Introduction
This policy document encompasses all aspects of security surrounding confidential information and is distributed to all employees. Employees must read this document in its entirety,
confirming they have read and fully understand its contents. The policy will be reviewed and updated by Company Management annually or when relevant to include newly developed
security standards, and re-distributed where applicable.
It is important that you fully understand this Information Security Policy, our collective and individual responsibilities and the actions we need to take. If you are in any doubt
you should also refer to the guidance of the ICO (Information Commissioner's Office) at https://ico.org.uk/
Information Security Management
Employees of Quadzu Limited are expected to report any security-related issues to Company Management.
Company Management will effectively communicate all security policies and procedures across the organisation and oversee the scheduling of security training sessions,
monitor and enforce the security policies outlined in both this document and at these training sessions and oversee the implementation of the incident response plan in the
event of a sensitive data compromise/breach. The Information Security Management Policy - QUA-POL-0065 is available from the company One Drive share and sets out how we
manage Information Security to the requirements of the BS EN ISO/IEC 27001:2013 standard.
Information Security Policy
Quadzu handles personal information daily, and adequate safeguards must be in place to protect the privacy of that data, ensure compliance with
regulatory bodies and reduce risk to the company. The Information Security Policy is an essential element of the company's infrastructure and compliance, ensuring
business continuity by reducing and/or mitigating the risk and impact of security incidents.
Quadzu Limited commits to respecting the privacy of all personal information and to protecting any personal information provided via third parties. We are committed to
maintaining a secure environment in which to process information so that we can meet these promises.
Information Security Management has three basic components: -
- CONFIDENTIALITY - protecting sensitive information from unauthorised disclosure
- INTEGRITY - safeguarding the accuracy and completeness of information and computer software
- AVAILABILITY - ensuring that information and vital services are available to users when required
Information takes several forms as it is stored on computers, transmitted across networks, held on paper and removable electronic media and is communicated in conversations.
For security purposes all forms of information must be protected.
Systems can be the target of many serious threats including computer based fraud, sabotage, vandalism, theft, virus attack and computer hacking.
The extensive use of Information Technology in organisations presents new opportunities for unauthorised access to systems and information and the responsibility for
protecting systems is shared across all business departments.
In line with General Data Protection Regulations Policy - QUA-POL-0006 employees handling personal information should ensure they: -
- Handle personal information in a manner that fits with its sensitivity and classification;
- Limit personal use of Quadzu Limited equipment and ensure it doesn't interfere with job performance;
- Do not use e-mail, internet and other resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing or illegal;
- Do not disclose personal information unless authorised;
- Keep passwords and accounts secure;
- Request approval prior to establishing any new software, hardware, third party connections, etc.
- Do not install unauthorised software or hardware, including modems and wireless access unless you have explicit approval;
- Always leave desks clear of personal information and lock computer screens when unattended in line with the Clear Desk Policy - QUA-POL-0003;
- Report Information security incidents without delay to Company Management.
Quadzu Limited reserves the right to monitor, access, review, audit, copy, store or delete any electronic communications, equipment, systems and network traffic for any purpose.
We all have a responsibility for ensuring our systems and data are protected from unauthorised access and improper use. If you are unclear about any of the Company's policies you
should seek advice and guidance from Company Management.
Acceptable Use
Quadzu's IT Acceptable Use Policy - QUA-POL-0011 - is not intended to impose restrictions that are contrary to a culture of openness, trust and integrity.
Rather, we are committed to protecting employees and the business from illegal or damaging actions, either knowingly or unknowingly by individuals.
Examples of technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.
Quadzu Limited will maintain an approved list of applications in adherence to the Approved Application Policy - QUA-POL-0070.
Employees are responsible for exercising good judgment regarding the reasonableness of personal use and should take all necessary steps to prevent unauthorised access to sensitive and confidential data which includes any personal information.
Passwords must be kept secure to comply with the Password Policy - QUA-POL-0044 and accounts must not be shared. Authorised users are responsible for the security of their passwords and accounts.
All PCs, laptops and workstations must be secured with a password-protected screensaver with the automatic activation feature and comply with the IT Acceptable Use Policy - QUA-POL-0011.
Users are to be made aware of data security with annual ISO27001 awareness course training. Any suspicious behaviour will be reported and recorded accordingly via Company Management.
