The itslearning management team has been actively involved in developing an information security culture within the company via an ongoing awareness program, and has a management structure in place to manage the implementation of information security in its services with clear roles and responsibilities within the organization.
Multiple industry best-practice processes and policies exist to ensure the best possible confidentiality, availability and integrity of the platform. These policies are built around strict requirements in a number of areas, such as;
- Information security
- Hosting environment security
- Third party access
- Capacity control
- Change management
- Backup and recovery
- Access control
- Logging and monitoring
- Incident response
- Release management
itslearning have a team of security experts who are responsible for the overall information security of the organization. Their role include responsibility for;
- Coordinating security related tasks
- Securing corporate environment, network and devices
- Security the application (in-house penetration testing and application audits)
- Monitoring and logging
- Process and policy management (disaster recovery, path management etc)
- Training and education of employees, in the field of information security
- Coordinating third-party security audits, and follow up on any findings,
- Reviewing code for potential security vulnerabilities.
Roles and responsibilities
All employees have clear roles within the company, and are only given access to data required for their specific role. A limited number of employees have administrative access to our production environment and their rights are strongly regulated and reviewed at set intervals. Any major change to the application, environment or hardware of the production environment is always verified by a minimum of two individuals.
All itslearning personnel are required to enter into a strict confidentiality agreement. All staff are required to follow corporate policies regarding confidentiality, business ethics and professional standards. Staff involved in securing, handling and processing customer data are required to complete training appropriate for their role.
Strict requirements are in place for any employee, hired consultants or third party requesting access to itslearning information systems. Access control is controlled by an authentication system. The user is required to:
- Have management approval for the requested access
- Have strong passwords that are in accordance with the corporate password policy
- Change their password at regular intervals
- Document that the access requested is required for their specific role/task
- Ensure that the device (PC, tablet, cellphone) used is adequately secured, and locked when the user is absent.
itslearning employs automatic temporary lock-out of user terminal if left idle.
Internal data access processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. Any changes to data is logged to create an audit trail for accountability.