Information security policy

1. Introduction

The confidentiality, integrity, and availability of information, in all its forms, are critical to the ongoing operation and sound governance of CoreStream GRC. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for CoreStream GRC to recover.

CoreStream GRC is committed to robust implementation of Information Security Management. It aims to ensure the appropriate confidentiality, integrity, and availability of its data. The principles defined in this policy will be applied to all physical and electronic information assets for which CoreStream GRC is responsible.

2. Purpose

The primary purposes of this policy are to:

  1. Ensure the protection of all CoreStream GRC information systems (including but not limited to all computers, mobile devices, networking equipment, software, and data), and to mitigate the risks associated with the theft, loss, misuse, damage, or abuse of these systems.
  2. Ensure that users are aware of and comply with all items in this policy.
  3. Provide a safe and secure information systems working environment for staff and any other authorized users.
  4. Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data they handle.
  5. Protect CoreStream GRC from liability or damage through misuse of its IT facilities.
  6. Respond to feedback and update as appropriate, initiating a cycle of continuous improvement.

3. Scope

This policy applies to:

  • All CoreStream GRC staff and contractors (including office workers and remote workers).
  • Third parties who interact with information held by CoreStream GRC and the information systems used to store and process it.
  • Any systems or data attached to CoreStream GRC data or systems managed by CoreStream GRC, mobile devices used to connect to CoreStream GRC networks, data over which CoreStream GRC holds intellectual property rights, and data for which CoreStream GRC is the data owner or data custodian.

4. Policy

4.1 Policy Objectives

The objectives of this policy regarding the protection of information system resources against unauthorized access are as follows:

  1. CoreStream GRC will deliver its services within a secure and reliable environment.
    • This will be measured via system uptime (availability), monitoring of any failures in our backups (integrity), and the number of complaints or information breaches received (confidentiality).
  2. CoreStream GRC will operate as a digital, paperless organization.
    • This will be measured by the volume of electronic versus hard copies of documents held by CoreStream GRC.
  3. CoreStream GRC will conduct quarterly risk assessments to ensure that the risk to information in its care is minimized or eliminated.
    • This will be measured via periodic risk assessments and reviews/updates to the Risk Register and mitigation actions.
  4. CoreStream GRC will minimize the threat of accidental, unauthorized, or inappropriate access to critical or sensitive electronic information owned by CoreStream GRC or temporarily entrusted to it, by applying a proportionate level of encryption control.
    • This will be measured by the cryptographic controls in place and the number of data breaches.

4.2 Policy Overview

CoreStream GRC’s information system resources are important business assets that are vulnerable to access by unauthorized individuals or unauthorized remote electronic processes.

Sufficient precautions are required to prevent unwanted access by applying a level of encryption to critical and sensitive data that is proportionate to business risk.

Users should be made aware of the dangers of unauthorized access, and managers should, where appropriate, introduce encryption controls to prevent such access.

CoreStream GRC recognizes that information security is continually under threat from bad actors, and as such employs a number of vulnerability scanning methods to help prevent attackers from gaining a foothold. These methods include:

  • Internal vulnerability scanning: All server endpoints have Nessus vulnerability scanners installed as part of the standard build. Nessus checks for outdated software, software with known security flaws, and configuration issues that could lead to vulnerabilities.
  • External vulnerability scanning: All internet points of presence are monitored via SecurityScorecard. This checks for insecure settings in ports, certificates, and protocols.
  • Endpoint detection and response: All server endpoints and laptops have Sophos MDR installed. The Sophos agent checks for and prevents unusual activity, such as access to malicious websites and unauthorized encryption activities (to prevent ransomware). It is backed by a 24×7 security operations center and allows remote operators to contain threats once identified.

For a detailed overview of our information security processes, procedures, and controls, please refer to the Acceptable and Fair Use Policy.