Introduction
This document sets out a high-level overview of the general technical and organisational measures utilised by the WebV System in the delivery of its solutions and services. If any specific clarifications are required, please approach your usual WebV contact to obtain the necessary information.
WebV will take adequate and appropriate measures to protect and secure the organisation's people, customers, data/systems and products by utilising technical and non-technical measures, including:
Data security
Data in transit across the internal and external network is secured with appropriate encryption measures, including the application of appropriate web security standards and certificates. Personal data utilised for research, analytics and business intelligence will, where possible and permissible, be subject to sanitisation and de-personalisation measures to preserve anonymity of data subjects.
iOS/Android WebV application privacy statement
The WebV Application for iOS/Android users collects only the data needed to identify the device ID and type of device, for functional purposes. No user-identifying information is captured or stored that can be linked to personal identifying information. Cookies are not stored or required for the iOS/Android application to work, and no cookies are captured for advertising purposes from our service or any linked services.
Network security
IT networks are implemented with appropriate segmentation internally, between client-facing segments, and from the Internet. Measures are in place to continuously monitor network traffic and flows. Where deemed appropriate, externally approved penetration testing providers are employed to undertake independent testing to detect and remediate vulnerabilities.
Application security
Application development and code are managed through appropriate standards, policies and review processes. Internally developed coding standards are implemented. Where deemed appropriate, externally approved penetration testing providers are employed to undertake independent code review and application testing to detect and remediate vulnerabilities.
Vulnerability management
Following receipt from the relevant third-party manufacturer or vendor, WebV will (within a reasonable period, considering the nature and severity of the risk) apply:
a. recommended security updates to relevant systems, devices, or applications; and
b. software patches designated by the relevant third party as being “critical”.
Vulnerability assessment
The production IT infrastructure is subject to a programme of continuous scanning for security risks through planned IT checks and penetration tests.
Access management
Identity and access management controls are in place to authenticate users and to manage access to network domains, applications and systems according to job roles. Permissions and access rights, including those of privileged users, are regularly reviewed.
Governance
WebV corporate governance provisions are aligned to ensure that security and data protection priorities and status are continuously reviewed and monitored through:
- WebV Systems Operational Group
- WebV Senior Management Team Meetings
- WebV Governance Meeting
- Information Governance Steering Group
The following designated roles responsible for information and security exist within WebV Group:
- Caldicott Guardian
- Data Protection Officer (DPO)
- Senior Information Risk Owner (SIRO)
WebV policies
The following policies are in place to ensure that all WebV staff and contractors comply with policy requirements and standards. WebV policies include (but are not restricted to) the following:
- Information Security Policy
- Data Protection Policy
- Information Governance Policy
- System Level Security Policy
- System Access Standard Operating Procedure
Audit
WebV undertakes regular audits in relation to cyber security and data protection.
Business continuity and IT disaster recovery
Business continuity plans are in place to ensure continuity of service in the event of unplanned disruptions, events or incidents. Provisions include the continuity of critical systems and infrastructure.
Physical and personnel security
Adequate measures are in place to physically control access to premises, buildings and data centres, including deterrent, monitoring, preventative and detective measures. Members of staff are subject to pre-employment checks and screening determined by their job roles and responsibilities. Process measures are in place to manage contractors, new staff and leavers across the organisation, including the management of IT assets and access to systems.
Training, education and awareness
The combination of policy, process and procedure communications (together with mandatory learning and line manager reinforcement) is utilised to ensure personnel comply with published policies, standards and guidelines. In addition, members of staff are required to complete General Data Protection training on an annual basis.