Information Security

Information Security Policy

Introduction
1.1. Background
This Information Security Policy is based upon the International Standard ISEC/ISO 270001 the Code of Practice for Information Security Management and ISEC/ISO 270002.

1.2. Requirements for policy
The Professional CV Writing Ltd has an obligation to clearly define requirements for the use of its information technology (IT) facilities and its information systems (IS) to all staff, apprentices and partners.

The objective of this requirement is to ensurethat users of IT/IS facilities do not unintentionally place themselves, or the company, at risk of prosecution or disciplinary action, by carrying out computer related activities which contravene current policy or legislative restrictions.

Information within Professional CV Writing Ltdis intended to be openly accessible and available to all members of the organisation for sharing and processing. Certain information (sensitive information) has to be processed, handled and managed securely and with accountability.
This policy outlines the control requirements for all information contained within Professional CV Writing Ltd network and IT systems.

1.3. Policy Structure
This document forms Professional CV Writing Ltd Information Security Policy. Its purpose is to provide an overarching framework (a commitment of undertaking) to apply information security controls throughout Professional CV Writing

Supporting Policies and guidance documents containing detailed Information Security requirements will be developed in support of this policy. Dependent upon the subject matter, supporting policies and guidance will either apply across the company or to more specific groups.

1.4. Purpose and scope
All processing of data and collection of information will be processed in accordance with UK law.
This policy defines how the company will secure electronic information, which is found within security of information held in electronic form on any company computer.

And is processed or used by:
Management, Staff and Apprentices who have access to or administer the company network or IT systems.  And individuals who process key data and information within Key Business Systems.

1.5. Objectives
Information Security controls are designed to protect members of the company and the company’sreputation through the preservation of:
Confidentiality – knowing that key data and information can be accessed only by those authorised to do so;
Integrity – knowing that key data and information is accurate and up-to-date, and has not been deliberately or inadvertently modified from a previously approved version; and,
Availability – knowing that the key data and information can always be accessed.

The company is committed to protecting its members and Key Business Systems. Controls will therefore be deployed that mitigate the risk of vulnerabilities being exploited which adversely affect the efficient operation of the company.

1.6. Applicability
This policy applies to all users of the company network and IT Services and includes:
 all full-time, part-time and temporary staff employed by, or working for or on behalf of the company.

 Third party contractors and consultants working for or on behalf of the company
 All other individuals and groups who have been granted access to the company’s network or IT Services.

These categories of persons and agencies are collectively known as the „user‟ in this policy document
Each user is responsible for their own actions and must ensure all actions relating to using the company network and IT Services adheres to the principles and requirements of this policy.

2. Legislation and policy
2.1. Legislation
Supply and use of the company network and IT Services is bound by UK law.

The principles in this policy support and enhance the requirements contained within these documents and ensure compliance with contractual agreements.

3. Information Security – risk management
Information security governance is the structure which supports the implementation of this policy. An IT infrastructure will be implemented within the company to ensure the effective and efficient implementation of this policy across the company.

3.1. Ownership and maintenance of policy
This policy is owned by Professional CV Writing Ltd and is maintained, reviewed and amended by Professional CV Writing Ltd in accordance with company policy, procedures and guidance.
This policy will be subject to annual review.

3.2. Risk management and Electronic Service Incidents
The Managing Director will be responsible for raising an incident message in relation to any reported security incident at the company. These incidents will be recorded as ‟Electronic Security Incidents‟. Electronic Security Incidents will be recorded with a unique reference number; a review of incidents will be conducted at six monthly intervals. Incidents considered to be exhibiting unacceptable levels of risk to the company network or IT Services will be subject to an investigation to identify the inherent vulnerabilities exposed by this incident. A report will be submitted to the IT Manager for consideration of the question of suitable remedial action which may be effectively implemented to mitigate future risks.

3.3. Security of Third Party Access
There is not access granted for third parties to access our information at this present time.

4. Asset Clarification
Information assets will be categorised and recorded to enable appropriate management and control.
4.1. Inventory of assets
IT Services will maintain an inventory, subject to audit, of assets in three categories:-
 Company Business Systems
 Hardware inventory
 Software inventory

An inventory of electronic resources is maintained by the company.

5. Personnel Security Issues – roles and access levels
Controls will be deployed to reduce the risks of human error, theft, fraud, nuisance or malicious misuse of facilities.
Professional CV Writing Ltd maintains the directory of people and accounts which are authorised to use the company network, IT Services and applications.

5.1. Security in job descriptions
Security roles and responsibilities will be included in job descriptions where appropriate. These will include any specific responsibilities for the protection of particular assets, or the execution of particular processes or activities such as data protection.

