In this section, we explain in more detail the measures we take to keep data secure.
As the information within our IT security policy is sensitive, we are unable to share the policy itself, however we can provide an overview. The policy is based on four key pillars:
1. Policies – documented policies that staff are required to sign
2. User education – via induction training for new joiners and ongoing training for existing employees
3. Hygiene factors – regular patching and security updates, as well as regular penetration testing and security scans
4. Specific security tools – intrusion detection and prevention systems and firewalls to prevent unauthorised access
The information security function is managed by our IT and systems team and overseen by the Risk committee. This function is supported by two major providers to whom we outsource services:
- Wavenet UK Group provide a support function for our IT and Systems to maintain our infrastructure. Wavenet UK are accredited by many leading, global brands – click here to find out more about Wavenet UK
- Intelliflo are our CRM / Back Office system provider. They are an ISO 27001 certified provider. Click here to find out more about Intelliflo
We take various steps to make sure that our information security management systems are in line with current best practice. The last information security audit we undertook was December 2022. Further information security audits will take place periodically thereafter.
Where is personal data stored?
Personal data will be stored in our customer relationship management (CRM) systems and internal infrastructure. Our CRM and internal servers are backed up daily. Data held in the CRM is manged by Intelliflo, hosted in the UK.
Data is stored on specific server drives that are access controlled to ensure only users with the right to access that data have permissions.
Data is not held on company devices and all USB ports are disabled to prevent removal of data via USB for the staff who have access to it.
We operate mainly as a paperless office. We only hold physical customer data on ‘working files’, which are stored securely in lockable cabinets. Once completed, we dispose of these using a specialist confidential waste provider.
If we need to transfer your personal data outside of the UK for any reason, we will ensure a similar degree of protection is afforded to it by ensuring that we apply appropriate safeguards (either by transferring your data to a country that the UK considers has adequate privacy laws, or by using specific contracts to protect your data that are approved by the UK supervisory authority).
Who has access to personal data?
Access to data is granted to staff on a role-specific basis. All systems are password protected and user access rights are reviewed every 12 months and documented. If a user changes role or leaves the company then their permissions are reviewed or removed as appropriate. Permissions can only be granted or changed with the approval of a member of the senior management team.
How do we protect against unauthorised access?
Data held in our CRM system is already encrypted both at rest and in transit, this is managed by Intelliflo.
All incoming and outgoing emails are scanned automatically by our email security software. We also have Transport Layer Security (TLS) and content filters applied to mitigate the inherent risks of email.
We can enable TLS email encryption for a specific company if they want to implement it. Please contact us if you wish to arrange this.
Where we do need to share data with a third-party provider, we will either use a secure portal (where possible); e.g. Microsoft SharePoint or password protect the files.
We use anti-virus software to protect ourselves from threats, as well as an intrusion detection prevention system and various firewalls. This infrastructure is regularly monitored and will trigger alerts in the event of a detected threat. We also have various filters (email and web) to minimise the risk of malicious viruses. In addition, we conduct regular training and awareness sessions with staff to mitigate the risk of these threats.
This infrastructure is kept up to date by Wavenet UK. They ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches as soon as possible, with critical patches installed within one month of release.
We use independent security specialists to conduct vulnerability testing on a regular basis. All priority items identified in the most recent test conducted in December 2022 have been acted upon and we comply with the requirements of the Cyber Essentials Plus Scheme. You can check our certification here and by typing in ‘Brunsdon’ in the search bar.
Brunsdon Financial was assessed as meeting the Cyber Essentials Plus implementation profile released April 2020 and thus, at the time of testing, the organisation’s ICT defences were assessed as satisfactory against commodity based cyber-attack. However, this Certificate does not in any way guarantee that the organisation’s defences will remain satisfactory against cyber-attack.
The main entrance access to our office at Goodridge house can only be made by employees who have allocated key cards or approved and supervised contractors and the building is monitored 24/7 by Ultra Vision Fire & Security Ltd. There are two locked internal doors with a keypad entry system. Windows are fitted with locks.
We have a business continuity plan in place which is reviewed regularly.
Risk management and controls
We have a risk management policy and any business event or incident, regardless of its origin, is recorded and tracked in the risk event log. All risk events are reviewed regularly by the Senior Management team at risk review meetings. In the event of a data breach we will inform any clients affected within 72 hours of becoming aware, with reporting to the appropriate regulatory body.