Information Security
Section outline
-
The purpose of this course is to provide training on information security and to ensure information is protected, and secure from risk at all times and that the firm is compliant with GDPR and DPO.
All data and information must be appropriately secured to protect against the consequences of breaches of confidentiality, failures of integrity, or other disruptions.
-
This course applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns, and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
The scope of all information security measures covers the Company’s whole IT infrastructure and includes: -
[As the boundary of scope for protective measures differs for every firm, we are unable to define the scope for you. You will need to specify here the boundary of scope that is covered by the measures and policies you have in place for information security. This means detailing which devices, networks, and systems are covered by measures such as firewalls and malware protections (i.e. personal devices, removable storage, servers, etc). You can also detail anything that is outside of the scope of these measures (i.e. externally managed services, cloud-based, etc)]
The companies IT infrastructure is described here – https://projects.rebsoc.com/projects/ameuri/wiki/Hardware_and_Cloud_Assets_Inventory
The outsourced IT support services are explained here - https://projects.web-translations.co.uk/projects/ameuri/wiki/Outsourced_IT_Support
The information management used by the company is described here - https://projects.web-translations.co.uk/projects/ameuri/wiki/Information_Management
-
The Company has adopted the below set of principles and objectives to outline and underpin this course and any associated information security procedures: -
Information will be protected in line with all our data protection and security policies and the associated regulations and legislation, notably those relating to data protection, human rights, and the Freedom of Information Act
All information assets will be documented on an Information Asset Register (IAR) by the IT Manager and will be assigned a nominated owner who will be responsible for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect it
The Information Asset Registrar can be accessed here - Info_Asset-Register.xlsx
All information will be classified according to an appropriate level of security and will only be made available solely to those who have a legitimate need for access and who are authorised to do so
It is the responsibility of all individuals who have been granted access to any personal or confidential information, to handle it appropriately in accordance with its classification and the data protection principles
Information will be protected against unauthorised access and we will use encryption methods as set out in the above objectives in this course
Compliance with this Information Security and associated courses will be enforced and failure to follow either the policy indicated in this course or its associated procedures will result in disciplinary action
Our information security policies should be read and used in conjunction with our GDPR/DPA18 policy program
The Director has the overall responsibility for the governance and maintenance of this document and its associated procedures and is hereafter referred to as the assigned person and will review this policy at least annually to ensure this it is still fit for purpose and compliant with all legal, statutory and regulatory requirements and rules. It is the sole responsibility of the assigned person to ensure that these reviews take place.
-
Each information asset will be assigned a security classification by the asset owner or Information Security Officer, which will reflect the sensitivity of the asset. Classifications will be listed on the Information Asset Register.
-
Employees at the Company will only be granted access to the information that they need to fulfill their role within the organization. Staff who have been granted access must not pass on information to others unless they have also been granted access through appropriate authorisation. The Company’s Access Management Policy can be accessed here - Access_Control_&_Password_Policy.docx.
The company is using designated user roles across different web applications which are limiting user privileges and access to information that is not relevant to a specific user role.
-
Take care to ensure that information is deleted (or disposed of) safely and securely. Do not print anything confidential. If you receive post: scan the documents using Microsoft Lens, store the file on SharePoint, and securely destroy the document by using a shredder or tearing it into small parts. Use secure paper disposal bins where possible.
Electronic information must be securely erased or otherwise rendered inaccessible prior to leaving the possession of the Company, unless the disposal is undertaken under contract by an approved disposal contractor.
-
Members of staff who handle confidential paper documents should take the appropriate measures to protect against unauthorised disclosure, particularly when they are away from their desks. Confidential documents should be locked away overnight, at weekends, and at other unattended times.
Care should also be taken when printing confidential documents to prevent unauthorised disclosure.
Computer screens on which confidential or sensitive information is processed or viewed should be sited in such a way that they cannot be viewed by unauthorised persons and all computers should be locked while unattended. Please take the companies Clear Desk Course for more protocols and information
-
Encryption methods are always used to protect confidential and personal information within the Company and when transmitted across data networks. We also use encryption methods when accessing the Company network services, which require authentication of valid credentials (usernames and passwords).
Where confidential data is stored on or accessed from mobile devices (for example, laptops, tablets, smartphones, external hard drives, USB sticks, digital recorders) the devices themselves are encrypted (using "disk" encryption), irrespective of ownership. Where strictly confidential data is stored in public, cloud-based storage facilities the data must be encrypted prior to storing to ensure that it is not possible for the cloud service provider to decrypt the data.
Where data is subject to an agreement with an external organisation, the data should be handled (stored, transmitted, or processed) in accordance with the organisation’s specified encryption requirements.
Where there is a requirement to remove or transfer personal information outside of the Company, it is always kept in an encrypted format. Encryption is used whenever appropriate on all remote access connections to the organisation’s network and resources.
All confidential and restricted information transmitted via email is encrypted. Where a secret key is provided to decrypt, this is done so in a separate format from the original email.
-
SSL 256 Encryption is used to secure the communication between the browser and the server where the web Platform is hosted.
Bank details are saved to the database in an encrypted form.
