Security at ¾ÅÉ«ÊÓƵ
At ¾ÅÉ«ÊÓƵ, we recognize the paramount importance of information security to our valued customers. As a global organization, we have wholeheartedly embraced the ISO 27001 framework to establish a robust structure for our Information Security Management System (ISMS).Ìý
Why ISO 27001 MattersÌý
- Widely Accepted and Industry Recognized: The ISO 27001 framework is universally acknowledged and respected. By adopting it, ¾ÅÉ«ÊÓƵ ensures a solid foundation to meet our customers’ stringent security requirements.Ìý
- Certification Achievement: Our commitment to excellence has led us to achieve ISO 27001:2013 certification across many of our products, services, and supporting functions. This certification underscores our dedication to safeguarding information. For specifics about our certification scope, please refer to our current ISO 27001 certificate.Ìý
Our High-Level Information Security PoliciesÌý
On this page, we've added some of our high-level information security policies alongside product-specific security documentation. These policies guide our actions and reinforce our commitment to maintaining a secure environment.Ìý
Contact UsÌý
Whether you have specific needs, concerns, or questions related to security, we’re here to assist you. Below, you’ll find relevant contact information:Ìý
- For account-related requests such as account deletion, please contact global.supply@rws.com.Ìý
- For technical support issues, please follow the guidance at the following link: ¾ÅÉ«ÊÓƵ Technical supportÌý
- If you have discovered a security vulnerability and would like to ethically disclose this, please report it to us via security.reporting@rws.com. Please note that ¾ÅÉ«ÊÓƵ does not currently have a bug bounty program.Ìý
- For personal data subject requests in accordance with the ¾ÅÉ«ÊÓƵ Privacy Notice, please contact us at privacy@rws.com.
If you are an ¾ÅÉ«ÊÓƵ employee and require operational support such as with sign-in issues, please use the IT service desk.
FAQs
Please describe your initial selection and risk assessment process for suppliers/ vendors.
¾ÅÉ«ÊÓƵ's procurement process requires new suppliers to undergo security risk assessment prior to onboarding. Suppliers are assigned a risk category according to a number of criteria including: criticality of the goods/services to be provided and sensitivity of information or facilities they access.
Does ¾ÅÉ«ÊÓƵ have a Supplier management program for security?
Yes, ¾ÅÉ«ÊÓƵ's Group Supplier Security Management policy specifies the security requirements for third party suppliers
Describe how you identify and manage the information security vulnerabilities in your IT systems, including change management processes.
¾ÅÉ«ÊÓƵ carries out monthly vulnerability scanning of its public facing infrastructure. Weaknesses are risk assessed and appropriate mitigation applied in accordance with the Global Security Testing Policy. A member of the information security team sits on the Global IT Change Advisory Board to assess the security impact of proposed changes.
Describe how you secure applications through the system development lifecycle including how you develop and test changes to applications.
¾ÅÉ«ÊÓƵ's Group Secure Software Development Lifecycle Policy specifies how products are to be developed securely. Security is featured as part of each development step from requirements gathering, design, implementation, verification, and release. Changes are tested prior to release.
Do you use a tool to track incidents, changes and problems?
Yes, ¾ÅÉ«ÊÓƵ uses both Service Centre and ServiceNow to track workflows from tickets being raised to assignment and resolution. SLAs are in place depending on the criticality of the incident/change or problem
Does ¾ÅÉ«ÊÓƵ have an Acceptable Use Policy?
Yes. ¾ÅÉ«ÊÓƵ has an IT Security and Acceptable Use Policy
What is the retention policy for customer data?
¾ÅÉ«ÊÓƵ will only retain customer data as long as it is necessary for the performance of the services and in any case as agreed in the Contract.
Is there an Asset Management process?
Yes, ¾ÅÉ«ÊÓƵ has a dedicated Software and Asset Management (SAM) Team as well as utilising an asset tool called Lansweeper and Flexera on the ¾ÅÉ«ÊÓƵ network. Lansweeper automatically detects and records items on the ¾ÅÉ«ÊÓƵ corporate network including details such as owner, asset type, software installed, warranty and configuration, all assets have an assigned owner.
Is there a Patch Management process?
Yes, patches are applied to end points automatically utilizing a centralized patching application. Patching of the servers with updates performed at least annually. Typically this patching will be performed during the routine monthly maintenance window, Patches of other types (such as SQL, Antivirus) performed on ad-hoc when desired but should be tested on a Development or Staging system before Production, where such systems exist.
Is there a Change Management process?
