We understand that the NYS SHIELD Act applies to businesses processing the data of New York State residents. Reward Gateway designs its controls centrally and applies them to all of our office locations and customers, regardless of their physical location in the world. Our controls are largely based around the General Data Protection Regulation (GDPR), ISO 27001 and industry best practice. As such, compliance with the NYS SHIELD Act fits into our existing control structure.
- Information Security is managed by our Information Security Team, led by the Head of Information Security (CISSP), who reports to our Chief Technology Officer on the Leadership Team
- A risk management programme is in place as part of our ISO 27001 ISMS, based on the ISO 31000 standard for risk management.
- Internal audits are carried out throughout the year with an external audit by the British Standards Institute (BSI) annually to measure our compliance with ISO 27001.
- Security Awareness Training is delivered to all new hires, and to all employees annually, on a range of topics, including but not limited to:
  - Data Protection principles and individual rights
  - Acceptable Use of IT
  - Social engineering
  - Physical security
  - Incident Management, including how to detect and report an incident
- All projects and new systems go through a 'Security and Privacy By Design' process to ensure risks and threats are identified and appropriate controls are designed to address them.
- Monitoring systems are in place throughout our infrastructure to alert us to potential threats and attacks
- Controls are frequently tested, through internal audit and automated tests
- We conduct external, consultant-led penetration tests every 6 months, and share a summary of results in our Security Pack.
- We never store or process customer data on portable or removable media, nor on paper/hardcopy format.
- Our offices are protected by on-site security, access controlled doors and CCTV
- Our infrastructure - the only location we store customer data - is managed by Amazon Web Services who have leading physical security controls.
- We erase encryption keys and overwrite data when it reaches our retention policy limits
- Our Incident Management processes include specific requirements for New York State residents, including notifying the New York State Attorney General, Department of State and Division of State Police as required.
- We have breach notification templates already configured in line with our Incident Response processes, and will liaise with our clients before sending them in the event of an applicable incident.