Wisit Information Security Policy
11 May 2019
Information Security Policy
The purpose of the Information security policy is to ensure the objectives that have been set in the Information Policy Statement from the board of directors are achieved.
The high-level objectives have been set out by the Board of Directors and documented in the Information Security Policy Statement. The following objectives have been set as follows:
|1||Maintain a level of trust by ensuring customer and supplier information is stored and used securely.|
|2||Maintain staff awareness of information security.|
|3||Introduce change management to manage all changes.|
|4||Manage user registration and de-registration to systems.|
Objectives will be reviewed on an annual basis and reviewed against current performance for assessment purposes.
- Roles and Responsibilities
All managers are directly responsible for implementing the policy and ensuring staff compliance in their respective departments. Compliance with the Information Security Policy is mandatory. This policy forms part of our Information Security Management process and is reviewed annually.
The following roles have been identified:
|Managing Director||The role of the Managing Director is to provide leadership and commitment to the Information Security Management System (ISMS), to set the strategic direction for Global 4, delegate authority to its officers and approve the resource required for effective implementation and maintenance of the ISMS.
The Managing Director is responsible for:
1. Setting the strategic direction of Global 4
2. Delegate authority for ISMS activities
3. Delegate full or partial ownership of information assets as appropriate
4. Ensuring required resources are made available
5. Approval of the ISMS
6. Data Protection Officer to report to the Information Commissioners Office (ICO) any data breaches that may occur.
|Company Directors||Company Directors are responsible for:
1. Ensuring the Information Security Policy and the objectives are established and aligned with the strategic direction of the organisation.
2. Ensure the integration of the ISMS requirements are built into the Global 4’s processes and procedures.
3. Ensure that the resources required for the successful implementation and operation of the ISMS.
4. Supporting the ISMS and promoting continual improvement.
|Director of Operations||The role of the Director of Operations is to co-ordinate the activities of the operational departments for the ISMS, and to identify opportunities for continual improvement.
1. Recording, evaluating and reporting incidents as appropriate.
2. Ensuring a business continuity management plan is in place and regularly tested.
3. Identify and implement opportunities for continuous improvement.
4. Ensure the operational teams adhere to the information security policies to ensure Confidentiality, Integrity and Availability of company held information assets.
|Compliance Officer||The role of the Compliance Officer is to develop and implement the information security system.
1. Develop policies and procedures to ensure CIA of assets is protected.
2. Ensuring an effective risk management process is in place and being maintained.
3. Develop and follow the schedule of internal audits to monitor the compliance of the information security management system.
4. Update the Board of Directors the reviews of audits and findings for continual improvement.
|IT Support||The role of the IT Support group is to provide high levels of CIA to ensure it can be supported by evidence.
1. Ensuring the maintenance and support of Global 4’s systems is conducted in the most secure way.
2. Ensure all practical steps are taken to protect Global 4/s network and systems.
3. Respond to information security incidents that involve IT systems.
|HR Manager||The role of the HR Manager is to provide the screening and selection process for Global 4 recruitment. HR Manager will be responsible for:
1. Ensuring all new staff have satisfied all pre-employment checks.
2 Ensure suitable disciplinary and termination policies and processes are in place.
3. Ensuring job descriptions details information security responsibilities.
4. Ensure all staff undergo an information security induction awareness course.
5. Ensuring all staff are aware and read the Global 4’s Information Security Handbook and Acceptable Use Policy.
|All Staff||All staff are expected to be familiar with and adhere to the policies and principles of the ISMS, by:
1) Being aware of and complying with the relevant information security regulations and policies.
2) Following the processes relevant to their job role.
3) To escalate any information security risk by sending an email to: heroes@Wisit.co.uk which will create a support Ticket. Incident must be reported verbally to Compliance Officer and line manager.
4) Read and comply with all policies that manage Global 4’s
5) Information Security Management System.
- Acceptable Use Policy
4.1 B.Y.O.D Personal mobile devices
- Employees using personal mobile device must first receive approval from their respective manager to receive company email to their respective devices.
- Device must be secure with a pin/password.
- Employee must report to IT Support by emailing heroes@Wisit.co.uk if device is stolen or loss.
- Employees shall view only company emails and documentation and should refrain from copying or downloading content.
4.2 Company mobile devices
- Employees must use a pin/password on their device/s, different to any password used within the organisation.
