1. Overview
1.1 To ensure the security of personal data, we have implemented a risk-based approach to our technical and organisational measures in accordance with the principles of integrity, availability, and confidentiality.
1.2 Lead Forensics runs an ISO 27001-accredited information security management system.
2. The Lead Forensics Product
2.1 Lead Forensics offers a SaaS solution that identifies website visitors and provides actionable leads within a business-to-business environment.
3. Information Security Management System (ISMS) Framework
3.1 Lead Forensics runs an ISMS that implements a risk-based approach to information security. It selects appropriate security controls and processes based on a risk assessment that is regularly reviewed and updated.
3.2 ISO 27001 is the international standard that provides the specification for a best-practice ISMS and covers compliance requirements. The Lead Forensics ISMS is certified to ISO 27001 by independent UKAS-accredited auditors.
4. Access to ISMS Documentation
4.1 We can freely share our ISO 27001 Statement of Applicability and Information Security Policy with customers, prospective customers, and other relevant parties. Once the requesting party has agreed to an NDA, detailed policies, external audit reports, and technical procedures can be shared as part of a due diligence procedure.
4.2 The details of our risk assessment and some technical design details and procedures are confidential and unable to be shared. In these cases, we will share the policies that define the security standards that Lead Forensics will adhere to, even if we cannot reveal the technical details.
4.3 Security documentation requests should be emailed to [email protected].
5. Physical Security
5.1 Locked doors on all entrances/exits (e.g., electronic locks, physical locks).
5.2 Access control systems (biometric security, access card security).
5.3 24/7 reception/Security personnel.
5.4 CCTV systems.
5.5 Additional physical security measures to protect IT equipment (partitioned server room, fireproof safe, etc.).
5.6 Secure disposal bins for confidential paper waste (shredded on-site).
5.7 Certified waste disposal for electronic waste.
5.8 Control of access to IT Systems and physical environments.
5.9 Access permission to physical IT areas restricted to staff with authority.
5.10 Multi-factor authentication is required for all remote access to systems.
5.11 IT security systems have individual user logins and unique usernames.
5.12 We require the use of strong/complex passwords.
5.13 We encrypt all data in transit on public networks.
5.14 We use encryption at rest for our application data wherever we process data using cloud-hosted services. Our on-premise databases are not encrypted at rest, but they have other mitigating controls to ensure the physical security of our data.
5.15 Multiple authentication layers on internal applications.
5.16 Automatic locking of IT terminals and devices after periods of inactivity, with passwords required to re-access.
5.17 Password databases are subject to strong encryption/hashing.
5.18 Audits of security procedures are conducted annually, as a minimum.
5.19 Specialised training for employees.
6. Protect Personal Data Against Cyber-Attack
6.1 Multi-factor authentication for all remote access to systems.
6.2 Firewalls maintained with a least-access rulebase.
6.3 Hardware Asset Register maintained.
6.4 Software/Firmware records maintained.
6.5 Regular Software Security Update Processes and Procedures.
6.6 All Cloud Management Platforms require MFA Authentication.
6.7 Anti-Virus/Anti-Malware installed on systems.
6.8 Data backups encrypted with Private keys.
6.9 Regular Backup restore testing.
6.10 All offsite backups are stored encrypted in offline archives.
6.11 Annual 3rd Party Penetration Testing.
6.12 Monthly internal Penetration Testing.
6.13 All laptops encrypted.
7. Processors and the Supply Chain
7.1 We conduct due diligence on any prospective processor or supplier processing data. We require them to commit to commercial and Data Processing Agreements (where personal data is processed) that meet the necessary regulatory conditions. We conduct an annual audit to review our supply chain.
8. Storage Limitation
8.1 We have backup retention implemented with automatic lifecycle policies (archive and expiry).
8.2 We review the retention periods for personal data at least annually and apply the storage limitation principles to our data deletion/retention policy.
9. Detecting Security Events
9.1 Advanced Threat Analytics actively deployed.
9.2 Automated security event alarms.
9.3 User risky sign-in detection and alerting.
10. Detecting Security Events
10.1 Centralised, non-editable logging systems.
11. Minimising Impact
11.1 Availability Management Policy.
11.2 Resilient IT Services with Minimised Single Points of Failure.
11.3 Role-based access control on a least-privilege basis.
12. Encryption
12.1 Data at rest. We use encryption at rest for our application data whenever we process data using cloud-hosted services. Our on-premise databases are not encrypted at rest, but they have other mitigating controls to ensure the physical security of data.
12.2 Data in transit. All data is encrypted in transit over public networks. We regularly review and update the encryption standards to stay aligned with current best practices.
13. Response and Recovery Planning
13.1 We have implemented Incident Management processes and procedures, including pre-approved incident response plans for:
- Ransomware
- A security incident triggering a personal data breach
- Denial of service
13.2 Business Continuity Processes (BCP) and Procedures are in place and are reviewed annually.
14. Data by Design and Default
14.1 We consider appropriate data protection principles and the integration of the necessary safeguards into conceptual product and process innovation to meet the requirements of the Regulation and the rights of data subjects.
15. Data Controller and Data Processor Workflows and Agreements
15.1 We consider our technical and procedural workflows to align with the responsibility of personal data and document ROPA (Records of Processing Activities).
15.2 Binding agreements appropriate to the personal data being shared or processed are required between data controllers and data processors.
15.3 We regularly review the technical and organisational workflows and controls in place and have a formal annual audit.
16. Training and Awareness
16.1 All new employees complete IT security training.
16.2 All new employees are required to complete Data Compliance training.
16.3 Existing employees receive periodic IT security training.
16.4 Hybrid/home workers must comply with IT/HR policies.
16.5 Data Compliance is tasked with developing a culture of data protection awareness.
17. Committed to Improvement
17.1 We are committed to reviewing our processes, policies, and documentation as follows:
- ISMS system with regular process reviews and audits
- Incident Review Processes to identify improvement opportunities
- Companywide annual audit conducted by Data Compliance
- External auditors conduct quarterly audits
18. Certification
18.1 ISO 27001 Certification.
18.2 PCI DSS Certification.
18.3 Registered with the ICO.
V1.3 | Last modified December 2022