and protection measures.
 

4.2 Data Handling Procedures: We have procedures for handling, storing, transmitting, and disposing of data in accordance with its classification level and regulatory requirements.
 

5. Access Control and Identity Management

5.1 User Authentication and Authorisation: We have implemented strong authentication mechanisms, such as multi-factor authentication, to verify the identity of users accessing systems and data. Authorisation controls are enforced based on user roles and data classification.
 

5.2 Privileged Access Management: Strict control and monitoring of privileged accounts to prevent unauthorised access and privilege abuse.
 

6. Security Awareness and Training
 

6.1 Training Programs: Regular security awareness training programs for employees are carried out to educate them about security risks, policies, and best practices for safeguarding information.
 

6.2 Phishing Awareness: We carry out specific training on recognising and avoiding phishing attacks to mitigate the risk of social engineering threats.
 

7. Security Controls Implementation
 

7.1 Technical Controls: We have deployed firewalls, intrusion detection/prevention systems, antivirus software, encryption mechanisms, and other technical controls to protect against unauthorised access, malware, and data breaches.
 

7.2 Physical Security Measures: We have implemented physical security measures, such as access control systems, surveillance cameras, and secure storage facilities, to protect physical assets and prevent unauthorised access.
 

8. Monitoring and Incident Response

8.1 Security Monitoring: We continuously monitor our networks, systems, and applications for suspicious activity, unauthorised access attempts, and security incidents.

8.2 Incident Detection and Response: We promptly detect, analyse, and respond to security incidents, with clear procedures for incident escalation, investigation, containment, eradication, and recovery.
 

9. Compliance and Auditing
 

9.1 Compliance Monitoring: We complete regular audits and assessments to ensure compliance with internal policies, regulatory requirements, and industry standards.
 

9.2 Regulatory Compliance: We adhere to relevant data protection laws, industry regulations, and contractual obligations governing the handling and protection of sensitive information.
 

10. Continuous Improvement
 

10.1 Security Metrics and Reporting: We have established key performance indicators (KPIs) and security metrics to measure the effectiveness of security controls and report on security posture to executive management.
 

10.2 Security Reviews and Updates: Regular reviews and updates to security policies, procedures, and controls based on emerging threats, technological advancements, regulatory changes, and lessons learned from security incidents.

Next Review: 31/06/25