- Employees should not load illegal or pirated content/software onto company owned devices.
- No personal email accounts or profiles of applications should be loaded onto company owned devices.
- Devices should automatically lock after no longer than three minutes of inactivity.
- Users must report all lost, stolen or damaged company owned devices to Wisit IT Team immediately.
- User must not install extra hardware or software on the device, unless approved by the IT department.
- Employees shall not visit any un-secure or personal use websites using a Wisit device and should any suspicious downloads, pop-ups and/or content appear, the Wisit IT team shall be immediately informed.
- Extreme care should be taken when opening email attachments from unknown senders which can contain viruses. IT Support must be notified immediately.
- IT will decide on what malware, if any, should be used at the time based on the work risks and that will be reviewed thereafter as part of the regular security monitoring processes.
- All employees must adhere to Wisit’s information security regulations when using company assets that store company and customer data.
- Employees will be given access to business systems. It will be the responsibility of each employee to ensure the information remains secure and is not shared, copied or emailed to parties that should not have access to information.
- All employees that have a user name and password to a business system will only be given access to the information that is required to perform their duties. User profiles will be reviewed and updated if an employee changes role within Wisit.
- Employees may not use a personal computer for company business. The employee will be allocated a computer and equipment to match the role and responsibility.
- Restrictions will apply to the use of removable media devices.
- The employee’s network profile determines whether a removable device can be plugged into a laptop or desktop computer. This is determined and authorised at management discretion.
- Employees must store all company documents and files on the allocated company servers and not on the actual device. Company servers are backed up daily, whereas individual computers are not.
4.4 Clear Desk Policy
- To improve the confidentiality of information, Wisit operates a strict Clean Desk Policy for printer and computer workstations.
- Confidential and sensitive information hard-copy data/paperwork must be removed from the desk and locked in a secure draw/cupboard at the end of each working day.
- Waste documents which may contain sensitive or confidential information must only be placed in the designated confidential waste bins as labelled within the Wisit office.
- Computer workstations, inclusive of laptops and PC’s, must be locked when a desk is unoccupied and completely shut down at the end of a working day.
- An automatic lock has been implemented to all PC’s are a eight-minute interval of inactivity.
- Laptops, tablets and any other devices which may contain sensitive data, must be removed from the work station and locked in a secure location.
- Keys or access codes to a workstation draws or locker must not be left unattended at the desk.
- Staff handling sensitive data daily, must have a monitor privacy screen or film.
- Documents containing commercial in confidence information must be removed from printers immediately. Any printing that is left on the printer and not collected must be disposed of in the ‘confidential bins’ at the end of each day.
- Teleworkers should work within a safe environment where the member of staff is segregated from members of the public, family members or visitors.
Teleworkers should be influenced by the clear desk and screen policy.
- Senior Management or Directors hold the right to assess a teleworkers local environment for the measure of asset security and risk assessment.
- No personal physical equipment, unless authorised by a member of senior management can be used for the access and use of Wisit information.
- Information Classification (Assets)
All company information assets should be classified for protection and identification purposes. Information can be identified, using 3 levels of classification.
|Public||Document can be released outside the organisation.||Marketing material, annual accounts, website, vacancy notices||Public||Unlimited||No restrictions||Recycle/trash|
|Restricted||Controlled via management discretion to share either internally or externally||Training material, operational procedures, policies, customer relating information (contracts, Billing, Accounts, SLA)||Footer display ‘Restricted use only’ Emails content int ended for recipient||management authorisation||Internal: email, business system. External: sealed envelope||Confidential secure disposal Electronic: erasure|
|Confidential||Controlled via management authority, internally or externally||Corporate strategy, customer related information, personnel records||Footer display ‘Confidential’ Emails content int ended for recipient||management authorisation||Internal & external: sealed envelope Emails content intend ed for recipient||Confidential secure disposal Electronic: erasure|
- All confidential, restricted or sensitive information must be protected to ensure that it is not improperly disclosed, modified, deleted or otherwise rendered unavailable.
- Internal or customer facing documents must contain the classification criteria to ensure the document is labelled correctly in line with information security controls.
- Company email must contain the confidentiality disclosure clause. Emails with attachments are encrypted by Microsoft mail centre.
- Email templates generated from a business system must contain the Wisit confidentiality clause.
- Confidential documents must be stored on a company server password protected.
