Data Protection Statement – Organisational and Technical Measures

Organisational roles and responsibilities are defined and documented, with an accountable executive owner, ensuring appropriate resource is allocated to align to the Group’s strategic direction.  The ISMS is centrally managed by a dedicated team of Compliance, Internal Audit, Information Security, and Cyber Security professionals.

Information Security risks are captured as part of a risk management framework based upon the defined scope and criteria of the ISMS.  Internal objectives are set and monitored on a regular basis with senior stakeholders.

An overarching Information Security policy is in place with Executive Statement.  Primary policies are mandatory for all staff and a secondary policy set is categorised based on relevance to certain areas of the business e.g., IT Software Development.  All staff can access these on our internal Intranet site and training is provided on an annual basis within our Learning Management System.

All information is processed through the Group’s Data Classification guidelines, with appropriate controls assigned for Confidential, Private and Public data.  An inventory of assets and systems is in place, with ownership assigned to relevant management. 

An incident reporting policy and procedure is also in place, with an easy reporting mechanism for staff to report events or incidents.  Incidents are logged and handled by internal Information Security and Cyber teams.    A breach reporting procedure is documented and captured as part of the organisation’s Business Continuity Planning.  Plans are reviewed and tested regularly (at least annually).  Lessons learned are documented and cascaded.

Security risk assessments are conducted for suppliers based on their interaction with Radius systems and data.  Contracts, agreements, and NDAs are implemented in line with a formal Supplier Management Policy.

All relevant legislation and regulatory requirements have been identified and reviewed, with ongoing horizon scanning.  A Data Protection Officer has been assigned to ensure compliance with Data Privacy legislation that Radius operates under its jurisdictions.  Impact assessments are conducted for any major changes to processing activities to ensure continued compliance.

All employees are screened in line with risk accepted levels, with additional DBS checks completed for senior staff and those conducting work in Regulated areas.  Responsibilities and terms and conditions for confidentiality are communicated and signed by staff in employee contracts, with ongoing provisions after contract termination.

A formal starters, movers and leavers process is in place to capture on and offboarding criteria, with disciplinary action clearly stated for employees failing to meet Information Security policies.

Information Security training is mandatory and provided to all staff on at least an annual basis through the Group’s Learning Management System.  Additional training will be provided off the back of any events, feedback, or changes in legislation.

Risk assessments are conducted for all Radius sites in line with best practice principles for physical security, with numerous controls implemented such as access control ID cards, CCTV and ANPR cameras and security alarms. Access to secure areas is provided on an as needed basis and approved and reviewed by department leads.  Regular clear desk sweeps are completed at office locations.

3^rd party data centres are hosted with strict physical security requirements, with annual assurance completed. 

Regular maintenance of equipment and utility services is undertaken, and end-of-life equipment is recorded and disposed of in line with WEEE Regulations (or non-UK equivalent) and our Environmental Policy.

Managed by its internal IT Operations, Cyber and Infrastructure teams, Radius uses leading technology to identify, monitor and mitigate potential threats within its secure network and server environments e.g., NDR and EDR, with end-point protection in place across assets.  Cryptography keys are managed centrally and in accordance with best practices.

All users are issued standard user accounts comprising of a unique ID and password and least privilege. Elevated privileges and segregation of duties are applied to administrator access.  Access can only be granted using internal service tickets with the relevant approvals.  Multi-factor authentication (MFA) is in use across the Group and single sign-on (SSO) is being increasingly adopted..  Access is routinely reviewed to ensure need-to-know principles are followed.

Regular capacity management reviews are conducted with automated alerts in place to determine when capacity reaches its limit.  Backups are in place and are regularly tested to ensure they would work within a ‘real life’ situation.  Logs are retained for 12 months.

Network segregation is implemented across the estate with numerous security mechanisms to detect and prevent access to information systems such as firewalls and DMZs.  Network monitoring through NDR and EDR solutions is also in place.

3^rd party assurance is obtained through regular independent penetration testing, and vulnerability assessments of externally exposed applications are carried out on a regular basis.  Annual certification audits are also performed for ISO 27001 and Cyber Essentials.

Information Security is embedded within security by design principles for IT Software Development, with Data Protection Impact Assessments (DPIAs) completed for all mandated changes.  Secure Software Development Lifecycle (SDLC) Policies and processes are in place with code reviews completed.  Testing is carried out by an internal testing team.  A Change Enablement/Management procedure is aligned to ITIL v4 principles and weekly Change Advisory Board meeting takes place to review and approve planned changes.