Information Security Policy

Find out your responsibilities for ensuring the security of information systems at Alloc8tor and your place within the security framework.

1 Introduction

The continued confidentiality, integrity and availability of information systems underpin the operations of Alloc8tor. A failure to secure information systems would have long-term impact through the consequential risk of financial or reputational loss.

This Information Security policy provides the guiding principles and responsibilities of all members of the Alloc8tor team required to safeguard its information systems. Other supporting policies, procedures and guidelines will give greater detail on specific subject areas.

1.1 Purpose of Policy

The intention of this policy is to:

  • Ensure that the information systems that Alloc8tor manages are protected from security threats and to mitigate risks that cannot be directly countered
  • Ensure that all members of the Alloc8tor team are aware of and able to comply with relevant UK and EU legislation
  • Ensure that all users are aware of and understand their personal responsibilities to protect the confidentiality and integrity of the data that they access
  • Ensure that all users are aware of and are able to comply with this policy and other supporting policies
  • Safeguard the reputation and business of Alloc8tor by ensuring its ability to meet its legal obligations and to protect it from liability or damage through misuse of its IT facilities
  • Ensure timely review of policy and procedure in response to feedback, legislation and other factors so as to improve ongoing security.

1.2 Scope

This Information Security Policy applies to all members of Alloc8tor, all third parties who interact with Alloc8tor information, and all of the systems used to store or process it.

2 Policy

2.1 Awareness and communication

All authorised users will be informed of the policy and of supporting policies and guidelines when their account is issued. Updates to guidance will be publicised through the Alloc8tor website and highlighted at major points of interaction with Alloc8tor systems as appropriate for the change.

2.2 Definitions

Alloc8tor Data includes all data elements that are owned or licensed by Alloc8tor or any information processed by Alloc8tor on behalf of a third party.

Information systems - This includes but is not limited to all information systems owned, held, utilised or present on the Alloc8tor network and anyone making use of them.

Data Stewards - The person within Alloc8tor responsible for data management.

Data Custodian - Data Custodians are responsible for the safe custody, transport and storage of the data and for the implementation of business rules.

2.3 Information Security Principles

The following principles provide a framework for the security and management of Alloc8tor's information and information systems.

  1. Information should be classified in line with any legislative, regulatory or contractual requirements that might increase the sensitivity of the information and its security requirements.
  2. Data Stewards are responsible for ensuring that their data are classified and that in partnership with Data Custodians the information is treated in line with its classification level with appropriate procedures and systems in place to cater for this. Where personal data are stored, appropriate consent for storage and processing must be gathered and recorded.
  3. All individuals covered by the scope of this policy must handle information appropriately in accordance with its classification level.
  4. Information should only be available to those with a legitimate need for access.
  5. Information will be protected against unauthorised access and processing.
  6. Information will be protected against loss and corruption.
  7. Information will be disposed of securely and in a timely manner with measures appropriate for its classification.
  8. Breaches of policy must be reported by anyone aware of the breach in a timely manner.

2.4 Legal and regulatory obligations

The Alloc8tor team must adhere to all current UK and EU legislation as well as regulatory and contractual requirements.

2.5 Information Classification

The following provides a summary of the Information Classification levels which are part of the Information Security Principles.

Category - Highly Restricted

Description

Highly confidential information whose inappropriate disclosure would be likely to cause serious damage or distress to individuals and/or constitute unfair/unlawful processing of “sensitive personal data” under the Data Protection Act; and/or seriously damage Alloc8tor's interests and reputation; and/or significantly threaten the security/safety of Alloc8tor and its staff.

Examples

  • Sensitive personal data relating to identifiable living individuals
  • Individual’s bank details
  • Large aggregates (>1000 records) of personal data such as personal contact details
  • Non-public information that facilitates protection of individuals’ safety or security of key functions and assets e.g. network passwords and access codes for higher risk areas

Category - Restricted

Description

Confidential information whose inappropriate disclosure would be likely to cause a negative impact on individuals and/or constitute unfair/unlawful processing of “personal data” under the Data Protection Act; and/or damage Alloc8tor's commercial interests, and/or have some negative impact on Alloc8tor's reputation.

Examples

  • Personal data relating to identifiable living individuals
  • Staff contact details
  • Information or IP with commercial value/obligation

Category - Internal Use

Description

Information that is not considered public and should be shared only internally, but whose disclosure would not cause substantive damage to Alloc8tor and/or individuals.

Examples

  • Non-confidential internal correspondence
  • Internal policies and procedures

2.6 Compliance and Incident notification

It is vital that all users of information systems at Alloc8tor comply with the information security policy. Any breach of information security is a serious matter and could lead to the possible loss of confidentiality, integrity or availability of personal or other confidential data. Such a loss may result in criminal or civil action against Alloc8tor and also the loss of business and financial penalties.

Any actual or suspected breach of this policy must be notified at the earliest possible opportunity. All security incidents will be investigated and consequent actions may follow in line with this policy, the Acceptable Use Policy and relevant laws.

The Data Protection team will be informed of any breach found to affect personal data in keeping with Alloc8tor's Privacy Policy. Compliance with this policy should form part of any contract with a third party that may involve access to Alloc8tor systems or data.

3 Responsibilities

3.1 Individuals

Individuals must adhere to the Acceptable Use Policy and follow relevant supporting procedures and guidance. An individual should only access systems and information they have a legitimate right to and not knowingly attempt to gain illegitimate access to other information. Individuals must not aid or allow access for other individuals in attempts to gain illegitimate access to data. In particular, individuals should adhere to the information security ‘dos and don'ts’ outlined in the table below:

Permitted | Not permitted
Do use a strong password and change it if you think it may have been compromised. | Don't give your password to anyone.
Do report any loss or suspected loss of data. | Don't reuse your Alloc8tor passwords for any other account.
Do be on your guard for fake emails or phone calls requesting confidential information - report anything suspicious. | Don't open suspicious documents or links.
Do keep software up to date. | Don't undermine the security of Alloc8tor systems.
Do ensure Alloc8tor data is stored on Alloc8tor systems. | Don't copy confidential Alloc8tor information without permission.
Do password protect and encrypt your personally owned devices. | Don't leave your computers or phones unlocked.

3.2 Data Stewards

The responsibilities of a Data Steward are to:

  • Ensure that data custodians who maintain information systems holding or processing their data are aware of any additional requirements that may apply to safeguard that data above and beyond normal user data.

3.3 Data Custodians

Data custodians are responsible for the information systems that hold data and are typically systems administrators. In addition to their individual responsibilities under section 3.1, they must:

  • Ensure that the physical and network security of systems is maintained.
  • Ensure that the systems they maintain are suitably configured, maintained and developed.
  • Ensure that the data are appropriately stored and backed up.
  • Ensure that appropriate access controls are in place to meet the requirements of Data Stewards.
  • Understand and document risks, take suitable steps to mitigate them and ensure that these risks are understood by data owners.
  • Document operational procedures and responsibilities of staff.
  • Publish procedures for users of the systems to allow secure access and usage.
  • Ensure that systems are compliant with legal and other contractual requirements.

4 Supporting regulations, policies and guidelines

Other policies issued by Alloc8tor support and reinforce this policy statement. These include but are not limited to:

Policy review

Alloc8tor will review this policy when required to ensure that it remains appropriate and up to date.

Get in touch

To contact us, use our contact form (http://www.alloc8tor.co.uk).

This policy was updated on 21st May 2018.