- Sensitive electronic information must be encrypted.
- Confidential, restricted and sensitive information should be disposed in the recycling bins.
- Unless it has specifically been designated as “Public”, all Wisit internal information shall be assumed to be confidential and shall be protected from disclosure to unauthorised third parties.
- No confidential information of Wisit or of any third party shall be disclosed to the public or any unauthorised third party without the prior approval from management.
5.1 Courier Services
- Authorised couriers shall be used to transport physical media.
- Authorised couriers are approved suppliers in the purchase order system.
- Media must be labelled in accordance with its sensitivity in a secure, tamper proof file or envelope or package.
- A courier receipt and tracking number must be obtained for tracking purposes.
5.2 Physical media
- Media must be supplied in robust packaging using a delivery method that requires a signature of the intended party.
- Use a recorded delivery method. Ensure the recipient is aware that a package is being sent.
- Data held on hard drive media must be compressed, encrypted and password protected.
- Information transfer
Wisit’s core business is the transfer of files to and from the Wisit infrastructure. Files are used for data processing activities, as well as the transfer of data using internet services.
- Only data required for specific business purposes is to be transferred.
- Wisit will use one of its preferred transfer methods unless specifically requested to use another method by a customer.
- Customer requirements for the transfer will generally be complied with, unless deemed to be an information security risk.
- Any transfer of personal data must be covered by a transfer agreement either as a separate document or as part of a contractual agreement.
6.1 Transfer Methods
Secure file transfer protocol (SFTP)
This method allows data to be uploaded to or downloaded from a site, accessing it via a user name and password. This method ensures that data is transferred over an encrypted tunnel limiting the risk of a data breach. This method allows timely data transfer without the need for physical media and transport.
All emails and attachments sent from Wisit are encrypted using the Microsoft email hosted centre.
Hyper text transfer protocol secure (HTTPS)
A secure encrypted connection between browser and website to safe guard information exchange.
- Access Control Policy
The purpose of the Access Control policy is to ensure the logical and physical access to information and systems is controlled and procedures are in place to ensure the security of Wisit information systems and data.
7.1 Access Management
- New employee access to network and systems shall be triggered by HR and tracked in a Wisit starter task.
- Leaver access from network and systems shall be triggered by HR and tracked in a Wisit leaver task.
- Change to user access must be authorised by management and tracked in a mover task.
- Employees in possession of a company door fob, laptop or mobile device must return as part of the HR exit process.
- Network and system access shall be revoked immediately for suspended employees and tracked in a task.
7.2 Access Rights Review
User access rights will be reviewed on a quarterly basis. The purpose of the review is to ensure user profiles have been correctly assigned, revoked or updated through change of roles.
The table below provides details of the systems to be reviewed.
|Office 365 account||Set up user’s office 365||HR/IT support||On request||WISIT Starter & Leaver task|
|account & Revoke users office 365|
|Microsoft mail account||Set up users email account||HR/IT support||On request||WISIT Starter & Leaver|
|& Disable account||task|
|Network access||Set up user network domain||HR/IT support||On request||WISIT Starter & Leaver task|
|& Revoke user network domain|
|Network access review||Sampling of WISIT leaver tasks to ensure user access has been revoked from office||Compliance Officer||Quarterly||Task|
|system||User profile set up to access modules on the system as per job description. Revoke user profile.||IT support/Team lead/Manager||On request||WISIT Starter & Leaver task|
|system||Review of current profiles to||Operations Manager||Quarterly||task with attached|
|ensure correct access has been provided against||profile report generated from|
|Carrier Portals||User access to carrier||Team lead /Manager||On request||WISIT Starter & Leaver task|
|portals & revoking of access|
|Carrier Portals||Employee change to duties||Team lead/Manager||On request||WISIT Mover task|
|Carrier Portals||Review of users who have access to the portals||Compliance Officer||Quarterly||task to demonstrate review has been co to show that employee has been|
|Paxton door tag||Tag to allow entry and exit||HR||On request||WISIT Starter & Leaver|
|into the building||task|
|Paxton door tag||Review of user tags||Compliance Officer||Quarterly||Spreadsheet showing tags|
|linked to employes.|
|Departmental asset logbook||Department asset logbooks detailing classification of information||Compliance Officer||Quarterly||Internal audit schedule for|
|ISO 9001/27001. Review and sampe of items listed in asset logbooks|
|Information inventory assets||Company assets detailed on the information asset||Compliance Officer||Quarterly||task to review current list and highlight any assets that have not been|
|inventory list||updated or included.|
7.3 Building Access and visitors
- Door access key fobs shall always be used to enter or exit the building.
