Information Assurance and Security Policy


Introduction

Mentis operate a certificated quality system under ISO 9001, which incorporates our policy and procedures for information security. These are reviewed annually as an organic part of our cycle of Quality Review under ISO 9001.

We recognise that all Public Sector clients must comply with security-related legislation (the Data Protection Act and CNI guidance) and BS7799, and that many government and CJS organisations must also comply with the Manual of Protective Security (MPS), HMG Infosec policies, CESG manuals/memoranda and the Government Protective Marking Scheme (GPMS).

When Mentis consultants are engaged on assignments where GPMS/MPS compliance must be maintained we operate under a contractual “duty of care” to ensure any client information provided to us or prepared by us is secured in accordance with the protective label and associated handling rules.

Mentis does not process high volumes of protectively marked information. Our technical and non-technical security procedures are implemented to meet at least Data Protection Act principle 7 requirements and the security objectives of BS7799. Our risk assessment indicates an exceptionally low level of risk of breach of Confidentiality, Integrity, Availability or Accountability of our own or client related information.

Personal Security

Mentis recognise that public sector clients may wish to security check Mentis consultants. Several of our staff are already “SC” cleared and many have undergone police specific checks (successfully).

Our recruitment and contract placement procedures include basic checks on identity and any security clearance held. This includes inspection of passport, driving licence, recent utility bill to home address as well as telephone or written references to previous employer/s. We are always willing to complete any necessary security questionnaires required by the client and to comply with other reasonable personal security measures.

Disclosure

We recognise that clients often require a Non-Disclosure Agreement (NDA) to be signed either corporately or personally by each consultant deployed. Mentis policy is to assess client NDAs on a case by case basis.

Government Protective Marking Scheme (GPMS)

Mentis has adopted use of the HMG GPMS labels (typically RESTRICTED and CONFIDENTIAL) with appropriate descriptors for client-related documents produced by our consultants. Specific requirements are agreed on a client/assignment basis. Mentis provide appropriate security for information assets received or generated in the execution of contracts.

Asset Compromise

Procedures are in place to determine whether any compromise of assets (e.g. loss or modification of data) has taken place. These include regular monitoring of system access/use and of technical alerts arising from anti-virus scanning and firewall logs. Directors and Managers of individual assignments are responsible for quality assurance and this includes checks on information sensitivity and access control.

Need To Know Principle

Directors and Assignment Managers must ensure that information assets generated or received in the execution of client contracts will only be made available to those with a valid ‘need to know’ about them or their contents.

Incident Management

Any security-related incident that has a potential or actual impact on a client is reported to a Director and will be speedily notified to the client manager responsible for the assignment. Disciplinary procedures are activated in the event that any member of staff or associate consultant has breached our security policy and procedures.

Electronic Mail

The use of Mentis MS Outlook/Exchange email and Consultant/Associate private email facilities is considered on a case by case basis for assignments. A general rule is that protectively marked documents are not attached to emails unless expressly authorised by the client and after we have risk assessed the likelihood / impact of misdirection and/or unauthorised access. Where sent, passwords and/or encryption mechanisms are agreed on a case by case basis.

Secure Erasure/Deletion

On completion of assignments all “sensitive” documentation - electronic or manual - is deleted (unless required for legal reasons). The erasure/deletion process considers the compliance requirements of GPMS on a case by case basis. Any original source paper documents are also returned to the client or shredded as necessary.

Physical And Environmental Security

Mentis offices are secured by approved measures required by our Public Liability insurers. This includes door and window locks and a NACOSS approved intruder alarm. The office is provided with fire extinguishers appropriate to the environment and as advised by the local fire prevention officer. A limited number of office keys are distributed to Directors and selected named staff. A 24/7 keyholder contact arrangement is in place with an agency approved for the purpose by the local constabulary.

IT servers and workstations in our offices are secured physically to walls/desks using industry approved cables/locks and all portable devices (e.g. laptops) are kept in secure cabinet stores when not in use.

The main server is secured in a locked metal cabinet and connected through a power surge protector and a firewall.

A fireproof safe is used to secure all sensitive documentation when the office is closed.

All visitors are accompanied and supervised whilst in the office.

A clear screen and clear desk practice is encouraged for any protectively marked material.

System Security

The security of the network and systems in Mentis includes:

  • Identification and Authentication (ID & A) of system users is controlled using Windows server operating system facilities. Administrator access is limited to two Directors and the system administrator.
  • Firewall defence. The rule base is configured to deny access unless expressly authorised. The rule base and alert logs are regularly inspected and suspicious events are investigated.
  • Anti-virus defence. Engines and signatures are updated in realtime both at the server and at desktops. Separate defence mechanisms check all incoming email at two levels - spam filtering and comprehensive virus detection.
  • Anti-spam defence is applied to all company email accounts.
  • Password and access permissions are configured to control system access and enforce separation of access to email accounts, company and client related file stores. This includes all assignment records, personal and financial/accounting information. The use of strong passwords is enforced.
  • Application software is updated in realtime (automatically patched and fixed in accordance with vendor notifications and instructions).
  • Internet and email acceptable use guidance is routinely provided and discussed.
  • Remote access is controlled through Virtual Private Network (VPN) and encryption to industry standards. All users have unique UserID and password credentials for both VPN and Windows domain logon.
  • Full system configuration and data file backups are taken daily and stored onsite in a fireproof datasafe. A weekly copy is stored at a remote offsite location in a secure storage cabinet. Recovery of data (if necessary) is controlled through a systems administrator and/or our contracted support company.
  • Change control for new device and/or software installation including patching and fixing is operated through our contracted support company, which is a suitably qualified Microsoft Gold Partner.

Security incidents/weaknesses are reported to the system administrator, who logs relevant details of the event and investigates cause, effect and rectification actions as appropriate. Serious issues are escalated to a Director.

Business continuity is maintained through routine file backup and a third party company support contract. In the event of total head office premises destruction, essential company services will be run out of nearby Directors' home-offices and from regional satellite offices in the very short run, followed by short-term office rental (estimated to take three days to arrange and install with a full replacement server network).

Consultants can and do work out of home-offices when not required to be on client site or in the Mentis office. In the absence of a key consultant, Mentis Directors and associate resources can be called upon to respond to urgent client needs and maintain service continuity. Other business safeguards are provided through comprehensive insurance.

Data Protection

Mentis is committed to protecting the rights and privacy of individuals in accordance with the Data Protection Act 1998. We process information about our staff and other individuals we have dealings with for a range of administrative purposes (e.g. to recruit and pay staff, administer assignments and comply with legal obligations to clients and suppliers). In order to comply with the law, information about individuals is collected and used fairly, and stored safely and securely. It is not disclosed to other third parties unlawfully.

  • Mentis maintain a current registration with the Information Commissioner. All staff are made aware of the need to maintain the confidentiality, integrity and availability of company and client provided information. This includes compliance with the Official Secrets Act and confidentiality agreements agreed in tenders/contracts.
  • Staff are notified to contact a Director in any case of doubt or difficulty on the protection/processing of personal data as well as confidentiality of non-personal sensitive information.

Approved: April 2006

Updated: June 2010