Cyber Security Policy

SmartHost Web Services Limited (SmartHost) is committed to providing secure and reliable services to our customers while maintaining compliance with national and international cybersecurity regulations. As an Operator of Essential Services (OES) under the NIS Directive, our primary responsibility is to ensure the resilience, security, and continuity of the critical services we deliver.

This policy outlines SmartHost’s approach to managing cybersecurity risks, reporting and responding to incidents, and fulfilling our obligations under the European Union’s NIS Directive and the Irish NIS Regulations (S.I. 360 of 2018). It provides a structured framework to address threats, minimise their impact, and support recovery in line with best practices and regulatory requirements.

Scope

This policy applies to all SmartHost systems, personnel, contractors, third-party vendors, and stakeholders involved in the delivery, management, and support of essential services. It covers:

• The identification and protection of critical assets, data, and systems.
• The detection and response to cybersecurity threats and incidents.
• Recovery procedures to ensure the continuity of services following an incident.
• Compliance with relevant cybersecurity laws and regulations.

Definitions

• Operator of Essential Services (OES): An organisation designated under the NIS Directive as critical to the continuity of essential services that rely on network and information systems.
• Incident: Any event with an actual adverse effect on the security of network and information systems.
• Significant Impact: A disruption that affects the continuity of essential services, as determined by parameters such as the number of users affected, duration of the incident, and geographic spread.
• Network and Information Systems: The interconnected systems, including electronic communications networks, devices, digital data, and associated services, used to provide essential services.
• NIS Directive: EU legislation (2016/1148) designed to ensure a high level of network and information system security across Member States.
• Confidentiality, Integrity, and Availability (CIA): The core principles of cybersecurity ensuring data is protected, accurate, and accessible as required.
• SmartHost: SmartHost Web Services Limited.

Commitment

Our objective is not only to comply with regulatory mandates but also to embed a culture of risk management across SmartHost. This ensures that all risks to our network and information systems are assessed and managed appropriately, enabling us to provide uninterrupted services while safeguarding the confidentiality, integrity, and availability of critical data.

By adhering to this policy, SmartHost strives to maintain the trust of our customers, stakeholders, and the broader digital ecosystem, reinforcing our role as a reliable provider of services.

SmartHost operates in alignment with the requirements of the NIS Directive and the Irish NIS Regulations (S.I. 360 of 2018). These regulations establish obligations for Operators of Essential Services (OES) to ensure the security of their network and information systems and to report incidents that may significantly impact the continuity of essential services.

Our compliance framework is built on the following five core functions, as outlined in the NIS Guidelines:

2.1 Identify

SmartHost identifies critical assets, services, and processes that support essential services.

This includes:

• Documenting systems, data, personnel, devices, and facilities critical to operations.
• Assessing risks associated with these assets to ensure proper prioritisation and allocation of resources.
• Mapping organisational dependencies and supply chain vulnerabilities.

2.2 Protect

SmartHost implements appropriate and proportionate measures to protect the confidentiality, integrity, and availability of its network and information systems. This involves:

• Enforcing strong access controls and identity management practices.
• Ensuring data security through encryption and secure storage.
• Providing regular cybersecurity awareness training for employees and partners.
• Maintaining a baseline configuration for systems to minimise exposure to vulnerabilities.

2.3 Detect

SmartHost employs monitoring systems to identify and respond to potential security threats. Key activities include:

• Monitoring systems for anomalies and suspicious activity.
• Implementing continuous security monitoring processes to assess the effectiveness of protective measures.
• Maintaining and testing detection mechanisms to ensure reliability.

2.4 Respond

SmartHost has established response procedures to contain and mitigate the effects of incidents. These include:

• Developing and maintaining documented incident response plans.
• Coordinating with internal teams and external stakeholders, such as the CSIRT and law enforcement, to handle incidents effectively.
• Conducting thorough analyses of incidents to inform mitigation and recovery efforts.

2.5 Recover

SmartHost ensures the timely restoration of essential services following an incident. This is achieved by:

• Executing recovery plans to restore systems and data.
• Incorporating lessons learned from incidents to improve future response and recovery efforts.
• Engaging with stakeholders to communicate recovery progress and outcomes.

2.6 Legal and Regulatory Compliance

SmartHost adheres to the NIS Directive and other applicable laws, including GDPR for data protection. The organisation cooperates with the Department of Communications, Climate Action, and Environment, as well as the National Cyber Security Centre (NCSC), to meet reporting obligations and compliance requirements.

2.7 Continuous Improvement

SmartHost reviews its security policies annually or after major incidents, incorporating lessons learned and updated standards.

Effective risk management is central to SmartHost’s approach to ensuring the security and continuity of essential services. By identifying, assessing, and mitigating risks to our network and information systems, SmartHost ensures a proactive stance against potential disruptions and threats.

3.1 Asset Management

SmartHost maintains an up-to-date inventory of all assets supporting essential services, including:

• Physical Assets: Hardware, devices, and facilities critical to service delivery.
• Digital Assets: Software, applications, databases, and other virtual systems.
• Personnel: Staff and contractors with roles related to cybersecurity and service continuity.
• Third-Party Services: Vendors and partners whose systems or services impact essential operations.

