Information Security Policy
===========================

Purpose
-------

This document sets the policy by which Authentic Digital Limited ("the company" or "the organisation") will protect the company's and all associated clients' information assets [1]_ from all threats, whether internal or external, deliberate or accidental, in order to ensure business continuity, minimise business damage and maximise return on investments and business opportunities.

Policy
------

- The company directors have approved the Information Security Policy.
- This policy will be reviewed every year and updated, as applicable, to ensure that it remains appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.
- It is the policy of Authentic Digital to ensure that:

  - Information will be protected from a loss of confidentiality [2]_, integrity [3]_ and availability [4]_.
  - Confidential or Restricted information shall only be imported to, or taken for use away from, the organisation in an encrypted form.
  - All information of a Confidential or Restricted nature is to be shredded or similarly destroyed when no longer required. The relevant information owner must authorise this destruction.
  - All users have one or more unique identifiers (user IDs) for their personal and sole use when accessing any of the organisation's information services. A user ID must not be used by anyone else, and the associated passwords shall not be shared with any other person for any reason whatsoever.
  - Regulatory and legislative requirements will be met [5]_.
  - Business continuity plans will be produced, maintained and tested.
  - Information security training will be available to all staff.
  - All breaches of information security, actual or suspected, will be reported to, and investigated by, a company director.
  - Guidance and procedures will be produced to support this policy. These will include, as applicable, incident handling, information backup, system access, virus controls, passwords and encryption. [6]_
  - Controls are implemented to ensure that electronic messaging is suitably protected. Email is appropriately protected from unauthorised use and access.

Responsibilities
----------------

- The designated owner of the Information Security Policy, James Webster, has direct responsibility for maintaining and reviewing the Information Security Policy. The role and responsibility of the designated owner of the policy is to manage information security and to provide advice and guidance on implementation of the Information Security Policy.
- All directors are directly responsible for implementing the Information Security Policy within their business areas.
- It is the responsibility of each employee to adhere to the Information Security Policy and any applicable laws. Where appropriate, compliance will be monitored; failure to comply will be dealt with under the appropriate disciplinary procedure.
- All third party suppliers who are given access to the organisation's information systems must agree to follow the organisation's information handling, retention and security policies. A copy of the information security policies, and of the third party's role in ensuring compliance, will be provided to any such third party prior to their being granted access.
- The organisation will assess the risk to its information and, where deemed appropriate because of the confidentiality, sensitivity or value of the information being disclosed or made accessible, will require external suppliers of services to sign a confidentiality agreement to protect its information assets.

Review Dates
^^^^^^^^^^^^

2020-05 - merge of Croftsware and Authentic Policies

Footnotes
^^^^^^^^^

.. [1] Information takes many forms and includes data printed or written on paper, stored electronically, transmitted by post or by electronic means, stored on tape or video, or spoken in conversation.
.. [2] Confidentiality: ensuring that information is accessible only to authorised individuals.
.. [3] Integrity: safeguarding the accuracy and completeness of information and processing methods.
.. [4] Availability: ensuring that authorised users have access to relevant information when required.
.. [5] This includes the requirements of legislation such as the Companies Act, the Data Protection Act, the Computer Misuse Act and the Copyright, Designs and Patents Act.
.. [6] The IT Operations Manual provides detailed guidance and procedures to support this high-level policy.