Information contained on portable computers is especially vulnerable to external sources and special care should be exercised.
Postings by employees from a @quadzu.com email address to social media and newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of
Quadzu Limited unless posting is in the course of business duties.
Employees must use extreme caution when opening e-mail attachments received from unknown senders, as they may contain viruses, ransomware or other malware.
Protection of Stored Data
All personal information stored and handled by Quadzu Limited and its employees must be securely protected against unauthorised use at all times. Any personal information that is no longer required by Quadzu Limited for
business reasons must be discarded in a secure and irrecoverable manner in line with the Confidential Waste Policy - QUA-POL-0001 and the Information Retention and Disposal Policy - QUA-POL-0009.
Information Classification
Data and media containing data must always be labelled to indicate sensitivity level: -
- CONFIDENTIAL data might include information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, or data that would cause severe damage to Quadzu Limited if disclosed or modified.
- INTERNAL USE data might include information that the data owner feels should be protected to prevent unauthorised disclosure.
- PUBLIC data is information that may be freely disseminated.
Physical Security
Access to sensitive information in both physical ('hard') and electronic ('soft') media format must be physically restricted to prevent unauthorised individuals from obtaining sensitive data.
Media is defined as any printed or handwritten paper, emails, spreadsheets, back-up tapes, computer hard drives, etc. Media containing personal information must be handled and distributed in a secure manner by trusted individuals.
Quadzu has no permanent office premises so it is the responsibility of all staff to ensure that all work related information is secured accordingly in their home offices.
Protection of Data in Transit
All confidential and personal information must be protected securely if it is to be transported physically or electronically. If there is a business justification to send confidential or personal information via
email or by any other mode then it should be done after authorisation and by using a strong encryption mechanism in adherence to the Data Transfer Policy - QUA-POL-0073.
The transportation of media containing confidential or personal information to another location must be authorised by management and logged before leaving the premises.
Only secure courier services may be used for the transportation of such media. The status of the shipment should be monitored until it has been delivered to its new location.
Disposal of Stored Data
All data must be securely disposed of when no longer required by Quadzu Limited, regardless of the media or application type on which it is stored in line with the Information Retention and
Disposal Policy - QUA-POL-0009 and the Confidential Waste Policy - QUA-POL-0001.
Incident Response Plan
All employees and contractors must be aware of the procedure for reporting the different types of incident - security breach, threat, weakness or malfunction - that might have an impact on the security of the data or assets.
They must also report any observed or suspected incidents as quickly as possible to Company Management using the established procedures. The Data Breach Policy - QUA-POL-0002 identifies the process that must be followed if such an incident occurs.
By being security aware at all times all employees and other individuals can contribute to the security of the information held by the company, which is an important part of Information Risk Management.
Should an incident occur, by promptly following procedures listed in the Data Breach Policy - QUA-POL-0002, employees can minimise the potential impact of the security incident on both the company and themselves.
In the event of a suspected security breach, alert Company Management immediately who will carry out an initial investigation of the suspected security breach. Upon confirmation that a security breach has occurred,
Company Management will begin informing all relevant parties that may be affected by the compromise.
Network Security
Quadzu does not utilise any physical or virtual networking infrastructure and has no responsibility for the maintenance of such infrastructure. All data is stored in cloud-based hosted solutions and the responsibility for the
security of the networks where this data is held sits with the service provider.
System Configuration
All users, including contractors and vendors with access to Quadzu Limited systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords in conjunction with the Quadzu Limited
Password Policy.
All passwords must be changed at the time the account is provisioned on the relevant Quadzu system/application.
All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed on at least a quarterly basis.
All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed in accordance with the Password Policy - QUA-POL-0044.
Third Party Security
All third-party companies providing critical services must: -
- Provide an agreed Service Level Agreement
- Comply with the Access Control Policy - QUA-POL-0063.
- Have appropriate provisions for business continuity in the event of a major disruption, disaster or failure.
- Provide full cooperation and access to conduct a thorough security review after a security/data breach.
User Access Management
Access to the Company's IT systems is controlled as part of the Starters and Leavers Procedure - QUA-PRO-0005.
Each user is identified by a unique user ID and/or email address so that users can be linked to and made responsible for their actions. The use of group IDs is only permitted where they are suitable for the work carried out.