3.2 Business Context

SmartHost prioritises a clear understanding of the business environment to guide risk management activities:

• Documenting mission, objectives, and the role of SmartHost in the broader supply chain.
• Identifying critical dependencies and functions essential for service continuity.
• Aligning cybersecurity roles and responsibilities across all levels of the organisation.

3.3 Risk Assessment

SmartHost employs a structured approach to assess cybersecurity risks:

• Threat Identification: Recognising potential internal and external threats, including cyberattacks, natural disasters, and system failures.
• Vulnerability Analysis: Evaluating weaknesses in systems, processes, and supply chains that could be exploited.
• Impact Assessment: Estimating the potential consequences of a risk event, including financial, reputational, and operational impacts.
• Likelihood Evaluation: Determining the probability of risks materialising based on current threat intelligence.

3.4 Risk Mitigation

SmartHost implements measures to minimise identified risks:

• Prioritising risks based on criticality and likelihood.
• Applying technical controls, such as firewalls, encryption, and regular software updates.
• Establishing procedural controls, including access management, incident response protocols, and regular security training.
• Engaging with third-party vendors to ensure compliance with cybersecurity standards and contractual obligations.

3.5 Supply Chain Risk Management

SmartHost recognises that vulnerabilities in the supply chain can compromise its internal systems:

• Identifying and assessing third-party suppliers critical to service delivery.
• Monitoring supplier compliance with cybersecurity standards.
• Including cybersecurity requirements in contracts with vendors and partners.
• Conducting regular audits and reviews of third-party security practices.
• SmartHost offshores multiple services but ensures no personal data leaves the EU and fully complies with GDPR.

3.6 Continuous Risk Monitoring

Risk management at SmartHost is an ongoing process:

• Regularly updating risk assessments to reflect changes in technology, services, and the threat landscape.
• Monitoring industry trends and emerging threats to adapt risk management strategies.
• Leveraging real-time monitoring tools to detect and address risks proactively.

3.7 Documentation and Reporting

SmartHost maintains detailed records of risk management activities, including:

• Inventories of assets and systems.
• Risk assessment reports and mitigation plans.
• Supply chain risk evaluations.
• Audit findings and recommendations.

SmartHost implements a range of technical and organisational security measures to protect the confidentiality, integrity, and availability of its network and information systems. These measures are designed to align with the NIS Directive’s requirements and ensure the delivery and continuity of essential services.

4.1 Technical Security Measures

4.1.1 Identity Management and Access Control

• Access Restrictions: Role-based access controls (RBAC) are enforced to ensure users only access systems and data necessary for their roles.
• Authentication Mechanisms: Multi-factor authentication (MFA) is mandatory for privileged accounts, with regular revalidation to ensure ongoing access is legitimate.
• User Lifecycle Management: A structured joiner-mover-leaver process ensures that user accounts are created, updated, or removed promptly as personnel change roles or leave the organisation.

4.1.2 Data Security

• Encryption: Data at rest is encrypted using AES-256 standards, while TLS 1.3 is used for encrypting data in transit. Data on portable devices is encrypted.
• Data Classification: All data is classified based on sensitivity, with additional controls for highly confidential data.
• Data Loss Prevention (DLP): DLP technologies are deployed to monitor and prevent unauthorised data transfers, ensuring adherence to GDPR and other data protection regulations.

4.1.3 Protective Technologies

• Firewall and Intrusion Detection: Enterprise-grade firewalls and intrusion detection/prevention systems (IDPS) are configured to monitor and block malicious traffic.
• Endpoint Protection: All endpoints, including employee devices, are equipped with advanced anti-malware and endpoint detection and response (EDR) solutions.
• Segmentation: Critical systems are isolated within segmented servers to limit the potential impact of breaches.

4.1.4 Monitoring and Detection

• Real-Time Monitoring: Security Information and Event Management (SIEM) systems are used to centralise and analyse for anomalies.
• Automated Alerts: Alerts are configured to notify the security team immediately upon detecting suspicious activities, such as unusual login attempts.
• Threat Intelligence: SmartHost integrates external threat intelligence feeds to identify and respond to emerging threats proactively.

4.2 Organisational Security Measures

4.2.1 Policies and Procedures

• Security Policy: A security policy governs all aspects of cybersecurity, including acceptable use, remote work, and device management.
• Configuration Management: A baseline configuration for all systems ensures consistency and reduces vulnerabilities, with any deviations logged.

4.2.2 Training and Awareness

• Employee Education: Cybersecurity awareness training is conducted, covering phishing, password management, and incident reporting.
• Role-Specific Training: Administrators and privileged users undergo further training on managing and securing critical systems.
• Third-Party Awareness: Vendors and contractors are briefed on SmartHost’s security policies and are required to adhere to them during their engagements.

4.2.3 Supply Chain Security

• Vendor Risk Assessments: Evaluations are conducted before onboarding new suppliers, focusing on their cybersecurity practices.
• Contractual Requirements: Contracts with third-party vendors mandate compliance with SmartHost’s security standards.
• Ongoing Audits: Periodic reviews of vendor performance and security practices ensure continued compliance and risk mitigation.

