Scope and Rationale

Information security protects information from a wide range of threats in order to minimise business damage, ensure business continuity and maximise return on investments and business opportunities. Evercam is committed to safeguarding the confidentiality, integrity and availability of all physical and electronic information assets and ensuring all legal, regulatory and contractual requirements are fulfilled in doing so. Information held by Evercam includes (in paper and electronic form) information on customers, investments, financial transactions and employee information.

Information security is vital to the long-term survival of Evercam. Safeguarding our information assets ensures:

  • Customer confidence in Evercam
  • Compliance with data protection laws, and
  • Capability to deliver service on demand

Objectives

The information security objectives of Evercam are to:

  • Establish controls for protecting our information and information systems against unauthorised access, theft, abuse and other forms of harm and loss.
  • Ensure compliance with current laws, regulations and supervisory guidelines.
  • Ensure that Evercam is capable of continuing provision of services should an information security incident occur.
  • Ensure the protection (privacy) of personal data.
  • Ensure the availability and reliability of the network infrastructure.
  • Ensure that external service providers comply with Evercam information security needs and requirements.
  • Ensure an acceptable level of security for accessing information systems remotely.
  • Ensure all employees have the knowledge and motivation to minimise the risk of information security incidents.
  • Ensure that Evercam keeps up to date on information security threats and mitigations.

Policy Statement

Evercam is committed to managing information security to the highest possible standards in order to safeguard the confidentiality, integrity and availability of information.

The management of Evercam will at all times support the goals and principles of information security while striving to deliver the business objectives.

Every user of Evercam’s information systems shall comply with this information security policy. Violation of this policy and of relevant security requirements will therefore constitute a breach of trust between the user and Evercam, and may have consequences for employment or contractual relationships.

All contracts with service providers will clearly state Evercam’s information security needs and requirements and this schedule of requirements will be maintained. Responsibility for information security will be clear and reflected in all individual job descriptions.

Evercam will ensure that the necessary resources are made available to those accountable and responsible for information security.

Evercam will also ensure that the necessary competence is acquired by training and education or the hiring or contracting of competent persons.

Evercam will conduct internal audits at planned intervals to verify that it is conforming to its own policy and requirements. Evercam is committed to the continual improvement of its information security practices.

This policy will be reviewed at least annually, or in the event of a significant change of circumstances, and updated as required.

Framework for setting control objectives

To ensure that information security is addressed in all key activities of Evercam, the following framework will be used in setting control objectives and in assessing compliance with the information security goals of Evercam.

  1. Organisation of Information Security
  2. Human Resources
  3. Asset Management
  4. Access Control
  5. Cryptography
  6. Physical and Environmental
  7. Operations Security
  8. Communications Security
  9. System Acquisition, Development and Maintenance
  10. Supplier Relationships
  11. Information Security Incident Management
  12. Information Security Aspects of Business Continuity Management
  13. Compliance
  14. Mobile Device Management
  15. Information Security Performance

Organisation of Information Security

The CEO will act as or appoint the “Information Security Officer”, who is accountable for ensuring information security is managed across all activities. The information security officer shall:

  • Be the main contact point for all security related issues
  • Assess information security risks on a continuous basis
  • Provide advice to all employees on information security
  • Determine action to be taken for all information security related issues
  • Liaise with external IT service provider with regard to information security
  • Ensure that information security requirements are agreed and documented with each supplier that may access or hold information for which Evercam is responsible.
  • Determine the level and rights of access granted to each user of all information systems.
  • Report to the Board on all matters related to information security

Human Resources

In order to reduce the risks of human error, theft, fraud or misuse of facilities, information security controls will be put in place that include the following:

  • Background checks will be carried out on all employees prior to employment.
  • All employees will be required to sign a confidentiality agreement.
  • All users of systems will be given appropriate training to ensure that they are aware of threats and use information processing facilities correctly.
  • An Acceptable Usage Policy (AUP) will be documented that will guide users as to what behaviour is acceptable when using computers, laptops, and any other information processing facilities belonging to Evercam.
  • Employees who wilfully violate the information security policy will be subject to a formal disciplinary process.
  • At the end of their engagement any obligations and duties on employees and contractors that remain valid after termination will be defined, communicated and enforced.

Asset Management

Evercam maintains information assets to provide services to customers and to operate its business effectively. These information assets are classified, and access to all assets is managed to support the classification level.

Classifying information assets gives the people who deal with information guidance on how to handle, secure and protect it.  Once information assets have been classified, appropriate controls can be applied to them, including access controls that reflect the classification.

Responsibility for assets

Evercam will identify all organisational assets and define appropriate protection responsibilities.

