Storm Technologies Limited
Policy Title: Information Security Policy
Policy No: 010
Version: 1.03
Effective Date: 06 December 2017
Reviewed: January 2020
Owner: Services & Solutions Director
Introduction
Information Security is a key component of the company’s overall business management framework and provides the basis and directives for detailed information security documentation, including system-level security policies, security guidance and protocols or procedures.
I. Policy Objectives, Aim and Scope
A. Objectives
The objectives of this Information Security Policies document are to help preserve the confidentiality, integrity and availability of the company’s business information, based on a business risk assessment, impact analysis and an understanding of our tolerance for risk.
B. Aim
The aim of this policy is to set out the rules governing the secure management of the company’s information assets by: ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies; ensuring an approach to security in which all members of staff fully understand their own responsibilities; creating and maintaining within the organisation a level of awareness of the need for information security as an integral part of day-to-day business; and protecting information assets under the control of the organisation.
C. Scope
These policies apply to all information, information systems, networks, applications, locations and users of company systems, including systems supplied to the company under contract.
January 2020 ST010v3
II. Responsibilities
All staff shall comply with these information security policies and procedures including the maintenance of data confidentiality and data integrity. Failure to do so may result in disciplinary action. Each member of staff shall be responsible for the operational security of the information systems they use. Each system user shall comply with the security requirements that are currently in force, and shall also ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.
III. Legislation
The company is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the company, who may be held personally accountable for any breaches of information security for which they are responsible. The company shall comply with the following legislation, and other legislation as appropriate:
• The Data Protection Act (1998)
• The Data Protection (Processing of Sensitive Personal Data) Order 2000
• The Copyright, Designs and Patents Act (1988)
• The Computer Misuse Act (1990)
• The Health and Safety at Work Act (1974)
• Human Rights Act (1998)
• Regulation of Investigatory Powers Act 2000
• Freedom of Information Act 2000
• The GDPR 2016
All of the above documents are stored in the shared s:\XXXXXXXXXXXX
2 172673021v2
IV. Policy Framework
Personnel Security Requirements
Contracts of Employment
• All staff contracts of employment refer to this information security policy and state that it must be adhered to as part of the contract of employment. Training on this information security policy is carried out at the recruitment stage; any member of staff who has not received this training must inform the Services and Solutions Director immediately, and training will be arranged.
• This policy must be complied with by all staff. In addition to, and not instead of, this policy, any specific information security requirements that relate to a job role will be included as part of the job definition for that role. Employees must ensure that they know these requirements and comply with them while undertaking their job role.
Information Security Awareness Training
• The company includes information security awareness training in the staff induction process. Existing employees must ensure that they are aware of the procedures applicable to them, and the company will provide regular refresher training to maintain awareness.
Security Incidents
If any employee suspects that an information security incident has taken place or is about to take place, for any reason, they must report this immediately to the Services and Solutions Director or the Board. Examples of incidents include:
• IT equipment acting abnormally
• An attempted, suspected or actual electronic or physical breach of company information
• Attempted or suspected logins to company networks or devices by unauthorised persons or other entities
• Changes or suspected changes to systems that have not been scheduled or authorised
Intellectual Property Rights
• The company ensures that all software is properly licensed and approved by the Services and Solutions Director. Employees must not use unlicensed or illegal software at any time.
• Employees must not copy, distribute, forward or in any other way provide access to company information to persons, organisations or other entities without authorisation from the Services and Solutions Director or Board. This directive protects the company’s Intellectual Property Rights (IPR) and supports Data Protection Act compliance. Employees breaching this requirement may be subject to disciplinary action.
Social Media
• Social media may be used for business purposes on condition that no sensitive or potentially sensitive material, Intellectual Property or similar material is disclosed. Users must behave responsibly while using any social media, whether for business or personal use, bearing in mind that they directly or indirectly represent the company. If in doubt, consult the Services and Solutions Director. Users breaching this requirement may be subject to disciplinary action.
Asset Ownership
• Each company information asset (hardware, software, application or data) has a named custodian who is responsible for the information security of that asset. Employees are responsible for their laptop and phone and must ensure that they operate these assets in compliance with this policy and the attached appendices.
Removable media
• The company policy is that removable media shall not be used for business purposes unless approved by the Services and Solutions Director and/or Service Desk Manager.
Removable media from external sources
• Removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the Services and Solutions Director and/or Service Desk Manager before they may be used on company business systems. Such media must also be fully virus-checked before being used on the organisation’s equipment. Users breaching this requirement may be subject to disciplinary action.
Privately Owned Mobile Devices (e.g. phones, tablets, laptops, etc.)
• Use of privately owned mobile devices for business purposes requires the approval of the Services and Solutions Director and/or Service Desk Manager before they may be used. Such devices must, at a minimum, have anti-malware software installed and updated daily (Apple phones do not require anti-malware), have a PIN, password or other authentication enabled, be encrypted wherever possible, and be capable of being remotely tracked and wiped. Users must inform the Services and Solutions Director immediately if the device is lost or stolen, and the device must be completely wiped. In any and all cases, privately owned devices must not hold or be used to store any company information.
Sensitive Information Assets
• Based on a risk assessment and legal requirements, the company classifies personal, valuable and sensitive information assets as ‘Confidential’. The classification ‘Confidential’ is marked on all such material (in document and electronic form), which is managed securely by the staff responsible for that data.
• Confidential information must not be left unattended at any time in any place where unauthorised persons might gain access to it.
• Confidential information must be transported securely in sealed packaging or locked containers.
• Confidential data in electronic form shall be encrypted in transit.
• ‘Confidential’ covers information the disclosure of which is likely to:
o adversely affect the reputation of the business or its staff, or cause substantial distress to individuals;
o make it more difficult to maintain the operational effectiveness of the business;
o cause financial loss or loss of earning potential, or facilitate improper gain or disadvantage for individuals or organisations;
o prejudice an investigation, or facilitate the commission of crime or other illegal activity;
o breach proper undertakings to maintain the confidence of information provided by third parties, or impede the effective development or operation of policies;
o breach statutory restrictions on disclosure of information;
o disadvantage the business in commercial or policy negotiations with others, or undermine the proper management of the organisation and its operations.
User Access
• Access to information is restricted to authorised users who have a bona fide business need to access the information.
• The business reserves the right to monitor any systems or communications activity where it suspects that there has been a breach of policy, in accordance with the Regulation of Investigatory Powers Act (2000). For reference, copies of the pertinent regulations are on the corporate Intranet.
Physical and Environmental Management
In order to minimise loss of, or damage to, all assets, equipment shall be physically protected from threats and environmental hazards.
Protection from Malicious Software
• The business operates software countermeasures and management procedures to protect itself against the threat of malicious software. All staff must co-operate fully with this policy. Users shall not install software or other active code on the organisation’s property without permission from the Services and Solutions Director and/or Service Desk Manager. Users breaching this requirement may be subject to disciplinary action.
Information security incidents and weaknesses
• All breaches of this Policy and other information security incidents or suspected weaknesses are to be reported to the Services and Solutions Director.
Directives & Controls
Information Security Responsibilities
• Information Security Policies and Directives – The Board
• Chief Information Security Officer – Services & Solutions Director
• IT Security Manager & Administrator – Service Desk Manager
Remote Working Policy
• Any connection into the company network must be secured via an encrypted Remote Desktop Services connection.
• Employees and contractors must not copy or store company, supplier, partner or customer information to any destination except the appropriate customer or company folder on the company network.
• External users and contractors must not store company, supplier, partner or customer information locally on any personally owned device, and must use company cloud storage for all data.
• Any information that is categorised by customers and/or suppliers as confidential must be encrypted and password protected before it is sent over the Internet, and the password must be shared out of band (i.e. not through the same channel as the encrypted file). Note that company information assets categorised as ‘Confidential’ must not be distributed, copied or in any other way made available outside the organisation without express authorisation from the Services and Solutions Director and/or Service Desk Manager.
• Connections into and out of third-party offices and locations, including clients, suppliers, partners and others, must be made in accordance with those companies’ security policies and directives and, where possible, secured via an encrypted connection.
• Company, client, supplier or other information or data relating to the company must not be copied or distributed in any way via email, USB devices or printing unless expressly approved by the Services and Solutions Director and/or Service Desk Manager.
• Company equipment must not be used by family members or any other person who is not an employee of the company.
• Company equipment must not be left logged in and unattended at any time.
• Company equipment must not be operated in an unsecure or inappropriate environment, must be protected from water, fire or other contamination, and must be physically secured at all times.
A. Desktop Working Policy
• Employees who have been allocated a PC or laptop for business purposes are the custodians of that device and are responsible for operating it in line with the company policies and directives included in this Information Security Policy.
• Company desktop devices (laptops and PCs) must only be used for business purposes. Unauthorised software (games, for example) must not be downloaded to or run on business devices.
• Employees and contractors must not copy or store company, supplier, partner or customer information to any destination except the appropriate customer or company folder on the company network. Information must not be stored locally on PC or laptop devices.
• Any information that is categorised by customers and/or suppliers as ‘confidential’ must be encrypted and password protected before it is sent over the Internet, and the password must be communicated out of band. Note that company information assets categorised as ‘Confidential’ must not be distributed, copied or in any other way made available outside the organisation without express authorisation from the Chief Information Security Officer.
• Company, client, supplier or other information or data relating to the company must not be copied or distributed in any way via email, USB devices or printing unless expressly approved by the Services and Solutions Director and/or Service Desk Manager.
• Company equipment must not be left logged in and unattended at any time.
• Company equipment must not be operated in an unsecure or inappropriate environment, must be protected from water, fire or other contamination, and must be physically secured at all times.
B. Patch Management
1. Windows Updates Control
• Windows updates are rolled out after Patch Tuesday (the second Tuesday of the month), but with a staggered delay so that updates found to be faulty, and which could cause a business impact, are not deployed.
C. Systems Protection from the Internet
1. Office Firewalls Policy
• All new firewall and router equipment must have its default passwords changed before it is installed into a production environment.
• All firewall passwords must be strong (upper and lower case letters, and including a number and a symbol) and must not be a password that has been used before.
• All firewall passwords must be changed at least once every 60 calendar days.
• A Helpdesk call must be raised to alert and schedule firewall password changes for internal firewall devices, unless the change can be enforced automatically by the device.
• A vulnerability scan of every firewall deployed must be conducted at first installation and thereafter at least every 12 months.
• All services passed through the firewall that are not required must be disabled, and high-risk services must also be blocked. These include services such as Server Message Block (SMB), NetBIOS, TFTP, RPC, rlogin, rsh and rexec. Some IT systems will need one or more of these to operate, and it will be a business decision whether to block that service or not.
• Any services that are enabled to pass through the firewall must have a business justification associated with them.
• Any administrative connection to a firewall must be made over an encrypted connection.
Device Firewall Policy
• All device firewalls must be enabled for all users working remotely.
Access Control Policy
Secure Configuration Policy
This directive applies to all devices including: servers, Internet-facing network devices, PCs, workstations, laptops, smartphones and tablets.
• All passwords must be strong.
• All devices must have unneeded software removed prior to being connected to the network and going into production.
• All autorun programs must be disabled on all devices prior to their being connected to the network and going into production.
• All devices must have up-to-date, auto-updating anti-virus / anti-malware software installed and configured prior to being connected to the network and going into production.
• The anti-malware software on all devices must be set to scan files automatically upon access (including when downloading and opening files, and when accessing files on removable storage media or a network folder).
• A web anti-malware solution must be implemented and maintained.
• Any user accounts that are no longer required for business purposes must be disabled immediately.
2. Strong Password Policy
All system and user passwords must be at least 8 characters long and must contain characters from three of the four following categories:
• Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
• Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
• Base 10 digits (0 through 9)
• Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
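The following is an added example, not part of this policy or of the company's own tooling, showing how the length and three-of-four-categories rule above can be checked mechanically (for instance in an account-provisioning script or a self-service password reset). The names SYMBOLS, DIGITS, categories and check_password are this example's own. The min_categories argument also lets the same function express the stricter Office Firewalls rule, which requires all four categories; the firewall rule's "not a password used before" requirement needs a password history and is not checked here. Two details worth noting: the policy counts only the base-10 digits 0 to 9 and its own listed symbol set, so digits from other scripts count toward nothing, while upper- and lower-case letters do include accented, Greek and Cyrillic letters, which Python's str.isupper() and str.islower() handle (the sharp-s reports as lowercase).

```python
"""Added example: password complexity check for the Strong Password Policy.

Rules implemented, taken from the policy text:
  * at least 8 characters;
  * characters from at least three of the four categories
    (uppercase letters, lowercase letters, base-10 digits 0-9,
    the policy's listed non-alphanumeric characters).
Pass min_categories=4 for the Office Firewalls rule (all four categories).
Password history ("not used before") is not checked here.
The names below are this example's own, not the company's.
"""
from __future__ import annotations

# Exactly the non-alphanumeric characters the policy lists.
SYMBOLS = frozenset('~!@#$%^&*_-+=`|\\(){}[]:;"\'<>,.?/')
# Base-10 digits only; digits from other scripts do not count.
DIGITS = frozenset("0123456789")
MIN_LENGTH = 8


def categories(password: str) -> set[str]:
    """Return which of the four policy categories the password draws from.

    str.isupper()/str.islower() cover accented Latin, Greek and Cyrillic
    letters; the German sharp-s (ß) reports as lowercase. Characters that
    fit no category (spaces, emoji, non-Latin-script digits) are allowed
    but count toward nothing.
    """
    found: set[str] = set()
    for ch in password:
        if ch in DIGITS:
            found.add("digit")
        elif ch in SYMBOLS:
            found.add("symbol")
        elif ch.isalpha() and ch.isupper():
            found.add("upper")
        elif ch.isalpha() and ch.islower():
            found.add("lower")
    return found


def check_password(password: str, min_categories: int = 3) -> tuple[bool, list[str]]:
    """Return (compliant, list of human-readable problems); an empty list means compliant."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"{len(password)} characters; minimum is {MIN_LENGTH}")
    found = categories(password)
    if len(found) < min_categories:
        used = ", ".join(sorted(found)) or "none"
        problems.append(
            f"uses {len(found)} of 4 character categories ({used}); need {min_categories}"
        )
    return not problems, problems


if __name__ == "__main__":
    # Constructed sample inputs for demonstration, not real credentials.
    for sample in ["Password1!", "Straße2024", "Пароль12", "passwordß", "abc"]:
        ok, why = check_password(sample)
        print(f"{sample!r}: {'OK' if ok else 'REJECT: ' + '; '.join(why)}")
```

Because the check returns the list of failed rules rather than a bare boolean, the same function can drive a user-facing message ("uses 1 of 4 character categories") and an audit log entry without re-deriving the reason.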
• Technical department employees who have been given administrative access by the Service Desk Manager must have two accounts provisioned. The administrative account must only be used for administrative duties. A different account, with basic user privileges, must be used on a day-to-day basis for business-as-usual tasks and Internet access.
• Administrator accounts must be named accounts, not one generic account for all users.
• Administrator passwords must be changed at least every 60 days. The individual owner of each account will be alerted when a password change is due.
• All users, not only administrators, must use strong passwords.
• Where employees or contractors no longer require access or have left the company, password changes must be implemented within 1 business hour of the Service Desk being notified. Leavers’ accounts should be deleted within 3 calendar months.
• Access control reviews must be conducted at least once every 6 months. An alert to conduct the review must be implemented by raising a call in the Helpdesk Management System.
• User account reviews must be conducted once every 6 months to ensure that unwanted accounts are deleted.
1. Administrator Policy
• The Service Desk Manager will review who still requires administrator access on an annual basis. These reviews will be scheduled by raising tasks in the Helpdesk Management System.
• Senior management issue an administrator approval for each approved administrator.
2. Data Categorisation
The company must categorise data and information. Categories are dependent on each organisation and are relevant within the context of that organisation. The company’s classifications for data are Shared, Restricted and Confidential.
• ‘Shared’ information is data that is available to everyone working for the company.
• ‘Restricted’ data is company information that may be commercially, technically or otherwise sensitive and is therefore constrained to certain groups or individuals within the company.
• ‘Confidential’ information includes any data that contains Personally Identifiable Information (PII) and any other company information that the directors wish to remain private. Examples are salaries, addresses, etc.
Handling Classified Data
• ‘Shared’ data is still deemed to be a company information asset and therefore must not be copied, distributed or accessed by any person, organisation or other entity external to the company unless authorised by the Chief Information Security Officer.
• ‘Restricted’ data must be electronically stored with restricted access rights; physical copies must be stored in the locked filing cabinet and must not be left unattended at any time in any place where unauthorised persons might gain access to them.
• ‘Confidential’ data must be electronically stored with restricted access rights and physically stored in the locked filing cabinet. ‘Confidential’ data must be transported securely in sealed packaging or locked containers. Data in electronic form shall be encrypted in transit. ‘Confidential’ shall cover information the disclosure of which is likely to:
o adversely affect the reputation of the business or its staff, or cause substantial distress to individuals;
o make it more difficult to maintain the operational effectiveness of the business;
o cause financial loss or loss of earning potential, or facilitate improper gain or disadvantage for individuals or organisations;
o prejudice an investigation, or facilitate the commission of crime or other illegal activity;
o breach proper undertakings to maintain the confidence of information provided by third parties, or impede the effective development or operation of policies;
o breach statutory restrictions on disclosure of information;
o disadvantage the business in commercial or policy negotiations with others, or undermine the proper management of the organisation and its operations.
• Each data category must have defined storage, access and distribution policies to provide the appropriate level of security controls, based on the sensitivity and confidentiality of that data.
Data Categorisation Controls
Client Data
Client data that may be stored by the company includes passwords for administrative access to client IT systems. This information must be stored in an encrypted format, password protected, and restricted to those who need access only. This information must not be copied, printed or distributed.
Personally Identifiable Information (PII)
The only PII the company holds relates to its employees. This information is categorised as ‘Confidential’ and is therefore controlled by the company’s Confidential Information Policies and Controls.
Patching Policy
• A valid software licence must be held for every device for all software products installed, including operating system licences.
• Software versions must be kept current and supported by the manufacturer.
• All devices must only run operating system software that is supported and updated by the vendor.
• All devices must only run application software products that are supported and updated by the vendor and the company.
• All software must be configured to provide alerts when new patches are available.
• Critical and security patches released by the software vendor must be implemented within 1 month of release.
• Other patches will be reviewed and selected for deployment once per month. Such patches will be deployed only after they have been released for one calendar month, to avoid deploying patches that turn out to contain software bugs.
System Security
Vulnerability scans of all IT systems must be run on an annual basis.
Roles & Responsibilities
Service Desk
Any user accounts that are no longer required for business purposes must be disabled immediately. The Service Desk must produce a list of live user accounts every 3 months and liaise with the Finance Controller to confirm that every account should remain enabled.
Department Managers are responsible for informing the Service Desk of staff changes (starters and leavers) and role changes. Any user accounts that are no longer required for business purposes must be disabled immediately by the systems manager.
V. Internal Systems Administrator Policy
A. IT Administrator Policy
Administrators are chosen based on their technical ability to conduct the role as defined in the appropriate ‘roles and responsibilities’ section of the administrator’s job description. Administrators are required to sign an enhanced NDA which contracts them to protect the confidential information that they have access to and knowledge of. The Service Desk Manager conducts administrator training for each administrator to ensure that they are fully aware of and conversant with the company’s information security and operating policies. At each board review the directors and board members will review the systems administrator roles and personnel to ensure that both the roles and the personnel are aligned with the current business strategy and security requirements. Alternatively, the Services and Solutions Director will conduct the review and send a report to the board.
B. IT Administrator Controls
The administrator is responsible for ensuring that the information held by the company is current and accurate. Any changes to the information must be reported by the administrator to the Services and Solutions Director or the board. When administrator personnel leave or change role, the appropriate passwords will be reset immediately. Administrator passwords must be changed every 60 days, unless advised otherwise by the board. A password change schedule should be implemented for all administrator password changes; the changes must be prompted by automatic alerts, service desk scheduled tasks, or diarised reminders to the appropriate administrator. Administrators must not use administrative accounts for daily non-administrative tasks. All administrator accounts must be named accounts.
VI. Information Security Incident Response Procedure
The following is a list of steps that need to be taken when dealing with a potential information security incident.
1. Identifying a suspected security incident (e.g. monitoring evidence of unusual occurrences and assessing one or more trigger points)
2. Analysing all available information related to the potential security incident
3. Determining what has actually happened (e.g. a DDoS, malware attack, system hack, session hijack, data corruption, etc.)
4. Identifying what systems, networks and information (assets) have been compromised
5. Determining what information has been disclosed to unauthorised parties, stolen, deleted or corrupted
6. Establishing the objectives of any investigation and clean-up operation
7. Finding out who did it (i.e. which threat agent or agents) and why (e.g. financial gain, hacktivism, espionage, revenge, challenge or just for fun)
8. Working out how it happened (e.g. how the attacker gained entry to the system)
9. Determining the potential business impact of the cyber security incident
10. Conducting sufficient investigation (e.g. using deep-dive forensic capabilities) to identify (and prosecute, if appropriate) the perpetrator(s)
11. Providing mitigation options to prevent a similar event occurring again
Signed……………………………………………………………………… Date………………………………………………………….. On behalf of Storm Group