Yes, change management roles and responsibilities are governed by the CAB process in which management are included as well as the relevant stakeholders including IT and any ¾ÅÉ«ÊÓƵ system testers, any system changes are tested before implementation and/or deployment. Emergency changes are carried out in the same way as the standard change management process, ensuring the changes are logged, recorded, tested, agreed and implemented. Implementing change is the responsibility of release management, however the process at large is the responsibility of CAB.
Has ¾ÅÉ«ÊÓƵ implemented a formalized approval process for logical access requests based on the principles of least privilege?
Yes, ¾ÅÉ«ÊÓƵ has a Logical Access policy which specifies the processes to be used to manage logical access.
Is there a risk assessment program that has been approved by management, communicated to relevant employees and an owner appointed to maintain the program?
Yes, ¾ÅÉ«ÊÓƵ's risk assessment program is owned by the ¾ÅÉ«ÊÓƵ Executive and is communicated to relevant employees
Describe the key elements of the ¾ÅÉ«ÊÓƵ security risk management program
¾ÅÉ«ÊÓƵ's security risk management program is outlined in the Group Security Risk Management policy. This contains the methodology to be used for the identification and management of security risks, including: Asset Identification; Impact Analysis; Risk Assessment; Identification and Application of Controls; and Monitoring of Control Effectiveness. Risks are assessed periodically or when a significant change occurs that could have an impact on the confidentiality, integrity, or availability of ¾ÅÉ«ÊÓƵ information or assets. Oversight and governance of the risk management processes is exercised by the Security Governance, Risk and Compliance Manager and Information Security Steering Committee as appropriate.
Does ¾ÅÉ«ÊÓƵ consider Data Privacy?
Yes, ¾ÅÉ«ÊÓƵ takes data privacy very seriously. Our Privacy Policy is available here: www.rws.com/about/privacy for privacy information
Does ¾ÅÉ«ÊÓƵ have ISO 27001 certification?
Yes, customers may view our ISO 27001 certification at www.rws.com/security
Does ¾ÅÉ«ÊÓƵ have SOC 2 type II attestation
Yes, ¾ÅÉ«ÊÓƵ software hosted by ¾ÅÉ«ÊÓƵ Cloud Operations is within the scope of our SOC 2 type II report. An executive summary of the report is available on request.
Is an established, published, and annually approved security program in place?
Yes. ¾ÅÉ«ÊÓƵ's information security program is owned by the Chief Information Officer and is managed throughout the year by the executive level Information Security Steering Committee to ensure it continues to support business goals.
Does ¾ÅÉ«ÊÓƵ have a dedicated information security owner and/or team responsible for information security?
Yes. ¾ÅÉ«ÊÓƵ's Chief Information Officer is the executive sponsor for information security. Day to day responsibility for the management of ¾ÅÉ«ÊÓƵ's information security management system and continued compliance with security requirements is vested in a small team led by ¾ÅÉ«ÊÓƵ's Security Governance, Risk and Compliance Manager.
Is there an information security policy which has been approved by management, communicated to all personnell?
Yes, ¾ÅÉ«ÊÓƵ's information security policy is approved and signed by the executive sponsor for information security and sets out the high level security requirements which allow ¾ÅÉ«ÊÓƵ to maintain and continually develop its information security management system.
Please list your information security policies. Are such policies reviewed and updated regularly, and accessible to all ¾ÅÉ«ÊÓƵ personnel?
Our policies are reviewed at least annually. Internal documents may be viewed on site or remotely viewed by the client during an audit under NDA / MNDA.Ìý
¾ÅÉ«ÊÓƵ Group ISMS Information Security Policy
¾ÅÉ«ÊÓƵ Group Information Security Policy
¾ÅÉ«ÊÓƵ Group Security Risk Management Policy (Internal)
¾ÅÉ«ÊÓƵ Group Security Testing Policy (Internal)
¾ÅÉ«ÊÓƵ Group Logical Access Policy (Internal)
¾ÅÉ«ÊÓƵ Group Business Continuity Policy (Internal)
¾ÅÉ«ÊÓƵ Group Global Classification & Handling Policy (Internal)
¾ÅÉ«ÊÓƵ Group Information Security Incident Management Policy (Internal)
¾ÅÉ«ÊÓƵ Group Physical Security Policy (Internal)
¾ÅÉ«ÊÓƵ Group Privacy Policy (Internal)
¾ÅÉ«ÊÓƵ Group IT System Policy (Internal)
¾ÅÉ«ÊÓƵ Group Cryptographic Controls Policy (Internal)
¾ÅÉ«ÊÓƵ Group Supplier Security Management Policy (Internal)
¾ÅÉ«ÊÓƵ Group Secure Software Development Policy (Internal)
¾ÅÉ«ÊÓƵ Group ISMS Acceptable Use Policy (Internal)
¾ÅÉ«ÊÓƵ Group ISMS Security Exceptions Policy (Internal)Ìý
Our policies are published on the corporate Intranet and available to all ¾ÅÉ«ÊÓƵ employees, policies are regularly communicated to ¾ÅÉ«ÊÓƵ employees via mandatory security & privacy awareness and training.
