INFORMATION SECURITY. A briefing on the information security controls at Computershare


INTRODUCTION

Information is critical to all of our clients and is therefore a key focus for Computershare. We host over one hundred and twenty five million records worldwide. The security of these records is of the utmost importance and we continually make sizable investments to protect our information, IT systems, applications, infrastructure and processes.

Computershare has developed a comprehensive global information security framework aligned to ISO/IEC 27002:2013. This framework and its underlying controls are designed to ensure that:

> Computershare information and systems are only available to authorised people with a justified business need;
> Computershare information is not disclosed or modified without authorisation;
> Computershare information is available when required by relevant business processes;
> applicable regulatory, legislative and client requirements are met;
> information security training is available to all employees;
> breaches of security and suspected weaknesses are reported, investigated, documented and resolved;
> employees have access to relevant additional standards and guidelines that support this policy; and
> our brand and financial resources are otherwise protected from the damage that information security breaches can cause.

This document provides an overview of our information security framework that is in place across all of our businesses.

02 > Computershare Computershare Public

1. Information Security Policy

Computershare has an Information Security Policy Framework (ISPF) that is aligned to ISO/IEC 27002:2013 and applies to all Computershare business units in all geographic locations. It is owned by the Chief Information Security & Risk Officer, reviewed by key stakeholders across the organisation and approved by the Chief Executive Officer.

The ISPF is the collective term for our Information Security Policy, Information Security Standard, Technical Security Standards and Information Security Guidelines. It is reviewed on an annual basis to reflect any significant changes in Computershare's structure, business functions and the regulatory environment, or in response to new and emerging information security threats.

The ISPF is communicated to all employees through an information security awareness and training programme and is published via the Information Security Portal on the Computershare intranet.

2. Organisation of Information Security

Computershare has established an effective, forward-looking information security operating model that is supported by a strong professional capability across the organisation. The Chief Information Security & Risk Officer leads the Global Information Security and Risk Group, providing oversight and guidance on the overall development and implementation of information security across the business. This team works in conjunction with Computershare's business units and other support functions including Compliance, Audit, and Technology.

Employees and third parties (including consultants, contractors, business partners and suppliers) have their information security responsibilities clearly defined in the Information Security Policy. Specific responsibilities are also included for Line Managers, Information Owners, Information Custodians and Business Unit Heads.

Computershare operates global vendor management programmes to identify, assess and manage the information security requirements that are contractually agreed with our third party suppliers that may access, store, process or transmit information on our behalf.

3. Asset Management

Computershare has implemented an information classification scheme for all information that supports its day-to-day business activities. Computershare maintains inventories of its information assets, including applications and IT systems.

Information Owners and Information Custodians are assigned to all business applications and are required to complete an information security risk assessment. This classifies the application based upon business criticality and identifies the required controls to protect the confidentiality, integrity and availability of the application throughout its lifecycle in accordance with the classification. At the end of the information lifecycle, all information is securely destroyed prior to reuse or disposal of the information asset.

4. Human Resource Security

Employees are subject to screening prior to employment. The screening processes are conducted in accordance with relevant national laws and industry regulations and provide verification of identity and credentials, as well as evaluating applicant integrity.

Employees are subject to confidentiality/non-disclosure agreements as part of the standard employment contracts and are required to comply with the controls outlined in the Information Security Policy, including Acceptable Use of Computershare Information.

The Global Information Security and Risk Group manages multi-lingual information security awareness and training programmes to ensure that all employees are aware of their responsibilities and possess the necessary resources to maintain our position on information security. These programmes include mandatory annual on-line training for all employees, targeted security campaigns that are commensurate with specific job roles and more detailed technical security training for the Computershare technology teams.

When an employee leaves, Computershare applies robust procedures to ensure the timely removal of access rights to Computershare's IT systems as well as the retrieval of physical information assets which are recorded in the asset inventories.

5. Physical and Environmental Security

All Computershare office locations operate risk-based controls to afford protection against unauthorised physical access. These can include physical and electronic access control systems, manned reception desks, CCTV and security lighting.

Access to our data centre facilities and other critical information processing locations is strictly controlled and restricted to pre-authorised individuals only. This access is logged and the access rights are reviewed on a regular basis. All Computershare data centre facilities are designed to be protected against fire, flood, environmental and other natural hazards. Our environmental controls can include fire detection and prevention, dual power supplies, monitored Uninterruptible Power Supply (UPS), back-up generators, and temperature, smoke, water and humidity controls.

6. Communications and Operations Security

Computershare has implemented a defence-in-depth approach to protect its information and IT systems from existing and emerging threats. The management and operation of our IT systems is delivered by our highly experienced Technology teams using a service management model based upon the Information Technology Infrastructure Library (ITIL) standard. This includes the formalisation of processes and procedures to support core activities such as back-up and recovery, change management, release management and capacity planning.

Computershare has a common resilient split-site and disaster-tolerant network and computing architecture design across all of its global data centres. Our multi-tier internet-facing infrastructure uses two physical layers of firewalls supporting three-tier application deployment and secure segregation of different networks, connections and systems where appropriate. Server virtualisation provides rapid resource provisioning and enhanced failover and disaster recovery capabilities.

All Computershare IT systems are configured following documented technical security standards which include applicable controls such as system hardening, encryption, antivirus and malware protection and a regular patching schedule that is defined by the system's criticality and threat level.

