Overview
Global Rate Set Systems (GRSS) is dedicated to protecting data and using industry best standards. GRSS utilise some of the most advanced technology for Internet security available today. We understand the importance of data security and make every effort to ensure that data held on systems is fully protected.
We recognise that the confidentiality, integrity and availability of information and data created, maintained, and hosted by GRSS and its subsidiaries are vital to the success of the business and privacy of its partners. GRSS views these primary responsibilities as fundamental to best business practice to ensure compliance with all applicable laws, regulations, and obligations.
This Security Statement forms part of the user agreement for GRSS staff and its partners.
Security and Compliance
All GRSS information systems globally are based on a Public Cloud infrastructure, physically protected in accordance with associated risk. All data is held in ISO/IEC 27001 accredited data centres. Physical security controls at these locations include 24×7 monitoring, cameras, visitor logs, entry requirements, and secure dedicated rooms for hardware.
The GRSS Calculating Agent Functions, group wide, are compliant with ISO/IEC 27001 Standards for Information Security Management.
GRSS are fully compliant with local regulations in the geographies in which it operates.
Network & Device Security
GRSS operates multi-layered firewalls across its environment to deliver breach prevention and threat defence. Our intrusion prevention system features sophisticated anti-evasion technology and network-based malware protection.
Other network technologies used at GRSS include vulnerability detection and prevention, network access control, content filtering, multi-layered anti-virus, anti-malware, email security, network segmentation, advanced threat protection and application control.
Endpoint security is installed on every company computer and only company managed devices can access GRSS networks.
This combination enables GRSS to provide real time blocking of sophisticated new threats as they emerge.
Access Control & 2FA
Users and employees are granted the least amount of network access required, and access is only granted once it has been approved and they have accepted the usage policies.
GRSS grants role-based access on an as-needed basis, reviews permissions, and revokes access immediately on employee termination.
Our password policy requires complexity, expiration, lockouts and disallows reuse.
Remote Access to GRSS technology resources is TLS encrypted and requires two-factor authentication. Additionally, all hosted Internet accessible applications containing personal, sensitive, or confidential information require two factors of authentication.
Security Policies
GRSS reviews and updates its information security policies on an annual basis. Employees must acknowledge policies and undergo annual mandatory training.
Staff Screening
GRSS conducts background screening at the time of hire (to the extent permitted or facilitated by applicable laws and countries). In addition, GRSS communicates its information security policies to all personnel during the onboarding phase and requires employees to sign non-disclosure agreements. On an ongoing basis, GRSS provides privacy and security training in line with regional legislation.
Dedicated Security Personnel
GRSS have assigned an Information Security Manager who focuses on application, network, and system security and is also responsible for security compliance.
Security Awareness Training
Security awareness training is mandatory and teaches employees to understand security risks and threats.
This is to ensure that employees understand that criminals may try to deliberately attack, steal, damage, or misuse GRSS systems and information. This training ensures that everyone within GRSS is aware of the risks and works to adequately protect against them.
Patching & Vulnerability Management
GRSS keep software and firmware patches up to date to ensure that all systems, applications and devices owned and managed by GRSS are routinely updated with security fixes via our management platform.
The vulnerability management program includes frequent scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications.
GRSS also conduct external penetration tests and remediate according to severity for any results found.
Encryption
GRSS protect the confidentiality, authenticity and integrity of information using cryptography. Cryptographic controls are applied according to the sensitivity of the data.
All data in transit uses secure cryptographic protocols. Data at rest is also encrypted with AES 256-bit encryption. Corporate data on all GRSS mobile devices and laptops is encrypted.
Logging and Auditing
Application and infrastructure systems logs are stored for troubleshooting, security reviews, and analysis by authorized GRSS personnel. Logs are preserved in accordance with regulatory requirements.
Change Control
GRSS manage changes that occur to information technology in a way that minimises risk and impact.
Structured Change Management ensures that proposed changes that impact production environments are reviewed, tested, authorised, implemented, communicated, and released in a controlled manner; and that the status of each proposed change is monitored to completion or retraction.
GRSS aligns with ITIL Change Management principles.
Removable Media & Disposal
Removable media devices are a well-known source of malware infection and of the loss of sensitive information. To limit this threat, GRSS enforces encryption on removable media; this is enforced by policy and audited regularly.
Data requiring deletion is securely erased on all storage mediums in accordance with current industry best practices.
Asset Management
GRSS maintains an asset management policy which includes identification, classification, retention, and disposal of information and assets.
Company issued laptops are equipped with hard disk encryption and up-to-date antivirus software.
Information Security Incident Management
An information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising information security.
GRSS operates security incident response policies and procedures surrounding the initial response, investigation, customer notification, public communication, and remediation. When criminal activity affecting information security is identified, GRSS will liaise with local authorities in the region.
Breach Response & Notification
Although GRSS take all necessary actions to protect data, we cannot guarantee absolute security, as no method of transmission over the Internet and/or electronic storage is perfectly secure.
However, if GRSS learns of a security breach, affected users will be notified so that they can take appropriate protective & preventative actions.
Breach notification procedures comply with in-country laws and regulations, as well as any standards relevant to GRSS.
GRSS are committed to keeping customers fully informed of any matters relevant to the security of their data.
Business Continuity & Disaster Recovery
GRSS operates geographically dispersed systems across multiple availability zones in each region in which it operates. This provides a high level of resiliency in our platforms and ensures unhindered continuation of service in the event of any individual equipment failure.
If business critical systems are deemed inoperable and cannot be recovered, then action is taken as defined in the disaster recovery plan whereby GRSS will recover from relevant backups taken of the systems in use by transferral to alternate platforms.
All GRSS backups are encrypted to preserve their confidentiality and integrity.