Security Overview. A guide to data security at AIMES Data Centres. www.aimesgridservices.com TEL: 0151 905 9700 enquiries@aimes.



Similar documents
HSCIC Audit of Data Sharing Activities:

ISO Controls and Objectives

Importers must have written and verifiable processes for the selection of business partners including manufacturers, product suppliers and vendors.

C-TPAT Self-Assessment - Manufacturing & Warehousing

Return the attached PPG Supply Chain Security Acknowledgement by , fax, or mail within two weeks from receipt.

Understanding Sage CRM Cloud

ISO27001 Controls and Objectives

welcome to Telect s Minimum Security Criteria for Customs-Trade Partnership Against Terrorism (C-TPAT) Foreign Manufacturers Training Presentation

Customs -Trade Partnership Against Terrorism (C-TPAT) Vendor Participation Overview

CITY UNIVERSITY OF HONG KONG Physical Access Security Standard

Digital Forensics G-Cloud Service Definition

Video surveillance policy (PUBLIC)

Customs-Trade Partnership Against Terrorism (C-TPAT) Security Guidelines for Suppliers/Shippers

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Information Security Incident Management Policy September 2013

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Security Criteria for C-TPAT Foreign Manufacturers in English

ICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October Document Author(s) Collette McQueen

C-TPAT Importer Security Criteria

CCG: IG06: Records Management Policy and Strategy

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

Intermec Security Letter of Agreement

Introduction to the NHS Information Governance Requirements

Information Security Incident Management Policy

Mike Casey Director of IT

Physical Security Policy

ULH-IM&T-ISP06. Information Governance Board

INFORMATION ASSURANCE

Data Protection Breach Reporting Procedure

ABBVIE C-TPAT SUPPLY CHAIN SECURITY QUESTIONNAIRE

ISO/IEC Information Security Management. Securing your information assets Product Guide

Partners in Protection / C-TPAT Supply Chain Security Questionnaire

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

Supply Chain Security Audit Tool - Warehousing/Distribution

Draft Information Technology Policy

Rotherham CCG Network Security Policy V2.0

QUALIFICATION HANDBOOK

Information Security Incident Management Policy and Procedure. CONTROL SHEET FOR Information Security Incident Management Policy

A Decision Maker s Guide to Securing an IT Infrastructure

CONFORMED COPY. Method Statement Helpdesk Services. Revision History. Revision Date Reviewer Status. 23 March 2007 Project Co Final Version

SCHOOL SECURITY POLICY & PROCEDURES

INFORMATION SECURITY SPECIFIC VENDOR COMPLIANCE PROGRAM (VCP) ACME Consulting Services, Inc.

Physical Protection Policy Sample (Required Written Policy)

Customs & Trade Partnership Against Terrorism (C TPAT)

Protecting your business interests through intelligent IT security services, consultancy and training

WAREHOUSE SECURITY BEST PRACTICE GUIDELINES CUSTOMS-TRADE PARTNERSHIP AGAINST TERRORISM

Information Security: Business Assurance Guidelines

DataCentre Access Policies & Procedures

Small businesses: What you need to know about cyber security

How To Protect Decd Information From Harm

Global Supply Chain Security Recommendations

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Information Governance Policy

ICT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY

University of Brighton School and Departmental Information Security Policy

TRANSPORT FOR LONDON (TfL) LOW EMISSIONS CERTIFICATE (LEC) GUIDANCE NOTES FOR THE COMPANY AUDIT PROCESS. LEC (Company Audit) Guidance Notes

C-TPAT Customs Trade Partnership Against Terrorism

Remote Monitoring offers a comprehensive range of services, which are continually

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

For inclusion in the shortlist to be invited to tender for the provision of Manned Security Services to S4C. Date of publication: 9 December 2013

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Colocation, Cloud and Managed Services

Information Security Policy. Chapter 10. Information Security Incident Management Policy

SOC 2 Report Seattle, WA (SEF)

INFORMATION TECHNOLOGY SECURITY STANDARDS

TELEFÓNICA UK LTD. Introduction to Security Policy

Abu Dhabi EHSMS Regulatory Framework (AD EHSMS RF)

