It is SSAFA policy that the minimum standards are maintained:

• Government’s Cyber Security Essentials (annually)
• Penetration testing (at least annually)
• Application testing of web-based services (at least quarterly)
• That all relevant and in-scope servers, applications and services are patched within the relevant timeframes (14 days for critical or security related patches / 30 days for non-critical)
• Software purchased must be supported by the vendor/manufacturer for at least one year after the purchase date and additionally approved by IT to ensure compatibility between all existing hardware and software.
• That key changes are logged, documented, subject to approval and only implemented once risk and impact have been minimised.
• That all new assets (software, hardware, subscriptions/services etc) introduced to the organisation goes through a thorough vetting process before (potentially) being approved. (Required as part of Cyber Security Essentials: - “maintaining an approved software whitelist”.)
• Employees are trained and tested as “human firewalls” at least annually, with access to IT systems dependent on a successful pass, to reduce risk and exposure to malware.
• Employees and volunteers are kept up to date via security blogs and scam alerts at least twice per month.
• That phishing simulations will be targeted at all people at least twice per year to trend risk exposure.
• That anti-malware solutions are in place and centrally governed for all Windows based computing devices.
• That all mobile access to systems or data is managed through an MDM portal (mobile device management) to ensure compliance and encryption standards are met. (Required as part of Cyber Security Essentials: - “controlling access to data with mobile devices”)
• All mobile devices are encrypted to a minimum standard.
• That all on premises servers are backed up to the Acronis DR cloud to mitigate ransomware attacks and data loss.