Does your organization carry cybersecurity insurance?
Yes
Does ¾ÅÉ«ÊÓƵ have a security policy exceptions process and policy?
Yes. ¾ÅÉ«ÊÓƵ has a security exceptions policy and process.
Is there a formal disciplinary procedure for staff who violate information security policies and procedures?
Yes, any non-compliance to our Information Security policies will be reviewed and investigated by the global Information Security team and subsequently passed on to management and the relevant HR team for further investigation and action as necessary. Sanctions depend on the severity of the incident and could result in disciplinary action up to and including dismissal.
Does ¾ÅÉ«ÊÓƵ have a process to monitor changes in the regulatory requirements of relevant jurisdictions and adjust your security program to ensure compliance?
¾ÅÉ«ÊÓƵ's legal department monitors relevant legal and regulatory requirements which apply to ¾ÅÉ«ÊÓƵ. Regulatory requirements pertaining to information security will be discussed between the head of the legal department and the global head of information security and changes to the security program made as appropriate.
Does ¾ÅÉ«ÊÓƵ have a documented procedure for responding to requests for tenant data from governments or third parties?
Any such lawful requests would be handled by our legal team and would consider any contractual obligations and legal requirements.
Does ¾ÅÉ«ÊÓƵ have an Information Security Incident Response policy and procedure which is published and communicated?
Yes, ¾ÅÉ«ÊÓƵ's Group Information Security Incident Management Policy is published and accessible to all employees on the ¾ÅÉ«ÊÓƵ intranet and includes but is not limited to: Monitoring and Preparation; Identification; Containment; Mitigation; Recovery; and Follow-up.
Does ¾ÅÉ«ÊÓƵ have a process for incident response / data breach?
Yes, ¾ÅÉ«ÊÓƵ's Group Information Security Incident Management Policy is published and accessible to all employees on the ¾ÅÉ«ÊÓƵ intranet and includes but is not limited to: Monitoring and Preparation; Identification; Containment; Mitigation; Recovery; and Follow-up.
Does ¾ÅÉ«ÊÓƵ have a process for identifying incidents and their common attack vectors along with detection mechanisms to detect incidents as they occur?
Yes, ¾ÅÉ«ÊÓƵ's network supplier monitors traffic and provides alerts in the event of anomalous activity and ¾ÅÉ«ÊÓƵ employs IDS/IPS in key areas of the network to detect and prevent intrusions. End points have appropriate prevention/detection software.
Is Information Security Awareness training conducted on a periodic basis for all employees and consultants
Yes. Information security awareness training is a fundamental part of the onboarding process for ¾ÅÉ«ÊÓƵ personnel, contractors, and freelancers. Thereafter, computer-based information security training is delivered annually to all employees in a dedicated learning module. Additionally, information security awareness training is delivered as part of the yearly Code of Conduct training and through our frequent 'Think Security' campaigns.
Does ¾ÅÉ«ÊÓƵ background check employees?
Yes. All new starters undergo identity and 'right to work' checks. Where required by their role in the organsiation or national obligations, further background checks can be carried out in accordance with the relevant laws.
Does ¾ÅÉ«ÊÓƵ Background check Freelancers?
¾ÅÉ«ÊÓƵ's freelancers are not subject to background checks as standard. However, we do have a vendor agreement in place with our freelancers which includes minimum security measures and confidentiality and background screening of freelancers can be requested by customers as contractually agreed, subject to local laws.
Does ¾ÅÉ«ÊÓƵ consider information security in the employee onboarding and termination process?
Yes, all new starters are required to complete mandatory information security awareness training and Code of Conduct training which also includes security elements. On termination employees are reminded of their post employment security responsibilities. All assets are recovered and accounts suspended pending review and deletion.
Does ¾ÅÉ«ÊÓƵ have a process for data destruction and media sanitisation?
Yes, ¾ÅÉ«ÊÓƵ's Group Classification and Handling policy covers the areas of data destruction and media sanitisation. Specific processes to implement the policy are owned and maintained by the respective technology owners.