There is a standard level of access for all employees and other services can be requested and approved via Company Management.
As soon as an individual leaves the Company's employment, all system accounts will be immediately disabled as part of the leaver process.
The Leaver Checklist - QUA-CHE-0002 identifies the steps that must be followed when an employee leaves the business.
Access Control Policy
Access Control systems are in place to protect the interests of all users of the company's computer systems by providing a safe, secure and readily accessible environment in which to work.
All employees and other users will be provided with the information they need to carry out their responsibilities in as effective and efficient a manner as possible. Generic or group IDs shall
not normally be permitted, but may be granted under exceptional circumstances if sufficient other controls on access are in place.
The allocation of privilege rights (e.g. local administrator, super-user, root access) shall be restricted and controlled, and authorisation provided by Company Management.
Access rights will be accorded following the principles of least privilege and need to know.
Every user should attempt to maintain the security of data at its classified level even if technical security mechanisms fail or are absent.
Users electing to place information on digital media or storage devices or maintaining a separate database must only do so where such an action is in accord with the data's classification.
Users are obligated to report instances of non-compliance to Company Management.
Access to systems and services will be given through the provision of a unique account and no access to any IT resources and services will be provided without prior authentication to a company device and system.
Password issuing, strength requirements, changing frequency and control will be managed in adherence with the Password Policy - QUA-POL-0044.
Access to Confidential, Restricted and Protected information will be limited to authorised persons whose job responsibilities require it, as determined by the data owner or their
designated representative. Requests for access permission to be granted, changed or revoked must be made to Company Management.
Users are expected to become familiar with and abide by company policies, standards and guidelines for appropriate and acceptable usage of the networks and systems.
Access for remote users shall be subject to authorisation by Company Management and be provided in accordance with the Access Control Policy - QUA-POL-0063 and this
Information Security Policy. No uncontrolled external access shall be permitted to any company device or system.
Access to data is variously and appropriately controlled according to the levels described in the Information Security Management Policy - QUA-POL-0065. Access control methods include logon
access rights, user account privileges, server and workstation access rights, IIS intranet/extranet authentication rights, SQL database rights and other methods as necessary.
A formal process shall be conducted at regular intervals by system owners and data owners in conjunction with Company Management to review users' access rights. Findings will be recorded in the Access
Review Register - QUA-REG-0004 and Company Management shall sign off the register following the review to give authority for users' continued access rights.
Training
Information Security must be included as part of the training process for all new starters and the ISO27001 Introduction Presentation - QUA-PRE-0001 is included in the Starter Checklist - QUA-CHE-0001.
All other IT Security related policies and the process for dealing with requests as applicable under data protection regulations must be covered as part of the company induction. To ensure the integrity of all
data, staff should receive training on any application that they would be required to access and any software package they will be required to use in line with the IT Acceptable Use Policy - QUA-POL-0011.
Compliance & Audit
Quadzu Limited has a responsibility under vendor licensing contracts to ensure all products are used within their respective terms and conditions:
- All software installed on Quadzu systems must be purchased through and installed in accordance with normal procurement policies and in adherence to the Approved Application Policy - QUA-POL-0070.
- Under no circumstances should personal or unsolicited software be loaded onto a company owned device.
- All software is required to have a licence and the organisation will not condone the use of any software that does not have a licence.
- Unauthorised changes to software must not be made and users must not attempt to disable or reconfigure security software.
- Users are not permitted to bring software from home (or any other external source) and load it onto company owned devices.
- Unauthorised use and illegal reproduction of software is subject to civil damages and criminal penalties.
- All systems and data access will be audited to comply with BS EN ISO/IEC 27001:2013 standards.
Data Retention & Disposal
In order to comply with records management best practice together with data protection legislation, information should not be kept any longer than necessary. This period of time can usually be defined as "once it is no longer needed",
but in practice this definition must be applied with regard to regulatory compliance requirements and HMRC obligations.
The Information Retention and Disposal Policy - QUA-POL-0009 identifies retention schedules and the ways in which different types of data should be disposed of.
Business Continuity
The Business Continuity Policy - QUA-POL-0076 sets out in detail how the organisation approaches the recovery of key systems in the event that they become unavailable.
The policy sets out the organisation's attitude to managing this risk and establishes the priority with which systems will be re-enabled.