Information Security Policy

1. Scope

This policy applies to all employees and sub-contractors of Orcare Limited, and is based on the Information Security Forum Standard of Good Practice 2007. The policy is supported by the Director and covers:

- legal and regulatory obligations
- roles and responsibilities
- strategic approach and principles
- approach to risk management
- action in the event of a policy breach.

2. Legal and regulatory obligations

The company is bound by a number of statutes, within the context of which this policy has been formed, specifically the Computer Misuse Act 1990 and the Data Protection Act 1998.

3. Roles and responsibilities

The Director has responsibility for the implementation of Information Security Policy.

4. Strategic approach and principles

4.1 High Level Direction

The company's direction on information security will be established, and commitment demonstrated, through an appropriate set of security controls that are implemented across the organisation.

A comprehensive, documented information security policy will be produced and communicated to all individuals with access to the organisation's information and systems.

Information security responsibilities will be incorporated into staff contracts, and will be taken into account when screening applicants for employment.

4.2 Security Organisation

Safeguarding information and systems requires effective organisation; however, in a small organisation high-level working groups and committees are not appropriate.

Control over information security will be provided by the Director. Where appropriate, a specialist Information Security function will be procured to provide expert advice to the Director, who will have responsibility for promoting Information Security across the company.

Specific activities and training will be undertaken to promote awareness and ensure that all staff have the necessary skills to run systems correctly.

4.3 Security Requirements

An information classification will be established that applies across the organisation, based on the confidentiality of the data we process.

Ownership of critical information and systems should be assigned to capable individuals, with responsibilities clearly defined and accepted.

Critical business applications, computer installations, networks and systems under development will be subject to information risk analysis on a regular basis.

To the greatest extent practical, information risk analysis conducted on applications, computer installations, networks and systems under development should be undertaken using structured methodologies.

A process will be established to identify and interpret the information security implications of relevant laws and regulations.

4.4 Ensuring a Secure Environment

A security architecture will be established, which provides a framework for the application of standard security controls throughout the organisation.

Responsibility for managing information privacy will be established and security controls for handling personally identifiable information applied.

Proven, reliable and approved hardware / software will be used that meets security requirements and is recorded in an inventory.

Identity and access management arrangements will be established to provide effective and consistent user administration, identification, authentication and access mechanisms across the organisation.

All locations that house critical IT facilities, sensitive material and other important assets will be physically protected against accident or attack.

Information security incidents will be identified, responded to, recovered from, and followed up using an information security incident management process.

Documented standards / procedures will be established for developing business continuity plans and for maintaining business continuity arrangements enterprise-wide.

4.5 Preventing Malicious Attack

All individuals who have access to information and systems of the organisation will be made aware of the risks from malware, and the actions required to minimise those risks.

Effective malware protection software will be installed, configured, and maintained enterprise-wide.

Intrusion detection mechanisms will be applied to critical systems and networks.

An emergency response process should be established, supported by an emergency response team, which outlines actions to be taken in the event of a serious attack.

A process should be established for dealing with information security incidents that require forensic investigation.

A process will be established for the deployment of system and software patches.

4.6 Special Topics

E-mail systems will be protected by a combination of policy, awareness, procedural and technical security controls.

Connections from third parties (e.g. customers, clients and suppliers) will be uniquely identified, subjected to an information risk analysis, approved, and supported by contracts.

A process will be established to ensure that information security requirements are taken into account in electronic commerce initiatives across the organisation.

A process should be established to govern the selection and management of outsource providers, supported by documented agreements that specify the security requirements to be met.

4.7 Management Review

The information security status of critical IT environments will be subject to thorough, independent and regular security audits / reviews.
