The Committee aims to challenge and support improvements to the Group’s information security and data protection policies, defences, and controls. This ensures compliance with data protection regulations around the world and commits the Group to maintaining the security of its own information and of the information its customers entrust to it, with the proper care and attention.
Read the Cyber Security Committee’s FY23 report in our Annual Report and Accounts 2023 on pages 113 and 114
Penetration testing and vulnerability scanning
We conduct monthly external and quarterly internal vulnerability assessment scans, which, in addition to identifying vulnerabilities, also test the effectiveness of our software-patching regime. We also conduct quarterly penetration tests against our systems.
Managed detection and response
Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS) are deployed on the network perimeter to analyse all inbound and outbound traffic, with rules reviewed regularly.
Our firewalls employ IPS, with traffic logged and monitored; the firewalls are configured for static analysis, dropping packets where relevant and alerting the Information Security team. Additional layers include an array sensor positioned within the firewall that analyses all decrypted traffic and generates signature-based alerts. All of this is monitored 24/7 by our own Security Operations Centre (SOC). The alerts generated are governed by strict service-level agreements, ensuring rapid response to and triage of any incident by our IT Security team.
IPS is deployed on all endpoints in the form of anti-virus software and an application control system, which is managed centrally to enable fine-grained control across all endpoints.
There are dedicated procedures for identifying and reporting data breaches, responding to data subject rights requests, and conducting Data Protection Impact Assessments. We also have a series of incident and breach management processes in place that cover the identification, containment, and remediation of any potential security incident or potential data breach. These also ensure that any notification requirements are identified and integrated into our processes.
An inter-Group transfer agreement is in place to support our global operations. Depending on the specific client engagements we are undertaking, a statement of work may include a requirement to collaborate with other parts of the Group.
Where such collaborations involve international data transfers, we work with clients to ensure our contractual agreements meet the transfer requirements of all applicable data protection legislation.