REMOTE WORKING POLICY

Eskom Registration Authority Charter

Datacentre Studley. Dedicated managed environment for mission critical services. Six Degrees Group

Outsourcing and third party access

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security and Governance Policy

Security guidance for all existing or prospective Home Office Controlled Drug Licensees and/or Precursor Chemical Licensees or Registrants

Supplier IT Security Guide

Site Security and Access Policy and Procedures. Written By. Kent Walmsley Creation date Summer 2010 Adopted by Governors 7 December 2010 Reviewed By

Safety & Security Intruder Fire Access CCTV VeriSafe Alarms Alarms Systems Systems Keeping people safe & businesses compliant

NHS HDL (2006)41 abcdefghijklm. = eé~äíü=aéé~êíãéåí= = aáêéåíçê~íé=çñ=mêáã~êó=`~êé=~åç=`çããìåáíó=`~êé

INFORMATION & COMMUNICATIONS TECHNOLOGY (ICT) PHYSICAL & ENVIRONMENTAL SECURITY POLICY

Network Password Management Policy & Procedures

Information Security Policy. Chapter 13. Information Systems Acquisition Development and Maintenance Policy

Finance and Resources Committee

UK SBS Physical Security Policy

/ BROCHURE / CHECKLIST: PCI/ISO COMPLIANCE. By Melbourne IT Enterprise Services

06100 POLICY SECURITY AND INFORMATION ASSURANCE

Security Profile. Business Partner Requirements, Security Procedures (Updated)

Transcription:

Security Overview A guide to data security at AIMES Data Centres www.aimesgridservices.com TEL: 0151 905 9700 enquiries@aimes.net

Page 1 of 10 Contents I. Protecting our clients data...2 II. Information Security...3 ISO 27001 Information Security Management System (ISMS)... 3 NHS IG Toolkit Compliance... 4 G-Cloud Assured Supplier... 4 III. Physical Onsite Security...5 Secure Location... 5 Two form factor authentication & anti tailgating security lobby... 5 Tablet based Photo ID Access Control... 5 CCTV Monitoring... 6 IV. Staff Security...7 V. Onsite Access Control...8 VI. Contact...9

Page 2 of 10 Protecting our clients data AIMES provides specialist ISO 27001 data centre services to a range of industries, including pharmaceutical, health, automotive, professional services and the digital and creative sectors. Our Data Centre information security management system (ISMS) was audited by BUREAU VERITAS and granted ISO 27001 certification in December 2007 (Certificate No. UK 8000045), and has passed further audits each year between 2008-2013. For us maintaining our ISO 27001 certification is just as much about running our data centre securely as it is about providing our clients with evidence of our compliance. At AIMES, we continually seek to improve our processes and systems to protect our business and to offer the best possible service to our customers. The security regime and security standards that we adhere to can be summarised into two main headings: Information Security Physical Security The following document provides specific details on each of these aspects of security at AIMES. If you still have any questions or queries regarding our security, then please do not hesitate to contact me using the details below. Paul Langan Information Security Manager 0151 905 9700 Paul.langan@aimes.net

Page 3 of 10 Information Security ISO 27001 Information Security Management System (ISMS) ISO27001 Certification is one of the most widely recognized independent global standards for security an organization can achieve. Certification to the standard involves a lengthy process whereby every facet of the b usiness is examined from a security and process standpoint. All of AIMES business systems, technologies, processes and data centres have been carefully examined to ensure they are compliant to the highest security and management standards We have implemented and had audited 135 individual security controls at our data centre to ensure security and to protect our client s information assets. These controls are grouped under the following categories: Security Policy: Organisation of Information Security Asset Management. Human Resources Security. Physical and environmental security. Communications and operations management. Access control. Information systems acquisition, development and maintenance. Information security incident management. Business Continuity Management. Compliance. Benefits to AIMES customers It provides basis for sharing information with other organisations in a secure manner A system for due corporate governance and a framework for legal compliance Ensures that we keep our customer's confidential information secure Managing & minimising our customer's risk exposure We publish a Statement of applicability document each year which identifies the security controls chosen for our data centre, and explains how and why they are appropriate. If you would like to receive a copy ISO 27001 certificate or statement of applicability then please contact our Information Security Manager. Paul Langan Information Security Manager 0151 905 9700 Paul.langan@aimes.net

