Information Security Statement
NetSecGroup delivers services that routinely involve access to client systems, data, and credentials. This statement sets out the governance, controls, and commitments that protect information entrusted to us. The controls described here are consistent with those independently audited under IASME Cyber Assurance Level 2 with Quality Principles (certificate b597252e-5f60-4768-b069-505b995b60f4, valid to 2029-01-06).
Scope
This statement applies to all information processed by NetSecGroup on its own behalf or on behalf of clients, in any format, across all systems, services, and personnel engaged by the business.
Governance
Information security accountability sits with the Director. Policies, risk registers, and control effectiveness are reviewed at least annually, at any material change to the business or services, and at each IASME annual review. The information security framework is independently assessed by an IASME-authorised auditor on a continuous-assessment basis.
Risk management
A risk register is maintained covering threats to confidentiality, integrity, and availability of client and business information. Risks are assessed, owned, and reviewed at least annually. Residual risk is accepted only with documented rationale.
Access control
- Multi-factor authentication is required for all business-critical systems
- Least-privilege access is the default; privileged access is time-bound and reviewed quarterly
- Credentials are managed via an audited password vault; shared accounts are prohibited
- Client credentials and access tokens are held only for the duration of an engagement and securely destroyed on completion
Data protection
- Client data at rest is encrypted using AES-256 or equivalent
- Data in transit uses TLS 1.2 or higher, with TLS 1.3 preferred
- Data retention follows a documented schedule aligned to UK GDPR and contractual requirements
- Secure deletion procedures apply to both digital and physical media at end of life
Endpoint and network security
- All business endpoints run current, supported operating systems with automated patching
- Endpoint detection and response is deployed on all devices used for client work
- Network access requires authenticated VPN; split-tunnelling is disabled for sensitive engagements
- A documented build standard applies to all new assets before they are used for client work
Personnel and subcontractor assurance
All personnel engaged in client work complete identity verification, professional credential checks, and sign contractual confidentiality and security obligations before any access is granted. Subcontractors are bound by the same requirements via the NetSecGroup Supply Chain and Subcontractor Policy.
Incident response
A documented incident response procedure is in place covering detection, containment, investigation, notification, and post-incident review. Clients are notified of any confirmed security incident affecting their data within 24 hours of confirmation, with a written report provided within five working days.
Secure development and configuration
Tooling and infrastructure built in support of client services are developed against a secure baseline, with dependency scanning, secret scanning, and automated vulnerability detection in continuous integration. Security findings above a defined severity block deployment until resolved.
Training
All personnel complete annual information security awareness training and targeted role-specific training where relevant. Phishing resilience is tested at least annually.
Supplier assurance
Suppliers with access to client data or supporting systems are subject to security due diligence at onboarding, data processing agreements, and annual review. Supplier changes are notified to affected clients where contractually required.
Contact
Security concerns, vulnerability reports, and incident notifications should be directed to [email protected]. Responsible disclosure is welcomed.
Approved by the Director, Net Sec Group Limited. Reviewed annually and upon any material change to the business, its services, or applicable legislation.
Published on behalf of Net Sec Group Limited (Companies House number 12960489), registered office 85 Great Portland Street, London, W1W 7LT. Queries about this policy should be directed to [email protected].
Other Public Policies
- Modern Slavery and Human Trafficking Statement: our position under the Modern Slavery Act 2015 and how we assess our supply chain.
- Environmental Policy: our approach to environmental responsibility and reducing the impact of our operations.
- Carbon Reduction Plan: our baseline emissions measurement and targets for reduction.
- Health and Safety Statement: our obligations and commitments under UK Health and Safety legislation.
- Supply Chain and Subcontractor Policy: how we vet, manage, and flow down obligations to subcontractors and suppliers.
- UK Sanctions Compliance Statement: our compliance with the UK Sanctions List and related regimes.
Questions on this policy?
Procurement teams and clients can request a signed PDF copy, cite specific clauses, or ask for clarification on any provision.