Inventory of assets

A register of assets associated with information and information processing facilities is maintained.  All assets are listed under the following asset types:

  • Information
  • Hardware
  • Personnel
  • Premises and facilities
  • Service Subscriptions

Each asset is classified according to the classification criteria.  The asset register and classification criteria are reviewed every 6 months and updated appropriately.

Ownership of assets

A business manager, listed against each asset, has approved management responsibility for the asset, including the accuracy and completeness of the item as listed in the inventory.

The asset owner should:

  • ensure that assets are inventoried
  • ensure that assets are appropriately classified and protected
  • define and periodically review access restrictions and classifications to important assets, taking into account applicable access control policies
  • ensure proper handling when the asset is deleted or destroyed

Acceptable use of assets

Rules for the acceptable use of information and assets associated with information have been defined and documented in the Evercam Acceptable Use Policy (AUP).

Return of assets

All employees and external party users should return all of the organisational assets in their possession upon termination of their employment, contract or agreement.

Information Classification

The owner assigned to each asset is accountable for the information classification of the asset. The classification should reflect the value of the asset, and the sensitivity and importance to Evercam.

Hardware information assets, including desktop systems, laptops, and mobile devices, will also be classified, based on the type of data hosted on the device.

Classification Criteria

To ensure that these information assets receive an appropriate level of protection the following classification shall apply:

  • Public: Information is not confidential and can be made public without any implications for Evercam. Loss of availability due to system downtime is an acceptable risk. Integrity is important.
  • Confidential: Information collected and used by Evercam in the conduct of its business, to employ people and to carry out customer transactions. Unauthorised access could influence Evercam’s operational effectiveness, cause a financial loss, or cause a major drop in customer confidence. Information confidentiality and integrity are vital.
  • Customer Confidential: Information owned by Evercam customers and processed by Evercam as part of its commercial service portfolio.  Unauthorised access could have reputational or financial impact. Customer data requires high levels of integrity, confidentiality, and availability.
  • Sensitive: Customer application data, hosted by Evercam as part of the delivery of contracted customer services, and information used to manage access to systems, including user passwords and PKI keys.  Access to this information is very restricted within Evercam, as it can be used to gain access to any data. The highest possible levels of integrity, confidentiality, and restricted availability are vital.

All information, including publicly available information, will be treated as confidential within the Evercam environment.

Labelling of information

Where it is reasonable to do so, information assets will be tagged with the classification level they have been assigned.  Where it is not feasible to tag information assets, they will remain untagged and assumed to have a classification level of confidential.

Handling of assets

Information assets may be paper based or stored electronically.  Hardware assets include desktops, laptops and other mobile devices.

Paper based information assets

Paper based assets are stored in locked filing cabinets, in secured locations, with access controlled by management.  All paper-based assets are classified as confidential.

Information assets stored electronically

Most information assets are stored electronically on various media.  Access to these assets is managed by credential-based access and Public Key Infrastructure (PKI), depending on the asset classification.

Assets classified as Confidential

Access to assets classified as Confidential is via an authenticated username/password credential pair.  Usernames and passwords are managed with appropriate policies.

Confidential assets, accessible by credential pair, may be stored on the following media:

  • On premises server hardware
  • Cloud based productivity services
  • Cloud based application services

Assets classified as Customer Confidential 

Information assets, owned by customers, and hosted by Evercam for provision of service, are managed in a dedicated security domain, and restricted to operations users.  Access is via PKI, with each user assigned dedicated key pairs.

Assets classified as Customer Confidential, accessible by PKI, may be stored on the following media:

  • On premises server hardware
  • Cloud based Virtual Private Compute (VPC) and database services

Hardware assets

The operations team is responsible for maintaining the hardware asset register.  When a new hardware item is received by the company, the operations team will update the asset register with details of the item and assign an owner.

The asset owner is responsible for the classification of the device, and will take into account the classification of any data hosted on the device.  For clarity all hardware devices will have a default classification of Confidential.

Media Handling

Management of removable media

Access to removable media is blocked by policy on all user workstations.  Temporary exceptions to the policy can be granted on request to the security manager.

Access Control

Summary

Access to information should be controlled on the basis of security requirements. Accordingly, the following requirements apply:

  • There will be consistency between the information classification and the access control.
  • Access rights will be based on a “least privilege” basis, where users only have access to the information they require to carry out their role.
  • Allocation of access rights will be controlled by the information security officer.
  • Evercam employees will be issued usernames and passwords and are required to keep these confidential at all times. Passwords must be set and changed in line with access control rules.
  • Authorised 3rd party service providers will be granted access by the information security officer on an issue-by-issue basis.
  • Remote access to information systems will be provided using two-factor authentication, that is, using something physical and something logical.
  • Remote access will be subject to a formal approval process and authorisation by the information security officer.
  • Access rights will be reviewed on an annual basis to ensure that they continue to be appropriate.

