Womble Bond Dickinson (UK) LLP (referred to as "we", "us" or "our") is committed to ensuring the security, availability and integrity of the information you entrust to us, including your personal data. This security statement contains an overview of the variety of measures we use to achieve this.
We work hard to ensure our security arrangements remain robust and meet ever-changing challenges and threats, so we will update this statement as we add new capabilities and make improvements to our systems.
How we protect your information
We maintain an assurance programme which is designed to proactively identify potential threats and opportunities to improve. With the exception of our new Edinburgh office (which works to the same standards but has yet to undergo an external certification audit), we are certified to ISO 27001 (information security). This is an international standard published by the International Standardization Organization (ISO) and describes best practice in information security management. To maintain our ongoing ISO 27001 accreditation we undergo regular independent security audits.
We are also certified to Cyber Essentials Plus. This is a UK Government-backed, industry-supported scheme. To achieve certification, cyber security controls have to be assessed and verified by independent security experts.
We also run our own internal audit programme to verify that our staff are familiar with and adhere to our policies and procedures.
We have an established management framework to identify, assess and manage information security risks. This is supported by a suite of information security procedures including data protection, business continuity plans, acceptable use (including remote access and social media) and breach reporting and response.
Our security measures and business continuity plans also help us to prevent and manage any interruptions to the services we deliver to you. Our plans utilise our UK office locations, robust IT failover and back-up systems (confirmed by our ISO 27001 accreditation) and extensive remote working facilities to provide resilience and continuity of service to our clients.
Verification checks and security training
We conduct appropriate pre-employment security verification checks on all prospective new staff as well as targeted refresher checks.
All new staff complete compulsory information security and data protection training during their induction period and we issue refresher training and regular updates on current risks and issues to our current staff.
We have physical entry controls at all of our offices to restrict access to premises and equipment on a need-to-know basis.
For long-term storage of paper records we use off-site archive facilities provided by a supplier which complies with industry best practice.
We have a process in place to manage our user accounts for authorised individuals and to restrict access as necessary. We have appropriate complex password security procedures and a process in place to log and monitor user and system activity which can be used to detect any unauthorised access or anomalous activity and to help prevent data breaches.
Change control and supplier management
Change initiatives are underpinned by due diligence and testing processes to verify integrity, ensure security and avoid business interruptions.
Supplier relationships start with a robust due diligence process. We use certified and trusted suppliers to help us maintain and support the smooth running of our systems.
Data encryption, protection and back up
We utilise industry-standard strong encryption algorithms for all content, including documents, and on all of our laptops and smartphones. We also use controls to manage the use of removable media, including enforced encryption.
We routinely back up electronic information to help restore information in the event of a disaster or ransomware attack.
We run virus scans on all incoming email correspondence (and any attached documents) and use malware protection software to scan our computers to detect and prevent threats.
We utilise software to scan outgoing emails to help reduce the risk of misdirected emails.
We provide secure transmission methods to protect your information, including opportunistic TLS encryption for emails (with enforced encryption applied where requested) and options to use secure file transfer (SFTP) for bulk transfers of data and (UK hosted) secure document and deal rooms via an extranet service.
Our boundary firewalls are designed to stop attacks before our network can be compromised and we use Internet filtering to prevent our users accessing websites or other online services which we have assessed as presenting a threat or which we do not trust. We have a managed service solution in place to detect and respond to threats.
We have effective procedures for patch management and software updates. Our server certificates are issued by leading certificate vendors.
Further information and how to report concerns
Further information about this security statement can be obtained from our Risk and Best Practice Helpdesk by email at RiskandBestPracticeHelpdesk@wbd-uk.com or by telephone on +44 (0)191 279 9468.
If you are concerned or suspect that your information has been compromised, please get in touch with your usual contact at Womble Bond Dickinson (UK) LLP or with the Risk and Best Practice Helpdesk using the contact details above.
Last updated September 2019.