Technical and Organisational Measures

Last updated: June 2, 2026

This document describes technical and organizational security measures and controls implemented by Columbus Global (“Columbus”) to protect personal data and ensure the ongoing confidentiality, integrity and availability of Columbus Global’s services.

This document is a high-level overview of the technical and organizational security measures applied to Columbus Global’s internal IT environment. More details on the measures we implement are available upon request. Columbus reserves the right to revise these technical and organizational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for personal data that Columbus processes in providing its various services. In the unlikely event that Columbus does materially reduce its security, Columbus shall notify its customers.

Columbus shall take the following technical and organizational security measures to protect personal data:

  1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Columbus’s information security program.
  2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to the Columbus organization, monitoring and maintaining compliance with Columbus policies and procedures, and reporting the condition of its information security and compliance to senior internal management.
  3. Information security policies that are maintained, regularly reviewed and, where necessary, improved.
  4. Connectivity with the applications that Columbus deploys internally and as part of customer implementations utilizes cryptographic protocols such as TLS to protect information in transit over public networks. At the network edge, stateful firewalls, web application firewalls, and DDoS protection are used to deter attacks. Within the internal network, applications follow a multi-tiered model which provides the ability to apply security controls between each layer.
  5. Data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and where applicable, utilization of commercially available and industry-standard encryption technologies.
  6. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least-privilege basis, use of unique IDs and passwords for all users, periodic review, and promptly revoking or changing access when employment terminates or job functions change). Multi-factor authentication is implemented for critical assets.

    Access requests are handled via ITSM service requests. Access provisioning is managed through ITSM workflows with defined approval and validation roles. Logical access controls enforce role-based, least-privilege access using unique user identities, with periodic access reviews and prompt adjustments for role or employment changes.

    Multi-factor authentication is applied to all user identities and critical systems (data center servers).

  7. Password controls designed to manage and control password strength and usage, including prohibiting users from sharing passwords. Password controls enforce strong password requirements and secure usage practices.
  8. System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
  9. Physical and environmental security of data center, server room facilities and other areas containing client confidential information, designed through policies and procedures and implemented to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of Columbus facilities, and (iii) guard against environmental hazards such as heat, fire and water damage. Access to server rooms is controlled and limited to the Digital IT team, with protections against environmental risks.
  10. Operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Columbus possession.
  11. Industry best practices and secure SDLC practices are followed in software development. Development is carried out within controlled environments that either reside in a Columbus tenant directly managed by Columbus or within a tenant owned and managed by the Customer. Source code is version controlled.
  12. Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Columbus technology and information assets.
  13. Incident / problem management procedures designed to allow Columbus to investigate, respond to, mitigate and notify of events related to Columbus technology and information assets.
  14. Network security controls implemented through enterprise-grade firewalls, layered DMZ architectures, intrusion detection systems, and traffic and event correlation mechanisms, designed to prevent unauthorized access, protect systems from intrusion and limit the scope of any successful attack.
  15. Vulnerability assessment, patch management, threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code. Proactive vulnerability management, patching, threat protection and continuous monitoring are implemented to protect systems from vulnerabilities, malware and evolving threats.
  16. Business resiliency/continuity and disaster recovery procedures, as appropriate, designed to maintain service and/or recover from foreseeable emergency situations or disasters, supported by regular backups of the data residing within applications and of source code.
  17. Information security awareness and GDPR compliance training are mandatory for all employees. We review and update our security training on a periodic basis and track completion rates.

Client Engagements/Projects:

Columbus is an IT consulting firm. Governance in client engagements/projects is largely driven by the information security policies and procedures of the client organization unless stated otherwise. This is agreed upon in an operational manual, project manual, SOW or similar document.

This includes, but is not limited to, the following:

  • Access Management/Password Controls
  • Change Management
  • Incident Management
  • Backup and restoration

For projects requiring access to a customer-owned environment/tenant, access is managed by the client as agreed.