Business requirements of access control

Access to information and information facilities is controlled and limited appropriately.

Access control policy

Asset owners are responsible for approving access to the information asset under their control.  Access requests are assessed by the asset owner and if approved, access is scheduled using the Evercam change management process.  Once a change request is approved the operations team will configure the asset for the required level of access.

Access to all information assets, including user accounts and assigned privileges and rights, is reviewed quarterly and any resulting changes, such as account suspension and withdrawal of privileges, are tracked via the change management process.

Accounts for users accessing data classified as Confidential will not be configured with elevated rights or privileges.  Use of elevated rights will be restricted to accounts for operations users.

Accounts for users accessing data classified as Customer Confidential will not be configured with elevated rights by default.  Users will be able to assume the role of an admin user, and when doing so the event will be recorded in an audit log.

Where possible access to systems should be role based and controlled by managing assignment of appropriate roles and rights to the Evercam domain account for the user.  Legacy applications may not support this and user access to legacy applications and systems may require administration of new system-specific user records.

Access to network and network services

Access to Evercam’s internal business systems and information assets is provided by the core network.  Access to the core services network is restricted to the following:

  • Secured, authenticated WiFi connection for corporate devices, in Evercam’s business premises.
  • Wired connections for corporate devices are provided in secured on-premises locations.
  • Remote access is provided via a VPN connection to corporate devices on the core on-premises network.

Guest WiFi, available on a logically separate network with authentication, provides internet connectivity for non-corporate devices, with no access to the core network services.

Access to Evercam’s customer-facing services and assets is provided by cloud-based network and network services in various cloud providers.  Access is restricted to the operations and infrastructure teams.

Access to all network services is managed via change control.  A change request is raised for any network access request.  The required access can be configured by the operations team on receipt of a change request approved by CAB.

User access management

Measures are in place to ensure that authorised users have appropriate access, and to prevent unauthorised access to systems and services.

User registration and de-registration

The primary authentication for users is their Evercam Zoho account.

The internal Change Management process is used to track and manage user account creation, modification, and deletion.  Change requests, approved by CAB, are required to add, modify, or remove user records.

All new user accounts are created on Zoho with a generic password and configured to enforce a password change at first logon.

Naming standards are in place to ensure the consistent allocation of unique User IDs.

User access provisioning

The internal Change Management process is used to track and manage access provisioning for all users.  Requests for access to a system or service are sent to the asset owner, who will raise a change request.  When approved by CAB, the operations team will action the access request and configure the user for access to the system or service.

Management of privileged access rights

Elevated rights should not be granted to general users.  Role based access control should be used where possible, to grant the minimum required rights for the user to carry out any required tasks.

Elevated rights are generally confined to the operations team to provide access consistent with user creation and management.  Where possible operations users should access systems with normal user access and temporarily gain privileged access to complete the required administration task.

Where elevated rights are required by a user, the assignment and removal of rights is managed via the change control procedure and implemented following approval of a change request.

When elevated rights are invoked by a user, the use should be recorded against an identifiable user.  The use of generic login IDs in general, and their use for operations requiring elevated rights, is to be avoided where possible.

Credentials for generic user and administration accounts are managed to maintain the security of such credentials.

Management of secret authentication information for users

Users are required to sign a standard Non-Disclosure Agreement (NDA) which includes clauses requiring users to keep personal secret authentication information confidential and to keep shared secret authentication information within the members of the group.

Access to data classified as customer confidential is managed using Public Key Infrastructure (PKI).  Each user is assigned 2 private/public key pairs, with 1 pair used for secure shell access to bastion servers, and the other pair used for secure shell access from the bastion server to internal endpoints.  Users are responsible for managing and securing the private keys appropriately.  Access is controlled by system administrators through appropriate installation of the public keys for these 2 key pairs.

Review of user access rights

Users’ access rights, including privileged access, are reviewed by asset owners at least on a quarterly basis and are updated appropriately.  All access rights updates are tracked via the standard change control process.

Removal or adjustment of access rights

Users’ access rights are reviewed by asset owners following any personnel changes.  Access is removed for users leaving the organisation and is updated appropriately as users change job function.  All access rights are tracked via the standard change control process.

User responsibilities

Users are accountable for safeguarding their authentication information.

Use of secret authentication information

Users are required to follow Evercam’s practices for the use of secret authentication information.