5.2. Confidential personal data – sensitive information
All data which identifies any individual will be handled in accordance with the Data Protection Act 1998. All personal details will be held securely and in accordance with current UK legislation. All data classified as Sensitive Data will be processed and stored in compliance with the current Sensitive Information guidelines and company policies and procedures.
5.3. Confidentiality undertaking
All staff are reminded of their obligation to protect confidential information in accordance with the company’sstandard terms and conditions of employment. All users will be bound by the confidentiality agreement in either their contract or terms of employment.

5.4. Employee responsibilities
All staff (including agency and casual staff) must agree to written terms and conditions contained within the ICT Acceptable Use Policy when they register to use an IT account. Casual staff accounts will be set to expire at the end of the staff contract period.
oConfidentiality agreements form part of the terms and conditions of employment
oAwareness training about electronic information security forms part of company staff induction programmes
oInformation for all staff on electronic information security is maintained in the staff handbook.
oAll references for a period extending to 3 years prior to the recruitment date are checked by Personnel prior to a member of staffs commencement of employment.

5.5. Staff leaving employment
On termination of employment with the company, the user account will be managed in accordance with the procedure detailed in the ICT Acceptable Use Policy.
In accordance with the ICT Acceptable Use policy, all user accounts will be closed at the termination of employment. Files and folders will be deleted shortly after the user leaves the company.

5.6. Responding to security incidents
5.6.1. Suspected security breach
Staff using or administering the company network or IT Services must not in any circumstances try to prove or collect evidence in relation to any suspected or perceived security breach. The exception to this rule is where staff has been granted a specific policy exemption which allows them to do so as part of their role. The Managing Director will be responsible for identifying members of staff who are responsible for security breach investigations.
A security incident is any incident which alters, destroys or amends data within the Key Business Systems without authority. May cause damage to or reduces the efficiency of the company network or IT Services. This includes any actions or behaviour which contravenes company policy, statutory or common law legal requirement or professional regulation or guidance.

5.6.2. Reporting Security incidents
All suspected security incidents are to be reported in the first instance to the Managing Director.

5.6.3. Security Incident management/ investigation
Security Incidents will be processed immediately and classed as priority. The senior member of staff identified as being responsible for investigating the incident will ensure that all steps are taken to limit damage and loss of data whilst preserving the reputation of the company.  IT services will maintain written procedures for the operation (e.g. start up, backup, shut down and change control) of those company Key Business Systems where threat, risk and organisational impact would adversely the operational effectiveness or organisational reputation.

5.6.4. Investigating Information Security Incidents
On receipt of information indicating that a security incident may have taken place the Managing Director will nominate a member of staff to coordinate the investigation.

5.6.5. Network isolation and reconnection
Any device perceived as placing the integrity of the company IT network at risk to harm or service interruption will be isolated from the main network domain. Suspension of network connectivity will remain in force until the issue has been investigated and a plan of action agreedto resolve the issue. Subsequent reinstatement will only be permitted once the requirements of that action plan have been met, verified and authorised by the Managing Director.

6. Physical and Environmental Security
Controls will be implemented as appropriate to prevent unauthorised access to, interference with, or damage to information assets.

6.1. Physical security
Computer systems and networks will be protected by suitable physical, technical, procedural and environmental security controls. File servers and machines that hold or process high criticality, high sensitivity or high availability data will be located in physically secured areas.

6.3. Equipment Security
Servers holding corporate information will be held in a secure environment protected by:-
 Physical security and access control
 Fire detection
 Temperature and humidity control
 Stable, conditioned electrical supply
 Company electronic information will be held on servers approved by the Managing Director and IT Manager.

IT services must ensure the IT Infrastructure is covered by appropriate hardware and software maintenance and support.Workstations must be appropriately secured and operated by staff who must be trained in and fully conversant with this policy and their personal responsibilities for confidentiality of information displayed on the screen or in printed output. Backup media must be retained in accordance with company policy on retention of records and the Data Protection Act 1998. All company data must be cleared securely from company IT equipment and media on disposal.

7. Communications and Operations Management
Controls will be implemented to enable the correct and secure operation of information processing facilities.

7.1. Documented operating procedure
Design, build and configuration documentation will be produced in respect of system platforms. Sensitive documentation will be held securely and access restricted to staff on a need to know basis.

7.2. Segregation of duties
Access to Key Business Systems and key data and information will only be granted based on the user role and access classification. Segregation of duties between operations and development environment shall be strictly maintained and all work on Key Business Systems will be strictly segregated. Permanent and full access to live operating environments will be restricted to staff on role-based requirements.
Sensitive operations will be identified and action taken to implement split functional controls where appropriate.

