As a leading Cloud service provider, virtualDCS has contracts with organisations across Europe. These customers expect that we demonstrate the up-most professionalism in the security and privacy of our processes, and systems. Specific, subsidiary Standard Operating Procedures are considered part of this information security policy and have equal standing. This policy is authorised by the Board, and it is reviewed and updated when necessary.

Introduction

virtualDCS is a provider of cloud computing services, specifically VMware-based products. We have designed, built, and maintained a ‘Virtual Platform’ that supports business computing in the UK and Europe. Our clients range from international retail chains, through to local micro businesses. To provide our services, we must collect, and process data.

To protect this data, we have implemented an Information Security Management System, that has been certified to ISO 27001:2013, by the British Standards Institute. Our management system is mature, and has been certified since 2015.
This policy describes our approach to information security and privacy, and acts as a reference document for our staff, customers, and the public.

Our Stakeholders
Our staff, customers, and the public expect the very best from our company on technological and procedural matters. They trust us to protect the confidentiality, integrity, and availability of their data and their virtual machines. We have entered into multiple contractual agreements with customers, which specifically require us to maintain strict physical and information security. We also have legislative requirements under UK law.

Our stakeholders include: our staff; contractors; customers (including their customers and staff); our suppliers; our regulatory bodies (including UK and EU law enforcement, and UK administrative bodies); and our appointed auditors.

In addition to our contractual requirements, virtualDCS has a number of legal requirements placed upon it. These include (but are certainly not limited to): Data Protection Act 2018 (including the General Data Protection Regulations); Investigatory Powers Act 2016; Computer; Misuse Act 1990; Anti-terrorism, Crime and Security Act 2001; Police and Criminal Evidence Act 1984; Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations; and the Copyright, Designs and Patents Act 1988.

Our Information Security Management System
We have created an Information Security Management System, to structure our approach to security and governance. The scope of our ISMS, which has been certified to ISO 27001:2013, is: The provision of safe and secure virtual server hosting services.

Our ISMS aims to provide a safe and secure environment for customers to host their virtual servers. Included in our scope are: the Virtual Platform Domain (VP); the physical servers it is operating from; both virtualDCS data centre locations (Derby, Leeds); and the back-office technical and administrative functions necessary for the operation of our services.

All virtualDCS staff, contractors and 3rd parties are in scope of the ISMS and receive training appropriate to their role. Out of the scope of our ISMS are any assets used solely by customers and 3rd parties, such as a customer’s virtual machine. Where high levels of risk are identified, risk reduction or mitigation actions are documented and employed.

Proactive Security, and Commitment to Improvement
virtualDCS operates a ‘proactive’ security defence model. We have committed to continually improving the security and reliability of our platform: we own, control and when necessary, custom-build systems. We operate multi-zone environments to maximise uptime, redundancy, and to provide the fastest response time to customers. Our network architecture is designed to reduce single points of failure, and is constantly reviewed for best practice and compliance. By approaching our platform architecture in this way, we can provide customers with the fastest and safest cloud environment.

Our platform is monitored 24x7x365 from our system centre, and by Pingdom. We monitor it for availability, reliability, and speed. A comprehensive external security testing programme is run every month to ensure that our service is secure from known exploits, new vulnerabilities, and targeted attacks.

Structured Approach to Managing Security
To ensure that we have a consistent approach to security and privacy for our stakeholders, we have created a number of Standard Operating Procedures that provide a formal process for our common tasks. These SOPs cover everything from User Passwords and Staff Vetting, through to Incident Response and Change Management. Our SOPs are reviewed at least annually and are updated in line with industry standards.

Privacy
Our stakeholders quite rightly expect that we keep their personal and commercial information, private. We employ a robust information governance structure, as part of our ISMS. This structure controls how we collect, store, and process information.

Personal Information
To enable the effective operation of our business, we must collect, store, and process personal information. We have explained the legal justification for holding this information below:

Our staff and contractors
Personal information including full legal names, nicknames, date of birth, residential address, telephone numbers, email addresses, medical history, and sick leave details. We use this information to comply with our legal obligations as an employer.

Customers’ staff and contractors
Personal information such as full legal names, nicknames, email addresses, and telephone numbers. We use this information to fulfil our contractual obligations with our customers.

Former customers’ staff and contractors
Personal information such as full legal names, nicknames, email addresses, and telephone numbers. We use this information to comply with our legal and contractual obligations.

Business and product development
Personal information including full legal names, nicknames, email addresses, and telephone numbers. We use this information to conduct our legitimate business interest in offering our services for sale to other businesses.. As part of that sales process, we may approach individual data subjects, via email, telephone, and direct mail. We shall always action any request to stop processing that individual’s personal information, in addition to performing our other obligations as specified by the General Data Protection Regulations, and the Privacy and Electronic Communications Regulations.

Commercial Information
We must also collect, store, and process commercial information. This information includes technical diagrams, project plans, and other confidential commercial information. We hold this commercial data for the period specified in our customer and supplier contracts, and to comply with our legal obligations.

Access Requests and Security Reports
Individuals in the European Union have the right to request access to, the correction of, and deletion of their personal information. If an individual wishes to submit a subject access request, virtualDCS will respond to the request within 20 working days.

Supplier and Third-Party Applicability
virtualDCS requires its suppliers and associated third-parties to comply with this Policy. They must use appropriate policy and technical controls when accessing, transmitting, or storing our information assets. virtualDCS will audit supplier and third-party adherence to this policy from time to time.

Responsibility and Accountability
Overall accountability for information security and privacy rests with Richard May, on behalf of the company’s Board.
Responsibility for many functions relating to security and privacy has been assigned to operational teams, including:

System security
The technical team, led by our Operations Director, is responsible for ensuring that our systems are secure, and that they are designed and maintained according to our SOPs, and industry best practice. Information governance, compliance, and standards

virtualDCS has contracted an independent consultant, who advises the company’s Board on governance, standards, and compliance issue. This consultant also maintains the ISMS documentation.

Information and document management

The administration team is responsible for managing the company’s documentation library, across its computing and physical estate.

All virtualDCS staff are assigned some responsibility for information security and privacy, according to our Standard Operating Procedures. Each member of our team must ensure they are familiar with their responsibilities, and act accordingly.

Independent Audit
To ensure that we’re meeting our obligations, and to provide our stakeholders with independent assurance of our performance, the British Standards Institute performs regular audits our Information Security Management System. These audits provide us with actionable feedback on our system, and enable us to continually improve our security and privacy.