Users are required to:

  • Keep authentication information confidential
  • Only store passwords in Evercam approved password vaults
  • Change authentication information if a compromise is suspected
  • Ensure password complexity aligns as far as possible with Evercam’s password policy
  • Properly secure and protect PKI information

System and application access control

Measures are in place to prevent unauthorised access to systems and applications.

Information access restriction

Access to information and application system functions is restricted in accordance with the access control policy.

Access to assets classified as Confidential

The Confidential classification is the default classification level for internal Evercam information.  To access information at this level authentication against the Evercam Zoho account is required.

Access to individual information assets at the same classification is managed independently.  Users may therefore need to authenticate again against individual applications and assets at the same classification level.

Access to assets classified as Customer Confidential

Strong authentication and identity verification are required for access to Customer Confidential data.  Access to information assets classified as Customer Confidential is managed using PKI key pairs.  Assets with this classification are maintained in a separate security domain and access is restricted to operations personnel.

Access to external services

Many cloud service providers require the use of an admin level account, which is used to administer the service.  It is acceptable to use a generic login name (i.e. not a named individual) for this purpose, provided:

  • The service is owned and managed by a single Evercam user.
  • The credentials are stored in a vault approved by the Evercam security team.
  • The account is not used as a general user account.

Access to physical network devices

Many network devices have root level credentials used for device setup and management.  It is acceptable to use a generic login name (i.e. not a named individual) for this purpose, provided:

  • The device is owned and managed by a single Evercam user.
  • The credentials are stored in a vault approved by the Evercam security team.
  • The account is not used as a general user account.

Secure log-on procedures

Where required by the access control policy, access to systems and applications should be controlled by a secure log-on procedure.

Multiple user accounts may be required to provide the required access across multiple applications for a user.  Where a user is required to interactively authenticate against an application or system the logon process should follow these guidelines as far as possible:

  • Do not display identity information until the logon process is complete
  • Display a banner page advising access is restricted to authorised users
  • Disable any help messages that would help an unauthorised user
  • Validate logon information only on completion of all input data
  • Restrict number of unsuccessful login attempts
  • Log unsuccessful and successful logon attempts
  • Raise a security event for suspected breach of logon controls
  • Obscure any entered passwords
  • Prohibit transfer of passwords in clear text
  • Terminate inactive sessions after a period of inactivity

Password management system

The primary authentication platform, Evercam’s Zoho account, is configured to enforce Evercam’s password complexity requirements.

Secondary authentication platforms should comply as far as possible with these complexity requirements.  Secondary authentication platforms include:

  • Administration consoles for switches and routers
  • Cloud provider consoles
  • Any application with its own authentication system

Password complexity requirements

Passwords will have a minimum length of 10 characters, and a maximum length of 256 characters.

Each password shall have 3 out of the following character types:

  • Lowercase characters
  • Uppercase characters
  • Numbers 0-9
  • Symbols @ # $ % ^ & * - ! + = [ ] { } | \ : ' , . ? / ` ~ " ( )

Where possible the same complexity requirements should be applied to user and admin account passwords being managed on other platforms, including:

  • Admin accounts of consoles, switches, and routers.
  • User accounts on secondary authentication platforms.

Password history

Password history is maintained, and users are prohibited from re-using previous passwords.

Password age

Passwords are not currently set to expire as complexity rules should be sufficient.

Guessable passwords

New passwords are checked against a global banned password list, and prohibited if matched.

Guidelines for users when selecting a password

Users should not base their password on obvious or easily guessable information, such as the following:

  • Date of birth
  • Family, children or pet names
  • Model of car or personal transport
  • Season or month

Use of privileged utility programs

The use of utility programs that may be capable of changing or overriding system and application security control is restricted and subject to change control.

Access to program source code

Access to program source code is restricted and managed appropriately.  The following measures are in place to manage access to program source code:

  • All code is stored in a central repository
  • Procedures are in place to manage the updating of the repository
  • A history of all updates is maintained in the repository

Cryptography

In order to ensure adequate protection of data, data in flight and at rest will be appropriately encrypted.  Any applied cryptography will be appropriate to the classification of the data, and the source and destination of any data in-flight.

Physical and Environmental

Information security must also be extended to physical protection, to prevent unauthorised access, damage or interference to systems and information. Accordingly, the following controls apply:

  • All information systems will be located in a secure / locked room or at a minimum in a secure / locked rack.
  • Access to these systems will be strictly controlled by the information security officer.
  • All access to information systems will be logged.
  • Equipment will be sited such that it is protected from environmental threats and hazards such as fire, flood, dust, etc.
  • All physical backup media will be stored in secure / locked fireproof cabinets.
  • Where systems are located in data centres that are not under the direct control of Evercam the same protection will be required.

