
Information security and data privacy

The nature of our business means we process personal information. Such information may be provided by our clients, can include patient information, or may be information pertaining to our employees and their families. This means data security must be at the heart of everything we do, and we work closely with our stakeholders to protect all of the personal information we process or control.

Governance

Our central security and compliance teams are responsible for our Group-wide policies and procedures, and operate under our Chief Technology Officer, Chief Information Security Officer, Group Head of Risk and Compliance, and Group Data Protection Officer. We also support our individual businesses to ensure they have the resources and knowledge they need to manage the data in their custody. Our Information Security Governance Committee meets quarterly and provides oversight and feedback on our security strategy and performance. We distribute security reports bi-weekly to our senior leadership teams, with monthly updates to the Executive Council. Our multiple reporting committees also receive security and privacy updates, including the Audit Committee and the Risk and Controls Committee, which meet on a quarterly basis.

We have redesigned our Group security policies to align them with the National Institute of Standards and Technology (NIST) Cybersecurity Framework. To keep pace with the evolving security threat, we’ve grown our internal security team and we’re working with key security partners to mitigate threats. We’re also extending Cyber Essentials certification across the Group, to meet client expectations. We maintain the information security risk register and provide input to the Enterprise Risk Management Program. We have a vulnerability management program involving both internal and third-party risk assessments of our security posture.
Certifications

Our security teams have certifications from organizations such as ISACA and Integrated Security Consultants Ltd (ISC). Our security and privacy team have memberships of the Information Security Forum, the European CyberSecurity Organisation, and the International Association of Privacy Professionals. During 2023, Inizio certified to the new EU-US Data Protection Framework (DPF), the UK Extension to the EU-US DPF, and the Swiss-US DPF, allowing us to make transatlantic data transfers.

We manage our privacy and data governance program using a class-leading third-party cloud-based solution. This supports a wide range of assessments, including data protection impact assessments, records of processing, cookie compliance, and country assessments. We perform information security and data privacy due diligence on vendors that process sensitive data for us and those that integrate with our systems. The depth of these assessments depends on the sensitivity and nature of the engagement.

To ensure people understand their rights under data protection legislation, we provide them with privacy notices. These include their rights under the General Data Protection Regulation (GDPR). During 2023, we did not receive any substantiated complaints about breaches of customer privacy and there were no losses of customer data during the year under review.
Training

We expect every employee to be responsible for the information they process. We have mandatory privacy and security training, support, and updates, to ensure our people have the knowledge to perform their roles, in line with our clients’ expectations. Our security awareness platform provides targeted training to our people around the globe and is translated into multiple languages. We perform annual phishing tests, tailored by region and language, and provide regular reminders to our people, based on the current threat landscape.

Certified to the new EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF, facilitating transatlantic data transfers.

Inizio Sustainability Report 2023 | 37