Information Security Policy

Version number 1

First published: January 2022

Updated: (only if this is applicable)

Prepared by: Treat Marketing Ltd

1 Introduction

1.1 Background

Treat Marketing Ltd. is a private digital marketing agency, with information processing as a fundamental part of its purpose. It is important, therefore, that the organisation has a clear and relevant Information Security Policy. This is essential to our compliance with data protection and other legislation and to ensuring that confidentiality is respected.

The purpose of Treat Marketing Ltd.’s Information Security policy is to protect, to a consistently high standard, all information assets. The policy covers security which can be applied through technology but perhaps more crucially it encompasses the behaviour of the people who manage information in the line of Treat Marketing Ltd. business.

Information security is about peoples’ behaviour in relation to the information they are responsible for, facilitated by the appropriate use of technology. The business benefits of this policy and associated guidance are:

  • Assurance that information is being managed securely and in a consistent and corporate way.

  • Assurance that Treat Marketing Ltd. is providing a secure and trusted environment for the management of information used in delivering its business.

  • Clarity over the personal responsibilities around information security expected of staff when working on Treat Marketing Ltd. business.

  • A strengthened position in the event of any legal action that may be taken against Treat Marketing Ltd. (assuming the proper application of the policy and compliance with it).

  • Demonstration of best practice in information security.

  • Assurance that information is accessible only to those authorised to have access.

  • Assurance that risks are identified and appropriate controls are implemented and documented.

1.2 Aim

The aim of Treat Marketing Ltd.’s Information Security Policy is to preserve:

Confidentiality

Access to Data shall be confined to those with appropriate authority.

Integrity

Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.

Availability

Information shall be available and delivered to the right person, at the time when it is needed.

1.3 Objectives

The objectives of this policy are to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by Treat Marketing Ltd. by:

  • Ensuring that all members of staff are aware of their roles, responsibilities and accountability and fully comply with the relevant legislation as described in this and other Information Governance policies.

  • Working with email processing providers to comply with processes and systems relating to information security.

  • Describing the principles of security and explaining how they are implemented in the organisation. Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.

  • Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day to day business.

  • Protecting information assets under the control of the organisation.

2 Scope

Staff of the following Treat Marketing Ltd. areas are within the scope of this document:

  • Staff working in or on behalf of Treat Marketing Ltd. (this includes contractors, temporary staff, embedded staff, secondees and all permanent employees).

3 Roles and Responsibilities

3.1 Director

The Director is responsible for information risk within Treat Marketing Ltd. and advises the Board on the effectiveness of information risk management across the Organisation.

3.2 Data Protection Officer (DPO)

Treat Marketing Ltd. is required to appoint a Data Protection Officer by the General Data Protection Regulation (GDPR). The Information Governance Policy establishes this role. The DPO is responsible for providing advice, monitoring compliance, and is the first point of contact in the organisation for data protection matters. The DPO is the Director and is directly responsible for data protection matters.

3.3 All Staff

All staff are responsible for information security and therefore must understand and comply with this policy and associated guidance. Failure to do so may result in disciplinary action. In particular all staff should undertake their mandatory annual Data Security Awareness training and understand:

  • What information they are using, how it should be protectively handled, stored and transferred.

  • What procedures, standards and protocols exist for the sharing of information with others.

  • How to report a suspected breach of information security within the organisation.

  • Their responsibility for raising any information security concerns with the Head of Corporate ICT Technology & Security.

Contracts with external contractors that allow access to the organisation’s information systems must be in operation before access is allowed. These contracts must ensure that the staff or sub-contractors of the external organisation comply with all appropriate security policies.

4 Policy Framework

4.1 Contracts of Employment

Staff security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain an appropriate confidentiality clause.

Information security expectations of staff shall be included within appropriate job definitions and descriptions.

4.2 Access Controls

Access to information shall be restricted to users who have an authorised business need to access the information and as approved by the relevant Information Asset Owner (IAO).

4.3 Computer Access Controls

Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need, e.g. systems or database administrators. Authorisation to use an application shall depend on the availability of a licence from the supplier.

4.4 Application Access Controls

The access controls set out in section 4.3 apply equally to applications.

4.5 Equipment Security

In order to minimise loss of, or damage to, all assets, the Corporate ICT Team shall ensure that all electronic equipment and assets are identified, registered and physically protected from threats and environmental hazards.

4.6 Computer and Network Procedures

Management of computers and networks shall be controlled through standard documented procedures. This will also require agreed systems and processes with third party vendors working for and on behalf of Treat Marketing Ltd.