Operations Security

To ensure the correct and secure operation of information processing facilities, certain processes and procedures need to be in place. These include:

  • Continuous monitoring of systems to ensure correct operation
  • Timely installation of updates and security patches issued by vendors to maintain security and correct operation.
  • Installation and timely update of anti-malware software and intrusion detection / prevention systems.
  • Daily and weekly backup regimes with remote storing of backups.
  • Periodic testing of restore procedures to ensure capability to recover from a disruption.
  • Robust change management procedures.
  • Periodic risk assessment / analysis of controls to ensure they remain effective.

Communications Security

Summary

Networks must be structured and managed to ensure the security of information assets and applications. Any transfer of data to 3rd parties must be monitored, logged, and take place under a formal agreement. The following controls will be implemented for internal and outsourced networks:

  • Networks will be segregated between production, test and operations environments
  • 2 layers of firewall protection will secure all information assets
  • Networks will be geographically segmented
  • All data transfers to 3rd parties will be logged
  • All data transfers will be subject to a non-disclosure agreement or other formal agreement.

Measures are in place to ensure the protection of information in Evercam’s networks and supporting information processing facilities.

Network security management

Measures are in place to ensure the protection of information in networks, and its supporting information processing facilities.

Network controls 

Networks are managed and controlled to protect information within systems and applications, and controls are in place to ensure appropriate levels of protection.

Management of network equipment

The operations team are responsible for the operation of all on-premises network equipment, and networks hosted by 3rd party suppliers.

All changes to on-premises network equipment and 3rd party hosted networks, are subject to change control and can only be implemented following approval from CAB.

Confidentiality and integrity

All data transferred between Evercam’s internal networks and cloud service providers and other 3rd parties is encrypted during transfer.

Certificate based authentication is used to verify the identity of all service-providing endpoints.

Logging and monitoring

Network devices, servers and user endpoints are configured to log critical network activity for forensic analysis purposes.

Management activities

Alerting systems, dashboards and event reporting provide information on network performance to the management team, who work to optimise the service to customers and end-users.

The management team, through the change control process, reviews and approves all proposed changes to the physical and logical network systems.  This ensures a consistent approach to the implementation of controls across the information processing infrastructure.

Authentication

Laptop systems, tablets and phones connecting remotely require multi-factor authentication (MFA) to connect to services.

PKI certificates are used on all servers to verify the identity of the server to any connecting endpoint.

Network devices are authenticated using credential-based access.

Connectivity restrictions

Physical access to the corporate network is restricted to devices physically located in Evercam’s offices, connecting over an ethernet connection.

Connectivity is also supported over corporate WiFi and restricted to known endpoints, whose MAC addresses are whitelisted.

Access to the corporate network is also provided to users outside the physical premises using a Virtual Private Network (VPN) connection.

Security of network services 

Network service agreements have been compiled, detailing management, technical and service requirements for all network services.  These agreements are in force for internal teams and external 3rd party suppliers.

Network segregation

The corporate network is segregated into an internal network zone, accessible by physical or WiFi connection, and a visitor zone, accessible via WiFi only.  The corporate zone provides access to all corporate services, and the visitor zone provides internet connectivity only.

Networks hosting customer-facing services are segregated into test, operations, and production zones.  Whitelisting of traffic on selected ports allows servers in the operations zone to collect log and monitoring information, and to provide other operations services. There is no connectivity between test and production zones.

Information transfer

Measures are in place to maintain the security of information transferred within Evercam, and between Evercam and any external 3rd party.

Information transfer policies and procedures

The Evercam Acceptable Usage Policy (AUP) provides for the transfer of data using cryptographic and authentication controls to ensure the confidentiality and integrity of the transferred data.

Information asset owners will identify any requirements additional to those in the Acceptable Usage Policy.  Additional policies will be maintained to support these requirements.

Electronic messaging

Security measures have been implemented to protect the availability, confidentiality, and integrity of electronic messaging services.  These include but are not limited to:

  • Using commercial, highly available messaging services
  • Accessing messaging services from secured endpoints to ensure strong levels of authentication
  • Augmenting security of commercial email service with connection-time checks based on commercial and public threat intelligence sources

Agreements on information transfer

Prior to the transfer of information with external organisations, a formal and appropriate SLA with an adequate level of security controls shall be defined. This agreement shall cover, but not be limited to:

  • Management responsibilities.
  • Manual and electronic exchanges.
  • Sensitivity of the critical information being exchanged.
  • Protection requirements.
  • Notification requirements.
  • Packaging and transmission standards.
  • Courier identification.
  • Responsibilities and liabilities.
  • Data and software ownership.
  • Protection responsibilities and measures.
  • Encryption requirements.