Page 4 of 10 NHS IG Toolkit Compliance The Information Governance Toolkit is a performance tool produced by the Department of Health (DH) and hosted by the Health and Social Care Information Centre (HSCIC). It draws together the legal rules and central guidance relating to Information Governance and presents them in one place as a set of information governance requirements. The online system allows NHS partners to assess themselves against Department of Health Information Governance policies and standards. AIMES (Organisation Code 8J121) complete the Toolkit on an annual basis and our version 10 submission for 2013 has been reviewed and classed as meeting the NHS criteria for information security and governance (Level 2). Our status can be viewed on the IG Toolkit website via the IGT Reports section: http://tinyurl.com/aimesigtoolkit This means that, in addition to our pre-existing ISO-27001 certification for information security, our Data Centres now also meets the NHS criteria for information security and governance (Level 2). G-Cloud Assured Supplier AIMES is a G-Cloud Assured supplier and has been selected by the Government Procurement Service to deliver key elements of the G- Cloud program through the G-Cloud Framework Agreement. The G-Cloud Framework delivers fundamental changes in the way the public sector procures and operates ICT and allows all UK public sector organisations flexibility and freedom of choice in procuring cost effective, industry-leading cloud based services and solutions. Congratulating AIMES on its achievement Marie-Helene Durif, Head of Sourcing & Category Management ICT at the Government Procurement Service stated, At the Government Procurement Service our priority is to provide procurement savings for organisations across the UK public sector. The inclusion of AIMES in the G-Cloud Framework will strengthen our offering and provide public sector buyers with a tried and tested route to achieve value for money. AIMES is pleased to be able to offer secure Cloud based services through this new framework agreement

Page 5 of 10 Physical Onsite Security AIMES have implemented a range of strong physical security precautions onsite to protect the data centres and our customers systems from unauthorised access. Secure Location AIMES is located in a designated technology park, which is surrounded by secure metal fencing. There is a single point of entry, each with a security lodge that is manned on a 24-hour basis. Within the security lodge guards control the external CCTV and perimeter protection cameras. The guards carry out random hourly foot patrols during quiet hours. Security will register and issue a personalised access pass to all employees, which allows them access only to those areas required for them to carry out their duties. The AIMES Information Security Management System Manager (ISMS) advises Security of any changes to access required if duties change. Two form factor authentication & anti tailgating security lobby Access to our Kilby House Data Centre is achieved using secure 2 factor authentication access controls. Pin Code and personalised access control passes are used to secure entry. Tailgating is the act of an unauthorized individual following an authorized person through a door without their knowledge. AIMES has eliminated tailgating by locating an anti tailgating security lobby in between each of the two access controls. The enclosed area has one door in the public area and another door into the secure area. AIMES trained security personal ensure that they have not been followed into the security lobby and that the first door is fully closed before opening the 2 nd door and entering the secure data centre area. Tablet based Photo ID Access Control Bespoke Photographic ID Records Application for Visitor Sign in to ensure security compliance requirements in accordance with our ISO27001 terms and conditions All individuals are required to check-in at the reception upon arriving at the AIMES Data Centre. If it is their first visit, clients must produce identification. They will then be photographed and required to sign the Data Centres Terms & Conditions in order to gain access to their designated cabinet or cage. On following visits they will be photographed again, and this will be checked against the photograph provided during their first visit to ensure it is the same authorized individual requesting access.

Page 6 of 10 Rack Security AIMES racks are subject to physical and login access controls on a need-to-use basis. Cabinets are individually secured with key locks front and back or alternatively, can be secured by a proximity card system, if required. Rack Access PX-HID protects cabinets from unauthorised access. This IP-based system uses electronic locks to secure enclosures and access is granted through HID-based proximity cards or the secure Web interface. Alarm notification options, such as email, indicate a compromised security state. Administrators can easily configure access for individual employees, schedule access to equipment for maintenance purposes, and view audit trails. CCTV Monitoring Data Centre CCTV monitoring from secure admin area. Monitoring our data centre buildings 24 hours a day, 365 days a year is vital and we have put in place some of the very latest security technology to protect the data centre from any unauthorised access.

