Information Security

Information Security protects the confidentiality, integrity and availability of information through the application of physical, administrative and technical controls to manage and mitigate risks.
To protect the confidentiality, integrity and availability of information and data, Evergreen Life ensures that security is given sufficient profile and influence in our organisation and operations in order to meet both obligations under data protection laws.
Our Information Security controls are in line with the ISO27001:2017 Framework and Cyber Essentials.

Effective Information Security Management

As part of Evergreen Life’s ongoing efforts to securely manage information, we conduct the following:

  • Complete regular threat assessments and ongoing risk management.

  • Allocate accountability to a nominated board member to oversee risks.

  • Enforce a strict password policy and access controls.

  • Ensure workers and staff use a secure password vault.

  • Monitor intelligence to review and refine threats and mitigating actions regularly to implement continuous improvement.

  • Vet all staff and suppliers thoroughly.

  • Ensure strong IT systems controls covering infrastructure and applications through the software development lifecycle.

  • Ensure clear information security requirements are stated in contracts with third party suppliers.

  • Regularly undertake assurance (due care) of third party providers.

  • Maintain and test incident response plans and business continuity plans.

Evergreen Life has developed a strong security awareness culture and is committed to maintaining this culture as a priority going forward.

 

Protecting against data breaches

As part of Evergreen Life’s ongoing efforts to protect against data breaches, we conduct the following:

  • Implement strong password and access controls, ensuring secret credentials remain secret at all times.

  • Classify data and assets.

  • Manage and monitor access to data.

  • Regularly retrain staff on principles of information security.

  • Eliminate the use of portable storage, install Mobile Device Management Software on mobile devices and restrict the ability to download and store data via removable media.

  • Assess new applications, processes or services from a security perspective before introducing them.

  • Production data used in non-production environments must have production-level controls implemented.

  • Have a clear data retention and destruction policy that is in line with regulations.

 

Data incident management procedure

Evergreen Life has developed an Incident Management Procedure that includes data incidents. This is adhered to in all such cases, ensuring that a data event or incident is promptly identified and adequately reviewed, assessed, escalated when appropriate, remediated and recovered.

The key stages in an Incident Management procedure, which may run concurrently, are:

  • Identification/logging of the data incident (initial alert, triggering a potential incident).

  • Security team is made aware and convenes.

  • Escalation to management team if appropriate.

  • Management team (inc. Legal, HR, Privacy Specialist) conduct impact assessment and commence mitigating actions for resolution.

  • Incident resolution.

  • Closure and return to business as usual.

  • Post incident review.

The Incident Management procedure must be followed by all workers, in any capacity, including employees, contractors, directors, external consultants, third party representatives and business partners.

 

Technical security

Evergreen Life has implemented many technical controls to protect information, including:

  • Maintain firewalls, vulnerability and malware scanning, patching, Denial of Service (DoS) and Distributed Denial of Service (DDoS) protection.

  • Implement regular vulnerability scanning. Scan networks and endpoints for vulnerabilities and weaknesses.

  • Secured the provision of experienced external penetration testing services.

  • Where authentication is handed off or redirected to other sites, ensure credentials cannot be intercepted and avoid the need for disclosure.

 

Cyber Security

Evergreen Life has implemented a number of managerial controls to support its overarching cyber security policy. These include:

  • Embedded an appropriate risk management regime across the organisation.

  • Ensured that connections from networks to the internet and other partner networks do not expose systems and technologies to attack.

  • Ensured that users are not provided with unnecessary system privileges or data access rights.

  • User Education & Awareness Training.

  • Malware prevention and detection tools.

  • Implemented system monitoring to provide a capability that aims to detect actual or attempted attacks on systems and business services.