We take a continuous-improvement approach to our information security framework, which is aligned to the ISO 27001 standard. We are committed to upholding our customers' statutory privacy rights, including processing personal data securely by means of appropriate technical and organisational measures. Our policies and procedures seek to ensure that the information we collect is stored and used correctly, that personal data is protected, and that we do not keep data for longer than we should.
We have dedicated Information Security, Cyber Security, Data Protection and Compliance teams in place to protect and support our business, manage policies and controls, assess risks and prevent inappropriate access to information. We are active across our industry in cyber and security threat intelligence, and we sit as members of cyber co-ordination groups sponsored by the industry regulators.
We support our colleagues in taking the steps required to protect our organisation. Training is mandatory for all colleagues, with supplementary training available as required. We engage with colleagues regularly so they are aware of current threats and know what to do if something goes wrong.
Our cyber, data and privacy governance:
- Links security and data activities to our goals and strategy
- Engages and empowers colleagues who are responsible for making security and data decisions
- Promotes effective management of cyber and data risks, including building an adequate response to cyber security threats
This framework seeks to address process and human vulnerabilities, reduce the complexity of our technology and data estate, and embed security by design in all of our business decision making. Operational measures are also in place to monitor for, and respond to, data breaches and cyber-attacks. These measures are routinely and independently validated and tested through vulnerability assessments and penetration testing. This includes carrying out simulated phishing campaigns and exercises to check our level of resilience and confirm that our incident management procedures are robust.