Information Security Policy

1. Who is Noventiq?

Noventiq (Noventiq Holdings plc) is a leading global solutions and services provider in digital transformation and cybersecurity, headquartered in London. The company enables, facilitates, and accelerates digital transformation for its customers’ businesses, connecting 80,000+ organizations across all sectors with a vast selection of best-in-class IT vendors, alongside its own services and solutions.

With a turnover of US$ 1.6 billion in FY23 (the 12 months ending March 31, 2023), Noventiq is currently one of the fastest-growing companies in the sector. Its growth is underpinned by a three-dimensional strategy to expand its markets, portfolio, and sales channels, supported by an active approach to M&A that enables Noventiq to take advantage of the ongoing consolidation in the industry. Noventiq's 6,400 employees work in ~60 countries throughout Asia, Latin America, Europe, the Middle East, and Africa, markets with significant growth potential.

2. What is our approach towards information security?

Noventiq and its subsidiaries, including each Noventiq operating company (together, “Noventiq”), are committed to ensuring the confidentiality, integrity and availability of the information entrusted to Noventiq. Our commitment to information security is at the core of everything we do.

3. What are the main components of our information security program?

Noventiq maintains a comprehensive information security program based on the International Organization for Standardization (ISO) information security framework and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. These are robust sets of best practices from which an organization can build its security policies and protocols based on identified risks, compliance requirements, and business needs. These frameworks cover critical practice areas, including access control, configuration management, incident response, security training, and other information security domains.

3.1. Governance

Noventiq’s Chief Information Security Officer function has primary responsibility for the development, maintenance, and implementation of the Noventiq information security program. The Audit and Risk Committee is responsible for all risk management activities within the company and is composed of non-executive board members together with business and legal leaders from the organization.

3.2. Policies

Adherence to the internal information security policy package is an obligation of every Noventiq employee. Noventiq conducts a series of internal monitoring procedures to verify compliance with internal information security policies, and all Noventiq employees undergo mandatory annual training. In addition, any third-party contractors who come into contact with systems that may contain Noventiq data are contractually bound to maintain the security and privacy of that data.

3.3. Access

Noventiq's primary method of assigning and maintaining consistent access controls and access rights shall be the implementation of Role-Based Access Control (RBAC). Wherever feasible, rights and restrictions shall be allocated to groups rather than to individuals. Individual user accounts may be granted additional permissions as needed, with approval from the system owner or an authorized party.

3.4. Asset Management

At Noventiq, assets associated with information and information processing facilities that store, process, or transmit classified information are identified, and an inventory of these assets is created and maintained. Each asset in the inventory is owned by a specific individual or group within Noventiq. Rules for the acceptable use of information, assets, and information processing facilities are identified and documented.

3.5. Encryption

Data encryption is an important element of our protection of sensitive data at rest and in transit. Our encryption standards are reviewed annually and updated as appropriate, based on the latest standards and guidelines published by OWASP and NIST.

  • In transit: Noventiq encrypts data in transit over public connections using Transport Layer Security (TLS, often still referred to as SSL), with industry-standard protocol versions, cipher suites, algorithms, and key sizes.
  • At rest: Noventiq encrypts data at rest using the industry-standard AES-256 encryption algorithm.

3.6. Third Parties

Information security requirements for mitigating the risks associated with suppliers' access to the organization's assets shall be agreed with each supplier and documented.

For all service providers who may access Noventiq confidential data, systems, or networks, proper due diligence is performed before access is provisioned or processing activities begin. Records are maintained of which regulatory or certification requirements are managed by, or affected by, each service provider, and which are managed by Noventiq. Applicable regulatory or certification requirements may include ISO 27001, SOC 2, PCI DSS, CCPA, GDPR or other frameworks, compliance standards, or regulations.

3.7. Operations Security

Changes to the organization, business processes, information processing facilities, production software and infrastructure, and systems that affect information security in the production environment and financial systems are tested, reviewed, and approved prior to production deployment. All significant changes to in-scope systems and networks are documented.

The use of processing resources and system storage is monitored and adjusted to ensure that system availability and performance meet Noventiq requirements.

Development and staging environments are segregated from production environments to reduce the risks of unauthorized access or changes to the operational environment. Confidential production customer data is not used in development or test environments without the express approval of the Global Data Protection Officer.

Systems and networks are provisioned and maintained in accordance with Noventiq’s configuration and hardening standards. Firewalls and/or appropriate network access controls and configurations are used to control network traffic to and from the production environment. Production network access configuration rules are reviewed at least annually.

In order to protect the company's infrastructure against the introduction of malicious software, detection, prevention, and recovery controls to protect against malware are implemented, combined with appropriate user awareness.

Anti-malware protections are utilized on all company-issued endpoints except for those running operating systems not normally prone to malicious software. Additionally, threat detection and response software is utilized for company email. The anti-malware protections utilized are capable of detecting all common forms of malicious threats and performing the appropriate mitigation activity (such as removing, blocking or quarantining).

Noventiq scans all files upon their introduction to systems and continually scans files upon access, modification, or download. Anti-malware definition and engine updates are configured to be downloaded and installed automatically whenever new updates are available.

The need for backups of systems, databases, information, and data is consistently considered, and appropriate backup processes are designed, planned, and implemented. Backup procedures include procedures for maintaining and recovering customer data in accordance with documented SLAs. Security measures to protect backups are designed and applied in accordance with the confidentiality or sensitivity of the data. Backup copies of information, software and system images are taken regularly to protect against loss of data. Backups and restore capabilities are periodically tested.

3.8. Data Management

Noventiq classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements. Information systems and applications are classified according to the highest classification of data that they store or process.

Data classified as restricted or confidential is securely deleted when no longer needed. Noventiq ensures that all restricted and confidential data is securely deleted from company devices prior to, or at the time of, disposal. Confidential and restricted hardcopy materials are shredded or otherwise disposed of securely.

3.9. Security Training

At Noventiq, we believe that protecting information is the responsibility of all employees. We have implemented a comprehensive information security awareness training program that all employees undergo upon initial hire, with annual refresher training thereafter.

3.10. Certifications

Noventiq has certified its main delivery centre as follows:

  • ISO 27001:2013 Information Security Management System
  • ISO 22301:2019 Business Continuity Management System

3.11. Privacy

Noventiq’s services are built to facilitate compliance with applicable data privacy laws, including GDPR and UK GDPR, relating to the collection, access, review and disclosure of personal data. Noventiq’s Privacy Notice describes the types of information collected, the purposes and legal grounds for processing, retention terms, with whom we share the data, what rights data subjects have, and how we can be contacted. Noventiq has also published its Privacy Policy online, stating our approach to privacy.

August 31, 2023