Information Security Statement
Statement
NES Fircroft is dedicated to protecting data and using industry best standards. NES Fircroft utilises some of the most advanced Internet security technology available today. We understand the importance of data security and make every effort to ensure that data held on our systems is fully protected.
NES Fircroft recognises that the confidentiality, integrity and availability of information and data created, maintained, and hosted by NES Fircroft and its suppliers are vital to the success of the business and the privacy of its customers. NES Fircroft views these primary responsibilities as fundamental to best business practice and to ensuring compliance with all applicable laws, regulations, and obligations.
This Security Statement forms part of the user agreement for NES Fircroft staff and customers.
Security and Compliance
All NES Fircroft information systems globally are physically protected in accordance with associated risk. All data is held in security accredited cloud data centres and within the UK head office data centre. Physical security controls at these locations include 24x7 monitoring, cameras, visitor logs, entry requirements, and secure dedicated rooms for hardware.
NES Fircroft is compliant with the HMRC Cyber Essentials Programme and re-certifies this compliance annually. NES Fircroft is fully GDPR compliant and aligns its controls with those set out in the CIS Framework. NES Fircroft IT systems are independently audited by Deloitte annually.
Security Operations Centre (SOC)
NES Fircroft has a Managed Detection and Response team that encompasses security tools and security monitoring delivered through a Security Operations Centre. The SOC is the central command post, taking in telemetry from across the NES Fircroft IT infrastructure, including its networks, devices, appliances, and information stores. The SOC provides 24/7 monitoring of the NES Fircroft IT infrastructure via its SOAR platform; security analysts detect signs of an attack, investigate the relevant activity, and begin remediation to shut down the threat.
Network & Device Security
NES Fircroft deploys next-generation unified threat management firewalls across all its networks to deliver breach prevention and threat defence. The intrusion prevention system features sophisticated anti-evasion technology and network-based malware protection.
Other network technologies used at NES Fircroft include, but are not limited to, Network Access Control (NAC), multi-layered anti-virus, Single Sign-On (SSO), content filtering, anti-ransomware defences, email security, network segmentation, Endpoint Detection and Response (EDR), Data Loss Prevention (DLP), Security Information and Event Management (SIEM), Advanced Threat Protection (ATP) and application control.
Endpoint security is installed on every company computer, and only company-owned and controlled devices can access NES Fircroft networks.
This combination enables NES Fircroft to block the sophisticated new threats that emerge in real time every day.
Access Control & Multi Factor Authentication
Users and employees are granted the least amount of network access required, and access is only granted once it has been approved and the user has accepted the usage policies.
NES Fircroft grants role-based access on an as-needed basis, reviews permissions, and revokes access immediately on employee termination. Our password policy requires minimum length, complexity, expiration, lockouts and disallows reuse.
Remote access to NES Fircroft technology resources is only permitted from company equipment through encrypted connectivity (VPN), which requires two factors of authentication. Additionally, all hosted Internet-accessible databases and applications containing personal, sensitive, or confidential information require additional factors of authentication.
Security Policies
NES Fircroft reviews and updates its information security policies on an annual basis. Employees must acknowledge policies and undergo annual mandatory training. Training is designed to adhere to all specifications and regulations applicable to NES Fircroft.
Staff Screening
NES Fircroft conducts background screening at the time of hire (to the extent permitted or facilitated by applicable laws and countries). In addition, NES Fircroft communicates its information security policies to all personnel, requires employees to sign non-disclosure agreements, and provides ongoing privacy and security training.
Dedicated Security Personnel
NES Fircroft has a dedicated Cyber Security Manager and a dedicated Cyber Security Analyst, who focus on application, network, and system security and are also responsible for security compliance and education.
Security Awareness Training
Security awareness training is mandatory and teaches employees to understand security risks and threats. It ensures that employees understand that criminals may deliberately try to attack, steal, damage or misuse NES Fircroft systems and information, so that everyone within NES Fircroft is aware of the associated risk and works to adequately protect against these risks.
Patching & Vulnerability Management
NES Fircroft maintains up-to-date software and firmware patches so that all systems, applications and devices owned and managed by NES Fircroft are routinely updated with security fixes. The vulnerability management programme includes frequent scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications.
All networks, including test and production environments, are regularly scanned using trusted, market-leading third-party vendors. NES Fircroft also conducts regular external penetration tests and remediates any findings according to severity.
Encryption
NES Fircroft protects the confidentiality, authenticity, and integrity of information using cryptography. Cryptographic controls are applied according to the sensitivity of the data.
All data in transit uses secure cryptographic protocols. Data at rest is also encrypted with strong, generally accepted, non-proprietary encryption algorithms.
Data on all NES Fircroft mobile devices and laptops is encrypted.
Application Development
The NES Fircroft development team employs secure coding techniques focused around the OWASP Top Ten. Developers are formally trained in Dynamics application development best practices.
Development, testing, and production environments are separated. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment.
Logging and Auditing
Application and infrastructure system logs are stored for troubleshooting, security reviews, and analysis by authorised NES Fircroft personnel. Logs are preserved in accordance with regulatory requirements. We will provide customers with reasonable assistance and access to logs in the event of a security incident impacting them.
Removable Media & Disposal
Removable media such as USB drives and DVDs are a well-known source of malware infection and of the loss of sensitive information. NES Fircroft does not allow the use of any type of removable media within its network; this is enforced through device lock software installed on every company computer. Data requiring deletion is securely erased from all storage media in accordance with current industry best practices.
Asset Management
NES Fircroft maintains an asset management policy which includes identification, classification, retention, and disposal of information and assets. Company issued laptops are equipped with hard disk encryption and up-to-date antivirus software.
Information Security Incident Management
An information security incident is indicated by a single unwanted or unexpected information security event, or a series of such events, that has a significant probability of compromising information security.
NES Fircroft operates security incident response policies and procedures surrounding the initial response, investigation, customer notification, public communication, and remediation.
When criminal activity affecting information security is identified, NES Fircroft will liaise with the Information Commissioner's Office and local police.
Breach Response & Notification
Although NES Fircroft takes all necessary actions to protect data, we cannot guarantee absolute security, as no method of transmission over the Internet and/or electronic storage is perfectly secure. However, if NES Fircroft learns of a security breach, we will notify affected users so that they can take appropriate protective steps.
Breach notification procedures comply with in-country laws and regulations, as well as any standards relevant to NES Fircroft.
NES Fircroft is committed to keeping customers fully informed of any matters relevant to the security of their data.
Business Continuity & Disaster Recovery
NES Fircroft has business continuity plans in place to counteract interruptions to information systems and business activities from the effects of major failures or disasters. This involves NES Fircroft data being securely backed up on a rotating basis of full and incremental backups and verified regularly.
All NES Fircroft backups are encrypted and stored offsite within the production environment to preserve their confidentiality and integrity.
When business-critical systems are inoperable and cannot be recovered, action is taken as defined in the disaster recovery plan. A valid contract exists with a disaster recovery centre that acts as an alternate operating facility. IT personnel have been trained in their emergency response and recovery roles. Preventive controls are in place, including security and environmental controls and fire plans.
Change Control
NES Fircroft manages changes to information technology in a way that minimises risk and impact. Change management ensures that proposed changes impacting production environments are reviewed, tested, authorised, implemented, communicated, and released in a controlled manner, and that the status of each proposed change is monitored to completion or retraction.
Ian McDowell-Wallace
Cyber Security Manager
27th January 2022