Information Security Notice
Red Dragon I.T. Ltd. certifies that:
- We are registered with the Information Commissioner's Office (ICO).
Risk Management
- As part of our risk management procedure, our Data Protection Impact Assessment is updated on an annual basis.
- Our Information Security Policy is updated as and when required, and as a minimum on an annual basis.
- Our responsible persons for information security are:
  - Gareth Hurford-Jones – Managing Director
  - Andrew Sillwood – Technical Director
- Our third-party service contracts contain specific terms on information security standards, and we obtain sufficient guarantees from each supplier about the security measures it has in place.
Information Security Awareness
- Our staff undergo three courses of training on an annual basis:
  - GDPR Staff Awareness: introducing the key compliance obligations and providing a foundation in the principles, roles, responsibilities and processes of the Regulation.
  - Information Security Staff Awareness: reducing the likelihood of human error by familiarising non-technical staff with security awareness policies and procedures.
  - Phishing Staff Awareness: educating staff to be alert, vigilant and secure by learning how to identify phishing scams, what to do when the worst happens, and how they can mitigate the threat of an attack.
Physical Security
- Our premises are physically secure with the following precautions in place:
  - Premier Security Alarm, serviced annually,
  - British Standard (BS) locks on all external doors,
  - British Standard (BS) security locks on all external windows,
  - CCTV covering the external doors, the main hallway and the main computer suite,
  - The servers are held behind an internally locked door,
  - All staff check in and out of the building using a clocking-in system,
  - All non-members of staff are required to sign the Visitors Book.
- All staff have been informed of the requirement to physically lock away any mobile devices when not in use, and any paperwork containing personal data.
- We have the following data disposal procedures in place:
  - All documents containing sensitive data are shredded on site,
  - All computer and laptop hard drives are destroyed on site,
  - Electronic data due for disposal is deleted from our computers, servers and back-ups.
Computer & Network Security
- Our asset inventory of all hardware and software is updated on a quarterly basis.
- Our home/mobile working procedures require staff to use Remote Desktop Protocol (RDP) when working remotely.
- Our computers and laptops have all been securely configured with Microsoft Windows 10 Professional, which includes BitLocker disk encryption, and contain no unnecessary guest or administrative accounts.
- Our staff only use encrypted removable media and understand the dangers of taking large volumes of personal data off site.
- Our staff have individual user accounts, and where appropriate personal data is restricted to selected users only.
- Our staff all use strong passwords containing at least three of the following four character types: an uppercase letter, a lowercase letter, a number and a symbol. They do not write their passwords down.
- Our staff never allow passwords to be saved on their computers when prompted to do so.
- Our staff who use mobile devices (phones and tablets) protect them with a passcode of at least 6 digits.
- Our staff always lock their devices and PCs when not in use.
- Our computers are left switched on and locked overnight so that essential software updates can be applied, reducing the likelihood of attack.
- Our computers and devices lock out after a set number of failed login attempts.
- Our exit procedure for members of staff leaving is to disable their access immediately.
- Our electronic data is backed up daily (to support the restoration of personal data in the event of a disaster or hardware failure) and the back-ups are stored off site in a secure location.
- Our I.T. systems are secured with a hardware firewall, which is tested annually.
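The following is an added example and is not part of Red Dragon I.T. Ltd.'s notice: a read-only PowerShell audit that checks, on a Windows 10 Professional workstation, the controls this section states (BitLocker enabled, no unnecessary guest or administrative accounts, a failed-login lockout threshold, RDP restricted to Network Level Authentication, an inactivity lock, and updates being applied). The lockout threshold of 10, the 15-minute idle limit, the 45-day patch window and the expected-administrator list are assumptions chosen for illustration, and the `net accounts` parsing assumes an English-language Windows. Run it in an elevated PowerShell session.

```powershell
# Added example (not part of the notice above): a read-only audit of the stated
# workstation controls. Run as Administrator on Windows 10 Pro.
# The thresholds and the expected-administrator list are assumptions for illustration.

$MaxLockoutThreshold = 10                                    # assumed: failed logins before lockout
$MaxIdleSeconds      = 900                                   # assumed: 15-minute inactivity lock
$MaxDaysSinceUpdate  = 45                                    # assumed: acceptable patch age
$ExpectedAdmins      = @("$env:COMPUTERNAME\Administrator")  # assumed: only the built-in admin

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. BitLocker: every volume fully encrypted with protection switched on.
foreach ($vol in Get-BitLockerVolume) {
    Add-Check "BitLocker $($vol.MountPoint)" `
        ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On') `
        "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
}

# 2. Local accounts: built-in Guest (RID 501) disabled, no unexpected local administrators.
$guest   = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
$guestOk = ($null -eq $guest) -or (-not $guest.Enabled)
Add-Check 'Guest account disabled' $guestOk $(if ($guest) { "Enabled=$($guest.Enabled)" } else { 'not present' })
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
$extra  = $admins | Where-Object { $_ -notin $ExpectedAdmins }
Add-Check 'No unexpected local administrators' (-not $extra) ("Members: " + ($admins -join ', '))

# 3. Account lockout threshold, read from the local security policy via net accounts
#    (English-language output assumed; the value is a number or the word "Never").
$thresholdText = (((net accounts) | Select-String 'Lockout threshold') -replace '.*:\s*', '').Trim()
$lockoutOk = ($thresholdText -ne 'Never') -and ([int]$thresholdText -le $MaxLockoutThreshold)
Add-Check 'Account lockout threshold set' $lockoutOk "Lockout threshold: $thresholdText"

# 4. Remote Desktop: Network Level Authentication required for incoming RDP sessions.
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Add-Check 'RDP requires Network Level Authentication' ($rdp.UserAuthentication -eq 1) `
    "UserAuthentication=$($rdp.UserAuthentication)"

# 5. Screen lock: machine inactivity limit configured (0 or absent means the machine never locks itself).
$pol  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$idle = [int]$pol.InactivityTimeoutSecs
Add-Check 'Inactivity lock configured' ($idle -gt 0 -and $idle -le $MaxIdleSeconds) "InactivityTimeoutSecs=$idle"

# 6. Patching: the most recently installed update should be reasonably fresh.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
$age = if ($latest) { (Get-Date) - $latest.InstalledOn } else { $null }
Add-Check 'Updates applied recently' ($age -and $age.Days -le $MaxDaysSinceUpdate) `
    $(if ($latest) { "$($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())" } else { 'no dated hotfix found' })

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit if any control is not in place
```

Each check reads state only; nothing is changed on the machine. A non-zero exit code makes the script usable from a scheduled task or a build pipeline that should flag workstations drifting from the stated configuration.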
Breach Management
- Our staff are aware of our Data Breach Policy and Procedures, which are in place should there be an accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- Our staff understand the requirement to report a personal data breach that is likely to result in a risk to individuals to the Information Commissioner's Office within 72 hours of becoming aware of it, and we have a process to investigate and implement recovery plans.
CCTV
- Our premises are externally and internally monitored by high quality (non-audio) CCTV.
- We have signage to inform individuals that they are under CCTV surveillance.
- Our responsible person for CCTV is the Office Manager.
- We have a procedure for dealing with a data subject’s ‘right of access’ to the footage.