Virtus Group - Security Overview (NZISM)
Version: v1.2 • Classification: Public Owner: Virtus Group Ltd
Audience: Clients, Reviewers & Operations • Next Review: 2027-02-23
Executive Summary
This document describes Virtus Group’s standard for this area and how it is applied in practice. It is derived from our internal policies and standards and is intended for both reviewers and operations.
Scope & Assumptions
- In scope: systems and processes directly managed by Virtus Group per contract.
- Out of scope: client-owned or third‑party systems not onboarded to our managed service.
- Dependencies: connectivity, power, and named client contacts for decision making.
Control Summary & Source References
| Domain | Practices | Primary Sources |
|---|---|---|
| Governance & Policy | ISMS-light approach; policies approved; annual review; risk mgmt integrated. | Information Security Policy; Governance Policy; Risk Policy |
| Identity & Access | MFA for admins; RBAC; PAM; JML lifecycle; quarterly access reviews. | IAM Standard |
| Endpoint & Device | EDR; encryption; baseline hardening; monthly patch cycle; compliance ≥95%. | End User Device Mgmt; Encryption Standard; Patch/Ops |
| Network | Segmentation; secure configs; config backup; change control; Wi‑Fi WPA3/802.1X. | Network Security Standard; Ops Runbook |
| Data Protection | Encryption at rest/in transit; retention schedules; secure disposal. | Encryption Standard; Doc & Record Control |
| Vulnerability Mgmt | Monthly authenticated scans; risk-based SLAs; exception handling. | Cybersecurity Ops; Assurance Procedure |
| Backup & DR | Immutable options; restore drills; RPO/RTO by tier; annual tests. | BCM Standard; BCP; Backup Standard |
| Privacy | Privacy policy; DPIA; breach response; processor due diligence. | Privacy Policy; Privacy Pack; Vendor Mgmt |
| Incident Response | Severity matrix; RACI; evidence handling; tabletop schedule. | Cybersecurity Ops; IR Plan |
| Physical & HR | Access control; visitor mgmt; HR onboarding & leavers; AUP. | Physical Security; HR Security Standard; AUP |
Key sources include: Information Security Policy (present), Governance Policy (present), IAM Standard (present), Network Security Standard (present), Encryption Standard (present), BCM/BCP (present), Privacy Policy (present), Cybersecurity Ops Standard (present), Assurance Procedure (present).
Requirements (Key Controls)
- Acceptable Use: It is vital that we safeguard both our customers and ourselves and ensure that the trust they place in us is retained. (VGL.Acceptable.Usage.Policy.docx)
- BCDR: The purpose of this policy is to ensure that all our staff members, and business partners act in compliance with our ethical standards and relevant laws and regulations. (VGL.Anti.Fraud.Anti.Corruption.Policy.docx)
- General: Virtus Group Ltd staff members must comply with all applicable anti-fraud, anti-corruption and anti-bribery laws and regulations, including but not limited to the Organised Crime Bill, OECD Anti-Bribery Convention, the United Nations Convention Against Corruption (UNCAC), the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act. (VGL.Anti.Fraud.Anti.Corruption.Policy.docx)
- Risk Management: All staff members must report any suspicious activity or potential AML risks to the finance team, including transactions that are inconsistent with a customer's known business, or transactions that involve high-risk countries, individuals, or entities. (VGL.Anti.Fraud.Anti.Corruption.Policy.docx)
- Vendor Management: Virtus Group Ltd staff members must not give or receive gifts or hospitality that could be perceived as an inducement or influence on business decisions, and/or might place the Virtus Group Ltd staff member under an obligation to a third party. (VGL.Anti.Fraud.Anti.Corruption.Policy.docx)
- Capacity Management: The purpose of this Capacity Management Plan is to ensure that Virtus Group Ltd. (VGL.Capacity.Management.Plan.docx)
- Incident Response: Cybersecurity operations must address the following domains: (VGL.Cybersecurity.Operations.Standard.docx)
- Identity & Access: Multi-Factor Authentication (MFA) must be enabled for all business systems (VGL.Cybersecurity.Policy.docx)
- Endpoint / MDM: All devices must be managed by Virtus Group (MDM/endpoint protection) (VGL.Cybersecurity.Policy.docx)
- Encryption: Encryption must be enabled on all laptops and mobile devices (VGL.Cybersecurity.Policy.docx)
- Change Management: Change Advisory Board (CAB) – Reviews and approves changes, ensures risk and impact assessments, holds regular meetings, and monitors change trends.Head of Security & Compliance – Policy owner, chairs the CAB, and has final authority to accept or reject changes.IT Operations Manager / Principal Engineer – Acts as subject matter expert (SME), provides technical input, supports CAB decision-making, and ensures testing and rollback plans are in place.Managers – Approve changes for their teams, ensure communication of impacts, and verify staff compliance.All Staff – Must follow this policy, participate in approvals or testing where relevant, and report breaches or issues. (VGL.IT.Change.Management.Policy.docx)