- Employees not in possession of key fob must report to HR and use a ‘temporary fob’.
Visitor access to the building is controlled by ground floor employees opening the front entrance for visitors to the building.
- Allow visitor entry to the building, and request they remain in the reception area.
- Contact the internal person and inform them that a visitor is in reception.
- Physically go into the reception area and greet the visitor. Inform them that the internal person will be with them shortly.
- On no occasion allow a visitor to wander into the office area.
Process for letting postman or couriers into the building.
- Ground floor personnel can see who is at the front door,
- If it is the postman or courier, do not open the door from the phone system.
- Please go to the reception area and open the door for the postman or courier with your fob and escort him to the location to Pick up post or parcel.
- Escort the postman/courier back to the front door to allow exit.
7.4 Delivery and loading areas
- Deliveries and collections are located within the reception/waiting area.
- Deliveries shall be checked and inspected for any irregularities/threats. If any irregularities are noticed, these should be noted and reported to senior management immediately.
- Incoming and outgoing shipments should be segregated and labelled.
- Incoming materials should be inspected for evidence of tampering. If such tampering is discovered, it should be immediately reported to senior management.
- Physical security of premises
All windows and doors with access to information processing facilities shall be closed and locked when the facility is unattended or out of working hours by a duty manager.
Servers for Wisit are separated from any third-party involvement in a segmented room secured via key-code access.
8.2 Fire Alarm
The fire alarm is not linked to the local fire station and is not programmed to notify management.
- Network and System Access
- Employees are given a secure login and password to access to the network domain.
- Business system access is defined by user profiles according to job role and function.
- Employees must change the network password once successfully logged in.
- Passwords require a minimum of 8 characters including a capital and number.
- Access rights will be monitored and regularly reviewed by team managers, preferably on a six-monthly basis.
- An employee change in role/responsibilities/termination shall be tracked in a task and submitted to IT Support to review system/information privileges.
9.1 Remote Access
- A task will be raised to IT support to ensure all Laptops shall be loaded with the relevant software for secure access to the network and systems.
- Employee domain username and password shall be used to access network and business systems.
9.2 Password Management
- Users shall change their passwords every 90 days.
- Passwords shall not be re-used within a 12-month period and/or within the next 10 password changes.
- All passwords shall be kept confidential and be stored appropriately.
- Passwords and sensitive information should not be kept as a soft copy form unless stored within a specific password vault.
- Should users indicate any form of compromise to their information processing facility, secret authentication data should be changed immediately.
- Users should always keep secret authentication data confidential and not share with any other parties inclusive of internal authoritative figures.
- When creating a password, users should not influence the data on personal information, such as DOB, name, of generic passwords. The password should consist of 8 characters including upper and numeric values.
- Passwords should be free of consecutive identical, all-numerical or all-alphabetical characters.
- If a temporary password is given, the password should be changed at the first available opportunity.
- Users should not use the same passwords for use in both business and non-business purposes.
- Information Security Incident Management Policy
The ISMS policy provides a mechanism for Wisit employees to report and log breaches to the IT Support team.
- Information security awareness sessions shall be conducted for all employees.
- All employees must report a security breach to their line manager and IT Support.
- For actual data breaches of personal/customer information, the line manager must notify the appointed DPO to start the investigation process.
10.2 Incident Investigation
- The DPO will be notified once an incident has been reported.
- The IT Support team will start the investigation and keep management updated.
- The IT Support team will follow the ‘Incident Response process
- An investigation shall be performed within a 72-hour period of being reported.
- Upon an initial investigation if it is suspected that a customer’s data has been compromised,
notification will be submitted to all customers affected by the breach.
10.3 Evidence Handling
Evidence must be gathered from various sources to understand the data sets that have been breached. The IT Support team will be responsible for performing the analysis and gathering of evidence.
- The incident response process must be followed to ensure that the evidence collected is reliable and trustworthy.
- All evidence must then be protected from modification or damage.
- Evidence must be collected from reliable sources (log files, data files, email) in a chronological order.
- Upon evidence being gathered, review and correct any errors before submitting for approval.