Privacy Policy


1 -  Purpose & Scope

This policy relates to GCI Network Solutions Limited and the GCI Group of Companies, hereafter referred to as “GCI”.

It provides a guide to GCI’s commitment to Information security & privacy and what its customers can expect from GCI in this regard.

It also outlines key recommendations for our customers in relation to information security and privacy.

This policy applies to GCI’s information assets and security considerations to support the contracted services as defined in the Service / Product Descriptions.

GCI’s information assets include but are not limited to:

  • Intellectual Property owned by GCI or provided by a third party
  • Financial information relating to our employees, clients or other third parties
  • Other public and non-public information or information assets deemed the property of GCI

2 -  Introduction

GCI Network Solutions Ltd understands the importance of information security and privacy and makes every effort to ensure that customer information held on its systems and within its information centres is fully protected.

The company recognises that the confidentiality, integrity and availability of information created, maintained and hosted by GCI and its customers are vital to the success of the business.

The management of GCI views these as primary responsibilities and fundamental to business best practice and as such has adopted the Information Security Management System Standard ISO27001:2013 as its means to manage and meet the following objectives:

  • Comply with all applicable laws, regulations and contractual obligations, including the General Data Protection Regulation (GDPR)
  • Implement continual improvement initiatives, including risk assessment and treatment strategies, while making the best use of its management resources to meet and improve information security system requirements
  • Communicate its information security and privacy objectives and its performance in achieving these objectives, throughout the Company and to interested parties
  • Maintain a security manual and procedures that provide direction and guidance on information security and privacy matters relating to employees, customers, suppliers and interested parties who come into contact with the Company’s work
  • Work closely with customers, business partners and suppliers in seeking to establish information security and privacy standards
  • Adopt a forward-looking view on business decisions, including the continual review of risk evaluation criteria, which may have an impact on information security and privacy
  • Constantly strive to meet, and when possible exceed, customer and employee expectations
  • Consider Information Security in role guides and when setting employee objectives, where applicable
  • Provide appropriate Information Security training and awareness to all staff so that responsibilities, principles and practices are embedded in company culture.

3 -  GCI Security Governance Framework

GCI’s security governance framework comprises the following:

  • GCI is ISO 27001:2013 certified by United Registrar of Systems (URS). The Information Security & Privacy Policy is available upon request. The Chief Operating Officer has overall responsibility for information security and privacy within GCI, delegated from the Board who retain accountability;
  • All departments are subject to internal audits
  • A robust set of information security policies and standard operating procedures are in place, including a risk-based methodology and treatment plan running across all operational aspects of the business.
  • GCI is also certified to ISO 9001, ISO 20000 and ISO 14001 and adopts the principles of ITIL v3.

4 -  GCI Information Security & Privacy

4.1 Physical

All GCI sites incorporate industry standard security controls, covering physical perimeter, CCTV and monitoring along with logged card access systems.

These controls are underpinned and supported by the Group’s ISO27001:2013 certification.

Unaccompanied access to information centre facilities is not permitted; this is detailed in the Physical Security Standard Operating Procedure and the Access Control Standard Operating Procedure.

4.2 Operational

  • GCI adopt a robust Configuration and Change Management process, in line with ITIL v3, ISO27001 and PCI DSS v3.2. A dedicated Change Manager oversees all potential security-impacting changes to service. These are tracked and recorded to completion of the change.
  • GCI has adopted an ISO27001 and PCI DSS compliant vulnerability management strategy. As well as formal penetration testing, our team of engineers stay up-to-date with the latest threats and exploitation techniques being used. Any threats that warrant action will be tracked through Change Management until completion.
  • GCI provides a heavily controlled/firewalled environment, with proactive monitoring and additional capability such as DDoS mitigation via our peering providers. All customers consume services (IaaS and SaaS) and so do not have access to the hypervisor or storage tiers of the platform, outside of the application itself.
  • Incident Management is an integral part of GCI's security procedures based upon ISO 27001:2013 and ITIL v3. Security Incident Response Teams are used to manage incidents effectively.

4.3 Supply Chain

  • GCI utilise Data Centres and communication infrastructure managed by 3rd parties; details can be provided on application. None of these 3rd parties have logical access to information or management systems.
  • GCI operates a robust Supplier Management Policy ensuring that supplier selection and approval criteria and performance monitoring are applied in proportion to the risk assessment relating to the procurement, providing protection of assets that are accessible by suppliers where relevant.
  • Appropriate levels of compliance, including Information Security and Service Delivery, are agreed and maintained in line with supplier agreements and, where identified, any 3rd parties are appropriately governed by GCI’s Policies directly.

4.4 Secure Deployment

  • GCI design all dedicated implementations in line with current industry practice and employ a Secure Development Policy in line with ISO 27001:2013. Throughout development, testing and deployment GCI are responsible for all software security updates on our platforms. For customers with dedicated solutions, engineers manage the availability and control of security updates released to customers via approved deployment tools.
  • IT Health checks are conducted on platforms and sampled solutions at least annually to capture new and evolving threats. Resulting actions are risk assessed, prioritised and treated in line with GCI’s Risk Management Standard Operating Procedure and overseen by the Business Effectiveness Team.

4.5 Access Control

  • Access to GCI’s internal systems, hosting platform and customer servers is permitted for authorised personnel only. All users must be positively identified by providing a secure User ID and password before being given access to system resources. Incoming callers are identified using details taken from their accounts. Additional password protection can be applied for sensitive environments.
  • All servers, routers, firewalls and network equipment are protected by password access controls. All passwords are randomly generated for optimum security to prevent intruders gaining unauthorised access to systems and information.
  • Only GCI’s 3rd Line Engineers have full access to the hosted platforms, each engineer having their own individual login for optimum security. Authorised support staff have Admin access to hosted services in order to provide technical support to customers.
  • Where 3rd Line Engineers require access to GCI’s network and systems remotely via VPN, RSA security is implemented providing two-factor authentication.
  • Solutions are accessed either via VPN or via client-side licensed software (such as Skype for Business), both requiring authentication.
  • Accessing the internet-facing Support Portal also requires authentication and complex passwords with lockout and reset rules. The support portal gives access to customer contact information and our SLAs, but not to the Cloud environment itself.

4.6 Employee Screening

GCI performs the necessary background employment checks commensurate with the sensitivity, criticality, and potential liability for the job function and service which the company is offering. All GCI staff involved in technical service provision are vetted to the Baseline Personnel Security Standard Plus.

All employees are given Information Security training as part of their induction and a minimum of every 12 months thereafter, in support of GCI’s ISO 27001:2013 certification. Aspects of the information security training include company policies covering raising security and other incidents, internal IT Code of Conduct, information classification and associated printing, storage and destruction of information, physical and logical access control, and an overview of the individual and corporate responsibilities regarding phishing, scams, bribery and other key subject areas.

5 -  Recommendations for Customers

These recommendations are intended to help prevent unauthorised access to GCI Services. They also help protect GCI’s own network and infrastructure where it could be affected by a breach of security in the Customer’s own network or infrastructure, or by unauthorised access to the Services or to the administrative controls granted to the Customer in respect of them, including Customer portals.

5.1 Passwords

Network devices (including but not limited to firewalls) should be securely configured on installation, and the default administrative password for any network devices should be changed to an alternative, strong password, as default passwords are often publicly known.

A strong password is typically one that:

  • meets a minimum length (e.g. 8 characters);
  • differs from the associated username;
  • contains no more than two identical characters in a row;
  • is not a dictionary word;
  • includes a mixture of numeric and alpha characters;
  • has not been reused within a predetermined period of time (e.g. 6 months); and
  • has not been used for another account.

Similarly, any default password for a user account should be changed to an alternative, strong password, and administrative user accounts should be configured to require a password change on a regular basis (e.g. at least every 90 days).
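The checklist above can be turned into an automated check. The following is an added example, not GCI's own code or tooling: it tests a candidate password against each rule in section 5.1, using a constructed word list, password history and set of other-account passwords (all sample data, not from the policy), and approximates the six-month reuse window as 182 days.

```python
import re
from datetime import date, timedelta

# Constructed sample data (not from the policy): a tiny dictionary word list,
# each account's previous passwords with the date they were set, and passwords
# the same person already uses on other accounts. A real system would compare
# against salted hashes; plaintext is used here only to keep the example
# self-contained.
DICTIONARY = {"password", "welcome", "summer", "letmein", "sunshine"}
HISTORY = {
    "alice": [("Winter2020x", date(2024, 1, 10)), ("Sp4rrowHawk", date(2024, 6, 1))],
}
OTHER_ACCOUNTS = {"alice": {"Corp0rateVPN"}}
TODAY = date(2024, 8, 1)  # fixed "today" so the reuse-window check is reproducible


def check_password(candidate, username, today=TODAY, min_length=8,
                   reuse_window=timedelta(days=182)):
    """Return the list of section 5.1 rules the candidate fails (empty = acceptable)."""
    failures = []
    if len(candidate) < min_length:
        failures.append("too_short")
    if candidate.lower() == username.lower():
        failures.append("matches_username")
    # Three or more identical characters in a row, e.g. "aaa" or "111"
    if re.search(r"(.)\1\1", candidate):
        failures.append("repeated_chars")
    if candidate.lower() in DICTIONARY:
        failures.append("dictionary_word")
    if not (any(c.isdigit() for c in candidate) and any(c.isalpha() for c in candidate)):
        failures.append("no_letter_digit_mix")
    # Reuse only counts as a failure while the old password is still inside the window
    for old, set_on in HISTORY.get(username, []):
        if old == candidate and today - set_on < reuse_window:
            failures.append("reused_recently")
            break
    if candidate in OTHER_ACCOUNTS.get(username, set()):
        failures.append("used_on_other_account")
    return failures


if __name__ == "__main__":
    for pw in ["Cr1msonTide", "aaa12345", "password", "Sp4rrowHawk", "Winter2020x", "alice"]:
        print(f"{pw!r}: {check_password(pw, 'alice') or 'OK'}")
```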

5.2 User Access Control

User accounts, particularly those with special access privileges (e.g. administrative accounts) should be assigned only to authorised individuals, managed effectively and provide the minimum level of access to applications, computers and networks.

Special access privileges should be restricted to a limited number of authorised individuals.
 
The use of shared accounts should be avoided due to the impact these can have on auditing and post incident investigations.

User accounts and special access privileges should be removed or disabled when no longer required (e.g. when an individual changes role or leaves the organisation) or after a pre-defined period of inactivity (e.g. 3 months).

5.3 Physical Security

Ensure all communications equipment is kept secure from unauthorised access to avoid the risk of tampering. If equipment must be located in areas without access restrictions, consider the use of a lockable ‘comms cabinet’ to house it.

5.4 Malware

Ensure up-to-date antivirus software is installed on all endpoints. This provides a basic level of protection against malicious software being installed on systems, which may steal sensitive information such as account credentials or banking details.

5.5 Further Guidance

The foregoing recommendations are only a small number of the security measures which a Customer should consider adopting to help defend itself against cyber threats, and represent guidance only. They do not represent all of the security controls an organisation needs to have in place to protect against such threats.

Useful further information is contained in the Government’s Cyber Essentials Scheme which sets out requirements for basic technical protection from cyber-attacks.