All data captured by Zest4 is processed to enable us to provide you with our telecommunications services.
Zest4 has invested heavily in both the physical and virtual security of our servers. All data servers are held securely in an onsite secure environment.
Technical controls that are in place include, but are not limited to, the following:
Access to client data is strictly controlled through our Role Based Access Controls, which are maintained in line with our Information Security Policy, IT Policy and Administrator Accounts Policy. Only when a client specifically requests that a change is made, or a request for support relating to specific client data is made, will a qualified member of the Service Team access the client data set.
All Zest4 employees with access to either personal or client data are given appropriate data protection and information security training. This is supported with awareness campaigns and group workshops to promote best practice and promote information governance as a business enabler.
Q: Is a corporate approach to risk management in place which enables the escalation of project risks to programme and/or organisational level risk registers? A: The running of risk management activities is conducted by the IT Management Team. The Board has full oversight of risks, and sufficient escalation routes exist to effectively manage any risks which are above/outside of the organisation’s risk appetite.
Q: Do you have a BCP (Business Continuity Plan) and DRP (Disaster Recovery Plan) in place? A: Yes – Zest4 continually reviews these plans when updating services and processes, to ensure that all aspects of our services are included within their scope. Our data is backed up on premises and will imminently also be backed up at data centres based in the UK.
Q: Is data backup encrypted and to what standard? A: Backup data is encrypted using 256-bit AES.
Q: How long are backups maintained for? A: 7 years.
Q: How is client data separated from other clients’ data? A: Zest4 has adopted multi-tenancy principles; client data is segregated using appropriate logical controls.
Q: Is there a process to ensure that media is erased securely at disposal? A: All physical hardware containing personal data is securely disposed of using approved WEEE vendors.
Q: Has an owner been assigned to all information assets which require protection? A: Yes.
Q: Are there regular vulnerability scans performed? A: Vulnerability scans are conducted regularly against all key systems, to ensure that Zest4 continues to protect the data it holds. This includes, but is not limited to, the following:
Any risks or vulnerabilities identified are immediately rectified by appropriate remedial actions.
Q: Are security assessments undertaken at regular intervals? A: Both internal and external assessments are regularly conducted as part of our information security and data protection programmes to monitor the effectiveness of our controls. Areas covered include, but are not limited to, the following:
Q: Is there a security incident procedure? A: Our incident management policy and process contain additional provisions for data breaches and security incidents. This includes identifying the breach/incident, establishing its scope, notifying third parties/data subjects, and all investigative efforts and remedial actions.
Q: Are user passwords hashed / how are they stored? A: Passwords are hashed and encrypted.
Q: Is any part of the service outsourced to a 3rd party? If yes, do the terms of the contract between the Provider and its subcontractors reflect the same level of security and data protection as the one that the Provider commits to? A: Aspects of the systems we use are outsourced to third parties; this includes our data centre providers and off-site data backup solutions. All contractual agreements with our third-party providers reflect those we have entered into with our clients.
Q: Are access controls in place to ensure information is only available to system users who require access? A: Yes, Zest4 follows the principle of Role Based Access Control to ensure that data is only accessible to those who require access as part of their core activities.
Q: In relation to the ICT systems used to deliver your service, which of the following is true?
A: We promote remote working, as many of the activities we conduct take place on client sites. Security controls and strict processes are in place to ensure that the risks of remote working are minimised; this includes device encryption, secure VPN traffic and the use of mobile device management software to set organisational controls on remote devices. Only approved devices, which have been supplied by Zest4, are permitted to be used on our ICT infrastructure.
Q: Are network security boundaries defined and enforced to group users, services and information that require different levels of protection? A: Yes, permissions and access are assigned based on roles and responsibilities.
Q: Are processes and controls in place to ensure that equipment and cabling are protected and maintained to preserve the confidentiality, integrity and availability of our assets? A: Yes, these assets are protected to meet industry best practice.
Q: Are background verification checks carried out on employees and contractors who have access to our assets? A: All staff have routine verification checks conducted prior to employment, including checks of identification, right to work and verification of previous employment.
Q: Are non-disclosure agreements in place with all staff who have access to our assets? A: Yes, these are built into the terms of employment and Citation’s company policies.
Q: Is a disciplinary process in place for employees and contractors who have committed a security breach? A: Yes, any breach of company policies and procedures may be subject to disciplinary action.
Q: Upon termination of employment, is there a process in place to ensure assets are returned and rights to assets revoked? A: Yes, this is part of the standard staff management process.