
Trust Portal
Epro is an AI-driven clinical platform that provides digital inpatient and outpatient tools including speech recognition, which are proven to optimise workflows and capture outcomes in real-time at the point of care.
As a trusted partner to the NHS for 20 years, our software supports over 60,000 users across 11 NHS Trusts; supporting clinicians to make better decisions, increase hospital productivity and improve patient care through our highly secure, cloud-hosted solution.
This portal aims to provide a concise overview of certifications, accreditations and the good governance that drive our day to day activities at Epro.
Controls
Infrastructure Security
Control
Status
Data retention procedures established
Epro has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.
Service infrastructure maintained
Epro has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.
Continuity and Disaster Recovery plans established
Epro has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.
Production data backups conducted
Epro performs periodic backups for production data. Data is backed up to a different location than the production system.
Application and data criticality analysed
Epro assesses the relative criticality of specific applications and data in support of other contingency plan components.
Infrastructure performance monitored
An infrastructure monitoring tool is utilised to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.
Security awareness training implemented
Epro requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.
Segregation in virtual computing environments
A cloud service customer's virtual environment running on a cloud service is protected from other cloud service customers and unauthorised persons.
Remote access MFA enforced
Epro's production systems can only be remotely accessed by authorised employees possessing a valid multi-factor authentication (MFA) method.
Production network application access restricted
System access restricted to authorised access only.
Encryption key access restricted
Epro restricts privileged access to encryption keys to authorised users with a business need.
Unique account authentication enforced
Epro requires authentication to systems and applications to use a unique username and password or authorised Secure Shell (SSH) keys.
Access control procedures established
Epro's access control policy documents the requirements for the following access control functions:
adding new users;
modifying users; and/or
removing an existing user's access.
Organisational Security
Control
Status
Confidentiality Agreement acknowledged by contractors
Epro requires contractors to sign a confidentiality agreement at the time of engagement.
Confidentiality Agreement acknowledged by employees
Epro requires employees to sign a confidentiality agreement during onboarding.
Employee background checks performed
Where a role requires access to client data, comprehensive DBS Enhanced checks are performed on new employees.
Anti-malware technology utilised
The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.
Return of assets
Personnel and other interested parties as appropriate shall return all the organisation’s assets in their possession upon change or termination of their employment, contract or agreement.
Asset disposal procedures utilised
Epro has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.
Data & Privacy
Control
Status
Privacy policy established
Epro has a privacy policy in place that documents and clearly communicates to individuals the extent of personal information collected, the company's obligations, the individual's rights to access, update, or erase their personal information, and an up-to-date point of contact where individuals can direct their questions, requests or concerns.
Privacy policy reviewed
Epro reviews the privacy policy as needed or when changes occur and updates it accordingly to ensure it is consistent with the applicable laws, regulations, and appropriate standards.
Privacy policy available
Epro has a privacy policy available to customers, employees, and/or relevant third parties who need them before and/or at the time information is collected from the individual.
Data retention procedures established
Epro has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.
Service infrastructure maintained
Epro has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.
Continuity and Disaster Recovery plans established
Epro has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.
Product Security
Control
Status
Penetration testing performed
Epro's penetration testing is performed annually by a CREST accredited Third Party. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.
Data encryption utilised
Epro uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted.
Data transmission encrypted
Epro uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted.
Vulnerability and system monitoring procedures established
The company's formal policies outline the requirements for the following functions related to IT security
Internal Security Procedures
Control
Status
Service description communicated
Epro provides a description of its products and services to internal and external users.
Security policies established and reviewed
Epro's information security policies and procedures are documented and reviewed at least annually.
Support system available
Epro has an external-facing support system in place (Jira) that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.
Roles and responsibilities specified
Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.
Remote access processes established
Epro has processes in place for granting, changing, and terminating access to data centers based on an authorisation from control owners.
Third-party agreements established
Epro has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity.
Cybersecurity insurance maintained
Epro holds cybersecurity insurance to mitigate the financial impact of business disruptions.
Incident management procedures followed
Epro's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.
System capacity reviewed
Epro evaluates system capacity on an ongoing basis, and system changes are implemented to help ensure that processing capacity can meet demand.
Development lifecycle established
Epro has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.
Incident response policies established
Epro has security and privacy incident response policies and procedures that are documented and communicated to authorised users.
Vendor management program established
Epro has a vendor management program in place. Components of this program include:
critical third-party vendor inventory;
vendor's security and privacy requirements; and
review of critical third-party vendors at least annually.
Production deployment access restricted
Epro restricts access to migrate changes to production to authorised personnel.
AI Security & Compliance
Control
Status
Processes for responsible use of AI
Epro defines and documents the processes for the responsible use of AI systems.
Objectives for responsible use of AI
Epro identifies and documents objectives to guide the responsible use of AI systems.
Support system available
Epro has an external-facing support system in place (Jira) that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.
Suppliers
Epro has established a process to ensure that its usage of services, products or materials provided by suppliers aligns with the organisation’s approach to the responsible development and use of AI systems.
Infrastructure performance monitored
An infrastructure monitoring tool is utilised to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.
Production application access restricted
System access restricted to authorised access only.
Log management utilised
Epro utilises logs to identify events that may have a potential impact on the company's ability to achieve its security objectives.
Firewall access restricted
Epro restricts privileged access to the firewall to authorised users with a business need.
AI policy
Epro has documented a policy for the development or use of AI systems.
Intended use of the AI system
Epro ensures that the AI system is used according to the intended uses of the AI system and its accompanying documentation.
Resource documentation
Epro should identify and document relevant resources required for the activities at given AI system life cycle stages and other AI-related activities relevant for the organisation.
Review of the AI policy
The AI policy should be reviewed at planned intervals or additionally as needed to ensure its continuing suitability, adequacy and effectiveness.
Tooling resources
As part of resource identification, the organisation should document information about the tooling resources utilised for the AI system.
System documentation and information
Epro has determined and provided the necessary information to users of the system.
