Information Security Statement
This statement provides an overview of The Craneware Group’s approach to cyber security.
Craneware PLC, doing business as The Craneware Group, places the utmost priority on reliable protection of customer data. Our promise is to defend against reasonably anticipated threats and hazards, including risks created by unauthorized access, to the security and integrity of sensitive customer information entrusted with The Craneware Group.
Information Security Policy
The Craneware Group maintains a detailed Information Security Program, which aligns with applicable laws and regulations. This program governs how The Craneware Group employees and applications interact with sensitive, protected customer data. The policies and procedures that inform the Information Security Program are reviewed and updated no less than annually, and whenever there are significant changes to laws, regulations, infrastructure or company structure.
Organizational Security
Key oversight of the Information Security Program is managed by The Craneware Group’s Security Council and led by the Chief Information Officer. The Council comprises expert representatives from key functional areas across the business: Information Security, Risk & Compliance, Information Technology Infrastructure and Operations, Engineering, and the Risk & Compliance Committee. The Craneware Group employs a dedicated Information Security Team and contracts with specialist third-party services, who assist with monitoring, testing, and improving our security posture and technology.
The Craneware Group requires stringent training on information security and data protection for all employees at hire and annually. Confidentiality and nondisclosure agreements are required of all employees as well. The highest ethical standards are foundational to The Craneware Group’s code of conduct.
Data Management
Data and Information System assets include customer data and company resources; these are protected with Data Loss Prevention software and processes. The Craneware Group’s Information Security Program manages those assets that are subject to legislative requirements, i.e., HIPAA and GDPR.
Third Party Audits and Testing
The Craneware Group engages third-party auditors to support effective security practices and compliance with HITRUST and AICPA SOC.
The Craneware Group’s core operations, including the Trisus and InSight product platforms, abide by the HITRUST CSF security controls across 19 domains and by other security frameworks, such as HIPAA, AICPA (SOC2), NIST, and ISO27001. The Sentinel, Sentrex and Trisus Decision Support applications meet AICPA Service Organization Controls (SOC) requirements, completing SOC Type II audit assessments annually.
Full HITRUST CSF assessments are conducted every two years; interim assessments are conducted during the intervening periods.
For HITRUST, our products and corporate infrastructure are evaluated against more than 500 controls mapped across 19 domains:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Education, Training and Awareness
- Third Party Assurance
- Incident Management
- Business Continuity and Disaster Recovery
- Risk Management
- Physical and Environmental Security
- Data Protection and Privacy
The following is a comparison of HITRUST CSF against two other similar frameworks audited in this area.
Each of our product groups regularly undergoes penetration testing by external security testing companies. This testing occurs in conjunction with major product updates, and no less than annually.
The Craneware Group also follows individual US state-based guidance and criteria where appropriate.
Contact
For more information, please contact The Craneware Group Information Security at [email protected].