Requirements relating to confidentiality and non-disclosure commitments for Evercam personnel and contractors shall be identified and regularly reviewed. As such Evercam shall:

  • Define the information to be protected and required levels of sensitivity.
  • Indicate the expected length of the commitment.
  • Specify the terms for the return or destruction of information upon termination of the commitment.
  • Specify the responsibilities and requirements concerning signatories in order to prevent unauthorised disclosure of information.
  • Publish the penalties applicable in the event a user fails to respect the commitment.

Confidentiality and non-disclosure commitments shall consider legally enforceable terms to address the requirement to protect Evercam’s assets.

System Acquisition, Development and Maintenance

Summary

To ensure the required level of information security during the development and procurement cycle the following controls will be put in place:

  • Rules for development of software and systems will be established and implemented
  • All changes to systems within the development lifecycle will take place under change control
  • Principles for engineering secured systems will be established and applied.
  • All outsourced system development will be monitored and supervised
  • Testing of security functionality will be carried out during development
  • Acceptance testing procedures will be established and applied to all information systems and upgrades

Security requirements of information systems

Controls are implemented to ensure that information security is an integral part of information systems across the entire lifecycle.  This includes systems developed internally and systems and services procured from 3rd party suppliers.

Information security requirements and specification

Information security requirements will be identified for all information systems early in the procurement or development process as appropriate.  Requirements will be identified through a risk analysis on the information involved.  Other inputs used to identify requirements include:

  • Threat modelling
  • Incident reviews
  • Compliance requirements from policies and regulations

The information security requirements will be formally documented and approved by all stakeholders.

Product and service procurement processes will include a formal assessment against the documented information security requirements.  Where the product or service does not meet a requirement, the risk will be assessed prior to procurement.

Securing application services on public networks

Information in application services traversing public networks should be protected from fraudulent activity, contract dispute and unauthorised disclosure and modification.

To provide this level of security, all applications with interfaces for collecting, storing and processing information will comply with the following:

  • Public Key Infrastructure (PKI) will be implemented on all servers to authenticate server identity and agree cryptographic methods for encryption of data in transit.
  • Formal service agreements will be agreed by Evercam and partners.  A standard service agreement will apply where no individual agreement has been negotiated.
  • Services should be deployed in multiple availability zones and be resilient against failures and outages in any one zone.

Any non-compliance will require a risk analysis of the relevant information system, and identification of mitigating controls and procedures.  Applications or services may apply additional security measures, depending on the risk assessment of the information assets.

Protecting application services transactions

Information involved in application service transactions should be protected to prevent incomplete transmission, misrouting, unauthorised message alteration, unauthorised disclosure, unauthorised message duplication or replay.

To provide this level of security, the following controls are considered for all applications with interfaces for collecting, storing and processing information:

Network security

Dual diverse firewall layers control network traffic based on predetermined security rules.  Access to endpoints or network protocols can be managed based on content of the network packet.

Authentication

The ability to uniquely identify users and processes that are attempting to access the system or its data.  Supported authentication methods include credentials, PKI keys, access tokens and secret keys.

Access control

Features to allow only appropriate access to data, based on its sensitivity and who should have access to it.

Auditing and logging

The ability to record attempts to access system information, and other events relevant to securing the asset or service.  Logging is provided as an infrastructure service, independent of the application or service.  Consolidation of log data to a central repository is available, aligned with data retention standards and processes.

Encryption

Data communications between different system components, such as web servers, API and databases, are encrypted.  This is provided independently of the application or service, using PKI keys and cryptography.

Network segregation

A structured network environment allowing segregation, with API, databases, and other storage components hosted in isolated network layers and not exposed to the public internet.

Integrated PKI management

Repeatable, secured procedures are used to manage all Public Key Infrastructure (PKI) keys, certificates and components independent of the application or service.

Physical

Options to deploy applications or components in tier 1, tier 2 or tier 3 data centres with corresponding levels of resilience against outages due to single points of failure.

Security in development and support processes

Information security is designed and implemented within the development lifecycle of information systems.

Secure development policy

Rules for the development of software and systems have been established and applied to projects developing applications with interfaces for collecting, storing and processing information.  Projects are managed by Evercam and resourced using local development teams or 3rd party companies or contractors.

Development environment

The development environment is isolated from production and pre-production test environments.  Development servers and environments are permitted to run a less restrictive security configuration than production; they should be aligned with production when practical to do so.

When releasing software components from the development environments, only the updated component, along with any libraries and other dependencies, will be transferred to code repository development branches.

