Information Security Policy

Introduction

This information security policy is a key component of our management framework. It sets the requirements and responsibilities for maintaining the security of information within our organisation. This policy may be supported by other policies and by guidance documents to assist in putting the policy into practice day-to-day.

Aim and Scope of this policy

The aims of this policy are to set out the rules governing the secure management of our information assets by:

  • Preserving the confidentiality, integrity, and availability of our business information
  • Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies
  • Ensuring an approach to security in which all members of staff fully understand their own responsibilities
  • Creating and maintaining within the organisation a level of awareness of the need for information security
  • Detailing how to protect the information assets under our control

This policy applies to all information/data, information systems, networks, applications, locations, and staff of Jones AV Ltd or supplied under contract to it.

Responsibilities

  • The ultimate responsibility for information security rests with the managing director, but on a day-to-day basis, the system administrator shall be responsible for managing and implementing the policy and related procedures
  • Responsibility for maintaining this Policy, the business Information Risk Register, and for recommending appropriate risk management measures is held by the system administrator. Both the Policy and the Risk Register shall be reviewed by the system administrator at least annually
  • Management are responsible for ensuring that their permanent staff, temporary staff, and contractors are aware of:
    • The information security policies applicable in their work areas
    • Their personal responsibilities for information security
    • How to access advice on information security matters
  • All staff shall comply with the information security policy and must understand their responsibilities to protect the company’s data. Failure to do so may result in disciplinary action
  • Each member of staff shall be responsible for the operational security of the information systems they use
  • Each system user shall comply with the security requirements that are currently in force, and shall also ensure that the confidentiality, integrity, and availability of the information they use are maintained to the highest standard
  • Access to the organisation’s information systems by external parties shall only be allowed where a contract that requires compliance with this information security policy is in place. Such contracts shall require that the staff or sub-contractors of the external organisation comply with all appropriate security policies

Legislation

  • We are required to abide by certain UK, European Union and international legislation
  • The requirement to comply with legislation shall be devolved to employees and agents of the organisation, who may be held personally accountable for any breaches of information security for which they are responsible
  • In particular, we are required to comply with:
    • The Data Protection Act (2018)
    • General Data Protection Regulation
    • The Computer Misuse Act (1990)
    • The Health and Safety at Work Act (1974)
    • Human Rights Act (1998)

Personnel Security

Contracts of Employment

  • Staff security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain a security and confidentiality clause
  • References for new staff shall be verified and a passport, driving licence, or other documents shall be provided to confirm identity
  • Information security expectations of staff shall be included within appropriate job definitions
  • Whenever a staff member leaves the company their accounts will be disabled the same day they leave

Information Security Awareness and Training

  • The aim of the training and awareness programmes is to ensure that the risks presented to information by staff errors and by bad practice are reduced
  • Information security awareness training shall be included in the staff induction process and shall be carried out annually for all staff
  • An on-going awareness programme shall be established and maintained in order to ensure that staff awareness of information security is maintained and updated as necessary

Intellectual Property Rights

  • The organisation shall ensure that all software is properly licensed, and approved by the system administrator or Managing Director. Individual and organisational intellectual property rights shall be protected at all times
  • Users breaching this requirement may be subject to disciplinary action

Access Management

Physical Access

  • Only authorised personnel who have a valid and approved business need shall be given access to areas containing information systems or stored data
  • The office entrance is securely locked. Only employees shall have keys to access the office
  • All visitors shall be registered in the printed Visitor Log

Passwords and access control

  • Passwords must be difficult to guess and contain at least 8 characters. Staff are encouraged to avoid common or easily discoverable passwords, such as a pet's name, common keyboard patterns or passwords they have used elsewhere. A longer password is encouraged, such as using multiple (at least three) random words to construct a password
  • Passwords must be protected against brute-force password guessing by at least one of the following:
    • Multi-factor Authentication (MFA)
    • 'Throttling' the rate of attempts. This means the time the user must wait between attempts increases with each unsuccessful attempt. This should permit no more than 10 guesses in 5 minutes
    • Locking accounts after no more than 10 unsuccessful attempts
  • Multi-factor Authentication (MFA) shall be used whenever possible by using an authenticator app where possible instead of SMS
  • Technical controls are used to manage the quality of passwords by at least one of the following:
    • Using multi-factor authentication (see above)
    • A minimum password length of at least 12 characters, with no maximum length restrictions
    • A minimum password length of at least 8 characters, with no maximum length restrictions and use automatic blocking of common passwords using a deny list
  • If a staff member suspects that a password or account has been compromised, then the system administrator should be informed, and the password changed as soon as possible
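The password acceptance options and the throttle and lockout thresholds above, worked through as an added example (not code from Jones AV Ltd's own systems). The deny list is a constructed sample, and LoginGuard enforces both the throttling and the lockout control where the policy requires at least one of them:

```python
"""Password acceptance and brute-force protection rules from the
'Passwords and access control' section. Added illustration only; not code
from Jones AV Ltd. The deny list is constructed for the example."""
from collections import deque
from typing import Deque, Dict, Set

# Constructed sample deny list; a real deployment would load a published
# list of commonly used / breached passwords (assumption, not from the policy).
COMMON_PASSWORDS: Set[str] = {"password", "password1", "qwerty", "12345678", "letmein"}

MIN_LEN_WITH_DENYLIST = 8       # policy option: 8+ chars plus deny list
MIN_LEN_WITHOUT_DENYLIST = 12   # policy option: 12+ chars, no deny list
MAX_GUESSES_PER_WINDOW = 10     # policy: no more than 10 guesses ...
WINDOW_SECONDS = 5 * 60         # ... in 5 minutes
LOCK_AFTER_FAILURES = 10        # policy: lock after no more than 10 failures


def password_is_acceptable(pw: str, deny_list: Set[str] = COMMON_PASSWORDS,
                           use_deny_list: bool = True) -> bool:
    """Apply one of the two length-based technical controls in the policy.

    With a deny list: at least 8 characters and not a common password
    (compared case-insensitively). Without one: at least 12 characters.
    Neither option sets a maximum length, so long passphrases built from
    three or more random words are never rejected for being long.
    """
    if use_deny_list:
        return len(pw) >= MIN_LEN_WITH_DENYLIST and pw.lower() not in deny_list
    return len(pw) >= MIN_LEN_WITHOUT_DENYLIST


class LoginGuard:
    """Per-account brute-force protection combining two policy controls:
    a sliding window of at most 10 attempts per 5 minutes (throttling) and a
    hard lock after 10 unsuccessful attempts. The current time is passed in
    by the caller so the behaviour is deterministic and testable."""

    def __init__(self) -> None:
        self._window: Dict[str, Deque[float]] = {}   # account -> attempt timestamps
        self._failures: Dict[str, int] = {}          # account -> consecutive failures
        self._locked: Set[str] = set()

    def attempt(self, account: str, credential_ok: bool, now: float) -> str:
        """Record one login attempt; return 'ok', 'denied', 'throttled' or 'locked'."""
        if account in self._locked:
            return "locked"          # stays locked until an administrator unlocks it
        recent = self._window.setdefault(account, deque())
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()         # forget attempts older than the 5-minute window
        if len(recent) >= MAX_GUESSES_PER_WINDOW:
            return "throttled"       # rejected before the credential is even checked
        recent.append(now)
        if credential_ok:
            self._failures[account] = 0
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= LOCK_AFTER_FAILURES:
            self._locked.add(account)
            return "locked"
        return "denied"

    def unlock(self, account: str) -> None:
        """Administrator action, e.g. after the compromised-password report above."""
        self._locked.discard(account)
        self._failures[account] = 0
        self._window.pop(account, None)
```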

Device unlocking

  • Where a device requires the physical presence of a user to gain access to the services the device offers (e.g., laptop logon, mobile phone unlock) the user must unlock the device using a credential such as a biometric, password or PIN before gaining access to the services
  • If credentials are solely to unlock a device a minimum password or PIN length of at least 6 characters must be used. When the device unlocking credentials are used elsewhere, then the full password requirements in “Passwords and access control” must be applied to the credentials
  • Computers are set to automatic password-protected screen saver mode and employees are required to lock their computers when leaving the devices

User Access

  • Access to information is based on the principle of “least privilege” and is restricted to authorised users who have a business need to access the information
  • Internal networks and file access require a user ID and password

Administrator-level access

  • Administrator-level access shall only be provided to individuals with a business need who have been authorised by the managing director
  • Administrator-level accounts shall not be used for day-to-day activity. Such accounts shall only be used for specific tasks requiring administrator privileges
  • A list of individuals with administrator-level access shall be held and reviewed every 12 months
  • The assessment is performed by the company management and duly recorded. IT admin staff are only permitted to use administrative access for the performance of administrative tasks and must use regular access level accounts for the performance of any other office work
  • Administrator level accounts must not be used for e-mails, web browsing or any other activities which do not require a high level of access
  • As part of the assessment, staff are required to re-familiarise themselves with the company IT policy and are reminded of the clauses within their employment contracts referring to IT and confidentiality
  • All administrator-level passwords shall be changed at least every 60 days
  • Where available, two-factor authentication shall be used to provide additional security
  • All users shall use uniquely named user accounts
  • Generic user accounts that are used by more than one person or service shall not be used

Application Access

  • Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need e.g. systems or database administrators
  • Authorisation to use an application shall depend on a current licence from the supplier

Hardware Access

  • Where indicated by a risk assessment, access to the network shall be restricted to authorised devices only

System Perimeter access (firewalls)

  • The boundary between business systems and the Internet shall be protected by firewalls, which shall be configured to meet the threat and continuously monitored
  • All servers, computers, laptops, mobile phones, and tablets shall have a firewall enabled if such a firewall is available and accessible to the device’s operating system
  • The default password on all firewalls shall be changed to a new password that complies with the password requirements in this policy
  • All firewalls shall be configured to block all incoming connections
  • If a port is required to be opened for a valid business reason, the change shall be authorised following the system change control process and shall be registered in the Open Ports Record. The port shall be closed when there is no longer a business reason for it to remain open
  • The firewall is configured by the System Administrator

Monitoring System Access and Use

  • An audit trail of system access and data use by staff shall be maintained wherever practical and reviewed on a regular basis
  • The business reserves the right to monitor any systems or communications activity where it suspects that there has been a breach of policy, in accordance with the Regulation of Investigatory Powers Act (2000)

Asset Management

Asset Ownership

  • Each information asset (hardware, software, application or data) shall have a named custodian who shall be responsible for the information security of that asset

Asset Records and Management

  • An accurate record of business information assets, including source, ownership, modification, and disposal shall be maintained
  • All data shall be securely wiped from all hardware before disposal

Asset Handling

  • The organisation shall identify particularly valuable or sensitive information assets through the use of data classification
  • All members of staff are responsible for handling information assets in accordance with this security policy. Where possible the data classification shall be marked upon the asset itself
  • All company information shall be categorised into one of the three categories in the table below based on the description and examples provided:

Category: Public
Description: Information that is not confidential and can be made available publicly through any channels.
Examples:
  • Details of products and services on the website
  • Published company information
  • Social media updates
  • Press releases

Category: Amber
Description: Information which, if lost or made available to unauthorised persons, could impact the company’s effectiveness, benefit competitors or cause embarrassment to the organisation and/or its partners.
Examples:
  • Company operating procedures and policy
  • Client contact details
  • Company plans and financial information
  • Basic employee information including personal data
  • ORCS software and related materials, including user manuals, explanatory videos

Category: Red
Description: Information which, if lost or made available to unauthorised persons, could cause severe impact on the company’s ability to operate or cause significant reputational damage and distress to the organisation and/or its partners. This information requires the highest levels of protection of confidentiality, integrity and availability.
Examples:
  • Client intellectual property
  • Data in e-commerce systems
  • Employee salary details
  • Any information defined as “sensitive personal data” under the Data Protection Act

Removable media

  • Only company-provided removable media (such as USB memory sticks and recordable CDs/DVDs) shall be used to store business data and its use shall be recorded (e.g. serial number, date, issued to, returned)
  • Removable media of all types that contain software or data from external sources, or that has been used on external equipment, require the approval of the system administrator before they may be used on business systems. Such media must be scanned by anti-virus before being used
  • Where indicated by the risk assessment, systems shall be prevented from using removable media

Mobile working

  • Staff must take reasonable steps to prevent theft and loss of data; and keep information confidential where appropriate
  • Members of staff may choose any preferred location for work, but it is their responsibility to ensure non-staff members cannot access company data on the device. Passwords must be kept confidential at all times. Users must be careful who can see the screen when accessing company data
  • Devices must have anti-malware software installed (if available for the device), must have PIN, password or other authentication configured, and be capable of being remotely locked or wiped. They must also comply with the software management requirements within this policy
  • The device must lock itself with a PIN, password, or other authentication if it’s idle for five minutes
  • Equipment must not be left on view in a vehicle
  • If the device is lost or stolen, users must inform the system administrator as soon as possible, but no later than 24 hours after finding out. Follow the Lost/stolen device procedure
  • The Company IT policy applies to the use of all equipment
  • Remote working can be carried out by using:
    • company-provided devices
    • BYOD devices
    • or a mix of both

Equipment provided by the company

  • Where necessary, staff may use company-supplied mobile devices such as phones, tablets, and laptops to meet their job role requirements
  • The company will not provide any secondary equipment (e.g. monitors, printers, headsets, microphones, etc.)
  • The provided equipment must have sufficient technical specifications to fulfil the job role of its user
  • Company-provided computers shall be set up and configured by the system administrator prior to use:
    • Must have anti-malware software installed (if available for the device), must have PIN, password or other authentication configured, must be encrypted (if available for the device), and be capable of being remotely wiped
    • Must be registered on company domain and managed via group policies and configured with Always On VPN
    • Must have all software installed that is required for the work
  • Any equipment, hardware or software provided by the company for use in work remains the property of the company, including all data stored on the equipment
  • Users must take care of the equipment and keep it in good working order. Issues are to be reported to the system administrator
  • If the device is lost or stolen, users must inform the system administrator as soon as possible, but no later than 24 hours after finding out. Follow the Lost/stolen device procedure
  • The employee’s device may be remotely wiped if 1) the device is lost, 2) the employee terminates his or her employment, 3) IT detects a data or policy breach, a virus or similar threat to the security of the company’s data and technology infrastructure
  • While IT will take every precaution to prevent the employee’s personal data from being lost in the event it must remote wipe a device, it is the employee’s responsibility to take additional precautions, such as backing up email, contacts, etc
  • The equipment shall only be used for activities that directly or indirectly support the business of Jones AV Ltd. Personal data shall not be stored on the equipment
  • Devices may not be used at any time to:
    • Store or transmit illicit materials
    • Store or transmit proprietary information belonging to another company
    • Harass others
    • Engage in outside business activities
    • Etc.

Bring Your Own Device (BYOD)

Our company recognises the benefits that can be achieved by allowing staff to use their own electronic devices when working, whether that is at home, in the office or while travelling. Such devices include laptops, smartphones, and tablets, and the practice is commonly known as ‘bring your own device’ or BYOD. This policy is intended to protect the security and integrity of our data and technology infrastructure. Limited exceptions to the policy may occur due to variations in devices and platforms. Employees must agree to the terms and conditions set forth in this policy in order to be able to connect their devices to the company network.

  • The following devices are allowed to be used under the BYOD policy:
    • smartphones, including iPhone and Android phones
    • tablets, including iPads, and Android or Windows tablets
    • computers, including Windows, Linux, or MacOS laptops, desktop PCs
  • Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the network and only store-approved applications are allowed to be installed
  • The device must be capable of being remotely locked or wiped
  • The use of BYOD devices for business purposes requires the approval of the system administrator or managing director. Users must not connect any device to the network that has not been approved
  • Devices must have anti-malware software installed (if available for the device)
  • Biometric test, password, or PIN must be used to unlock the device and access applications in line with the "Passwords and access control" and "Device Unlocking" sections of this policy
  • Company data can only be stored locally on the device if it is encrypted
  • Confidential data must not be stored on removable media
  • If the device is lost, stolen, or under repair, users must inform the system administrator as soon as possible, but no later than 24 hours after finding out. Follow the Lost/stolen device procedure
  • Devices and apps must be regularly patched and upgraded. All high-risk or critical security updates for operating systems and firmware must be installed within 14 days of release. A device that is not supported anymore must not be used to access company data at any time
  • Issues related to connecting to the company network, applications, or systems are supported by the company. Issues related to the hardware, the operating system, or any software that was not provided by the company are not supported by the company. The employee shall address these to the manufacturer for support
  • The employee is personally liable for all costs associated with his or her device. The company will not reimburse the employee for the cost of the device or phone/data plan, roaming, plan overages, etc
  • The devices may be used for personal and professional purposes, but must be used in an ethical manner at all times
  • The company reserves the right to revoke this privilege or disable services without prior notice if users do not abide by the policies

Approved Software List

  • The software/applications that can be used to access company data can be found in the Apps and Services list
  • Mobile devices: only approved applications, downloaded from Google Play or AppStore can be used
  • Adding new software to the approved software must adhere to the IT Operating Procedure

Social Media

Social media use at work

  • Social media may only be used for business purposes by using official business social media accounts with authorisation from Managing Director. Users of business social media accounts shall be appropriately trained and be aware of the risks of sharing sensitive information via social media
  • The organisation reserves the right to monitor how employees use company-owned property, including computers and networking equipment, and employees should be mindful that any and all web browsing they do on the company’s premises may be monitored

Social media posts about the company

  • Users shall behave responsibly while using any social media whether for business or personal use, bearing in mind that they directly or indirectly represent the company. If in doubt, consult the management
  • Employees are forbidden from using social networks to post or display comments about co-workers, supervisors, or the organisation that are vulgar, obscene, threatening, harassing
  • Employees may not use social networks to disclose any confidential or proprietary information about the organisation, its employees, customers, or business partners
  • When appropriate, employees should disclose their relationship with the company in their online posts and refrain from speaking on behalf of the company when not authorized
  • Employees should keep in mind that they are personally responsible for what they post online and be mindful that what they say will be available publicly for a long time
  • Social media use is subject to the same workplace policies employees must follow in other situations, including but not limited to the Staff Policy handbook policies regarding harassment, discrimination, defamation, confidentiality, non-competition, and general Internet use

Company social media accounts

  • Business social media accounts shall be protected by strong passwords in line with the password requirements for administrator accounts

Users breaching these requirements may be subject to disciplinary action.

Physical and Environmental Management

  • In order to minimise loss of, or damage to, all assets, equipment shall be physically protected from threats and environmental hazards. Physical security accreditation should be applied if necessary
  • Systems shall be protected from power loss by UPS if indicated by the risk assessment

Computer and Network Management

Operations Management

  • Management of computers and networks shall be controlled through standard documented procedures that have been authorised by the system administrator

System Change Control

  • Changes to information systems, applications or networks shall be carried out by the system administrator and reviewed and approved by the managing director

Accreditation

  • The organisation shall ensure that all new and modified information systems, applications and networks include security provisions
  • They must be correctly sized, identify the security requirements, be compatible with existing systems according to an established systems architecture (as required) and be approved by the system administrator before they commence operation

Local Data Storage

  • Data stored on the business premises shall be backed up regularly and restores tested at appropriate intervals (at least monthly)
  • A backup copy shall be held in a different physical location to the business premises
  • Backup copies of data shall be protected and comply with the requirements of this security policy and be afforded the same level of protection as live data

External Cloud Services

  • Where data storage, applications, or other services are provided by another business (e.g. a ‘cloud provider’) there must be independently audited, written confirmation that the provider uses data confidentiality, integrity, and availability procedures which are the same as, or more comprehensive than those set out in this policy

Protection from Malicious Software

  • The business shall use software countermeasures, including anti-malware, and management procedures to protect itself against the threat of malicious software
  • All computers, servers, laptops, mobile phones, and tablets shall have anti-malware software installed, where such anti-malware is available for the device’s operating system
  • All anti-malware software shall be set to:
    • scan files and data on the device on a daily basis
    • scan files on-access
    • automatically check for, and install, virus definitions and updates to the software itself on a daily basis
    • block access to malicious websites

Vulnerability scanning

  • The business shall have a yearly vulnerability scan of all external IP addresses carried out by a suitable external company
  • The business shall act on the recommendations of the external company following the vulnerability scan in order to reduce the security risk presented by any significant vulnerabilities
  • The results of the scan and any changes made shall be reflected in the company risk assessment and security policy as appropriate

Response

Information security incidents

  • All breaches of this policy and all other information security incidents shall be reported to an incident controller (system administrator or office coordinator) at data-admin@jonesav.info
  • If required as a result of an incident, data will be isolated to facilitate forensic examination. This decision shall be made by the system administrator
  • Information security incidents shall be recorded in the Security Incident Log and investigated by the incident controller to establish their cause and impact with a view to avoiding similar events. The risk assessment and this policy shall be updated if required to reduce the risk of a similar incident re-occurring

Business Continuity and Disaster Recovery Plans

  • The organisation shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission-critical information, applications, systems, and networks
  • In case of a disaster, steps must be followed according to the Emergency plan

Reporting

  • The Information Security Officer shall keep the business informed of the information security status of the organisation by means of regular reports to senior management