4.7 Information Risk Assessment

All information assets will be identified and assigned an Information Asset Owner (IAO). IAOs shall ensure that information risk assessments are performed at least annually, following guidance from the Senior Information Risk Owner (Director). IAOs shall submit the risk assessment results and associated mitigation plans to the Director for review. Please see the Information Risk Procedures for further information.

4.8 Information Security Events and Weaknesses

All Treat Marketing Ltd. information security events, near misses, and suspected weaknesses are to be reported to the Director or designated deputy and where appropriate reported as an Adverse Incident. All adverse incidents shall be reported to the Treat Marketing Ltd. DPO. The Information Security Incident Reporting procedures must be complied with.

4.9 Classification of Sensitive Information

Treat Marketing Ltd. shall implement appropriate information classification controls, based upon the results of formal risk assessment and guidance contained within the Data Security and Protection (DSP) Toolkit, to secure its information assets. Further details of the classification controls can be found in the Records Management Policy.

4.10 Protection from Malicious Software

The organisation and its Corporate ICT service providers shall use software countermeasures and management procedures to protect the organisation against the threat of malicious software. All staff shall be expected to co-operate fully with this policy.

Users shall not install software on the organisation’s property without permission from the Corporate ICT Senior Manager or Head of Corporate ICT Technology & Security. Users breaching this requirement may be subject to disciplinary action.

4.11 Removable Media

Corporate IT systems automatically encrypt removable media. Removable media that contain software require the approval of the Corporate ICT Senior Manager or Head of Corporate ICT Technology & Security before they may be used on Treat Marketing Ltd. systems. Users breaching this requirement may be subject to disciplinary action.

4.12 Monitoring System Access and Use

An audit trail of system access and staff data use shall be maintained and reviewed on a regular basis. Treat Marketing Ltd. will put in place routines to regularly audit compliance with this and other policies. In addition it reserves the right to monitor activity where it suspects that there has been a breach of policy. The Regulation of Investigatory Powers Act (2000) permits monitoring and recording of employees’ electronic communications (including telephone communications) for the following reasons:

  • Establishing the existence of facts

  • Investigating or detecting unauthorised use of the system

  • Preventing or detecting crime

  • Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system (quality control and training)

  • In the interests of national security

  • Ascertaining compliance with regulatory or self-regulatory practices or procedures

  • Ensuring the effective operation of the system.

Any monitoring will be undertaken in accordance with the above act and the Human Rights Act and any other applicable law.

4.13 Accreditation of Information Systems

The organisation shall ensure that all new information systems, applications and networks include a System Level Security Policy (SLSP) and are approved by the Head of Corporate ICT Technology & Security and/or Corporate ICT Senior Manager before they commence operation.

4.14 Business Continuity and Disaster Recovery Plans

The organisation will implement a business continuity management system (BCMS) that will be aligned to the international standard of best practice.

Business Impact Analysis will be undertaken in all areas of the organisation. Business continuity plans will be put into place to ensure the continuity of prioritised activities in the event of a significant or major incident.

The Director has a responsibility to ensure that appropriate disaster recovery plans are in place for all priority applications, systems and networks and that these plans are reviewed and tested on a regular basis.

4.15 Training & Awareness

Data Security and Protection training is mandatory and all staff are required to complete annual on-line Data Security Awareness training.

All Treat Marketing Ltd. staff are required to read the Information Governance user handbook and accept the declaration.

4.16 IG requirements for New Processes, Services, Information Systems and Assets

The IG requirements for New Processes, Services, Information Systems and Assets procedure must be complied with when:

  • A new process is to be established that involves processing of personal data (data relating to individuals);

  • Changes are to be made to an existing process that involves the processing of personal data;

  • Procuring a new information system which processes personal data, or the licensing of a third-party system that hosts and/or processes personal data;

  • Introducing any new technology that uses or processes personal data in any way.

5 Distribution and Implementation

5.1 Training Plan

A training needs analysis will be undertaken with Staff affected by this document.

Based on the findings of that analysis appropriate training will be provided to Staff as necessary.

6 Monitoring

Compliance with the policies and procedures laid down in this document will be monitored, revised and updated on a 3-yearly basis or sooner if the need arises.

7 Equality Impact Assessment

This document forms part of Treat Marketing Ltd.’s commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities.

As part of its development this document and its impact on equality has been analysed and no detriment identified.

8 Associated Documentation

9 References – legislation

  • The Data Protection Act (2018)

  • The General Data Protection Regulation

  • The Copyright, Designs and Patents Act (1988)

  • The Computer Misuse Act (1990)

  • The Health and Safety at Work Act (1974)

  • Human Rights Act (1998)

  • Regulation of Investigatory Powers Act (2000)

  • Freedom of Information Act (2000)

Treat Marketing Ltd. 2022

First published May 2022