Security in software development lifecycle

Prior to release into the pre-production test environment all code is subject to a code review to ensure the code conforms to standard coding techniques and security standards.

Security requirements at design phase

The specification for development of the application component will contain any relevant security requirements derived from the information security specification approved by stakeholders during project initiation.

Security checkpoints within project milestones

Security checkpoints are integrated into all project plans as a milestone, to ensure that all requirements are satisfied.  Additional project milestones may be required to formally establish test criteria to ensure all security requirements are tested and verified.

Secure repositories

All software is stored in a secured code repository, which acts as a single source of truth for all software developed internally.  Processes are in place to manage software releases to the repository, and to deploy software to test and production environments.

Version control

New and updated modules are uploaded to a separate repository branch on release from development. This branch acts as the repository source for the modules as they are installed in the pre-production test environment.

System change control procedures

Operational and application changes occurring within the development lifecycle are controlled using Evercam’s formal change control procedures.  Key features of the change process include:

  • The change planning process includes a risk assessment and a regression plan.
  • Change requests can be raised by any user but are typically raised by information asset owners.
  • All changes require approval by CAB before implementation.  CAB consists of nominated representatives for services, security, technical and operations teams.
  • All change requests are recorded in the change calendar to maintain an audit trail of change activities.

Technical review of applications after operating platform changes

When operating platforms are changed, business critical applications are reviewed and tested to ensure there is no adverse impact on organisational operations or security.

Proposed changes are first deployed to a pre-production test environment for integration testing against operational platforms.  The environment is subject to a standard battery of test scripts, along with any functional tests required to exercise new functionality.

Following successful testing in the pre-production environment a change request is raised.  When approved the deployment to production is scheduled, implemented, and tested.

Restrictions on changes to vendor supplied software packages

Modifications to vendor-supplied software packages are discouraged and limited to necessary changes, and all changes should be strictly controlled.

Secure systems engineering principles

Principles for engineering secure systems are established, documented, maintained and applied to any information system implementation efforts.

Establish a sound security policy as a foundation for design

The security policy encapsulates Evercam’s basic commitment to information security formulated as a general policy statement. The policy identifies objectives for confidentiality, integrity, availability of information assets.  These objectives guide the procedures, standards and controls used in the design of security architecture for application and infrastructure.

Treat security as an integral part of the overall system design.

It is difficult and costly to implement security measures successfully after a system has been developed, so security should be integrated fully into the system life-cycle process.

Assume that external systems are insecure.

An external domain is one that is not under Evercam’s direct control. It should be assumed that the security measures of an external system are different from those of a trusted internal system, and security measures should be designed accordingly.

Protect information while being processed, in transit, and in storage.

Security measures should be implemented to protect the integrity, confidentiality, and availability of information assets while the information is being processed, in transit, and in storage.

Protect against all likely threat types

Any threat type that results in unacceptable risk needs to be mitigated. Examples of threat types are: Passive monitoring, active network attacks, exploitation by insiders, attacks requiring physical access or proximity, and the insertion of backdoors and malicious code during software development and deployment.

Where possible, base security on open standards 

Modern systems are highly distributed.  For security measures to be effective in environments where information is distributed across multiple providers, they need to be portable and interoperate with different vendor platforms.

Implement layered security

Security designs should consider a layered approach to protect against a specific threat, to mitigate against single points of vulnerability.

Use unique identities to ensure accountability.

Unique identities should be assigned to all users and processes, to support access control decisions, user accountability, and provide for non-repudiation.

Implement least privilege

Limit system access to provide no more authorisations than necessary to perform required functions.

Secure software development

Evercam has established and appropriately protected secure development environments for system development and integration efforts that cover the entire system development lifecycle.

Development environments

The development environments are maintained in approved Virtual Private Compute (VPC) cloud services providers.

Only approved development staff have access to the development environments.

Production data is not available in development environments.

Formal code reviews are conducted as part of the release process from development to integration testing environments.

Development code repositories are maintained independently of the current production code base.

Code release consists of developed modules and any dependent system libraries only.

Integration test environments

Pre-production test environments are maintained as a full replica of, and subject to the same security measures as the production environments.

Following the release from development the codebase is updated on the deployment systems from the updated development repository.  The release is deployed to the pre-production test environment via a formal deployment process.

Outsourced development

Evercam supervises and monitors the activity of outsourced system development.

A small amount of development work is outsourced on an ad-hoc basis to service requirements for skill sets not available in house. External developments are subject to the same release process as internal developments.

System security testing

Testing of security functionality is carried out during development.

Initial testing of security features takes place in the development environment where custom tests are performed to exercise the required functionality and verify results.

