DefinitionInformation security shall be defined as the following:
- Preservation of confidentiality,
- Protecting information from unauthorised access and disclosure,
- Data and systems integrity,
- Safeguarding the accuracy, completeness and availability of information and processing methods and
- Ensuring that information and associated services are available to authorised users when required.
Security and protection are required for all forms of information to ensure business continuity and to comply with statutory and contractual obligations.
PS&P attaches great importance on information security to ensure that it meets its basic components as outlined within the definition of this policy statement.
Information can be stored on computers, computer media (e.g. tapes, diskettes etc.), transmitted across networks, printed out or written down on paper. Appropriate security protection shall therefore be applied to all types of information media, including databases, disks/diskettes, tapes, optical media, paper, films, slides, models, conversations, and any other methods used to convey information.
The framework outlined within this policy is designed to ensure that computer equipment (hardware), software, systems and data are maintained in a secure, controlled environment.
Security of computer equipment includes all servers, networks, personal computers, portable computers, modems, printers and scanners in use throughout the company.
The attention of all management and staff is drawn to the company’s Code of Practice for Use of E-mail and the Internet, which should be read in conjunction with this document.
Information security shall be the responsibility of all employees of the Company and they shall be expected to observe and comply with all relevant policies and procedures established by the Company to ensure its obligations are met.
This Policy is the responsibility of the Board of Directors with implementation being managed through the Company Secretary and other designated personnel with information security responsibilities.
PS&P holds and processes information about employees, debtors and other data subjects for debt collection purposes. All employees and other authorised users of the data that process or use personal information shall comply with the Data Protection Principles defined within the Data Protection Act 1998 and set out within the Company’s Code of Practice – Data Protection.
Computer Equipment - Hardware
All managers and staff shall be responsible for computer equipment under their control to ensure its proper use. The Board of Directors shall be responsible for all IS/IT/IC procurement within the company.
The use of equipment for purposes not directly connected with company business is forbidden, except with the express written permission of a director.
Wherever reasonably practicable, computer servers shall be secured in the server farms at either London or Bolton and protected from fire, smoke, water, dust, vibration, electrical interference and protected from power failures where possible. An uninterruptible power supply (UPS) must be available for all computer servers.
Critical or sensitive data that is handled by computer systems outside of secure areas shall receive levels of protection necessary to ensure integrity and confidentiality.
All computer equipment moves, whether within the same office or to a different location, shall be authorized in advance by a director of the company who will ensure the inventory database is amended to reflect any moves and changes.
Any laptop computer used outside the company’s premises must be safeguarded against theft, damage or accidental data disclosure.
Food and drink shall be kept well away from equipment.
Personal computers may be linked to the company’s Computer Network only with the prior approval of a Company Director.
No telecommunication links, whether dedicated or otherwise, are to be established between any of the company’s computer equipment and any computer equipment outside the company, except with the prior authority of a Company Director.
All communications equipment including cabinets containing hubs, switches and routers and all voice and data points shall not be interfered with by any unauthorised person. Any equipment that requires connection to the company’s infrastructure shall require he prior approval of a Company Director.
Computer Systems – Software and Data
Care should be taken to ensure that no unauthorised or unlicensed software is loaded onto any computer. Public domain, private software, computer games, free and/or sales software shall never be loaded onto any of the company’s machines. All media containing any other files must be put through an approved Company VIRUS Checker prior to installation.
All servers shall run daily backups protecting data stored in application areas and shared work areas. No Company data shall be stored on individual desktops or diskettes or other portable storage devices without the prior approval of a Company Director.
Data backups shall be taken and removed to a remote storage site on a daily basis.
All computer software, systems and data developed for the company are to be used only for the purposes of the company, unless prior approval is expressly given by a Company Director.
All databases created within the company shall be generated using approved and fully licensed software packages and must be recorded with the Company Administration Manager prior to use.
Deliberately crashing or attempting to crash an information system shall be prohibited and shall be considered to be an act of gross misconduct. Deliberate unauthorised attempts at gaining access to, copying of, destruction of, alteration to or interference with computer systems or data shall be prohibited and may also be considered as an act of gross misconduct.
Security of data held or controlled by a user is the responsibility of that user. Unauthorised disclosure of information from computer input or output is prohibited and a breach of this provision shall be considered to be an act of gross misconduct. Employees shall not leave their computer screens unattended, whilst displaying confidential information.
Information shall be made available to authorised personnel only for authorised purposes. It shall be the responsibility of senior managers to ensure that appropriate and reasonable precautions are taken to guard against unauthorised disclosure and access.