Page 7 of 10 Staff Security To ensure the security of client data, AIMES has introduced controls that deal with staff security prior to, during and after employment. The procedures have been successfully audited and are detailed below: Prior to Employment: AIMES has introduced a number policies and procedures that ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities. o Roles and responsibilities: AIMES ensures that the security roles and responsibilities of its employees, contractors and third party users are defined and documented in accordance with the organization s information security policy. o Screening: AIMES ensures that background verification checks on all candidates for employment, contractors, and third party users are carried out prior to employment o Terms and conditions of employment: As part of their contractual obligation, all AIMES employees, contractors and third party users have to agree and sign the terms and conditions of their employment contract, which state their and the organization s responsibilities for information security. During employment: AIMES has introduced a number policies and procedures that ensure that all employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error. o Information security awareness, education and training: All employees of AIMES and, where relevant, contractors and third party users receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function. o Disciplinary process: AIMES has a formal disciplinary process for employees who have committed a security breach. After Employment: AIMES has introduced a number policies and procedures that ensure that employees, contractors and third party users exit our organization or change employment in an orderly manner. o Termination responsibilities: AIMES ensure that all responsibilities for performing employment termination or change of employment are clearly defined and assigned. o Return of assets: AIMES ensures that all employees, contractors and third party users return all of the organization s assets in their possession upon termination of their employment, contract or agreement. o Removal of access rights: AIMES ensures that the access rights of all employees, contractors and third party users to information and information processing facilities are removed upon termination of their employment, contract or agreement.

Page 8 of 10 Onsite Access Control AIMES operate an ISO27001 certified facility. As part of our ISO terms and conditions as well as general company policy, we ask the following of our customers when visiting AIMES for the first time. Please give up to 7 working days notice prior to a kit install. This is compulsory for out of hours installs. Complete a RAMS (Risk Assessment and Method Statement) document. The RAMS allows us to identify risks, undertake remedial action to mitigate risk, and be prepared for any assistance which is required of AIMES. Provide the full names of those attending on site A full list of kit to be installed Upon arrival All individuals are required to check-in at the reception upon arriving at the AIMES Data Centre. If it is their first visit, clients must produce identification. They will then be photographed and required to sign the following entry terms & Conditions in order to gain access to their designated cabinet or cage. Access Procedure Standard Access Customers, who wish to access the AIMES facilities for standard installation, maintenance, upgrades, etc., are required to provide notice a minimum of 24 hours in advance of the desired access time. Standard access is available from 9am 5pm Monday through Friday. Access outside these hours must be arranged with at least 5 working days notice (emergency access excluded) Login to the Issue management portal (IMP) http://imp.aimes.net and raise a change request for your project. Please set the Request Severity dropdown to either minor or medium as appropriate. Emergency Access In the case of failure or malfunction of any of the Customer s Equipment or any other reason requiring urgent repairs necessitating unscheduled access to the Co-Location Space, the Customer must notify the AIMES as soon as practicable to make appropriate arrangements for access to the Co-Location Space. Login to the Issue management portal (IMP) http://imp.aimes.net and raise a change request for your project. Please set the Request Severity dropdown to either Major and please state the reason why this is an emergency.

Page 9 of 10 Contact If you want to discuss any aspect of our Information security policies and procedures then please contact us. We will be happy to provide more detail on any of the elements and provide you with a more complete outline of our security policies, procedures and on-going strategy ARRANGE A VISIT If you would like to inspect our Data Centre facilities and security arrangements in person, please contact us to arrange a tour. We will be happy to show you around the data centre and discuss any aspects of our policy in more detail with you. Head Office: 0151 905 9700 London Office: 020 3598 8083 enquiries@aimes.net www.aimesgridservices.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information