NS8 Inc. Security Policy
NS8 is a company where data is at the core of its services. Whether it is customer data, end-user data or employee data, we work hard to provide for a secure and resilient data environment. Below is a succinct overview of the technical and organisational security measures that we have in place to secure our – and your – data.
1. DOCUMENTATION, TRAINING AND ACCOUNTABILITY
We have implemented accountability principles and documented our operations related to data processing and data security. This is ia. accomplished through:
- Drafting, implementing and monitoring an extensive company-wide Security Policy and ongoing review in order to update any policy terms;
- Information & security training and policies & procedures for staff; and
- Applying Confidentiality and Non-Disclosure Agreements and vendor assessments where appropriate.
2. ACCESS CONTROL OF PROCESSING AREAS
We apply suitable measures in order to prevent unauthorised persons from gaining access to the data processing equipment used to process data. This is ia. accomplished through:
- Keys and card key systems;
- Receptionists and building security; and
3. ACCESS CONTROL TO DATA PROCESSING SYSTEMS
We apply a number of measures to prevent data processing systems from being used by unauthorised persons. This is ia. accomplished through:
- Individual user IDs and strong passwords subject to minimum security requirements for staff members;
- Multifactor Authentication;
- Acceptable use and security policies for IT assets such as PCs, mobile phones and applications;
- Third party access control policies;
- Strict on- and off-boarding policies for staff members;
- Lock out of user accounts after a limited number of failed log-in attempts; and
- Advanced firewalls, PEN testing, anti-virus and spam scanning.
4. ACCESS CONTROL TO USE SPECIFIC AREAS OF DATA PROCESSING SYSTEMS
The individuals entitled to use our data processing systems are only able to access the data within scope and to the extent covered by their respective access permission (authorisation). We have implemented measures that ensure that the data cannot be read, copied or modified or removed without authorisation. This shall be accomplished by ia.:
- Access management on strict need-to-know principles, job duties, project responsibilities and actual business activities; and
- Strict VPN corporate network requirements.
5. TRANSMISSION CONTROL
We apply suitable measures to prevent data from being read, copied, altered or deleted by unauthorised parties during the transmission thereof or during the transport of the data media, and to ensure that it is possible to check and establish to which bodies the transfer of data is envisaged. This is accomplished by ia.:
- Firewall and encryption technologies to protect gateways through which the data travels; and
- Monitoring of encryption technologies.
6. ACCESS AND INPUT CONTROL
We apply suitable measures that help to check and establish whether, when, by whom and for what reason data have been input into data processing systems or otherwise processed. This is accomplished by ia.:
- Authentication of the authorised users via user ID and passwords;
- Restricted physical access to processing areas; and
- System time-out after non-activity for a pre-determined time period.
7. AVAILABILITY CONTROL
We apply suitable measures to ensure that data are protected from accidental destruction or loss. This is accomplished by ia.:
- Robust and proofed policies for security incidents and data breaches;
- Business continuity, backup and disaster recovery management; and
- Offsite backup storage.
8. SEPARATION OF PROCESSING FOR DIFFERENT PURPOSES
We apply suitable measures to ensure that data that are intended for different purposes can be processed separately. This is accomplished by ia.:
- Access to data being restricted via user authorisation passwords;
- Function separation of data of different customers; and
- Use of data being application specific.