Our commitment to information security.
To identify and manage information security risks at GB3, we have implemented a number of technical and operational controls, including establishing an Information Security Management System (“ISMS”), based on and certified to the international best practice for information security (ISO27001:2013). The purpose of the ISMS is to protect the confidentiality, integrity and availability of information and minimise security risks.
Specifically, the ISMS has been designed to address the following objectives:
Take pride in how we protect information and promote GB3 as a secure and trustworthy business to our clients, users, and partners.
Meet or exceed client and partner security requirements for information protection.
Protect user information from unauthorised access by minimising access to individuals with a legitimate business need.
Underpin management’s commitment to embedding security practice into the business, which aligns with our culture and conforms to the ISO27001:2013 standard.
Identify, manage and monitor information security controls in our supply chain.
Maintain our competitive advantage by protecting our expertise and intellectual property from unauthorised access.
Work collaboratively to maintain a security-aware culture, based upon sharing knowledge and continually improving how we manage information security.
ISO 27001: Information Security.
GB3 maintains a certified ISMS which conforms to the requirements of ISO 27001:2013, certified by the Centre for Assessment.
Our ISMS is subject to external audits in order for us to continually uphold high standards and maintain certification.
Roles and Responsibilities.
Security and compliance work is collaboratively managed and executed by a dedicated group of highly skilled individuals within the business. Such individuals work across different business functions, including IT, security, compliance, operations and facilities.
GB3’s leadership team meet on a monthly basis as part of an Information Security Working Group (“ISWG”) to discuss security and compliance, and are presented with key metrics, current risks and potential blockers to managing security and compliance.
All GB3 employees receive information security and privacy awareness training to ensure that they are aware of their responsibilities and security risks. This happens in different forms, including group training, company-wide presentations and eLearning on an ongoing basis.
At GB3, business continuity and disaster recovery procedures contribute to managing information security incidents, specifically those that impact business continuity. Our team is formed of individuals from parts of the business including IT, security, compliance, operations and facilities, communications and human resources. We have the following in place to support our SIM efforts:
A documented business continuity policy;
Documented business continuity processes and procedures with allocated responsibilities;
Internal and external periodic testing;
Training material which includes eLearning and group presentations.
Clear Desk and Screen Policy.
In order to reduce the risk of unauthorised access or loss of information, GB3 enforces a clear desk and screen policy as follows:
Computers and laptops must be locked or protected with a screen locking mechanism controlled by a password when unattended.
Care must be taken to not leave confidential material on printers.
All business-related printed documents must be disposed of using cross-cut shredders.
Pre-Employment Screening Policy.
GB3 is committed to hiring exceptional people into a secure working environment. This is to ensure the safeguarding of information and infrastructure at GB3 and to maintain an effective information security management system. As a result, it is GB3’s policy to conduct background checks on all individuals who are given access to GB3 systems. The following checks are conducted at a minimum:
Document check in support of right to work verification; and
Criminal history check.
GB3 has implemented controls in order to prevent unauthorised physical access, damage and interference to GB3’s information and information processing areas. These controls include:
CCTV monitoring in secure areas;
Enforced entry controls into our premises;
Defined secure areas for authorised personnel; and
Physical protection of hardware against natural disasters, malicious attack or accidents.
System, Application and Network Security.
System, application and network security is a critical part of our commitment to information security. We have established the following controls:
All systems, support and development staff are regularly trained on system, application and network security.
Our IT infrastructure is continuously monitored and audited for change.
Critical systems and information are protected with strong authentication mechanisms.
All network connections are protected by firewalls and are monitored by information security solutions to detect intrusions and suspicious activity.
All GB3 computers, laptops and servers utilise full disk/volume encryption and are installed with antivirus/malware protection which is automatically updated to the latest version and signatures available.