Information Security and Privacy Policy
Mission
We are committed to pursuing excellence while delivering services within a secure environment, protecting our customers and our own information assets and continually improving information security within our organisation to minimise exposure to risks.
Purpose
The purpose of this policy is to establish a general approach to information security and privacy to detect and prevent the compromise of information such as misuse of data, networks, computer systems and applications, and to protect the reputation of the company with respect to its ethical and legal responsibilities.
Scope
This policy applies to all employees, contractors, customers, visitors, and to all data held or processed by us, including programs, systems, facilities and technical infrastructure.
Policy
Our approach is dynamic and includes a commitment to continual improvement through a process of incident reporting, risk assessment and regular audits. It complements our established Information Security, Privacy and Quality Management System and provides a framework for establishing and reviewing security objectives. An appointed board member acts as executive sponsor for information security, supporting and ensuring the effective implementation of an information security system across the business as a priority.
It is therefore our policy to:
- Maintain an information security management system and control its information assets appropriately.
- Have clearly defined Information Security and Privacy Objectives to ensure that desired results are achieved.
- Maintain a list of Interested Parties to ensure that the requirements and expectations of all interested parties, in relation to Information Security, are met.
- Manage and maintain a Data Inventory for all information assets we hold and/or process.
- All items with a value of £100.00 or above will be asset tagged and logged in the Asset Register. This excludes the furniture provided to staff for home working, as it is not considered office property and employees are not required to return it upon leaving cT.
- Make information available to authorised Business Processes and employees, when required.
- Ensure confidentiality and protection of all information (however stored) against unauthorised access by implementing document/information classification, access control, conducting daily external vulnerability scans and regular review of infrastructure threats.
- Ensure integrity by safeguarding the accuracy and completeness of information and processing methods, and availability by ensuring that authorised users have access to information and associated assets as required to perform their duties.
- Implement human, organisational, technological and security controls to protect our information assets from unauthorised access, leakage, modification, theft/loss, denial of service attacks, or any other threat, including those expected and required by privacy regulations (and listed in our Privacy Policy).
- Conduct continuous risk assessments to ensure that risks to information in our care are minimised or eliminated. These assessments include the evaluation, mitigation and treatment of the identified risks and are maintained using a Risk Register and Statement of Applicability, which are reviewed and updated (where necessary) by the Governance team on a bi-weekly basis.
- Conduct Pre-Employment Vetting and Screening for all staff to ensure a consistent, fair and efficient recruitment process to maintain our reputation and reduce the risk of business disruption or financial losses.
- Provide regular information security training for all employees, including the publication and training on a Secure System Engineering Policy.
- Conduct annual privacy and security audits to continually improve information security within the business by assessing the effectiveness of processes and controls in place as well as to ensure that opportunities for improvement are identified, acted upon and monitored by the Governance team.
- Ensure that all information security and privacy breaches, actual or suspected, are reported to and investigated by DevOps (with supervision by our Information Security Manager and Data Privacy & Protection Officer) to rapidly locate the root cause, take the necessary actions to keep the damage to a minimum and prevent recurrence where an incident poses a threat to information assets.
- Produce Business Continuity Plans for business activities that are regularly maintained and tested (where appropriate).
- Conduct Supplier Assessments to assess, evaluate and ensure that adequate privacy and security controls and safeguards are in place to ensure privacy and security of data.
- Comply with the laws and regulations as well as the national guidelines, the social standards and norms related to information security.
- Comply with the requirements of an internationally recognised information security management system and communicate this policy statement to our customers, on request.
- Take Disciplinary Action against an employee if they are in breach of this policy.
Supporting policies have been developed to strengthen and reinforce this policy statement and are published on the Do The Right Thing SharePoint Site as part of the Staff Handbook. All employees are required to familiarise themselves with these supporting documents and to adhere to them in our working environment. The Information Security Officer in partnership with the Kerv Governance Operations team is responsible for implementation, monitoring and communicating the company’s Information Security Policy and making sure it is understood at all levels.
Responsibilities of the Information Security Manager
Our Information Security Manager is responsible for all access policies and documentation, audit trails, event reporting and ensuring compliance through adequate training programs. The role is required to support periodic security audits both internal and external to ensure that all required evidence has been captured, and that information is accurate and complete.
Our Information Security Manager (assisted by the Kerv Governance Operations team to either fulfil or maintain oversight of the listed tasks) is responsible for:
- Providing advice to senior management and staff on all security matters.
- Managing and maintaining oversight of training and our awareness plan for information security.
- Managing the development, adoption and enforcement of Information Security policies and procedures.
- Assisting Incident Managers to resolve all security incidents and addressing all security issues that cause incidents.
- Supporting HR and Legal through disciplinary actions against employees who caused security and personal data breaches.
- Ensuring the Risk Register is reviewed regularly, notifying senior management about risks where appropriate.
- Evaluating and recommending new information security technologies and countermeasures against threats to information or privacy.
- Ensuring we maintain an inventory of all information assets (Data Inventory and Asset Register).
- Preparing a budget and specifying the other resources required for protecting information.
- Ensuring (in partnership with the Kerv Governance Operations team) the implementation, monitoring and communication of the company’s Information Security Policy, and making sure it is understood at all levels.
Responsibility
The Chief Information Security Officer, supported by the Governance Team, is responsible for this policy and its implementation. We commit to providing the relevant resources, to reviewing this policy annually and to communicating it within the organisation and to external interested parties.
Legal Responsibilities
The UK government mandates several statutory obligations regarding information security. This policy therefore actively complies with and supports:
- GDPR
- Data Protection Act
- Computer Misuse Act
- NIS
External Assurance
We appoint independent external auditors to assess and confirm our compliance with ISO 27001, 27701 and 9001 standards on an annual basis.