Information Security Policy | Ratebay Care Technologies

This policy applies to all Ratebay Care Technologies employees, contractors, and third parties with access to Ratebay systems and data. Compliance is mandatory. Questions should be directed to p.nair@ratebay.co.uk.

1. Purpose & Scope

This policy establishes Ratebay Care Technologies' approach to information security in accordance with ISO/IEC 27001:2022, the UK General Data Protection Regulation (UK GDPR), and the NHS Data Security and Protection Toolkit (DSPT). It applies to all information assets owned or processed by Ratebay, including those processed by third parties on Ratebay's behalf.

Ratebay's information assets include: the RateCare360 SaaS platform and associated Azure infrastructure; on-premises server infrastructure (RATEBAY.LOCAL domain); clinical data held on behalf of NHS GP practice clients; and corporate data held on file servers RCARE-FS-01 and RCARE-FS-02.

2. Access Control

Access to Ratebay systems and data is granted on the principle of least privilege. All user accounts must be approved by the relevant line manager and provisioned by the IT team.

2.1 Password and Authentication Requirements

All staff accounts must use multi-factor authentication (MFA). Exceptions require formal risk acceptance documented on the risk register.
Current MFA exceptions (as of October 2024): svc_veeam, svc_aadconnect, admin-legacy — documented in RCT-RISK-2024-047. Review date: Q1 2025.
Shared accounts are prohibited except where operationally necessary and explicitly approved. The helpdesk_admin shared account is approved for helpdesk operations only — password reset cycle: 90 days.
Service accounts must not be used for interactive login except where operationally required and logged.
Password minimum length: 14 characters. Complexity required. No reuse of last 12 passwords.

2.2 Third-Party Access

Third-party access to Ratebay systems is permitted only where:

A signed data processing agreement (DPA) or service agreement is in place
Access is limited to systems required for the stated service purpose
All access is logged and reviewed quarterly

ClearConnect Systems — approved third-party with persistent VPN access to Corporate LAN (10.10.10.0/24), Management VLAN (10.10.30.0/24), and Clinical Segment (10.10.20.0/24) for infrastructure support and monitoring. Network ACL restricting access to named destination hosts during non-maintenance windows is planned but not yet implemented (deferred — see RCT-RISK-2024-051). ClearConnect engineer accounts must be deprovisioned within 5 working days of engineer departure from ClearConnect — compliance with this requirement is reviewed annually.

3. Backup and Recovery

All production data must be backed up in accordance with the following schedule:

On-premises servers: daily Veeam backup to rcare-bkp-01 (10.10.30.60). Weekly tape offsite rotation.
Azure data: Azure SQL geo-redundant backup. Azure Blob Storage LRS replication.
Restore tests must be conducted quarterly and results documented. Failures must be reported to the ISMS committee within 48 hours.

Outstanding action: Restore test failure logged June 2024 (RCT-INC-2024-003). Recovery completed July 2024. Follow-up restore test due Q4 2024 — not yet completed as of policy review date. Owner: m.tennant@ratebay.co.uk.

4. Incident Response

All suspected security incidents must be reported to the IT team immediately via helpdesk@ratebay.co.uk or the support portal. The IT incident response procedure (RCT-PROC-IR-001) defines escalation paths and notification obligations under UK GDPR Article 33.

The Data Protection Officer (Priya Nair, p.nair@ratebay.co.uk) must be notified of any incident involving personal data within 4 hours of discovery. ICO notification (where required) must be made within 72 hours of discovery.

5. Asset Management

All information assets must be recorded in the asset register. The current asset register is maintained by the IT team and reviewed quarterly. Network-connected assets include all devices within the 10.10.0.0/8 address space and the Azure VNet (172.16.0.0/16).

End-of-life systems: Where systems cannot be immediately decommissioned due to operational dependencies, a formal risk acceptance must be documented. Current EOL systems on the risk register:

LEGACY-CLIN-01 (10.10.20.10) — Windows Server 2008 R2. EOL January 2020. Risk acceptance RCT-RISK-2022-003. Compensating controls: network segregation, restricted inbound access, no internet connectivity. Decommission target: Q1 2026 subject to application vendor migration timeline.

6. Policy Compliance

Breaches of this policy may result in disciplinary action. Questions regarding this policy should be directed to Priya Nair (p.nair@ratebay.co.uk). This policy is reviewed annually and following any significant security incident.

Document control: RCT-POL-ISMS-001 v3.2 · Approved 14 June 2024 by Dr. Sarah Okafor, CEO · Owner: Priya Nair, DPO · Stored: \\RCARE-FS-01\IT\Policies\ISMS · ISO 27001 control: A.5.1