Client Data Security

Mobile Devices

All Security Management Consultants LTD’s laptop computers and PCs contain disks that are encrypted using the BitLocker facility that forms part of the Windows Operating System.  Strong passwords are enforced for operating system logins.

All smartphones used by employees are protected by access control mechanisms, and their storage, including any SD cards, is encrypted.  This means that SD cards cannot be read in other devices.  By default, no client data is stored on SD cards.

Servers

All disk storage used in and attached to our physical servers is encrypted using the BitLocker facility that forms part of the Windows Server Operating System. Strong passwords are enforced for operating system logins.

Other than email (see below) and encrypted backups, no client data is stored on the virtual servers that we operate in-house or on the ‘cloud’ services that we rent from trusted suppliers.  All of our virtual servers and the ‘cloud’ services that we use run on physical equipment that is located within the European Economic Area (EEA).

Backups

All backups of corporate information, including client communications, are encrypted at source.  Encryption keys are held only by Security Management Consultants LTD and are not shared with other parties unless a valid, lawful request is made by a relevant law enforcement agency or regulatory body.

In-house image backups of laptop, desktop and tablet computers are created once each day when they are connected to our internal network.  These are stored on the main Windows Server whose disks are all encrypted as described above.

Online, encrypted, incremental backups of new and changed files are created eight times per day for laptop and tablet computers.  This happens when they are connected to the internal network or, when out of the office, to the Internet using company-supplied mobile telephony equipment.

A subset of the encrypted disks used for in-house server backups is held in our high-security data safe, which has a 120-minute fire rating. The safe and the servers are not co-located.

Backup tapes are no longer used and historical backup tapes have been disposed of securely.  We no longer have the ability to read or write magnetic tapes.

Email

Outgoing and incoming emails between clients and Security Management Consultants LTD pass through or temporarily reside within Microsoft-operated services located within the European Economic Area.  If sending sensitive information in an email we place it in an encrypted attachment and advise the recipient(s) of the key or passphrase separately.

Faxes

We no longer operate a physical fax machine and no longer advertise an incoming fax number.  If a client wishes to send a fax to us, they should contact us to obtain instructions for doing so securely.

Paper Records

For environmental and other reasons we are actively reducing the amount of paper that we create, transmit and store.  Incoming paper documents and records will normally be scanned into the relevant project folder structure and the masters shredded securely prior to recycling.  A small number of paper documents and records is held in a single, metal filing cupboard that is locked when not in use.

Retention Periods

By default, we retain documents and records associated with client assignments for three years following the completion of the most recent assignment for the client.  Exceptions are:

  • Financial records relating to the work are retained for 7 years.
  • Insurance certificates relating to the work are retained for 40 years.
  • Training records, where the training has resulted in the issuance of a formal certificate of ‘attendance and successful completion’, are retained for 10 years.  This is to allow trainees to request duplicate certificates if the originals have been lost.