1.1.1 Satsafe Limited (The Company) is a private limited company registered in England and Wales no.: 08415883, with information processing as a fundamental part of its business. It is therefore necessary for the Company to have a clear and relevant Information Security Policy allowing it to comply with information legislation.
1.1.2 The purpose of the Company’s Information Security policy is to protect all information assets to a consistently high standard. The policy covers security which can be applied through technology but perhaps more crucially; it encompasses the behaviour of the people who manage information in the course of carrying out their duties in the line of the business.
1.1.3 Information security is primarily about people but is facilitated by the appropriate use of technology. The business benefits of this policy and associated guidance are:
- Assurance that information is being managed securely and in a consistent and corporate way.
- Assurance that the Company is providing a secure and trusted environment for the management of information used in delivering its business.
- Clarity over the personal responsibilities around information security expected of staff when working on Company business.
- A strengthened position in the event of any legal action that may be taken against the Company (assuming the proper application of the policy and compliance with it).
- Demonstration of best practice in information security.
- Assurance that information is accessible only to those authorised to have access.
- Assurance that risks are identified and appropriate controls are implemented and documented.
1.2.1 The aim of the Company’s Information Security Policy is to preserve:
- Confidentiality – Access to Data shall be confined to those with appropriate authority.
- Integrity – Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
- Availability – Information shall be available and delivered to the right person, at the time when it is needed.
1.3.1 The objectives of this policy are to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by the Company by:
- Ensuring that all members of staff are aware of their roles, responsibilities and accountability and fully comply with the relevant legislation as described in this and other Information Governance policies.
- Working with others who share a common supply partner, to develop collaborative approaches, systems and processes relating to information security.
- Describing the principles of security and explaining how they shall be implemented in the Company.
- Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.
- Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day to day business.
- Protecting information assets under the control of the Company.
2.1 All Company Staff, employees, Directors and consultants are within the scope of this document including staff working in or on behalf of the Company (this includes sub-contractors, temporary staff and all permanent employees).
3. Roles and Responsibilities
3.1 Chief Executive
3.1.1 Information Security is everyone’s business although responsibility resides ultimately with the Chief Executive but this responsibility is discharged through the designated roles of Senior Management and employees under their direct, day to day control. The CEO is the Senior Information Risk Officer (SIRO) for Satsafe.
3.2 Senior Managers
3.2.1 Senior Managers shall be individually responsible for the security of their physical environment where information is processed or stored. Furthermore, they are responsible for:
- Ensuring that all staff, permanent, temporary and contractor, are aware of the information the information security policies, procedures and user obligations applicable to their area of work.
- Ensuring that all staff, permanent, temporary and contractor, are aware of their personal responsibilities for information security.
- Determining the level of access to be granted to specific individuals.
- Ensuring staff have appropriate training for the systems they are using.
- Ensuring staff know how to access advice on information security matters.
3.3 Information Security Officer (ISO)
3.3.1 The role of ISO will fall under the day to day responsibilities of the Operations Director.
3.3.2 The Information Security Officer shall:
- Have lead responsibility for information security management within the Company acting as a central point of contact on information security for both staff and external organisations.
- Manage and implement this policy and related procedures.
- Monitor potential and actual security breaches.
- Ensure that staff are aware of their responsibilities and accountability for information security.
- Ensure compliance with relevant legislation and regulations.
3.3.3 In carrying out these tasks the Information Security Officer will work closely with the CIO. The role of designated Information Security Officer is undertaken by the Operations Director supported by all Senior Managers and other staff members of the Company.
3.4.1 All staff are responsible for information security and therefore must understand and comply with this policy and associated guidance. Failure to do so may result in disciplinary action. In particular all staff should understand:
- What information they are using, how it should be protectively handled, stored and transferred.
- What procedures, standards and protocols exist for the sharing of information with others.
- How to report a suspected beach of information security within the organisation.
- Their responsibility for raising any information security concerns with the Information Security Officer.
3.4.2 Contracts with external contractors that allow access to the organisation’s information systems must be in operation before access is allowed. These contracts must ensure that the staff or sub-contractors of the external organisation comply with all appropriate security policies.
4. Policy Framework
4.1 Contracts of Employment
4.1.1 Staff security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain an appropriate confidentiality clause.
4.1.2 Information security expectations of staff shall be included within appropriate job definitions.
4.2 Security Control of Assets
4.2.1 Satsafe Limited will establish an ICT asset management process and associated system, this will involve support and collaboration from the sub-contractor where applicable.
4.2.2 All ICT assets, (hardware, software, application or data) shall have a named Information Asset Owner (IAO) who shall be responsible for the information security of that asset.
4.3 Access Controls
4.3.1 Access to information shall be restricted to users who have an authorised business need to access the information and as approved by the relevant IAO.
4.4 Computer Access Controls
4.4.1 Access to ICT facilities shall be restricted to authorised users who have business need to use the facilities.
4.5 Application Access Controls
4.5.1 Access to data, system utilities and program source libraries shall be controlled and to those authorised users who have a legitimate business need e.g. systems or database administrators. Authorisation to use an application shall depend on the availability of a license from the supplier.
4.6 Equipment Security
4.6.1 In order to minimise loss of, or damage to, all assets, equipment shall be; identified, registered and physically protected from threats and environmental hazards.
