Information Security Policy
17th May 2018
Table of Contents
Policy Statement 3
Applying the Policy. 4
Policy Compliance. 4
Policy Governance. 4
Review and Revision. 4
Key Messages. 5
Appendix 1. 6
A1 Applying the Policy. 6
A1.1 Information Asset Management 6
A1.1.1 Identifying Information Assets. 6
A1.1.2 Classifying Information. 6
Personal Information. 6
A1.1.3 Assigning Asset Owners. 6
A1.1.4 Unclassified Information Assets. 6
A1.1.5 Information Assets with Short Term or Localised Use. 7
A1.1.6 Corporate Information Assets. 7
A1.2 Information Storage. 7
IVFsynergy Ltd. will ensure the protection of all information assets within the custody of the Business.
High standards of confidentiality, integrity and availability of information will be maintained at all times.
Information is a major asset that IVFsynergy Ltd. has a responsibility and requirement to protect.
Protecting information assets is not simply limited to covering the stocks of information (electronic data or paper records) that the Organisation maintains. It also addresses the people that use them, the processes they follow and the physical computer equipment used to access them.
This Information Protection Policy addresses all these areas to ensure that high confidentiality, quality and availability standards of information are maintained.
The following policy details the basic requirements and responsibilities for the proper management of information assets at IVFsynergy Ltd. The policy specifies the means of information handling and transfer within the Business.
This Information Protection Policy applies to all the systems, people and business processes that make up the Business's information systems. This includes all Executives, Committees, Departments, Partners, Employees, contractual third parties and agents of the Organisation who have access to Information Systems or information used for IVFsynergy Ltd. purposes.
This policy should be applied whenever Business Information Systems or information is used. Information can take many forms and includes, but is not limited to, the following:
- Hard copy data printed or written on paper.
- Data stored electronically.
- Communications sent by post / courier or using electronic means.
- Stored tape or video.
IVFsynergy Ltd. recognises that there are risks associated with users accessing and handling information in order to conduct official business.
This policy aims to mitigate the following risks:
- [List appropriate risks relevant to the policy - e.g. the non-reporting of information security incidents, inadequate destruction of data, the loss of direct control of user access to information systems and facilities etc.].
Non-compliance with this policy could have a significant effect on the efficient operation of the organisation and may result in financial loss and an inability to provide necessary services to our customers.
Applying the Policy
For information on how to apply this policy, readers are advised to refer to Appendix 1.
If any user is found to have breached this policy, they may be subject to IVFsynergy’s disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s).
If you do not understand the implications of this policy or how it may apply to you, seek advice from Rob Watkins.
The following table identifies who within IVFsynergy Ltd. is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:
Responsible – the person(s) responsible for developing and implementing the policy.
Accountable – the person who has ultimate accountability and authority for the policy.
Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
Informed – the person(s) or groups to be informed after policy implementation or amendment.
Rob Watkins – Managing Director
Rob Watkins – Managing Director
All Directors, Staff, & Consultants
Review and Revision
This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.
Policy review will be undertaken by Rob Watkins.
The following IVFsynergy Ltd. policy documents are directly relevant to this policy, and are referenced within this document:
- The Business must draw up and maintain inventories of all important information assets.
- All information assets, where appropriate, must be assessed and classified by the owner.
- Information up to RESTRICTED sent via the Government Connect Secure Extranet (GCSx) must be labelled appropriately using the SPF guidance.
- Access to information assets, systems and services must be conditional on acceptance of the appropriate Acceptable Usage Policy.
- Users should not be allowed to access information until [name or title of the Information Security Officer] are satisfied that they understand and agree the legislated responsibilities for the information that they will be handling.
- PROTECT and RESTRICTED information must not be disclosed to any other person or organisation via any insecure methods including paper based methods, fax and telephone.
- Disclosing PROTECT or RESTRICTED classified information to any external organisation is also prohibited, unless via the GCSx email.
- Where GCSx email is available to connect the sender and receiver of the email message, this must be used for all external email use and must be used for communicating PROTECT or RESTRICTED material.
- The disclosure of PROTECT or RESTRICTED classified information in any way other than via GCSx email is a disciplinary offence.
A1 Applying the Policy
A1.1 Information Asset Management
A1.1.1 Identifying Information Assets
The process of identifying important information assets should be sensible and pragmatic.
Important information assets will include, but are not limited to, the following:
- Filing cabinets and stores containing paper records.
- Computer databases.
- Data files and folders.
- Software licenses.
- Physical assets (computer equipment and accessories, PDAs, cell phones).
- Key services.
- Key people.
- Intangible assets such as reputation and brand.
IVFsynergy Ltd. must draw up and maintain inventories of all important information assets that it relies upon. These should identify each asset and all associated data required for risk assessment, information/records management and disaster recovery. At minimum it must include the following:
A1.1.2 Personal Information
Personal information is any information about any living, identifiable individual. The business is legally responsible for it. Its storage, protection and use are governed by the Data Protection Act 1998.
A1.1.3 Assigning Asset Owners
All important information assets must have a nominated owner and should be accounted for. An owner must be a member of staff whose seniority is appropriate for the value of the asset they own. The owner’s responsibility for the asset and the requirement for them to maintain it should be formalised and agreed.
A1.1.4 Unclassified Information Assets
Items of information that are of limited or no practical value should not be assigned a formal owner or inventoried. Information should be destroyed if there is no legal or operational need to keep it and temporary owners should be assigned within each department to ensure that this is done.
A1.1.5 Information Assets with Short Term or Localised Use
For new documents that have a specific, short term localised use, the creator of the document will be the originator. This includes letters, spread sheets and reports created by staff. All staff must be informed of their responsibility for the documents they create.
A1.1.6 Corporate Information Assets
For information assets whose use throughout the organisation is widespread and whose origination is as a result of a group or strategic decision, a corporate owner must be designated and the responsibility clearly documented. This should be the person who has the most control over the information.
A1.2 Information Storage
All electronic information will be stored on centralised facilities to allow regular backups to take place.
Staff should not be allowed to access information until Rob Watkins is satisfied that they understand and agree the legislated responsibilities for the information that they will be handling