Cyber Security & Data Protection

GMS takes a risk-based approach to implementing cyber security controls and capabilities to protect company, customer, payment, and employee data and information. Using industry standards and best in class technology and partners, our focus on cyber security is an important part of our overall risk management program and our board of directors reviews our cyber security and data protection programs on a quarterly basis.

Cyber Security

Our cyber security program is managed by our Information Security and Privacy Office, a team of information security professionals led by our Chief Information Officer, and is aligned with three recognized control frameworks: ISO 27001:2013, NIST SP 800-53, and the SANS Top 20 Critical Security Controls. As threats continually evolve, updating our programs is an ongoing process. We have invested, and will continue to invest, in protecting, monitoring, alerting on and mitigating information security risks across the organization.

In the event of a security issue, our IT Security Incident Response Policy is used to triage, contain, and understand the issue as quickly as feasible, as well as to determine how to protect against it going forward. We have also retained an external provider to further support our efforts to prevent security incidents and to appropriately respond if we encounter one.

External and internal resources perform penetration testing and audits in areas such as incident response and cyber security risk on a regular basis. An external Qualified Security Assessor performs an annual review to certify our compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Data Protection

Our Privacy Policy governs how we collect, use, and share information we receive from our customers or website visitors. We maintain both data classification and retention policies to reduce the risk of unauthorized access to data and to comply with regulatory requirements. We make every effort to have reasonable security procedures in place to protect against the loss, misuse or alteration of information under our control, including striving to minimize the customer data we collect in order to limit the potential data exposure. We also perform disaster recovery exercises regularly to validate our ability to recover data and technology in the event of a major incident or disaster.

Training and Awareness

We provide security and data protection awareness training to employees on a quarterly basis, as well as other targeted security training for key departments that handle sensitive data types. We also perform regular phishing exercises to ensure team members are aware of and educated about phishing threats, and trained to identify and avoid them.