4.2.4 Maintenance and Testing

• System Maintenance: Scheduled updates and patches are applied to systems to close vulnerabilities and maintain security controls.
• Backup Testing: Backups are tested monthly to ensure they can be restored successfully during emergencies.
• Vulnerability Assessments: Periodic scans and penetration tests identify weaknesses, with remediation actions tracked to completion.

4.3 Incident Preparedness and Response

• Incident Classification: Incidents are categorised based on severity and impact to prioritise response efforts. All incidents are documented, and post-incident analyses are conducted to improve standards.
• Response Team: An Incident Response Manager (CSIRT) is on standby to handle incidents and coordinate efforts across the Company.
• Stakeholder Communication: Communication protocols ensure timely updates to internal teams, affected customers, and regulatory bodies, such as CSIRT or the Data Protection Commissioner.

4.4 Continuous Improvement

4.4.1 Threat Landscape Updates

• Industry Trends: SmartHost monitors industry developments, including new attack vectors, to adapt its security measures.
• Policy Reviews: Security policies and procedures are reviewed annually or after major incidents to incorporate lessons learned.

4.4.2 Post-Incident Analysis

• Lessons Learned: Detailed post-mortems identify gaps in existing controls and inform enhancements.
• Control Refinements: New tools or processes are implemented to address weaknesses exposed during incidents.

SmartHost employs a structured and efficient approach to managing incidents that impact the security or availability of its network and information systems. This ensures that disruptions are minimised and essential services are restored as quickly as possible.

5.1 Incident Classification

• Severity Levels: Incidents are categorised as Major, Moderate, Minor, or Informational based on their impact on essential services.
• Criteria: Classification considers the number of users affected, duration of the incident, geographic spread, and implications.

5.2 Incident Reporting

• Initial Notification: Incidents with a significant impact are reported to the CSIRT within 72 hours of identification.
• Reporting Templates: A standardised template is used for reporting, including details such as the nature of the incident, affected services, and mitigation steps. Incidents are fully documented, and outcomes are used to refine processes.
• Stakeholder Engagement: Notifications are also sent to impacted parties, internal teams, and relevant regulatory bodies.

5.3 Response and Containment

• Immediate Actions: Containment measures, such as isolating affected systems, are implemented to prevent further impact.
• Collaboration: The response team works with external partners, including third-party vendors and law enforcement, where necessary.

5.4 Post-Incident Reporting

• Final Reports: A detailed report is submitted to the CSIRT within 72 hours of incident resolution, summarising findings, impacts, and actions taken.
• Internal Review: Lessons learned are documented and shared with relevant teams to prevent recurrence.

SmartHost’s commitment to continuous improvement ensures that its cybersecurity practices remain effective in the face of evolving threats.

6.1 Lessons Learned

• Incident Analysis: A thorough analysis of incidents identifies gaps in current processes and opportunities for enhancement.
• Improvements: Corrective actions, such as updated controls, enhanced training, or new tools, are implemented promptly.

6.2 Audits and Assessments

• Internal Reviews: Regular audits evaluate the effectiveness of security measures and identify areas for improvement.

6.3 Threat Intelligence Integration

• Updates: SmartHost leverages real-time threat intelligence to anticipate and counter emerging threats.
• Proactive Measures: Security controls are updated to address new vulnerabilities or attack vectors.

SmartHost complies with all applicable legal and regulatory requirements to ensure secure and reliable operations.

7.1 NIS Directive Compliance

• Incident Reporting: Adherence to the reporting timelines and guidelines specified in the NIS Regulations.
• Security Measures: Implementation of proportionate measures to manage risks and ensure service continuity.

7.2 GDPR Compliance

• Data Protection: Ensuring personal data is processed in compliance with GDPR principles.
• Data Breaches: Immediate notification to the Data Protection Commissioner in the event of a breach involving personal data.

7.3 Collaboration with Authorities

• CSIRT Engagement: Coordinating with the CSIRT-IE for incident resolution and compliance reviews.
• Audits and Inspections: Facilitating inspections and audits conducted by regulatory bodies.

SmartHost maintains comprehensive records to ensure transparency and accountability in its cybersecurity practices.

8.1 Record-Keeping

• Incident Logs: Detailed logs of all incidents, including classification, actions taken, and outcomes.
• Risk Management Records: Documentation of asset inventories, risk assessments, and mitigation plans.
• Policy Documents: Up-to-date policies and procedures covering all aspects of cybersecurity.

8.2 Accountability

• Roles and Responsibilities: Defined roles for managing compliance, risk, and incidents.
• Reporting: Timely submission of reports to stakeholders and regulatory authorities as required.

8.3 Audit Trails

• System Logs: Comprehensive logging of user activities and system events to support investigations.
• Change Records: Documentation of all changes to critical systems, including configurations and updates.

To ensure timely communication during incidents and compliance activities, SmartHost provides clear contact details.

9.1 Primary Contact

• Compliance Officer: Graeme Conkie
• Email Address: management@smarthost.ie
• Phone Number: 01 901 9700

9.2 Reporting Channels

• CSIRT Notification: All significant