THESAURUS SOFTWARE LTD.
Internal Information & IT Security Policy
Introduction
This policy has been created in response to increased awareness of the need to protect information.
The Company’s information must be protected from risks that jeopardise its availability, integrity and confidentiality. To reduce the Company’s exposure to risk it is necessary for all staff to be aware of their roles and responsibilities in using the Company’s information and information technology resources.
The term information should be broadly understood to mean both electronic and paper-based information that is used or created in the course of serving our clients or managing our business. It also refers to the IT systems used to create, process, transmit and store the information itself.
This policy should also be read in conjunction with the Data Protection Policy, Email, Internet and Telecommunications Policy and Social Media Policy.
Failure to comply with this policy will likely lead to disciplinary action up to and including dismissal.
Information Security
- Security Standards
Thesaurus Software does not currently hold any accreditation against standards such as ITIL or ISO 27001.
- Two Factor Authentication (2FA)
2FA is currently under review within our organisation, with a view to implementing it wherever possible.
- Network Monitoring
Our networks are regularly penetration tested for any weaknesses or potential breaches.
- Personal Data Breach
We have implemented a personal data breach response procedure. We have procedures in place to notify individuals affected by a personal data breach.
- Confidential Information
Confidential information is encrypted at rest on our network and in transit. Confidential information is not stored on end-user workstations or portable devices.
Data Protection
- Third Party Data Processors
We maintain a register of third-party data processors. A Data Processor Agreement is in place with all third-party processors.
- Confidentiality Agreements
All staff, contractors and temporary workers with access to client data are bound by confidentiality agreements.
- Staff Training
All Thesaurus Software staff have received training on data protection and information security. It is also included in the induction of all staff.
Regulatory Issues
Has Thesaurus Software ever been subject to any litigation or claims for compensation in respect of a data protection offence?
NO
Has Thesaurus Software ever been subject to any regulatory action or penalised by a regulator for any regulatory non-compliance, data protection issues, anti-bribery, corruption, tax evasion or anti-money laundering matters?
NO
Access
Access to sensitive data and the Company’s network is granted on a “need to know” basis.
- Remote Access: employees may remotely access Company logins using Company hardware only. Software programs used in the day-to-day running of our business must not be accessed from unknown hardware.
- Physical Access to our premises is monitored in the following ways:
  - Service personnel and outside contractors (e.g. cleaners) are not permitted to enter the premises out of office hours unless they have prior approval.
  - CCTV recording is in place.
Data Destruction
Each employee who has access to sensitive data is responsible for:
- the secure deletion of electronic documents containing sensitive data;
- the shredding and disposal of paper documents that contain sensitive data. Confidential information, including customer data, must not be left available on desks.
Customer files
Employees are required to comply with Company reminders to delete any customer backups on their PC as well as their download folders. It is strictly prohibited for customer backups and information to be held indefinitely on an employee’s PC.
The IT department has a secure process in place for the destruction of electronic equipment.
Passwords
On joining the Company, employees will be provided with PC and email passwords. Employees are required to change their password as soon as possible and once a year thereafter.
Longer passwords are recommended: the longer the password, the better. When creating a password, a recommended website is: https://passwordsgenerator.net.
Employee Responsibilities
Employees must adhere to the following:
- to access only data that they have authority to access, and only for authorised purposes;
- not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation;
- to keep data secure by complying with rules on access to premises and computer access, including password protection, and on secure file storage and destruction;
- not to leave printed documents containing confidential or personal data unattended on their desk or in public spaces such as a meeting room or wastebasket;
- to exercise caution when sending confidential information, ensuring it goes only to the intended parties;
- not to remove confidential or personal data, or devices containing or able to access confidential or personal data, from the Company's premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
- to shred and dispose of personal data securely when finished processing it;
- to ask for help from a line manager if unsure about data protection, or if they would like to suggest improvements to how personal data is processed within the Company; and
- to report all suspected breaches to a line manager immediately so that proper investigations can be carried out and the necessary follow-up steps put in place.