Virtus Group - Cloud Governance Baseline
v1.2 FINAL • Standardised 2025-09-04
Owner: Virtus Group Ltd • Audience: Clients, Reviewers & Operations • Classification: Public • Next Review: 2026-09-04
Executive Summary
This document describes Virtus Group’s standard for this area and how it is applied in practice. It is derived from our internal policies and standards and is intended for both reviewers and operations.
Scope & Assumptions
- In scope: systems and processes directly managed by Virtus Group per contract.
- Out of scope: client-owned or third‑party systems not onboarded to our managed service.
- Dependencies: connectivity, power, and named client contacts for decision making.
Requirements (Key Controls)
- All staff members must report any suspicious activity or potential AML risks to the finance team, including transactions that are inconsistent with a customer's known business, or transactions that involve high-risk countries, individuals, or entities. (VGL.Anti.Fraud.Anti.Corruption.Policy.docx)
- Security patches must be applied within 14 days for high-risk vulnerabilities, 30 days for medium-risk (VGL.Cybersecurity.Policy.docx)
- Third-party integrations must undergo risk assessments (VGL.Cybersecurity.Policy.docx)
- Risk registers must be maintained and reviewed quarterly. (VGL.Information.Security.Policy.docx)
- Formal Risk Assessments (RA) required for all critical assets, projects, and major changes (VGL.Risk.Management.Policy.docx)
- Exemptions must be approved by the Head of Security & Compliance and the Director. (VGL.Risk.Management.Policy.docx)
- They must be documented, reviewed annually, and cannot be indefinite. (VGL.Risk.Management.Policy.docx)
- All staff must adhere to risk management responsibilities as outlined. (VGL.Risk.Management.Policy.docx)
- All suspected risks, threats, or vulnerabilities must be reported immediately to the Head of Security & Compliance or via the Virtus Group Service Desk.Contact: compliance@virtusgroup.biz | 0800 847 887 (VIRTUS). (VGL.Risk.Management.Policy.docx)
- This document will be reviewed at least once every two years, or whenever a major update is required, whichever happens first (VGL.Risk.Management.Policy.docx)
- Residual risk must be signed by risk owner and Director (VGL.Risk.Management.Procedure.docx)
- Exemptions must be approved by the Head of Security & Compliance and the Director. (VGL.Risk.Management.Procedure.docx)
- All suspected risks, vulnerabilities, or breaches must be reported immediately to the Head of Security & Compliance or via the Virtus Group Service Desk.Contact: compliance@virtusgroup.biz | 0800 847 887 (VIRTUS). (VGL.Risk.Management.Procedure.docx)
- This document will be reviewed at least once every two years, or whenever a major update is required, whichever happens first (VGL.Risk.Management.Procedure.docx)
- Security policies, standards, and procedures must be maintained and embedded into business processes. (VGL.Information.Security.Assurance.Policy.docx)
- Compliance requirements must be built into operational practices and systems. (VGL.Information.Security.Assurance.Policy.docx)
- Director – Provides governance, oversight, and approves exceptions.Head of Security & Compliance – Owns this policy, coordinates audits, and tracks compliance.IT Operations Manager – Ensures technical compliance and remediation.Managers – Ensure team-level adherence to security requirements.All Staff – Must comply with this policy, participate in audits, and report issues. (VGL.Information.Security.Assurance.Policy.docx)
- Exemptions must be approved by the Head of Security & Compliance and Director. (VGL.Information.Security.Assurance.Policy.docx)
- All exemptions must be documented, tracked, and reviewed regularly. (VGL.Information.Security.Assurance.Policy.docx)
- All suspected issues or breaches must be reported immediately to the Head of Security & Compliance.Contact: compliance@virtusgroup.biz | 0800 847 887 (VIRTUS). (VGL.Information.Security.Assurance.Policy.docx)
Procedures / Playbooks
| Area | Examples |
|---|---|
| Identity & Access | Conditional Access, MFA, privileged boundaries |
| Data Protection | Encryption at rest/in transit, key mgmt, backup retention |
| Workload Hygiene | Patch/Vuln SLAs, change control, hardening baselines |
| Monitoring | SIEM integration, alerting, audit trails |
| Vendors & Third Parties | Due diligence, right-to-audit, breach notice windows |
Baseline Targets
- Conditional Access policy coverage ≥ 95% of interactive sign‑ins
- Public object storage/buckets: continuous scan & alerting; no unauthorised public ACLs
- Keys & secrets: rotation ≤ 12 months; automated alerting on age/expiry
- Backups: immutability enforced for critical workloads; restore evidence captured monthly
KPIs & Reporting
- CA policy coverage ≥ 95%
- Critical vuln remediation ≤ 7d
- Backup immutability evidence monthly
Evidence & Records
Records are maintained per the VGL Document & Record Control guidelines, including logs, approvals, test outputs, meeting minutes, and reports.
© Virtus Group Ltd — Final version.