The group of affiliated SeQuenX companies ("SeQuenX Companies") have controls to protect the confidentiality, integrity, and availability of information that is owned by or entrusted to them. The intent of this document is to provide assurances to customers, potential customers, and any other interested parties that information in our companies' custody is properly protected, and that the protections in place are consistent with appropriate compliance requirements.
SeQuenX Companies provide software, consulting, and online services. The Boards of Directors and management of SeQuenX Companies are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout their organisation to maintain legal, regulatory and contractual compliance and to safeguard business integrity and commercial reputation.
To achieve this, SeQuenX Companies have implemented a Group-wide Information Security Management System (ISMS) in accordance with the international standard ISO/IEC 27001:2013 requirements. The ISMS is subject to continuous systematic review and improvement.
In accordance with the ISMS, SeQuenX Companies demonstrate their commitment to information security by:
SeQuenX Companies use security policies and standards to support business objectives within their information systems and processes. These policies and standards are implemented, communicated, and reviewed on a regular basis and reflect the executive management team's commitment to information security. Policies and standards are in place to govern the protection of each company's information assets and any information assets of our customers (and others) that have been entrusted to a SeQuenX company.
SeQuenX Companies employ staff whose responsibility is the protection of information. In addition, it is the responsibility of all employees to be aware of information security issues within their daily work. To promote awareness, employees of SeQuenX Companies are provided with training on topics such as the company's security policies, their responsibilities to protect the confidentiality of information entrusted to them, the appropriate use of resources, the extra care required for the protection of mobile devices, and other related topics.
SeQuenX Companies enter into confidentiality or non-disclosure agreements with their vendors, contractors, employees and clients to contractually safeguard personal and other confidential information belonging to a SeQuenX company or in the custody of a SeQuenX company.
Regular risk assessments are performed to help SeQuenX Companies identify any potential risks to their information assets and to help prioritize efforts to mitigate those risks.
Periodically, companies also engage external firms to perform more in-depth evaluations of their security controls by conducting penetration testing and other similar exercises.
In addition to external reviews, internal tests are conducted on a regular basis to ensure compliance and verify control effectiveness. Vulnerability scans are conducted, and the results of these scans are used to identify vulnerabilities to be addressed and to prioritize the efforts of those staff that are responsible for keeping the IT systems of SeQuenX Companies up to date and protected.
All sites hosting information belonging to a SeQuenX company (or information that is managed by a SeQuenX company on the behalf of others) are secured. Such facilities are protected by physical security barriers and entry controls designed to prevent unauthorized access, damage, and interference. Fire suppression, environmental controls, and uninterrupted power supplies are all in place, as are security cameras to monitor the facilities and all entrances to them.
Responsibilities and procedures for the management and operation of information processing facilities are established, and separation of duties by function has been implemented across the companies that comprise the SeQuenX group. Operational change to systems is controlled through various defined change management processes.
Access to information, information processing facilities, and business processes is controlled on the basis of business and security requirements. Access control rules take into account the basic principle of "need-to-know" and the sensitivity of corporate and personal information.
Layers of security controls limit access to information. These include controls at the network, application, operating system, and database levels. Passwords are used in conjunction with each of these layers; they are subject to defined password construction rules and must be changed at regular intervals. Password administration and management are controlled processes that generate automated audit records.
Technologies such as SSL (TLS) and IPsec are used to encrypt data when in transit over public networks. The use of such technologies is dependent upon the level of sensitivity of the information, both corporate and personal.
Various security technologies are deployed within the infrastructures and include firewalls, anti-virus, anti-spyware, encryption, and intrusion detection systems and processes.
Security data is logged and regularly reviewed to identify policy violations and security incidents. Incidents are documented and investigated to determine severity, root cause, and follow-up actions required. Measures to be taken to prevent re-occurrence are also identified, documented, and implemented as needed.
Adequate back-up capabilities exist to ensure that all essential information and software can be recovered following a disaster or media failure. Backup information is stored at a remote secure location, at a sufficient distance to escape any damage from a disaster at the primary site. Backup media is protected against unauthorized access, misuse or corruption during transportation beyond the data center boundaries.
Combinations of preventive and recovery controls are implemented to help protect from harm due to loss of data or processing capabilities. These controls are designed based on an assessment of risk and are meant to keep the harmful effects of any outages to a minimum. The processes making up these control measures are tested on a regular basis.