Security Policy

2. Governance and responsibilities

Cyber Defence maintains a documented Information Security Management System (ISMS) that aligns with recognised standards. Overall responsibility for information security rests with senior leadership and is overseen by our security leadership function.

Policies and procedures are reviewed on a regular basis and updated in line with changes to our services, technology, threat landscape, and regulatory environment.

3. Access control and identity

• Access to systems and data is granted on the basis of least privilege and role-based access control (RBAC).

• Strong authentication is required for administrative and sensitive access, including the use of multi-factor authentication where appropriate.

• Access rights are reviewed periodically and removed promptly when no longer required.

• Administrative access to production environments is restricted to authorised staff and performed through controlled, logged mechanisms.

4. Network and infrastructure security

• Network boundaries and segmentation are used to separate environments and reduce the impact of compromise.

• Firewalls, secure VPN, and other security technologies are used to control and monitor access to internal systems.

• Systems are monitored for suspicious activity, with alerts feeding into our SOC365 operations.

• Changes to infrastructure follow change management procedures and are tested where appropriate before deployment.

5. Endpoint and server security

• Servers and endpoints are hardened according to internal standards and industry good practice.

• Security updates and patches are applied on a regular basis, prioritised according to risk.

• Endpoint protection and logging are deployed to provide visibility of activity and support incident response.

• Only authorised software is permitted on production systems.

6. Data protection and encryption

• Data is classified and handled in line with its sensitivity and contractual obligations.

• Encryption is used for data in transit and at rest where appropriate, particularly for client-related information.

• Backups are taken regularly and tested periodically to support recovery objectives.

• Access to client data is restricted to staff who need it for service delivery.

7. Monitoring, logging, and incident response

• Systems and services are monitored for security-relevant events, with logs retained for investigation and compliance purposes.

• Alerts from key systems feed into our SOC365 operations for triage and investigation.

• We maintain incident response procedures to handle suspected or confirmed security incidents affecting our environment or client services.

• Incidents are investigated, documented, and reviewed to identify lessons learned and areas for improvement.

8. Third-party providers and supply chain

• We assess key suppliers and service providers for security and reliability, particularly those handling or storing client data.

• Contracts with third parties include appropriate confidentiality and security obligations.

• Access by third parties is restricted and monitored according to the principle of least privilege.

9. People and training

• Staff are subject to appropriate vetting checks in line with their roles and access levels.

• All staff receive security awareness training, including guidance on handling information, phishing recognition, and incident reporting.

• Specialist teams (such as SOC analysts and engineers) receive additional technical training and are encouraged to maintain relevant certifications.

10. Review and improvement

We review and update our security controls regularly to reflect changes in technology, threats, and client requirements. We also conduct periodic internal reviews and, where appropriate, engage independent third parties to assess our security posture.

This Security Policy may be updated from time to time. The most recent version will always be available on this page.

Last updated: 01/12/2025.