Technical & Organisational Measures

Introduction

This document describes the technical and organisational security measures Oxford Economics implement to protect personally identifiable information. Oxford Economics operates with security by design, focusing on Confidentially, Availability, Integrity and Privacy. Oxford Economics reserves the right to revise our technical and organisational measures at any time, providing it does not reduce or weaken the protection provided.

Measures

The organisation will use the following measures to protect personal data:

Access Control
1. Principle of Least Privilege
2. Access control systems (access card/access code)
3. Identity cards
4. Procedure for visitors (staff must accompany visitors at all times & complete the visitor log)
5. CCTV for sensitive areas
6. Secured entrance
7. Security desk
8. Occupied Reception desk
9. Locked cabinets sorting personal or sensitive data
Authentication & Authorisation Controls
1. Unique User Accounts
2. Access only upon successful login
3. Role-based permissions
4. Licence-controlled environments
5. Regular password change policy
6. Behaviour Analysis (unusual location detection, risk assessment, conditional access policies)
7. Multi-factor Authentication
8. Standardisation of security systems (e.g. using SAML SSO authentication where possible)
9. Automatic inactivity lockout
10. Automatic account blocking after a defined number of unsuccessful logins
11. Password complexity requirements
12. Periodic log analysis
Integrity Controls
1. Separation of duties
2. Separation of testing, staging and production environments
3. Linking records for specific purposes
4. Anonymisation or Pseudonymisation of personal data where possible
5. Read-only automated log management
6. Quarterly vendor account reviews
7. Data validation rules
8. Intercompany sub-processing agreements
9. Secure data erasure and disposal
10. Use of corporate devices to make and receive business calls
Technical Controls
1. Enterprise Firewalls
  1. Advanced Malware Protection systems
  2. Intrusion Prevention Systems
  3. Content Filtering
  4. Layer 7 Packet Inspection
  5. SD-WAN
  6. SSL VPN
  7. Site-to-Site VPN
2. Endpoint Protection
  1. Firewall
  2. On-access scanning
  3. Signature-less detection (Machine Learning)
  4. Web Threat Protection
  5. Ransomware Mitigation
  6. Automatic Disinfection and Removal
  7. Device Control
3. Email Security
  1. Inbound protection
  2. Internal protection
  3. Outbound protection
  4. Data Loss Prevention
  5. URL Sandbox/rewrite
  6. Attachment Sandbox
  7. AI Threat Detection
4. Automated Vulnerability and penetration testing
  1. Monthly Vulnerability testing
  2. Half-yearly Penetration testing
5. Centralised Device Management
  1. Active Directory
  2. Group Policy
  3. Mobile Device Management
6. High Availability
7. Fault Tolerance
Data Controls
1. Logical separation of data assets
2. Encryption in transit
3. Encryption at rest
4. Data Classification measures and policy
5. Data Loss Prevention systems
6. Data lifecycle procedure (Live, Cold, Archive)
7. Shared responsibility model with clients
8. Contractual vendor requirements
  1. Only have access to data required to fulfil the contractual requirements
  2. Must have the same or better security measures in place
  3. Employees must not have access to our environment
Availability Controls
1. Multisite replication
2. Off-site/Offline backup
3. Use of uninterrupted power supplies (UPS)
4. Storage systems with redundancy
5. Formal backup, recovery, business continuity and disaster recovery processes
6. Change Management Process
7. Monthly Technical Board (review impending changes from vendors)
8. Cloud-Centric Environment
Privacy Management
1. Annual and Ad-hoc Staff Awareness Training
2. Online Training
3. Monthly Awareness campaigns (IT Newsletter)
4. Evaluation and preparation of upcoming legislations
5. Staff Contractual Non-Disclosure Agreements
6. Clear Desk Policy
7. Prohibiting the sharing of passwords
8. Unusual behaviour alerting (unsuccessful login, login from unknown location)
9. Designated Data Protection Officer
Accreditations
1. ISO 27001:2022
2. Cyber Essentials Plus
3. PCI-DSS SAQ C

Sub-Processors

General

Organisation

Purpose

Applicable Service

Location

Freshworks Inc

(Freshservice)

Technical Support Centre Used for the technical support of prospective or existing clients

United Kingdom

Google LLC (Analytics)

Website Analytics

Used for website analytics and performance enhancement purposes United States

Microsoft Ireland Operations Limited

(Microsoft Office365)

Communication Used for email and instant message communication. Communication Metadata

Austria, Finland, France, Ireland, Netherlands

*Data is transported to the local computer using encryption

Mimecast Services Limited

Email Security Gateway Used for the protection of inbound and outbound emails. Communication Metadata United Kingdom ON24, Inc. Webinar Platform Webinar platform used to deliver live and pre-recorded webinars to enrolled users.
United Kingdom

Roxhill Media Ltd

Customer Relationship

Management Database

Record Store and Email Delivery for Media
United Kingdom Salesloft, Inc. Sales Engagement Platform Sales Engagement Automation Platform
United States

ZoomInfo Technologies, Inc.

Customer Relationship

Management Database

B2B Sales Platform United States

Subscription

Organisation Purpose Applicable Service Location Amazon Web Services, Inc.

User Provisioning and Management

Used for the provisioning of users to our services and hosting of systems
United Kingdom
Okta, Inc. (Formally Auth0® Inc.) Identity & Access Management Used for authentication of users to our website, databanks and support platform
United States
Microsoft Ireland Operations Limited
(Azure)

User Provisioning and Management

Used for the provisioning of users to our services and hosting of systems
United Kingdom & Netherlands
OwnBackup, Inc.
Salesforce Backup Solution Hosted backup service for Customer Relationship Management system.
United Kingdom
Content Catalyst Limited
Content Management System Used for the hosting of subscription content
United States
Salesforce, Inc.

Customer Relationship Management Database

Data hosting provider for prospective and existing client records
United Kingdom

SAP SE

Accounts Receivable and Payable Used to generate customer invoices and process payments Germany

SendGrid, Inc.

Subscription Emails
Used for distribution of subscription email content
United States

Oxford Economics Sub-Processors

Organisation
Purpose
Location
BIS Oxford Economics Australia Pty. Ltd
Services & Support
Australia
Oxford Economics Africa
Services & Support
South Africa
Oxford Economics Asia Pacific & Middle East Pte. Ltd
Services & Support
Singapore
Oxford Economics Australia Pty. Ltd
Services & Support
Australia
Oxford Economics Canada Inc
Services & Support
Canada
Oxford Economics France
Services & Support
France
Oxford Economics GmbH
Services & Support
Germany
Oxford Economics Hong Kong
Services & Support
Hong Kong
Oxford Economics Japan KK
Services & Support
Japan
Oxford Economics Ltd
Services & Support
United Kingdom
Oxford Economics Mexico & Latin America
Services & Support
Mexico
Oxford Economics Middle East DMCC
Services & Support
Dubai
Oxford Economics Nordics Filial
Services & Support
Sweden
Oxford Economics SRL
Services & Support
Italy
Oxford Economics USA Inc
Services & Support
United States
Stone McCarthy Research Associates
Services & Support
United States
Tourism Economics LLC
Services & Support
United States & United Kingdom