7.3. System planning and acceptance

7.3.1. System changes
All changes to live Key Business Systems will follow a pre-defined change management process, to ensure that activities are undertaken in accordance with stringent change control processes.

7.3.2. Controls against malicious software
Controls will be implemented to check for malicious or fraudulent code being introduced to Key Business Systems.
Source code written by contractors and staff will be subjected to security scrutiny before being installed on any live Key Business system.
All systems will be protected by a multi-level approach involving firewall, router configuration, e-mail scanning, and virus and spy/malware protection on all workstations on the company network.
All company workstations will have appropriate anti-virus software installed and set up to update anti-virus signatures automatically. Any device found to pose a threat to data or the provision of the company network will be isolated from the company network until the security issues are resolved.
Staff may not use their own PC hardware to connect to the companyWiFi network.
Network traffic will be monitored for any anomalous activity which may indicate a security threat to the network.

7.3.3. Virus protection
A Virus Protection procedure will be implemented to prevent the introduction and transmission of computer viruses both within and from outside the company. Failure to maintain a device in a state which prevents or detects virus infection will leave the device liable to exclusion from the company network until the security issue is resolved.

7.3.4. Security patches fixes and workarounds
IT Manager is responsible for the day to day management of systems and is responsible for ensuring that security patches, fixes and workarounds are applied in a timely manner to reduce vulnerabilities to devices within the company network. Such patches, fixes and workarounds must be tested and approved before deployment and the efficiency of the deployment to the company IT estate will be monitored to ensure the effective mitigation of risk due to known vulnerabilities.

7.4. IT Housekeeping and storage
7.4.1. Data Storage
System backups will be performed by the relevant IT support staff in accordance with documented procedures. The procedure will include keeping backups off site in secure storage. Periodic checks will be made to ensure backup media can be read and files restored. Records of backups will be monitored by the IT Manager and be subject to random audit by the Managing Director or nominated representative.
Backups of corporate data are taken on a daily basis for Key Business Systems or less frequently if appropriate. Backups protect electronic information from major loss or failure of system software and hardware. Backups are not designed to guard against accidental deletion or overwriting of individual user data files Backup and recovery of individual user files is the responsibility of the owner.

7.5. Network management
Controls will be implemented to achieve, maintain and control access to computer networks, including wireless LANs.
The configuration of critical routers, firewall and other network security devices will be the responsibility of, maintained by, documented and kept securely by the Managing Director and IT Manager.  No IT equipment may be connected to the company network without approval. Any device found to be installed without prior authority will be disconnected, the equipment removed and an investigation commenced to establish the cause of the network compromise. Users should be aware that installation of such devices is potentially a disciplinary and criminal offence under the Misuse of Computers Act 1990.

7.6. Device Disposal
Removable magnetic and optical media containing Key Business System data or Sensitive Information will be reused or disposed of through controlled and secure means when no longer required. Redundant computer equipment will be disposed of in accordance with the Waste Electrical and Electronic (WEEE) Regulations and through secure and auditable means.
Procedures will be made available for the secure disposal of removable data storage media containing Key Business System data or sensitive information when these become defunct or unserviceable.

7.7. Software usage and control
Software will be used, managed and controlled in accordance with legislative and company policy requirements in relation to asset management and licence agreements.
All major software upgrades and in-house systems development for Key Business Systems will be appropriately controlled and tested through a managed process before live implementation and deployment.
All software used on devices managed by IT services must be installed in compliance with current software licensing policy. Software installed without authority and agreement may leave a user liable to prosecution under the Misuse of Computers Act 1990 and disciplinary action.

8. Information Exchange Requests
Use of the company network will be governed by the Information Security Policy.
Failure to comply with these requirements will leave a user liable to disciplinary and/or possible criminal legal penalties.

8.1. Exchange of information with outside organisations
Requests by external bodies for the provision of electronic information from Key Business Systems will in all instances be referred to the system owner. This includes Data Subject Access Requests made under the auspices of the Data Protection Act 1998.
Responses to Data Subject Access Requests in respect of systems owned and operated will be coordinated by the Managing Director and IT Manager.

9. Access control
Policy Statement
Procedures for the registration and deregistration of users and for managing access to all information systems shall be established to ensure that all users access rights match their authorisations. These procedures shall be implemented only by suitably trained and authorised staff. A periodic review will be conducted to verify user access and roles.

