Information Security & Compliance

Achievements

Our process and roadmap.

• ISO27001:2022

• TISAX

• UK Cyber Security Essentials

• ProcessUnity Tier 2 Report

• Security Controls

• ISO27001:2022

  • ISO27001:2022

    Our global Information Security Management System has been certified under the ISO27001 standard. This certification means that Monks has implemented and maintains a rigorous security program in accordance with the ISO27001:2022 standard, has a systematic approach to managing sensitive information and has implemented controls to protect it against unauthorized access, misuse, disclosure, or destruction. This certification provides assurance to our customers, stakeholders, and partners that we have implemented adequate measures to protect their information.

    ISO 27001 covers controls in 14 sections: information security policies, organization of information security, human resource security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition, development and maintenance, supplier relationships, information security incident management, and information security aspects of business continuity management.

• TISAX

  • TISAX

    We are committed to the automotive industry information security standards with the TISAX (Trusted Information Security Assessment Exchange) certification allowing us to process sensitive information from your customers as it follows.

    The TISAX assessment covers a wide range of information security topics, including access control, data protection, incident management, business continuity, and physical security. The TISAX certification provides a standardized and recognized approach to information security assessment in the automotive industry, which helps to improve the overall security posture of companies working in this sector. It also facilitates the exchange of sensitive information between companies by providing a trusted platform for sharing data.

• UK Cyber Security Essentials

  • UK Cyber Security Essentials

    Monks UK offices are certified under the UK Cyber Essentials scheme, a set of guidelines developed by the UK Government to help businesses and organizations protect themselves from common cyber threats. The guidelines are based on five key principles: secure your Internet connection, secure your devices and software, control access to your data and services, protect yourself from viruses and other malware, keep your devices and software up to date.

• ProcessUnity Tier 2 Report

  • ProcessUnity (former CyberGRX) Tier 2 Report

    Monks has successfully completed the ProcessUnity Tier 2 assessment proving an adequate security posture within this Third Party Risk Management framework.

• Security Controls

  • Security Controls

    We’ve set up safeguards to avoid and minimize any security risks. These protections cover four main areas: organizational security, internal security, infrastructure security, and data protection. Learn more about these controls in detail.

  • Organizational Security

    Security policies established and reviewed

    Our Information Security framework is aligned with the ISO27001 standard and it is formed with more than 20 policies and additional standards and procedures which are reviewed at least annually.

    Information Security Management System

    We maintain a global ISMS in compliance with the ISO27001 standard which guarantees continuous audits and improvement.

    Cybersecurity risk management

    We manage cybersecurity risk on a continuous basis, identifying, evaluating and treating risks that could impact on data protection.

    Information Security team

    A global team is fully dedicated to cybersecurity, information security compliance, governance and risk management.

    Employee background checks performed

    Background checks are implemented according to local legislation and roles criticality considering employee´s data access and handling.

    Security awareness training implemented

    The company requires employees to complete the mandatory security awareness training which is maintained and updated on a continuous basis. New joiners receive security training and best practices during the onboarding. 

    Confidentiality Agreement acknowledged

    At the time of engagement or onboarding, the company mandates that contractors and employees sign a confidentiality agreement, affirming their commitment to maintaining the confidentiality of sensitive information. NDAs are also signed with third parties.

  • Internal Security Procedures

    Vulnerability Management

    At Monks we manage technical vulnerabilities implementing a process for continuous upgrade and updates in our infrastructure and endpoints.  Periodic analysis (and necessary fixes) in our networks and equipment are performed.

    Incident response policies established

    The company has an incident response policy and a procedure in place to guide the security incident management. The defined processes include steps to log, track, resolve, and communicate security and privacy incidents to the relevant parties. Lessons learned are identified to prevent future incidents.

    Improvement opportunities for incident management are identified, recorded, and subsequently followed up on.

    Access control

    Permissions are granted to users on a need-to-know basis. Privilege rights are only granted to the employees assigned to administration roles and closely followed up along the user´s life cycle. Periodic access reviews are performed to guarantee users have the correct access privileges in place.

    Password policy enforced

    The company requires adherence to its policy for configuring passwords on in-scope system components. Additionally, the policy establishes specific requirements regarding password complexity, length, and regular updates to ensure robust security measures are in place.

    Backup methodology

    Backup schemes are implemented to protect the valuable information against loss, based on risk, impact and business requirements. 

    Vendor management 

    The company maintains formal agreements with vendors and third parties, encompassing confidentiality and privacy commitments specific to each entity.

    Third party risk is managed in order to ensure that these vendors take good care of Monks information during our relationship. 

    Change management procedure

    Properly controlled change management is performed in productive environments to ensure that critical changes are appropriate, effective, properly authorized and carried out in such a manner as to minimize the unexpected impact. 

    Management roles and responsibilities defined

    Monks has correctly identified and assigned the roles and responsibilities regarding information security for a correct segregation of duties and accountability.

    Physical access controls

    Security perimeters are defined in facilities and controls are implemented to authorize access on a need-to-know basis. Different perimeters are designated for general entrance, sensitive areas and server rooms. An access management process is in place to grant and revoke privileges accordingly.

    Secure Development lifecycle

    We implement a secure software development life cycle (SSDLC) in which we define security best practices based on OWASP top 10 and other widely recognized standards, and security controls such as code analysis.  We also train our developers and technical experts on security best practices on a continuous basis.

    Cybersecurity insurance maintained

    The company has cybersecurity insurance to mitigate the impact of incidents.

  • Data Protection

    Data classification

    The company has an Information Sensitivity policy in place to help ensure that data is properly classified, secured and restricted to authorized personnel.

    Data encryption

    Sensitive data is encrypted in transit and at rest when processed in our systems following our Encryption and Hashing Standard. Endpoints disks are encrypted through MDMs policies and external disks used for business purposes are encrypted.

    Data retention policy established

    The company has a formal Data Retention Policy in place based on regulations and internal standards.

    Client data

    We protect client data under our policies, which includes segregation, classification, encryption, retention and access control. 

  • Infrastructure Security

    Intrusion detection system and monitoring

    IDS and DDoS prevention capabilities are implemented on on-premise and cloud infrastructure. Endpoint firewalls are being enforced through MDM. Additionally, a SOC monitors the on-premise core equipment, the EDR solution and the cloud environments.

    Production infrastructure access restricted

    The company restricts privileged access to operating systems, databases, production networks and encryption keys to authorized users with a business need.

    Remote working

    Remote working is implemented in Monks in compliance with our Security Remote Working Policy to ensure a safe environment for our data and processes. Technical measures and user awareness are implemented to reach that objective.

    Access revoked upon termination

    The company diligently performs termination procedures to ensure timely revocation of access for terminated employees in accordance with service level agreements (SLAs).

    Access control procedures established

    We implement access control to all our environments —physical and logical—applying measures according to the current state of the art in terms of threats that could lead to unauthorized access. Control measures are reviewed periodically in order to update them to maintain their accuracy.

    Log management utilized

    The company records and correlates logs to detect events that could potentially impact the organization's ability to accomplish its security objectives.

    Network segmentation implemented

    The company's network is logically segmented to segregate critical services and data and to protect client data.

    Anti-malware technology utilized

    We implement an antimalware solution (next-generation antivirus [NGAV], endpoint detection and response [EDR], cyber threat intelligence, managed threat hunting capabilities and security hygiene) in all our equipment and it is configured to be updated automatically.