Information Security Policy

Last updated on July 1st, 2022

Introduction

The purpose of this policy document is to set out a framework within which the staff responsible for managing UK Software Ltd’s data, information and records, as well as the customer information in our custody, can develop specific standards, procedures and implementation processes that protect the confidentiality and integrity of that information whilst ensuring its availability as required. This policy is also intended to give all members of staff a clear understanding of Information Security principles and of their obligations.

Defining Information Security

Information Security means protecting information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction, thus preserving the confidentiality, integrity and availability of information.

Confidentiality – Our information is only available to those with authorisation to access it and is therefore protected from deliberate or accidental disclosure

Integrity – Our information, software and systems are accurate, complete and reliable, and are protected from unauthorised or accidental modification

Availability – Our information and associated assets are available to authorised users when required

Applicability of Policy

This policy applies to everyone who works for UK Software Ltd, including permanent staff, contractors, consultants, agency temps and third parties that come into contact with information held, generated or distributed by UK Software Ltd.

Responsibilities

Information Security is the responsibility of all employees, temporary or permanent. Any breaches of this policy may result in disciplinary action being taken.

Line managers are responsible for ensuring their direct reports are familiar with the requirements of this policy and for pre-employment reference checking.

The Managing Director is ultimately responsible for ensuring the implementation of this policy.

The Technical Director will act as the focal point for all information security issues and risk mitigation, driving the implementation of security across the company.

Senior management will ensure that information security awareness is promoted, that training is provided, and that the underlying standards and procedures are developed.

Principles

  • All information will be classified according to value to the business and the potential impact of loss or exposure, with appropriate controls put in place for handling, transportation and disposal.

  • Information and records retention and disposal policies and procedures will be in place.

  • Plans must be in place to ensure that the business continues to operate in case of unexpected events affecting buildings, information systems or people.

  • Areas storing physical information will be located in secure premises, with access limited to authorised persons.

  • Measures will be in place to secure technical equipment, including physical access controls, protection from fire, flood and power outages.

  • A clear desk and clear screen policy is in place.

  • Access to information systems must use a secure log-on process.

  • Passwords must be at least ten characters and a combination of upper- and lower-case letters, numbers and symbols.

  • Users will only have access to the information system services they have been authorised to use.

  • Protection against malicious code will be in place, with networks controlled and managed to protect from threats.

  • Changes to information processing facilities and systems will be controlled, and acceptance criteria for new or updated services will include security requirements.

  • Security incidents and weaknesses are reported through appropriate incident reporting mechanisms.

  • Appropriate contract terms covering information security will be put in place for any outsourcing or access to our information by third parties.

  • UK Software Ltd will comply with all relevant commercial / contractual obligations, regulation and legislation, including the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Information Classifications

The following classifications are applied within UK Software Ltd, listed in order of increasing protection requirements:

  • Unrestricted – This information can be freely shared internally and externally.

  • Restricted – This information can be freely shared internally but not externally without permission.

  • Confidential – This information is limited to individuals with a business ‘need to know’.

  • Secret – This information is highly sensitive and limited to individuals with a strict business ‘need to know’.