Information Security Policy
This Policy Document encompasses all aspects of security surrounding confidential company information and must be distributed to all company employees. All company employees must read this document in its entirety and sign the form confirming that they have read and fully understand this policy.
This document will be reviewed and updated by Management on an annual basis, or whenever relevant, to incorporate newly developed security standards into the policy, and will be distributed to all employees and contractors as applicable.
The Firm is committed to providing a secure environment for its information and infrastructure, for itself and for its customers. This policy describes the roles and responsibilities for all levels of staff in the organisation. The objective of this Policy is to protect the Firm's and its customers' information assets from all threats, whether internal or external, deliberate or accidental; to minimise business damage by preventing and reducing the impact of security incidents; and to ensure business continuity.
To achieve compliance with this policy we have set the following objectives:
- To ensure that access to all information assets is controlled
- To ensure that access to all information systems is controlled
- To ensure that the confidentiality of information is protected from unauthorised disclosure
- To ensure the integrity of information is protected from unauthorised modification
- To ensure regulatory and legislative requirements are met
- To ensure that disaster recovery plans for vital IT systems and services are produced, maintained and tested
- To ensure that all incidents impacting information security, actual or suspected, are reported and investigated
- To communicate this policy to all staff
- To ensure staff receive appropriate awareness and training for their roles in regard to this policy
2 INFORMATION SECURITY POLICY
The Firm handles sensitive customer information daily. Sensitive Information must have adequate safeguards in place to protect it, to protect customer privacy, to ensure compliance with the applicable regulations and to guard the future of the organisation.
The Firm commits to respecting the privacy of all its customers and to protecting any data about customers from outside parties. To this end, management is committed to maintaining a secure environment in which to process customer information so that we can meet these promises.
Employees handling sensitive customer data must:
- Handle Company and customer information in a manner that fits its sensitivity;
- Limit personal use of the Firm's information and telecommunication systems and ensure it does not interfere with your job performance;
- The Firm reserves the right to monitor, access, review, audit, copy, store, or delete any electronic communications, equipment, systems and network traffic for any purpose;
- Not use e-mail, the internet or other Company resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing or illegal;
- Not disclose personnel information unless authorised;
- Protect sensitive customer information;
- Keep passwords and accounts secure;
- Request approval from management prior to establishing any new software or hardware, third-party connections, etc.;
- Not install unauthorised software or hardware, including modems and wireless access points, unless you have explicit management approval;
- Always leave desks clear of sensitive customer data and lock computer screens when
- Report information security incidents without delay.
We each have a responsibility for ensuring that our company's systems and data are protected from unauthorised access and improper use. If you are unclear about any of the policies detailed herein, you should seek advice and guidance from your line manager.
3 PHYSICAL SECURITY
Access to sensitive information in both hard and soft media format must be physically restricted to prevent unauthorised individuals from obtaining sensitive data.
- Employees are responsible for exercising good judgment regarding the reasonableness of personal use.
- Employees must ensure that they hold appropriate credentials and are authenticated before using company technologies.
- Employees must take all necessary steps to prevent unauthorised access to confidential data.
- Employees must ensure that technologies are set up and used only in acceptable network locations.
- Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.
- Media is defined as any printed or handwritten paper, received faxes, floppy disks, back-up tapes, computer hard drives, etc.
- Media containing sensitive customer information must be handled and distributed in a secure manner by trusted individuals.
- Visitors must always be escorted by a trusted employee when in areas that hold sensitive customer information.
- Network jacks located in public areas and areas accessible to visitors must be disabled, and enabled only when network access is explicitly authorised.
4 DISPOSAL OF STORED DATA
- All data must be securely disposed of when no longer required by the Firm, regardless of the media or application type on which it is stored.
- An automatic process must exist to permanently delete on-line data when it is no longer required.
- All hard copies of customer data must be manually destroyed when no longer required for valid and justified business reasons. A quarterly process must be in place to confirm that all non-electronic customer data has been appropriately disposed of in a timely manner.
- The Firm will have procedures for the destruction of hardcopy (paper) materials. These will require that all hardcopy materials are cross-cut shredded, incinerated or pulped so that they cannot be reconstructed.
- The Firm will have documented procedures for the destruction of electronic media. These will require that all customer data on electronic media is rendered unrecoverable when deleted, e.g. through degaussing, electronic wiping using a military-grade secure deletion process, or physical destruction of the media. If secure wipe programs are used, the procedure must define the industry-accepted standards followed for secure deletion.
- All customer information awaiting destruction must be held in lockable storage containers clearly marked "To Be Shredded"; access to these containers must be restricted.
APPENDIX A - AGREEMENT TO COMPLY FORM - AGREEMENT TO COMPLY WITH INFORMATION SECURITY POLICIES
I agree to take all reasonable precautions to ensure that company internal information, or information that has been entrusted to the Company by third parties such as customers, will not be disclosed to unauthorised persons. At the end of my employment or contract with the Company, I agree to return all information to which I have had access as a result of my position. I understand that I am not authorised to use sensitive information for my own purposes, nor am I at liberty to provide this information to third parties without the express written consent of the internal manager who is the designated information owner.
I have access to a copy of the Information Security Policy, I have read and understand this Policy, and I understand how it impacts my job. As a condition of continued employment, I agree to abide by the policies and other requirements found in the Company security policy. I understand that non-compliance will be cause for disciplinary action up to and including dismissal, and possibly criminal and/or civil penalties.
I also agree to promptly report all violations or suspected violations of information security policies to the designated security officer.