The Global Information Security and Risk Group actively monitors the internal and external threat environment and works with the Technology teams to ensure that the security controls currently deployed are both appropriate and effective in mitigating risk. The Computershare IT network is monitored by a global 24x7 Security Operations Centre which collects and correlates the event logs from network devices, firewalls, IDS and web application firewalls. This data is analysed and any unusual or suspicious events generate the necessary alerts, which are handled by our information security incident management processes.

7. Access Control

Computershare operates on the principle of least privilege for access control. This is to ensure that only authorised individuals are permitted access to our business applications, systems, networks and computing devices; that individual accountability is established; and that authorised users are provided with access permissions that are sufficient to enable them to perform their duties but do not permit them to exceed their authority. Our authentication and authorisation mechanisms and processes are commensurate with the criticality of the Computershare IT system.

Access is co-ordinated through the regional IT Service Desks and all access requests must be authorised by an employee's line manager and/or the assigned resource owner. The Global Information Security and Risk Group regularly performs recertification reviews of user access rights to detect and remove any inactive accounts and inappropriate access permissions.

Employees are assigned unique user IDs and are required to select and manage their passwords in line with the Acceptable Use section of the Information Security Standard. In the event of a change of employment status or role, user access rights are immediately revoked or reassigned by the regional IT Service Desks upon notification from the line manager.

The use of privileged accounts is strictly controlled and restricted to system administration and maintenance activities only. Additional measures are employed to securely manage these accounts, including enhanced password management controls and more frequent recertification reviews.

Remote access to the Computershare network is only permitted for pre-authorised employees using a Computershare-managed asset. This is achieved using an encrypted VPN solution that performs security validation checks against the asset and is supported by multi-factor authentication.

8. Information System Development, Acquisition & Maintenance

Computershare has a wealth of in-house experience in delivering best-in-class business applications and IT systems. We follow a defined System Development Life Cycle (SDLC) that incorporates information security throughout each stage, including risk assessments, the identification and implementation of control requirements, static and dynamic code analysis and technical security penetration testing.

Computershare maintains separate development, test and production environments and has strict policies to enforce segregation of duties for employees responsible for development, testing and support activities. Our source code, including all applications under development, is stored and protected in an approved source code system with audit logging enabled to track activity such as code modification and deletion.

Our business applications and IT systems classified as critical by the information security risk assessment process have enhanced information security controls and are registered under a permanent supervision programme for regular security assurance tests in the production environment.

9. Business Continuity Management

Computershare has an established global Business Continuity Management programme that supports our regulatory and contractual requirements. Our programme is managed by dedicated regional business continuity resources and is underpinned by relevant business continuity policies, procedures and supporting technologies.

All Computershare business units are included within the Business Continuity Management programme and are required to complete a risk assessment and business impact analysis. This provides a consistent methodology to define the recovery time objectives which are incorporated into specific business continuity plans. Our business continuity plans and disaster recovery plans are developed and maintained by assigned owners from the Business Units and Technology teams and are regularly updated to reflect any change of circumstances.

Computershare performs business continuity and disaster recovery tests on a periodic basis to ensure that the plans can be employed should the need arise. The test results are communicated to our senior executive management and relevant stakeholders upon completion.

10. Information Security Incident Management

Computershare has global risk-based processes to respond to information security incidents, unusual or suspicious events and breaches of policies. These processes are owned and co-ordinated by the Global Information Security and Risk Group with formal involvement from relevant stakeholders (e.g. legal, compliance, technology, human resources, business relations, anti-fraud and public relations).

The information security incident management processes are designed to contain and control the incident, reduce any potential impact to the business, identify and investigate the root cause and implement corrective actions to reduce the risk of recurrence. These processes are supported by procedures for identification, reporting, assessment, response, recovery and follow-up. Our post-incident procedures include root cause analysis, forensic investigation and, where required, notification to the relevant authorities and affected clients.

Employees are provided with training and guidance to identify and report information security incidents. The individuals responsible for managing information security incidents are supported by more specific training and access to relevant tools to complete each stage of the information security incident management process.

11. Compliance

Computershare has an established governance, risk and compliance model that is endorsed by our Risk and Audit Committee. The Global Information Security and Risk Group measures compliance with the Information Security Policy through periodic technical and non-technical control assessments. Our technical control assessments include system patch verification, application and infrastructure vulnerability scans and penetration tests.

Computershare has an independent Internal Audit function that delivers global and regional IT and integrated audit reviews, which include the assessment of our processes and technologies against the Information Security Policy. The results of these reviews are documented, managed through to remediation and reported to the Risk and Audit Committee on a regular basis.

Computershare also commissions a number of external audits to provide independent assurance and attestation of our business and technology controls. These external audits include AT101, ISAE3402 and SSAE16 and are applicable to specific Business Units and geographic locations.

SUMMARY

We trust this demonstrates the commitment and considerable investment Computershare has made to information security and that our clients, business partners, employees and shareholders can have full confidence in the confidentiality, integrity and availability of our information and IT systems. If you have any specific questions or would like additional information on the measures that we take to protect your information, then please contact your nominated Computershare Relationship Manager.

Computershare (ASX:CPU) is a global market leader in transfer agency and share registration, employee equity plans, proxy solicitation and stakeholder communications. We also specialise in corporate trust, mortgage, bankruptcy, class action, utility and tax voucher administration, and a range of other diversified financial and governance services. Founded in 1978, Computershare is renowned for its expertise in high integrity data management, high volume transaction processing and reconciliations, payments and stakeholder engagement. Many of the world's leading organisations use us to streamline and maximise the value of relationships with their investors, employees, creditors and customers. Computershare is represented in all major financial markets and has over 16,000 employees worldwide. For more information, visit www.computershare.com