9.1. Operational Policy
Access to Key Business Systems will be appropriately controlled and comply with the access rights of the user.
Access to the company network and IT services will be restricted according to the access classification of the user.
Staff and apprentices may use:
 Standard software portfolio
 Shared file store
 Email, calendar and public folders**
 Business systems**
 VLE
 Electronic learning resources
 Internet

**These services will not be provided to all EX account users (e.g. representatives of external organisations with their own email accounts).

9.2. User responsibilities
Users of the company network must comply with the Information Security Policy.
All staff (including agency and temporary staff) must agree to written terms and conditions covering use of IT when they register to use company IT.
Temporary staff accounts will be set to expire at the end of the staff contract period.
 Confidentiality agreements form part of the terms and conditions of employment
 Awareness training about electronic information security forms part of company staff induction programmes
 Information for all staff on electronic information security is maintained in the staff handbook.
 All references for a period extending to 3 years prior to the recruitment date are checked by management prior to a member of staff’s commencement of employment.

9.6. University Key Business System access
9.6.1. Subject access Management and administration
Formal procedures will be implemented for granting access to both the company network and IT Services. This will be supported by a formal review of user privileges on a regular basis to ensure that they remain appropriate to the role and relationship with the company. Accounts identified as dormant accounts will be closed in accordance with current procedures.

9.6.2. Remote access
Controls will be implemented to manage and control remote access to the company’s network and IT services.  Users should note that failure to comply with the Remote Access Policy and Agreement will leave the user liable to disciplinary action and possible criminal law prosecution under the appropriate legislation.

9.6.3. Mobile computing
The companyrecognisees the inherent dangers of information stored on portable computers (laptops, notebooks, tablets and smart phones) as well as removable media. Management will provide security advice to staff via the induction and handbook. This advice is issued as a guideline for users and failure to follow recommended guidance will leave a user vulnerable to disciplinary action should Key Business System data or sensitive information be lost or altered.
Wireless computer networks potentially introduce new security risks which are the subject of specific “Wireless Security Policy” which should be read in conjunction with this Information Security Policy.

9.6.4. Password management
Users are required to follow good security practices in the selection, use and management of their passwords and to keep them confidential.  Primary access to the company network and IT services is governed by a network username and password giving access to a set of network services.  IT Services maintain procedures for the issue of and closure of network accounts.
Authorisation of access to Key Business Systems and to the data held by them is the responsibility of the system owner.
The company aims to minimise the number of accounts required by each individual.
The Control of network passwords is the responsibility of management. Network passwords are stored in encrypted form.
Records will be maintained of the issue of system administrator passwords and ensures they are stored securely. System administrator passwords will be issued on the express authority of the Managing Director and on a need to know basis. Such passwords will be changed regularly and when authorised system administrator staff leaves.
For Windows operating systems the following will be enforced
 network passwords must be a minimum of 6 characters
 Network passwords will be subject to enforced periodic change, the life of a chosen password will be 6 months.
 network password history will prevent reuse of the last 3 password changes
 accounts will be locked on the third failed login attempt

Policy on network password complexity will be reviewed periodically.
Management must be notified when staff leave and will be responsible for closing the associated accounts.
.
9.6.5. Unattended user equipment
Users of the company network and IT Services are responsible for safeguarding Key Business System data and sensitive information. In order to protect these information assets users are required to ensure that devices are not left logged-on when unattended and that portable equipment in their custody is not exposed to opportunistic theft, unauthorised access or observation of sensitive information.
Where available, password protected screen-savers and automatic log-out mechanisms are to be used on office based systems to prevent individual accounts being used by persons other than the account holders, but not on cluster computers that are shared by multiple users. Users will utilise the following security features of the system:
 Keyboard lock
 Logging out of sessions when session finished.
 Logging out of sessions when a computer is to be left more than 15 minutes.
 Whenever possible and at the end of the working day switch off computers when not in use.

Users are required to follow the guidance on user responsibilities for Information Security failure to adhere to these recommendations will leave the user liable to possible disciplinary or criminal prosecution.

9.6.6. Monitoring systems access and use
Access to and use of the company network and IT systems will be monitored.

10. Compliance
10.1. Compliance with legal policy
Supply and use of the company network and IT services is bound by UK law current at the time of any reported incident. The Policy for using IT resources provides guidance on the most common legal and policy requirement pertaining to company network use.
Management will maintain and monitor, at six-monthly intervals, reports of records of electronic security incidents, Reports will be considered by the IT Manager, who will decide if further action or investigation is required.

The IT services password matrix, listing members of staff with access to key systems and services, will be maintained by the Managing Director.