4.7 Computer and Network Procedures
4.7.1 Management of computers and networks shall be controlled through standard documented procedures. This will also require agreed systems and processes with third party vendors working for and on behalf of Satsafe Limited
4.8 Information Risk Assessment
4.8.1 All information assets will be identified and assigned an Information Asset Owner (IAO). IAO’s shall ensure that information risks assessments are performed at least annually, following guidance form the Senior Information Risk Owner (SIRO). This should be increased to quarterly for all ‘major’ assets. IAO’s shall submit the risk assessment results and associated mitigation plans to the SIRO for review. Please see the Information Risk Procedures for further information.
4.9 Information Security Events and Weaknesses
4.9.1 All Satsafe Limited information security events, near misses,and suspected weaknesses are to be reported to the Information Security Officer or designated deputy and where appropriate reported as an Adverse Incident. Please see the security incident reporting procedures for further information.
4.10 Classification of Sensitive Information
4.10.1 Satsafe Limited shall implement appropriate information classifications controls, based upon the results of formal risk assessment and guidance contained within the IG Toolkit to secure their information assets. Further details of the classifications controls can be found in the Records Management Policy.
4.11 Protection from Malicious Software
4.11.1 The organisation and its Corporate ICT service providers shall use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to cooperate fully with this policy. Users shall not install software on the organisation’s property without permission from their Senior Manager or Information Security Officer. Users breaching this requirement may be subject to disciplinary action.
4.12 Removable Media
4.12.1 Corporate IT systems automatically encrypt removable media. Removable media that contain software require the approval of the Company’s ICT Senior Manager or Information Security Officer before they may be used on Satsafe Limited systems. Users breaching this requirement may be subject to disciplinary action.
4.13 Monitoring System Access and Use
4.13.1 An audit trail of system access and staff data use shall be maintained and reviewed on a regular basis. Satsafe Limited will put in place routines to regularly audit compliance with this and other policies. In addition it reserves the right to monitor activity where it suspects that there has been a breach of policy. The Regulation of Investigatory Powers Act (2000) permits monitoring and recording of employees’ electronic communications (including telephone communications) for the following reasons:
- Establishing the existence of facts.
- Investigating or detecting unauthorised use of the system.
- Preventing or detecting crime.
- Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system (quality control and training).
- In the interests of national security.
- Ascertaining compliance with regulatory or self-regulatory practices or procedures.
- Ensuring the effective operation of the system.
4.13.2 Any monitoring will be undertaken in accordance with the above act and the Human Rights Act and any other applicable law.
4.14 Accreditation of Information Systems
4.14.1 The organisation shall ensure that all new information systems, applications and networks include a System Level Security Policy (SLSP) and are approved by the Information Security Officer and/or Senior Manager before they commence operation.
4.15 System Change Control
4.15.1 Changes to information systems, applications or networks shall be reviewed and approved by the Information Security Officer.
4.16 Business Continuity and Disaster Recovery Plans
4.16.1 The Company will implement a Business Continuity Management System (BCMS) that will be aligned to the international standard of best practice (ISO 22301:2012 – Societal security – Business continuity management systems – Requirements)
4.16.2 Business Impact Analysis will be undertaken in all areas of the organisation. Business continuity plans will be put into place to ensure the continuity of prioritised activities in the event of a significant or major incident.
4.16.3 The SIRO has a responsibility to ensure that appropriate disaster recovery plans are in place for all priority applications, systems and networks and that these plans are reviewed and tested on a regular basis.
4.17 Training & Awareness
4.17.1 Information Governance training is mandatory and all staff are fully briefed by their line manager as part of the Company’s induction training.
4.17.2 All staff are required to read this Information Governance Policy and accept the declaration.
5. Distribution and Implementation
5.1 Distribution Plan
5.1.1 This document will be made available to all Staff via the Satsafe Limited internet site.
5.1.2 A global notice will be sent to all Staff notifying them of the release of this document.
5.2 Training Plan
5.2.1 A training needs analysis will be undertaken with Staff affected by this document.
5.2.2 Based on the findings of that analysis appropriate training will be provided to Staff as necessary.
6.1 Compliance with the policies and procedures laid down in this document will be monitored via the Information Governance Team, together with independent reviews by both Internal and External Audit on a periodic basis or as required.
6.2 The Head of Corporate Information Governance is responsible for the monitoring, revision and updating of this document on a 3 yearly basis or sooner if the need arises.
7. Equality Impact Assessment
7.1 This document forms part of Satsafe’s commitment to create a positive culture of respect for all staff, clients and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities.
7.2 As part of its development this document and its impact on equality has been analysed and no detriment identified.
Further information and useful contacts:
The Senior Information Risk Owner (SIRO) for Satsafe Limited is:
Stuart Millward — CEO: firstname.lastname@example.org
The Information Governance Team are:
Philip Collins — Technical Director: email@example.com
Lindsey Rhodes – Information Governance Officer: firstname.lastname@example.org
8. Associated Documents
7.1 The following documents will provide additional information:
8.1 All staff members are required to read this and associated policies and procedures documentation and sign the following declaration:
8.2 I have read the above terms and statements and understand and accept my obligations to comply fully in carrying out my duties in the Company. I understand that if I fail to do so, my actions may cause actual and/or reputational risk damage to the Company which may result in disciplinary action being taken against me.