- Asset Management: Director – Provides governance, approves exceptions, and ensures adequate resources.Head of Security & Compliance – Owns this procedure, oversees compliance, and ensures audits.IT Operations Manager – Maintains the asset register and oversees provisioning and de-provisioning.People & Culture – Ensures HR processes trigger asset allocation and retrieval.Managers – Approve allocation requests and ensure proper use of assigned assets.Asset Owners – Ensure correct classification, handling, and compliance.Custodians – Maintain custody and day-to-day protection of assigned assets.All Staff – Must comply with this procedure, report loss/theft, and return assets on termination. (VGL.Information.Asset.Management.Procedure.docx)
- Privacy & Breach: Availability: Ensuring information and systems are accessible when required. (VGL.Information.Security.And.Privacy.Framework.docx)
- Governance & Assurance: Security policies, standards, and procedures must be maintained and embedded into business processes. (VGL.Information.Security.Assurance.Policy.docx)
- Network Security: To define the required controls and responsibilities for securing Virtus Group Ltd’s network environments, ensuring alignment with ISO/IEC 27001:2022, CERT NZ, NCSC guidelines, and applicable New Zealand legislation. (VGL.Network.Security.Standard.docx)
- Physical Security: This procedure provides detailed definitions and process steps for implementing physical security controls to ensure Virtus Group Ltd premises are properly managed and protected. (VGL.Physical.Security.Procedure.docx)
- Collaboration / DLP: Collaboration must occur using approved VGL systems (Microsoft 365: Outlook, SharePoint, OneDrive, Teams) (VGL.Sharing.and.Collaboration.Standard.docx)
- SDLC / DevSecOps: The purpose of this standard is to ensure that security and compliance are embedded into all system, service, and technology acquisitions or developments at Virtus Group Ltd. (VGL.System.Acquisition.and.Development.Standard.docx)
Procedures / Playbooks
| Domain | # of Controls (extract) |
|---|---|
| General | 195 |
| BCDR | 69 |
| Endpoint / MDM | 60 |
| Asset Management | 48 |
| Acceptable Use | 40 |
| Collaboration / DLP | 39 |
| Governance & Assurance | 37 |
| Identity & Access | 36 |
| Vendor Management | 36 |
| Privacy & Breach | 24 |
| SDLC / DevSecOps | 23 |
| Encryption | 22 |
| Physical Security | 22 |
| Change Management | 20 |
| Risk Management | 15 |
| Network Security | 14 |
| Incident Response | 13 |
| Capacity Management | 10 |
Standards Mapping — NZISM ↔ PSR
This table maps our public artefacts to the PSR pillars and the most relevant NZISM chapters/sections.
| Document | PSR Pillars | NZISM References |
|---|---|---|
| VirtusGroup_Security_Overview_NZISM_v1_2.html | Governance; Information Security; Personnel Security; Physical Security | NZISM 3.9: ch.3 Roles & Responsibilities; ch.4 Certification & Accreditation; ch.5 System Security Plans; ch.7 Incidents; ch.16 Authentication & Access Controls |
| VirtusGroup_BCDR_Summary_v1_3.html | Information Security; Governance | NZISM 6.4 Business Continuity & Disaster Recovery; 23.4.12 Cloud DR integration |
| VirtusGroup_Incident_Response_Plan_v1_3.html | Information Security; Governance | NZISM ch.7 Information Security Incidents |
| VirtusGroup_Breach_Response_Procedure_v1_3.html | Information Security; Governance | NZISM ch.7 Information Security Incidents; 5.4 System Security Plans (records) |
| VirtusGroup_MDM_Baseline_v1_2.html | Information Security | NZISM ch.16 Authentication & Access Controls; ch.18.2 Wireless LANs |
| VirtusGroup_Cloud_Governance_Baseline_v1_2.html | Information Security; Governance | NZISM 23.4 Data Protection in Public Cloud; 6.4 BCDR (RTO/RPO & backups) |
| VirtusGroup_Vulnerability_Management_Procedure_v1_2.html | Information Security; Governance | NZISM ch.6 Risk & assurance context; ch.7 Incidents (detection/escalation linkages) |
| VirtusGroup_Runbook_Network_Ops_v1_2.html | Information Security; Physical Security | NZISM ch.18 Network Security (incl. 18.2 WLAN) |
| VirtusGroup_Runbook_Infrastructure_Ops_v1_2.html | Information Security; Governance | NZISM ch.16 Authentication & Access Controls; ch.6.4 BCDR (restore testing) |
| VirtusGroup_Runbook_EndUser_Support_v1_2.html | Information Security; Personnel Security | NZISM ch.16 Authentication & Access Controls; ch.7 Incidents (reporting) |
| VirtusGroup_DPIA_Template_v1_2.html | Information Security; Governance | NZISM ch.5 System Security Plans (records); ch.17 Cryptography (if using encryption) |
| VirtusGroup_DIA_MS_Evidence_Pack_v1.3.html | Information Security; Governance | References a subset of the above artefacts and controls |
| VirtusGroup_DIA_CPS_Evidence_Pack_v1.3.html | Information Security; Governance | References a subset of the above artefacts and controls |
KPIs & Reporting
- Policy review ≤ 12 months
Evidence & Records
Records are maintained per the VGL Document & Record Control guidelines, including logs, approvals, test outputs, meeting minutes, and reports.
© Virtus Group Ltd — Final version.