Data Protection and Privacy

Hornbill Technologies is committed to compliance with all national and, where appropriate, international laws relating to the protection of personal data and individual privacy. The Chief Technical Officer is Hornbill Technologies’ Data Security Officer. Personal data is classified as restricted and is available only to those who need to deal with it. The policy applies to all personal data held by Hornbill Technologies, including on wireless notebook computers, mobile telephones, etc. All staff will be provided with training to ensure that they understand Hornbill Technologies’ policy and the procedures it has put into place to implement that policy. The disciplinary process will be invoked in circumstances where this policy may have been transgressed.

Compliance with security policies and standards

Managers continuously review their area of operations for compliance and should any non-compliance be identified the manager determines the cause, evaluates the actions necessary, implements appropriate actions and reviews the outcome to ensure the non-conformance does not recur.

Where the manager notes a recurrence of minor infractions or where there is a potential breach or incident then the Manager records the issue either in a report to the Information Security Manager, an Incident Report, or, if more appropriate, an internal departmental record.

Such reports are shared with auditors as appropriate during an internal audit

Information systems audit controls

Audits of the security arrangements and controls are conducted in line with the ISMS Manual requirements. Audit plans are constructed so as to minimize the interruption to operational systems and business processes especially where penetration testing or similar is conducted.

All policies are reviewed bi-annually and updated as required to reflect changes in business or practices and submitted for confirmation by the management team prior to release to business.

Penetration Testing

As well as frequent tests undertaken by Hornbill we utilize external security companies to validate our results and services at least annually. The testing is against all infrastructure (Both on Premise and in Data Centers) and software used. Results of tests are available on request and certificates via https://www.hornbill.com

Control of Records

Asset owners are responsible for identifying the records that are generated by the processes or assets for which they are responsible, or which should be generated to indicate conformity with the ISMS, and for ensuring that they are controlled in line with this procedure. Records will meet the legal, regulatory, and contractual requirements of Hornbill Technologies. Records must remain legible, readily identifiable, and retrievable.

The retention period for the record is determined by Hornbill Technologies’ overall approach to document and record retention

Records are subject to the levels of protection appropriate to information of their classification level (i.e. at least the same as that of the asset to which they relate or the information they contain) and they are therefore protected, stored, maintained, and disposed of in line with the requirements of the ISMS