Cybersecurity Assurance Pack
At ICE, safeguarding our customers’ data and digital trust is a top priority. In an era of evolving cyber threats and increasing regulatory demands, we are committed to implementing robust, transparent, and proactive cybersecurity practices across all areas of our operations.
This Cybersecurity Assurance Pack is designed to provide our customers, partners, and stakeholders with a clear overview of the security measures we employ to protect your data, ensure business continuity, and maintain compliance with global standards. Our security strategy is built on industry best practices, modern technologies, and a culture of continuous improvement.
Key highlights of our security posture include:
- Strong Governance and Compliance: We align with globally recognized standards such as GDPR, PCI and the European Security Resilience Act.
- Data Protection by Design: Your data is encrypted, access-controlled, and handled in accordance with privacy-first principles.
- Secure Development Practices: Our products are built with security embedded into every stage of the development lifecycle.
- Ongoing Risk Management: We conduct regular risk assessments, third-party evaluations, and penetration testing to stay ahead of emerging threats.
- Preparedness and Resilience: Our incident response, disaster recovery, and business continuity plans ensure we are ready to respond rapidly and effectively in any scenario.
We believe that trust is earned through transparency. Learn how we protect your information through secure systems, trained staff, and strong policies.
Company Security Mission
Integrating security seamlessly into all functions of the company, giving all customers trust and assurance that the systems and data held within are protected.
Governance and Compliance
Strong governance and clear policies form the foundation of our security programme. We follow leading security standards to ensure compliance, accountability, and transparency across all operations. Our comprehensive security policies guide how we protect data, manage risks, and maintain compliance across all key areas of information security.
Overview of security policies and frameworks:
- IT Security – Encryption Policy: Ensures sensitive data is protected both in storage and during transmission.
- IT Security – Logging Policy: Defines how system and security logs are collected and monitored.
- IT Security – Third Party Security Policy: Establishes requirements for vendor and partner security practices.
- IT Security – Security Testing Policy: Governs regular testing of our systems to identify and address vulnerabilities.
- IT Security – Data Classification Policy: Outlines how data is categorized and protected based on sensitivity.
- IT Security – Vulnerability Management Policy: Ensures timely detection, prioritization, and remediation of security risks.
- IT Security – Access Control Policy: Manages how users and systems access data and resources securely.
- IT Security – Acceptable Use Policy: Defines responsible and secure use of company systems and technology.
- IT Security – Remote Access Policy: Sets standards for secure connections to our network and systems from remote locations.
- IT Security – Password Policy: Enforces strong password creation and management practices.
- IT Security Policy: Serves as the foundation of our information security framework, aligning all other policies.
Protecting Your Data
Your information is handled with care using strong technology, strict policies, and constant oversight.
- Encryption: Data is encrypted both at rest and in transit, keeping it safe from unauthorised access.
- Data Retention and Deletion: We keep data only as long as necessary and delete it securely when it’s no longer needed.
- Access Controls: Role-based access and least-privilege policies ensure only the right people can access sensitive data.
- Ongoing Monitoring: Continuous monitoring and regular audits help us maintain strong data protection at all times.
Network Security
ICE is committed to adopting network security industry best practices, enforcing core principles with the end goal of protecting ICE critical assets, systems and the individuals who have entrusted ICE with sensitive information. These network security commitments also help to ensure ICE meets its GDPR obligations. Core principles include, but are not limited to, the use of:
- Firewalls and VPNs for network segregation/separation
- Zero Trust Network principles (if applicable)
- Intrusion Detection/Prevention Systems (IDS/IPS)
Cloud and Infrastructure Security
In addition to the above network security controls, ICE is committed to adopting cloud and infrastructure industry best practices with the same end goal. Core principles include, but are not limited to:
- Endpoint protection, logging and monitoring
- Incident management (prevention, detection and response)
- Email security practices including phishing prevention
- Identity and access management, zero trust and least privilege
- Cloud security posture management
- Patch and vulnerability management
Application Security
At ICE, IT Security and Governance collaborates directly with the Engineering teams to institutionalise and integrate application security practices throughout the software development process. This includes performing threat modelling, providing application security requirements and guidance, implementing application security testing solutions, and managing application vulnerabilities.
Employee Security Awareness
A strong security culture begins with informed and vigilant employees. The following initiatives ensure all staff understand and uphold the organisation’s security standards:
- Security Onboarding for New Hires: All new employees complete mandatory security awareness training during onboarding. This includes an overview of security policies, data protection principles, and procedures for reporting incidents.
- Phishing Simulations and Awareness Training: Regular phishing simulations and training sessions are conducted to educate employees on identifying and avoiding phishing attempts, social engineering, and other cyber threats.
- Acceptable Use Policy (AUP): Employees must review and acknowledge the organisation’s Acceptable Use Policy, outlining the appropriate and secure use of company systems, devices, and data.
- Insider Threat Prevention: Continuous monitoring, training, and awareness programmes are in place to detect and prevent insider threats. Employees are encouraged to report any suspicious behaviour through established reporting channels.
Incident Response and Reporting
We take cybersecurity incidents seriously and have a structured process in place to respond quickly and effectively.
- Incident Response Plan (IRP): Our Incident Response Plan ensures that any security event is identified, contained, and resolved with minimal impact. It defines clear steps and responsibilities for managing incidents across all teams.
- Business Continuity and Recovery: To maintain operations during unexpected disruptions, we have defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). These guide how quickly we restore services and recover data, keeping downtime and data loss to a minimum.
- Data Breach and Customer Notification: In the rare event of a data breach, we follow a transparent notification process. Affected customers are informed promptly, in line with legal and regulatory requirements, and we provide clear information on what happened, what we’re doing to fix it, and how we’ll prevent it happening again.
Third-Party Risk Management
We carefully manage vendor and partner risks to protect our systems and your data.
- Vendor Assessments: Every third-party provider is reviewed to ensure they meet our security and compliance standards.
- Controlled Access: Vendors only receive access necessary for their role, and all activity is monitored.
- Contracts and Agreements: Service Level Agreements (SLAs) and security addendums outline expectations for data protection, incident response, and compliance.
- Cloud and SaaS Monitoring: We continuously monitor cloud and software providers to ensure ongoing security and reliability.
Certifications & Audit Reports
We’re committed to maintaining the highest standards of security and compliance. Independent assessments and certifications relevant to our service reflect our ongoing dedication to protecting your information and ensuring transparency.
- PCI-DSS certified (in progress)
- Third-party penetration test summaries
- RiskRecon rating: A
- GDPR compliant: We are fully GDPR compliant and committed to protecting your personal data in accordance with the General Data Protection Regulation. Transparency and responsible data handling are central to our approach.
- Annual internal audit: Biannual user recertification, annual internal audit in app, and policy compliance.