Connections to systems may be automatically deactivated (timed-out) after a period of disuse. Management shall determine and implement the appropriate deactivation time for the application/session concerned.
Computer media shall be disposed of safely and securely when dealing with sensitive or confidential data and in accordance with any Company retention and disposal policy in place.
It shall be the responsibility of each individual user to ensure that waste computer printed output is disposed of securely and with due regard to its sensitivity. Confidential output must be either shredded or placed in a designated receptacle for secure and proper disposal.
The telephone is not a secure means of communication. Caution must therefore be exercised when discussing sensitive matters. Sensitive data shall not be released unless and until the caller’s identity has been satisfactorily established. Care shall be taken to authenticate the identity of the caller before information is imparted. If there is any possibility that the company’s position, or that of its clients, could be compromised, the request for information must be refused. Similar care should be taken with voice messaging services. Whenever in doubt, staff should contact their line manager for guidance.
Confidential data shall not be sent to an unattended facsimile machine.
Only authorised users shall be given access to data held on computer systems and commensurate with the levels of access required for specified jobs or roles. Authorised users shall be responsible and accountable for their actions.
Managers have a responsibility to notify the Administration Manager the names of any new starters and all persons leaving the company, or moving between departments/locations.
Managers are responsible for ensuring that security is not compromised when staff in their supervision change jobs or leave the company. It is their responsibility to scrutinise user privileges, ensure all access rights, passwords known to an individual are amended where appropriate, and when an employee leaves the company, that access is revoked with immediate effect.
In respect of the company’s computer network and information systems the Administration Manager will facilitate a request to set up user id's/profiles/access rights for any authorised user. All users are required to enter their own personal passwords, when issued with user IDs for IT systems. Users are required to change their passwords when prompted by the system.
A password is the personal property and responsibility of the individual to whom it is issued. A user must not divulge password information to any other person, or use any password or personal computer that has been signed on by another user.
Personal Computers shall be closed down in a controlled manner at the end of each working day and must never be left unattended when signed onto any system.
PS&P computer suites are defined as Security Area's and include Croydon Server Room and Bolton Server Room. Only those persons authorised by the Administration Manager or a Company Director shall be allowed access to these areas. All visitors must conform to the formal logging procedure for entry and exit.
The transfer of access authorisation, security cards or codes to unauthorised persons is prohibited and shall be considered to be an act of gross misconduct.
Keys for secure areas must be kept safely and not handed to unauthorised persons.
In computer rooms and associated facilities appropriate safety equipment, including heat and smoke detectors, fire alarms, fire extinguishing equipment and air conditioning units, are installed and must be checked regularly and routinely maintained by authorised personnel for that purpose.
Senior Managers shall be responsible for ensuring that any persons leaving the employment of the company return on or before their last working day, all access control equipment (e.g. keys, swipe cards), manuals, equipment, documentation and any other materials belonging to the company to the Administration Manager.
Attention is drawn to the Computer Misuse Act 1990 and the Copyright, Design and Patents Act 1988. Employees shall never copy any programme without first checking that the licence for it permits copying and shall not in any case copy software for non Company purposes. Employees shall not use software that has not been approved by the Company in accordance with this policy nor shall they use Company equipment, hardware, software or infrastructure for any purpose that is not properly authorised Company business.
Violation of Policy
Any violation of this policy must be reported immediately to a Senior Manager or Company Director.
Any deliberate or serious violation of the rules and procedures contained in this document will be investigated in accordance with the company’s Discipline, Appeals & Grievance Policy. Violation of certain matters (those in bold type) will be regarded as deliberate or serious violations, and would generally be considered misconduct and could be regarded as gross misconduct, which would result in dismissal.
Information security training shall be incorporated within new entrants’ induction programme and each new entrant shall be provided with a copy of the information security policy. Changes that may be made to the policy over time shall be communicated to employees in the form of briefing sessions and specific training.
This policy shall be issued to all employees upon either commencement with the company or its update and amendment. Additionally, it shall be included on main notice boards and be made available to company’s clients upon request.
This policy will be reviewed at least annually and as and when appropriate by the Board of Directors. This document may be modified from time to time to respond to changes in operational, organisational or statutory requirements. In addition to the general requirements covered by this statement, additional requirements for specific items of equipment and/or sites may be defined as appropriate.
Employees shall contribute to the Company’s business continuity arrangements to enhance the resilience of the business as an intrinsic part of their role.
For and on behalf of PS&P Limited
23rd May 2018