Issue Date: July 2017
Next Review: January 2018
INFORMATION SECURITY (DATA PROTECTION) POLICY STATEMENT
Appropriate technical and organisational measures shall be taken to prevent unauthorised or unlawful processing of personal data and commercially sensitive information, and to safeguard against accidental loss or destruction of, or damage to same.
This Company will act to ensure that measures are implemented to protect the integrity of information. Such measures shall include:
- Protecting computer networks, all desktop and portable computers and handheld devices with user log-in credentials, passwords and, where appropriate, biometrics.
- Protecting networks from any damaging executables or scripts introduced by portable media, including, but not limited to, memory sticks and optical storage.
- Utilisation of Anti-Virus, Anti-Malware and Anti-Adware programs that are updated to the latest database definitions.
- Firewalls to protect against unwanted intrusion into networks, servers, computers and handheld devices.
- Maintaining information to ensure that it is accurate and complete.
- Data centre back-ups shall be protected by 256-bit AES encryption, which prevents data being read by any unauthorised holder. Copies of back-ups are kept off-site using controlled and secure procedures.
- Adherence to contracts with our clients that contain strict no-publicity clauses and thus photographic media taken on clients’ premises and sites will not be used or displayed without explicit permission to do so.
- Communicating Confidentiality Agreements and Non-Disclosure Agreements to relevant personnel.
- Denial of access by our employees to social media and networking, and in particular the transmission or posting of site photographs.
- Enacting disciplinary action against any employee who jeopardises the security and confidentiality of information/data entrusted to the company.
- Communication Logs that are only accessible by authorised personnel shall be retained for a period of 2 weeks for the purpose of fault diagnosis and user support, after which time they are securely deleted.
By implementing the above security measures we shall comply with business, contractual, and regulatory requirements, including those of the Data Protection Act. This policy is formulated with reference to International Standards ISO27001 – Information Security management systems requirements and ISO22301 – Business continuity management systems requirements.