ISO 27001 is an internationally renowned standard viewed as a benchmark by most organizations and security professionals. The ISO 27001 standard contains the core security controls that other standards use as a base. GTT holds ISO 27001:2013 compliance at multiple locations; please view the certifications list for further information.
The ISO 27001 series focuses on the entire information security stack. All information security aspects surrounding the core elements of people, process, organization and technology are considered. It also has specific controls around physical security which relate to physical access to assets that have information stored on them, or that can be used to access the information itself.
The standard itself is fundamentally centered around the deployment of an Information Security Management System (ISMS) which helps to ensure that an organization understands its information security posture and drives to continually improve it.
GTT uses a continuous security improvement approach to all information security objectives. This includes the continuous identification, grading, control and maintenance of risks. The GTT lifecycle is based upon W. Edwards Deming's Plan, Do, Check and Act (PDCA) lifecycle, which is internationally recognised and used by numerous standards and frameworks.
SOC stands for “Service Organization Control”. SOC 1 and SOC 2 service assurance reports are provided by independent third parties (auditors) against a defined control framework.
A SOC 1 report examines the controls of a service organisation which are relevant to a user entity’s internal control over financial reporting. It is specifically intended to meet the needs of customers who require assurance about the effectiveness of the controls at the service organisation that affect the customers’ financial statements. GTT’s SOC 1 scope includes Managed Hosting and VDC services.
A SOC 2 audit report provides detailed information and assurance about security, availability, processing integrity and confidentiality controls, based on their compliance with the AICPA’s (American Institute of Certified Public Accountants) TSC (Trust Services Criteria). GTT’s SOC 2 scope includes the SD-WAN and SIP Trunking services.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard governed by the PCI Security Standards Council. The Council was founded by the major payment brands – American Express, Discover, Visa, JCB and MasterCard. Its goal is to develop and maintain common standards which encourage cardholder data security and to facilitate broad adoption of consistent data security measures across the industry.
PCI DSS applies to all entities involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data and/or sensitive authentication data.
If you want to request the GTT PCI DSS Attestation of Compliance (AOC) and Responsibility Model, please contact your Account Manager.
ISO 20000 is a global standard that describes the requirements for an information technology service management (ITSM) system. The standard was developed to mirror the best practices described within the IT Infrastructure Library (ITIL) framework.
This international IT service management (ITSM) standard enables IT organizations (whether in-house, outsourced or external) to ensure that their ITSM processes are aligned both with the needs of the business and with international best practice.
ISO 20000 helps organizations benchmark how they deliver managed services, measure service levels and assess their performance. It is broadly aligned with, and draws strongly on, ITIL.
This policy statement covers GTT Communications Inc.’s (“GTT” or the “Company”) UK business and is intended to satisfy the UK tax strategy publication requirement under Schedule 19 to the Finance Act 2016.
GTT is committed to (i) complying with tax laws in a responsible manner and (ii) building and maintaining professional and constructive working relationships with tax authorities based on principles of mutual transparency and trust. These commitments, which are explained in more detail below, apply to all countries and all employees.
GTT’s tax department proactively manages, reviews and reports on tax risks and employs an experienced tax team that is part of the central finance function reporting to the Chief Financial Officer (“CFO”). Day-to-day responsibility for these functions sits with the Vice President of Tax (“VP of Tax”), who reports to the CFO. The Company’s Audit Committee oversees the Company’s tax policies and affairs through periodic reviews.
The tax team, which is led by the VP of Tax, is accountable for the day-to-day management of tax affairs, unless accountability is clearly devolved and accepted elsewhere. Any decisions to be made in respect of uncertain tax issues are made with diligent professional care and judgement by the tax team, and only after consulting with local and international management teams and justifying the decision to them. In those situations where the level of uncertainty is high, the tax department will utilise outside advisors to help evaluate the risks.
The Company manages tax costs through maximising the tax efficiency of business transactions. This includes taking advantage of available tax incentives and exemptions. This is done in a way that is aligned with the Company’s commercial objectives and meets its legal obligations and ethical standards. It is also done in a way that the Company reasonably believes is not contrary to the clear intentions of the legislation concerned.
GTT recognises that it is responsible for paying an appropriate amount of tax in the UK. Against this, GTT must balance its responsibilities to maximise its sustainable returns to shareholders. GTT will not undertake any tax planning that cannot be sustained by the commercial requirements of the group or that does not have economic substance. GTT will not undertake any tax planning unless GTT believes that the strategy is compliant with tax legislation and more likely than not to succeed.
A. The General Data Protection Regulation (GDPR) not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.
A. Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is higher, for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements. It is important to note that these rules apply to both controllers and processors, meaning the GDPR subjects data processors to direct liability in certain circumstances, for example in relation to a data security breach, and to joint liability to data subjects where the data controller is at fault.
A. Any information related to a person that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer IP address.
A. GDPR is a regulation which, if in scope, organizations must comply with. At this time, there are no approved certification criteria or accredited certification bodies for issuing GDPR certificates. GTT holds an ISO 27001:2013 Information Security Management System certification and our technical and organizational measures are based on the Plan, Do, Check, Act cycle. GTT is assessed and regularly audited by independent third parties to ensure that the highest security standards are maintained and continuously improved.
A. Our customers choose to work with us because a fundamental pillar for the success of our business is our robust data privacy framework. It ensures compliance with current privacy and data protection laws and encourages a culture of best practice when it comes to handling data. As a telecommunications service provider we adhere to the ePrivacy Directive (Directive on privacy and electronic communications) and also follow strict country specific telecommunication legislation which sometimes may override GDPR.
GTT applies what we consider to be state-of-the-art technology to secure the data that we hold on behalf of our customers. By further implementing detailed policies, procedures and processes that are certified as compliant with the most rigorous industry-accepted data security standards, we are fully committed to providing compliant, multi-jurisdictional, segregated and secure solutions for all our customers. GTT is also aligned with multiple well-known certification schemes such as ISO 27001 and PCI DSS. GTT is committed to adhering to these standards and applies robust technical, physical and cyber security controls.
A. GTT carries out data privacy impact assessments on all aspects of its business, both internally and for products used by our customers. GTT applies privacy by design via governance processes such as architecture boards and as a key milestone at the beginning of every project.
A. Yes, GTT can tailor bespoke services to our customers’ requirements and to GDPR. We have several cyber security offerings that can help our customers achieve a strong level of cyber security maturity and, with it, GDPR compliance.