Our work at Customs Connect Group Ltd (CCG Ltd) involves the handling, control, management, knowledge integration and reuse of large amounts of sensitive client, financial and contractual data. Skilled understanding, inspection, manipulation and analysis of our clients' electronic data, whether received by email, spreadsheet or documentation, is required to identify and submit claims for the recovery of overpayments, missed payments and/or under-deductions from our clients' historic financial transactions.
We make our research data findable, accessible, interoperable, reusable and of value. We ensure it is managed soundly, and we believe well-researched data management is a key conduit to the discovery of unnecessary cost outlay.
We work within legal, multinational and ethical frameworks to protect all stakeholders, including our clients, from reputational damage.
We therefore commit to ensuring that all of our information security is appropriately managed and secured, and that its applicability is controlled.
Our data is stored and hosted on dedicated cloud-based hybrid servers, protected by Cisco ASA firewalls running Cisco Adaptive Security Appliance (ASA) Software, with our partner of choice, UKFast, a UK-based, award-winning hosting provider operating a Tier 3 standard data centre.
Our certifications are listed below:
- ISO 27001:2013 Information Security Management System
- ISO 14001:2015 Environment Management System
- ISO 9001:2008 Quality Management System
- PCI Data Security Standards (PCI DSS)
- NICEIC approved contractor
- In the process of being CESG and PGA accredited
We may update our certifications from time to time.
Secured to UK government IL4 standards, we ensure our solution is protected by exceptional levels of security at all times; in addition, our solutions are protected by a Cisco ASA firewall as standard.
UKFast’s data centres are all UK-based and they have provided 18 years’ service to the Public Sector and MoD along with providing infrastructure for the Police, Fire and Rescue services.
Data Classification and Handling
Data is classified in accordance with ISO/IEC 27002:2013 – Code of practice for information security controls. This is an extension of our ISO27001 certification allowing for every internal team member to understand and assess the value, sensitivity and criticality to the business of each data asset (and apply the relevant internal classification, if necessary).
We take zero compromise when securing your data.
On site we secure our systems with Avast AVG Enterprise Anti-virus and Internet Security software, Malwarebytes Anti-Exploit for Business and Anti-Ransomware.
Our systems are also monitored by our IT Support company, Endeavour Business IT Solutions Ltd, with a proactive monitoring agent on each device.
Within the dedicated cloud-based hybrid server hosted at UKFast, UKFast uses PROsecure™, DDoSX, WAF, Threat Monitoring and Threat Response hardware and software.
An on-site backup is carried out every day and is retained for 60 working days on a separate backup target within the dedicated cloud-based hybrid server at UKFast, using a dedicated 14TB Commvault backup server.
CCG Ltd holds ISO9001 accreditation, an internationally recognised standard which demonstrates our high level of quality management in our day-to-day operations. As part of ISO9001 we have a written policy on data security. A copy of our latest policy on data security is available on request.
Further, CCG Ltd holds ISO27001 accreditation, which recognises our information security management systems are operating at the highest possible standard.
Confidentiality or Non-Disclosure Agreements
Confidentiality clauses are included in the standard staff contract, which all members of staff sign. This is reviewed and updated regularly. The latest review and update was October 2014.
Non-Disclosure Agreements are used between CCG Ltd and our clients when sensitive information is exchanged.
Identification of applicable legislation and contractual requirements
The following legislation has been identified as applicable to the organisation:
| Legislation | Purpose |
|---|---|
| Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 | Protects individuals against the use of personal information by another individual or organisation. |
| Freedom of Information Act 2000 | Provides individuals with the right of access to information held by public authorities and those providing services for them. |
| Computer Misuse Act 1990 | Protects the right of individuals and organisations to preserve the confidentiality and integrity of their computer data. |
| Copyright Designs and Patents Act 1988 | Protects intellectual property, i.e. protects the interests of an individual, or an organisation that employs such individuals, whose ownership of novel, creative or inventive work is recognised in law. |
| Electronic Communications Act 2000 | Protects the interests of society by restricting the use of cryptographic techniques so that the Government and its authorised agents are able to decrypt any message that is legitimately intercepted. |
| Digital Economy Act 2017 | Provisions relating to electronic communications infrastructure and services. |
| Regulation of Investigatory Powers Act 2000 | Protects the originators of electronic communication from its interception without lawful authority and protects employees from unreasonable monitoring. |
| Public Interest Disclosure Act 1998 | Protects employees who, in the public interest, disclose criminal or civil wrongdoing by their employer. |
Intellectual Property Rights
The use of material which may be subject to IPR is protected, e.g. only licensed software is installed on machines, and licences and master disks are retained. Maximum user numbers are adhered to. Asset registers are in place, and no document or data is copied or transferred without permission.
Protection of Records
This is carried out as detailed in the Document Control procedure of ISO9001. Various policies and procedures are in place including a record retention policy. A copy of our latest record retention policy is available on request.
Privacy and Protection of Personally Identifiable Information
The requirements of the Data Protection Act 2018 and the General Data Protection Regulation (EU) 2016/679 are complied with throughout the company. We have Data Protection and Data Privacy policies in place, and a copy of the latest version of these policies is available on request.
Compliance with Security Policies and Procedures
Audits and spot checks are carried out both by the Manager and by other auditors, e.g. QSAs for PCI DSS compliance.
Layout of Environment
A copy of our Network Topology Diagram can be provided on request.
A copy of our Business Continuity Plan can be provided on request.
Annual Penetration Test
Penetration tests are carried out annually, both on-site at CCG Ltd and within the UKFast hosted environment.
Statement of Applicability and certificates
Statement of Applicability and copies of certificates can be provided on request.
This commitment seeks to provide information regarding our data management protocols and has been prepared for information purposes only. Our standard terms and conditions include binding obligations regarding our handling of data and this commitment is not intended to create a legally binding commitment. We shall not be liable for any damage caused as a result of our failure to comply with this commitment, except to the extent that this commitment is expressly incorporated into any contract between us and our clients.