Security features are again tested in the integration test environment following deployment of the release from development.  A standard set of tests is performed, along with custom tests to verify the required security functionality.

System acceptance testing

Acceptance testing programs and related criteria are established for new information systems, upgrades and new versions.

Acceptance testing takes place in the integration test environment following deployment of the release from development.  A standard set of tests is performed, along with custom tests to verify the required application functionality.

Test data

Test data is selected carefully, protected and controlled. A permanent set of test data is maintained in the pre-production test environment.  This data is a full set of pseudo-customer data, available in a replica of the production environment.

Supplier Relationships

Some IT services are provided by third party service providers. Information security employed must be of a standard that equals or is higher than that provided internally. The following controls will be put in place for all IT services that are provided by third parties;

  • Confidentiality agreement between Evercam and the service provider.
  • Security governance issues will be specifically covered in contracts.
  • The service provider’s information security will be audited on an annual basis.

Information Security Incident Management

To minimise exposure as a result of a security incident, an Incident Management plan exists to guide the initial response. The plan includes the following;

  • Requirement that all incidents or suspected incidents be reported to the IT Helpdesk using email, Evercam Escalation discussion Group, or telephone.
  • Immediate action to stop or limit the extent of the exposure.
  • Clear outline of roles and responsibilities in handling the incident and communicating with stakeholders.
  • Criteria for consideration before a decision to invoke the Business Continuity Plan.
  • Communication guidelines to inform actions with respect to advising the Board, advising the customers and advising other stakeholders on the nature of the incident.

Business Continuity

Business Continuity management plans are to be put in place to counteract disruptions to business activities and to protect critical processes and systems from the effects of major failures and disasters. The plans should address the following items;

  • Roles and responsibilities for business continuity management
  • Emergency procedures to be followed
  • Fallback / continuity procedures to be followed that ensure essential activities can continue during the disruption.
  • Resumption procedures which describe the actions to be taken to return to normal operations.
  • Regular testing / exercising of the plans to ensure familiarity and that they remain up-to-date.

Compliance

A key objective of information security management is to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligation. Accordingly the following controls will be implemented and monitored;

  • All relevant statutory, regulatory and contractual requirements relating to information security will be identified and documented.
  • Intellectual property rights of 3rd parties will be respected and all software in use will be correctly licenced.
  • Records will be categorised and stored securely and in a manner that facilitates retrieval.
  • Records will be securely destroyed when they are no longer required to be retained.
  • Media containing sensitive information will be disposed of securely and safely when no longer required.

Mobile Device Management

Mobile devices such as laptops, tablets and smartphones are a potential means of intrusion into the network and also data leakage from Evercam. Accordingly robust controls will be put in place to protect Evercam from both these threats including the following;

  • All devices that connect to the network must be pre-approved by the information security officer.
  • Appropriate controls, specified by the information security officer, must be active on all mobile devices.
  • Evercam must retain the capability to remotely delete all data on mobile devices should they become lost or stolen.
  • All confidential data stored on mobile devices must be encrypted.
  • The theft or loss of a mobile device must be reported to the IT Helpdesk using email, Evercam Escalation Discussion group or telephone, as soon as the theft/loss is discovered.

Information Security Performance

Information Security performance will be measured by a combination of;

  • quarterly reporting to the board of directors on the performance in relation to the information security objectives;
  • regular reports on incidents;
  • preventive and corrective actions taken to address identified gaps in controls;
  • uptime of systems during business hours;
  • reporting on initiatives planned / completed that address exposures;
  • review of trends of key information risk indicators.

Roles and Responsibilities

Managers, at all levels, are required to create an environment where the management of information security is accepted as the personal responsibility of all employees, and contractors.  The Managers are accountable for the implementation and maintenance of sound processes within their area of responsibility in conformity with this information security policy.

The Information Security Officer is responsible for the provision of advice and service assistance to all areas on information security matters.

The Information Security Officer is also responsible for reporting to the Board on a quarterly basis regarding information security performance relative to objectives, the status of any planned activities and on any incidents that may have occurred.

The quarterly report will be reviewed by the General Manager in terms of endorsing the actions undertaken or proposed, and by the Board in terms of the appropriateness of actions and compliance with the Information Security Policy.

Education and Training

The training manager is responsible for the development and provision of sufficient information security awareness training as well as specific training and education on information security threats, both existing and emerging. Training and education is to address the needs of all directors and employees including senior management.

Policy Review & Update

This policy will be reviewed by the Board of Directors on an (at least) annual basis, taking any information security incidents and feedback from personnel into account. Any revisions to the policy will be communicated to all personnel and third party service providers.