Information Security Statement
This statement provides an overview of The Craneware Group’s approach to cyber security.
Craneware plc, doing business as The Craneware Group, places the utmost priority on reliable protection of customer data. Our promise is to defend against reasonably anticipated threats and hazards, including risks created by unauthorized access, to the security and integrity of sensitive customer information entrusted with The Craneware Group.
Information Security Policy
The Craneware Group maintains a detailed Written Information Security Program (WISP), which aligns with applicable laws and regulations. This program governs how The Craneware Group employees and applications interact with sensitive, protected customers’ and company data. The policies and procedures that inform the Information Security Program are reviewed and updated no less than annually and with any significant changes to laws, regulations, infrastructure or company structure.
Organizational Security
Key oversight of the Information Security Program is managed by The Craneware Group’s Security Council and led by the Chief Information Officer. The Council is comprised of experts, including the Chief Technology Officer, and representatives with relevant expertise from key functional areas across the business, including: Information Security, Information Technology Infrastructure and Operations, Engineering, and the Risk & Compliance Committee. The Craneware Group employs a dedicated Information Security Team and contracts with specialist third party services, who assist with monitoring, testing, and improving our security position and technology.
The highest ethical standards are foundational to The Craneware Group’s Business Ethics Policy. The Craneware Group requires stringent training on information security and data protection for all employees at hire and refreshed annually. Confidentiality agreements are required of all employees as well and are also required of any contractors that may work with us from time to time.
Vendor Relationships
Craneware selects its partners very carefully and will only do business with vendors (i.e. suppliers) that operate with the same or similar key values and ethical standards - around integrity, legal compliance and privacy - as Craneware. As part of its mandatory onboarding review process, we screen our vendors and bind them to appropriate confidentiality and security obligations, especially if they, on rare occasions, may help manage any customer data.
Our Information Security team may perform checks and audits from time to time on any vendors in an effort to ensure the confidentiality, integrity, and availability of data that our third-party vendors may handle.
Data Management
Data and Information System assets include customer data and company resources; these are protected with Data Loss Prevention software and processes. The Craneware Group’s Information Security Program manages those assets that are subject to legislative requirements, i.e., HIPAA and GDPR amongst any other corporate data.
Third Party Audits and Testing
The Craneware Group engages with third party auditors to support effective security practices and compliance with HITRUST and AICPA SOC 1 and 2.
Core operations, including product platforms Trisus and InSight, of The Craneware Group abide by the HITRUST CSF security controls across 19 domains and other security frameworks, such as HIPAA, AICPA (SOC2), NIST, GDPR and ISO27001. Trisus and InSight product platforms as well as Sentinel, Sentrex, Trisus Decision Support, Trisus Labor Productivity and Trisus Medication Inpatient Rebate applications meet AICPA Service Organization Controls (SOC) requirements, completing SOC 2 Type II audit assessments annually.
Full HITRUST CSF assessments are conducted every two years; interim assessments are conducted during the intervening periods.
For HITRUST our products and corporate infrastructure are evaluated against more than 600 controls mapped across 19 domains:
| Information Protection Program | Transmission Protection | Business Continuity and Disaster Recovery |
|---|---|---|
| Endpoint Protection | Password Management | Risk Management |
| Portable Media Security | Access Control | Physical and Environmental Security |
| Mobile Device Security | Audit Logging & Monitoring | Data Protection and Privacy |
| Wireless Security | Education, Training and Awareness | |
| Configuration Management | Third Party Assurance | |
| Vulnerability Management | Incident Management | |
| Network Protection |
The HITRUST CSF includes a wide array of standards, frameworks, and regulations; it maps to about 40 authoritative sources:
Our portfolio of product groups regularly arranges for penetration testing to be conducted by external security testing companies. This testing occurs in conjunction with major product updates, and no less than annually.
The Craneware Group also follows individual US state-based guidance and criteria where appropriate.
Contact
For more information, please contact The Craneware Group Information Security at [email protected].