External Statement

Introduction

ACERTA’s corporate activities entail the use of sensitive and personal data of its customers and partners. These data must be safeguarded against all kinds of threats and in accordance with internationally accepted standards.

In addition to technical security aspects, customers and partners expect us in general to handle their data with care. ACERTA acknowledges that its corporate activities include responsible processing of data.

At ACERTA, we consider “continuity” of our core services as top priority and this is reflected in a full-scale business continuity management process.

Contact

Questions, comments and requests regarding this statement are welcome and should be addressed to the ACERTA security officer (ict.security@acerta.be).

Data Protection

Privacy law

At ACERTA we guarantee an adequate level of data protection, in compliance with the EU Data Protection Directive 95/46/EC and with Belgian laws (*).

ACERTA is preparing itself to meet the requirements of the new General Data Protection Regulation (GDPR), the successor of the EU Data Protection Directive, which is to become effective soon.

(*) Two important Belgian laws we comply with are:

  • “Wet houdende oprichting en organisatie van de Kruispuntbank van de sociale zekerheid” (Law of 15-01-1990)
  • “Wet tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens” (Law of 8-12-1992)

Information Security

As personal and business confidential information is used throughout the different business processes (payroll, child benefit, etc.), we need to guarantee at all times the confidentiality, integrity and availability of that information.

At ACERTA we maintain a high security level for our processing and for the data that is processed and stored.

Our security is based on internationally accepted standards such as ISO/IEC 27001. Main principles applied within ACERTA:

  1. Information security roles and responsibilities are defined to guarantee that all security activities are fulfilled.
  2. All required documentation, such as policies, standards, procedures and guidelines, is in place to support security. This documentation is subject to regular revision.
  3. To identify the necessary security controls, technical or non-technical, ACERTA uses a risk-based approach. This ensures that the right priorities are set and that only efficient and effective security controls are selected and implemented.
  4. A data classification system is in place to distinguish different levels of sensitive data and to protect them accordingly. In addition, a data life cycle is in effect to handle the creation, use, storage and disposal of data.
  5. ACERTA commits itself to ensure awareness on information security and data protection within the entire organization and embeds this through regular training and exercising.
  6. Identity and access controls are in place to protect information against unauthorised access, changes, or deletion by intentional or accidental causes.
  7. Physical controls are in place to guarantee fire and theft prevention and access control to our facilities.
  8. Cyber protection controls are in place. Applications as well as technology platforms are designed, configured, maintained and evaluated based on recognized security baselines, such as OWASP, NIST SP 800 and the CIS Benchmark suite. Vulnerabilities and threats are monitored on a permanent basis.
  9. A business continuity programme is in place in order to recover from service breakdown or disaster and restore business processes. During the activation of this programme, information security principles remain valid.
  10. The information security policy and its implementation are subject to regular assessments (among others, ISAE 3402 Type II audits).

Business Continuity

Continuity Philosophy

Business Continuity Management (BCM) at ACERTA is a part of “corporate governance”, as it is defined and applied company-wide. It ensures compliance with regulations, standards and good practices on business continuity published by national and international organizations such as the BSI and ISO. ACERTA has realized a full-scale business continuity management system, which includes a resilience organization to ensure the continuance of our client services in the event of a service disruption due to a serious incident or disaster including, but not limited to: power outages, fire, inaccessibility of the building and ICT infrastructure failures. All critical activities within our organization are documented so that a calamity can be coped with, and are regularly tested and improved according to the continuity strategy.

BCM Implementation

Our BCM process is based on the British Standard BS 25999 for business continuity management and ISO 22301 for Societal Security. Our business continuity strategy addresses the unavailability of facilities, ICT and personnel by means of action-driven plans and the implementation of contingency measures. These include, amongst others:

  • Arranging for a recovery location and infrastructure to relocate our personnel from the impacted site while ensuring the protection of our clients’ confidentiality;
  • Designing our information and technology systems to support the recovery of our critical services by means of an ICT Disaster Recovery Plan (ICT DRP);
  • Ensuring primary and alternate persons for each critical function within the resilience organization.

Resilience Organization

ACERTA has implemented a resilience organization structure to appropriately respond to any type of incident that could threaten the continuity of the organization. The resilience organization relies on several dedicated teams to ensure continuity: the Incident, Crisis, Facility and IT DRP teams. There are up-to-date plans for each of these teams that include incident assessment procedures, escalation guidelines, call trees and other business recovery requirements, as well as instructions for crisis management and crisis communication to ensure proper coordination and communication to all stakeholders in the event of a serious incident or disaster.

Maintenance and Testing

In addition to a yearly review of the plans, which is part of our maintenance process, we commit ourselves to ensuring continuity awareness in the entire organization and embedding a business continuity culture through regular training and exercising. Business continuity exercising is considered a vital element of our BCM process and an opportunity to identify room for improvement rather than criticism. Therefore, the plans are exercised periodically and the DRP is tested.