Last Reviewed 30/01/2024
Introduction
Andy Gardner Web Design (the organisation) is committed to protecting the confidentiality, integrity, and availability of its information assets. This policy outlines the guiding principles and procedures for maintaining the security of our information.
Scope
This policy applies to all of the organisation's employees, contractors, consultants, temporary workers, interns, and other personnel (collectively, "personnel") who have access to our information systems and data. It also applies to all information systems, networks, and data owned, operated, or managed by the organisation.
Policy
Security Officer
Andrew Gardner acts as the Security Officer.
Access Control
- Access to information systems and data must be granted based on the principle of least privilege, meaning that users must have only the minimum permissions necessary to perform their job functions.
- Access requests must be approved by the relevant manager and documented.
- User accounts must be assigned to individuals and not shared among multiple people.
- Passwords must be strong, unique, and kept confidential.
Data Security
- All sensitive data must be encrypted at rest and in transit.
- Data backups must be performed regularly and stored securely offsite.
- Data must be classified into different categories based on its sensitivity, and appropriate security controls must be applied to each category.
Incident Management
- All security incidents must be reported to the Security Officer immediately.
- The Security Officer must investigate and respond to security incidents promptly and effectively.
- The incident response procedure must include steps for containment, eradication, recovery, and post-incident activities.
Malware Protection
- Anti-virus software must be installed and updated on all devices.
- Malware scans must be performed regularly.
- Suspicious emails and attachments must be avoided, and employees must not open files from unknown sources.
Bring Your Own Device (BYOD)
- Personnel are allowed to use their personal devices for work purposes, but they must adhere to the organisation's security policies and procedures.
- Personal devices must meet the organisation's security standards, including up-to-date anti-virus software and strong passwords.
Remote Working
- Remote working must be approved on an as-needed basis and must comply with the organisation's security policies and procedures.
- Remote access to the organisation's information systems must be secured using a VPN or other approved remote access tools.
Compliance
- The organisation must comply with all relevant laws and regulations related to information security.
- The organisation must maintain best practice aligned with industry-standard certifications and compliance frameworks, such as ISO 27001 or the NIST Cybersecurity Framework.
Training and Awareness
- The organisation must provide regular training and awareness programmes for personnel on information security best practices.
- Personnel must understand their roles and responsibilities in maintaining information security.
Third-Party Suppliers
- The organisation must evaluate the information security risks associated with third-party suppliers before engaging in business with them.
- The organisation must ensure that third-party suppliers comply with its information security policies and procedures.
Monitoring and Review
- The organisation must continuously monitor and review its information security policies and procedures to ensure they remain effective and relevant.
- The organisation must conduct regular security audits and penetration testing to identify vulnerabilities and weaknesses.
Conclusion
Information security is everyone’s responsibility, and we must work together to protect our information assets. Adherence to this policy is mandatory, and failure to comply may result in disciplinary action. This policy will be reviewed annually or whenever there is a significant change in our information systems or business operations.