Definitions
Encryption: This is the process of locking up (encrypting) information using cryptography. Such information appears illegible if accessed unless a corresponding key is used to decrypt the data.
Decryption: The process of unlocking encrypted information via a key.
The Company utilise both asymmetric and symmetric key encryption algorithms, depending on the systems, purpose, and information. The type of encryption is decided by the IT Manager after assessing the requirements of the information and transfer.
Asymmetric Key Encryption Algorithms: A type of encryption algorithm whereby two different keys are used. One key is for encrypting the information and the other is for decrypting. This type is also known as public-key encryption.
Symmetric Algorithms: These are also referred to as “secret key encryption” and use the same key for both encryption and decryption.
-
The Company uses a variety of encryption methods depending on the nature of the information being stored or transferred, its location, and its use. Below are the standard and acceptable forms of encryption used by The Company.
Symmetric Key Encryption Algorithms
Advanced Encryption Standard (AES)- Minimum encryption key length of 256 bits
Asymmetric Key Encryption Algorithms
Digital Signature Standard (DSS)
Elliptic Curve Digital Signature Algorithm (ECDSA)
RSA
Encryption Protocols
IPSec (IP Security)
SSH (Secure Shell)
TLS (Transport Layer Security)
S/MIME (Secure Multipurpose Internet Extension)
-
Encryption key management is fully automated, and all private keys are kept secure, restricted, and confidential. Whilst keys are in transit and/or storage, they are always encrypted.
Due to their nature, when the Company uses symmetric encryption key algorithms, there is a requirement to share the secret key with the recipient. Protecting and securing the key for sharing is paramount to protecting the information the key encrypts, so encrypting the key itself is a mandatory requirement. During distribution and transfer, the symmetric encryption keys are always encrypted using a stronger algorithm with a key of the longest key length for that algorithm.
The Company’s aim when encrypting secret keys is to afford them a higher, more stringent level of protection than the encryption used to protect the data. When keys are at rest, they are again secured with encryption methods, equal to or higher than the existing encryption level.
Where asymmetric algorithms are used, the public key is passed to the certificate authority to be included in the digital certificate that will be issued to the end user. Once the digital certificate is issued, it is then made available to all relevant parties. The corresponding private key is only made available to the end user who is in receipt of the corresponding digital certificate.
-
It is the responsibility of all the Company employees with remote access privileges to the company network, to ensure that their remote access connection is given the same consideration as the user's on-site connection to the Company. The Companies Remote Access & BYOD course for protocols and more information can be accessed through one of the courses.
Secure remote access must be strictly controlled
Control will be enforced via one-time password authentication or public/private keys with strong passphrases
At no time, should any of the Company employees provide their login or email password to anyone else
The Company employees with remote access privileges must ensure that their company-owned or personal computer or workstation, which is remotely connected to the company network, is not connected to any other network at the same time, except for personal networks that are under complete control of the user.
All hosts that are connected to the Company's internal network via remote access must use the most up-to-date anti-virus and malware software and approved firewalls
-
The Company defines a security incident as any unauthorised access to or disclosure of information systems relating to the business. Such incidents include but are not limited to:
Personal data breaches
Unauthorized system access or use (including access to computers, servers, firewalls & routers)
Viruses and/or malware
Cyber attacks
Non-compliance with security and/or data protection rules or protocols
-
The Company has robust objectives and controls in place for preventing security incidents and for managing them if they do occur. The Company utilises systems, personal data, and technology in the course of its business and as such is at risk of security incidents. We recognise that whilst we take every care with our systems, security, and information, risks still exist when using technology and being reliant on human intervention, necessitating defined measures and protocols for handling any incidents or breaches.
We carry out frequent risk assessments and gap analysis reports to ensure that our compliance processes, functions, and procedures are fit for purpose and that mitigating actions are in place where necessary, however, should there be any security incidents, we are fully prepared to identify, investigate manage and mitigate with immediate effect and to reduce risks and impact.
The Company has the below objectives with regard to Security Incident Management: -
To implement Security Incident Procedures for handling any type of security issue
Appointing an Incident Project Manager to handle any security incidents
To maintain a robust set of compliance procedures that aim to mitigate risks and provide a compliant environment for trading and business activities
To develop and implement strict compliance breach and risk assessment procedures that all staff are aware of and can follow
To ensure that any data breaches are reported to the correct regulatory bodies within the timeframes as set out in their code of practice or handbooks
To use breach investigations and logs to assess the root cause of any breaches and to implement a full review to prevent further incidents from occurring
To use the Compliance Breach Incident Form for all data breaches, regardless of severity so that any patterns in causes can be identified and corrected
To comply with regulating bodies and laws on compliance breach methods, procedures, and controls
To protect consumers, clients, and staff – including their data, information, and identity
The Companies Security Incident Procedures and Data Breach Course can be taken as part of this group of courses.
-
All information users within the Company are responsible for protecting and ensuring the security of the information to which they have access. Managers and staff are responsible for ensuring that all information in their direct work area is managed in conformance with this policy and any subsequent procedures or documents. Staff who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures.
The Company will ensure that staff does not attempt to gain access to information that is not necessary to hold, know, or process and that restrictions and/or encryptions are in place for specific roles within the organisation relating to personal and/or sensitive information.