APT Ltd Information Security Policy
Information takes a number of forms. It can be stored on computer systems, transmitted across networks, printed out, captured with a camera, written down on paper as well as spoken in conversations.
Information held and maintained within computer systems, together with any networks that support it, is a particularly important asset. Without it and the computer system on which it is maintained, an organisation may not be able to operate effectively if at all.
Security risks to computer systems are increasing from an ever widening and increasingly sophisticated range of sources. Systems may be the target of a number of threats, including fraud, sabotage, vandalism and other sources of failures as well as natural disasters such as fire and flood.
In addition, new sources of potentially damaging threats continue to emerge alongside those already posed by computer viruses and hackers. All information needs protection from both accidental and deliberate damage, and applying appropriate security controls and procedures can reduce these risks.
The security of data covers four main areas:

| Area | Meaning |
|---|---|
| Confidentiality | Protecting information from unauthorised disclosure or interception. |
| Integrity | Protecting and ensuring the accuracy and completeness of information and computer systems. |
| Availability | Ensuring that information, resources and services, including computer systems, are available when required. |
| Compliance | Ensuring that formalised data procedures are followed at all times in order to reduce risks and comply with any responsibilities under the Data Protection Act and other relevant legislation or regulations imposed by the UK government or regulatory bodies. |
It is the policy of APT to maintain an information security management system designed to meet the requirements of ISO 27001, in pursuit of its primary objectives and in keeping with the purpose and context of the organisation.
1.1. Aims and Objectives
The aim for APT in information security is to adopt best practices for the handling, processing and storage of data, ensuring that confidentiality, integrity, availability and compliance are maintained in accordance with the ISO 27001 standard and with other standards and requirements set by government legislation and regulatory bodies, at all levels of the business.
The broad aims of this policy and any associated policies are:
- To prevent security breaches
- To detect a breach if it occurs
- To limit any damage caused by a breach
- To recover from the effects of a breach
APT intends to achieve these objectives by communicating clear guidance to all employees, contractors and third parties that have direct access to data stored on APT’s networks and information technology systems.
This Policy and all associated policies aim to cover all aspects of APT’s business practices and apply to all employees, contractors, third parties or any other individuals that have direct access, at any time or for any period of time, to any networks and systems under APT’s control.
2.1. Information Security Policies
2.1.1 A set of lower level controls, processes, internal policies and procedures for information security will be defined to support this policy and its objectives.
2.1.2 Internal policies will meet all of the requirements set out throughout this policy and will define how APT meets each point.
2.1.3 All internal policies will on a regular basis:
2.1.4 The internal Information Security Policies shall include controls for all applicable Annex A clauses of ISO 27001.
2.1.5 Customers may request information on the details and controls in place for each of the sections below. In some cases, APT will not provide the actual policies themselves as they may contain confidential information and trade secrets. If this is the case, APT will compile relevant information from the policies and provide those to the customer.
The following sections describe the actions APT will take to ensure the security of data.
2.2. Organisation of Information Security
2.2.1 Roles shall be defined to outline individuals’ responsibilities for information security within the organisation.
2.2.2 Ensure that segregation of duties is implemented wherever possible to prevent conflicting areas of interest or responsibility.
2.2.3 Develop and maintain contact with special groups and other security specialists and professional organisations.
2.2.4 Address information security requirements for any projects APT undertakes.
2.2.5 Create a set of suitable security controls for any mobile devices and teleworking arrangements that have access to APT’s systems or data.
2.3. Human Resource Security
2.3.1 Carry out regular screening and background checks on any prospective and current employees, proportionate to their level of access to data and the roles they perform within the organisation.
2.3.2 Ensure that all contracts and agreements with employees and contractors state their individual and collective responsibilities for information security.
2.3.3 Implement an effective management structure with suitable supervision and direct lines of reporting, to ensure all policies and procedures are followed effectively.
2.3.4 Develop and maintain an Information Security awareness, education and training program to ensure that all employees are aware of their responsibilities and the best ways to maintain security in their roles against existing, current and future threats.
2.3.5 Communicate to all employees a formal disciplinary process that applies to employees who have committed an information security breach.
2.3.6 Create and regularly review joiners, movers and leavers policies, procedures, access control lists and other controls to ensure access to data and systems accurately reflects the employee’s current role within the organisation.
2.4. Asset Management
2.4.1 Maintain a full inventory of assets, including unique identifying information, current locations and status and asset owners who are responsible for maintaining the security of that asset.
2.4.2 Document and communicate policies outlining the acceptable use of assets and any information stored on those assets.
2.4.3 Classify and label all information in terms of legal and regulatory requirements, value and sensitivity. Proportionate security and handling requirements shall be defined for each classification.
2.4.4 Ensure that any media that is no longer required is disposed of in a way that leaves the information stored on it unrecoverable by any known methods.
2.4.5 Develop policies, procedures and controls to protect portable assets and media.
2.5. Access Control
2.5.1 Ensure that users only have access to the networks, systems, resources and data that they are authorised to use.
2.5.2 Authorisation must be approved by upper management and the security team prior to access being provided.
2.5.3 Formal policies shall be in place to ensure all access is logged and tracked, allowing any access granted to be fully revoked upon user de-registration across multiple networks and systems.
2.5.4 Privileged access shall be restricted to a select few trusted and competent individuals.
2.5.5 All access shall be reviewed at regular intervals defined by management to ensure compliance with 2.5.1.
2.5.6 Password requirements shall be enforced, conforming to the NCSC’s latest advice and best practices from the wider information security community.
2.6. Cryptography
2.6.1 Any cryptographic algorithms and methods used shall be uncompromised, and shall be selected and used in accordance with current industry best practices.
2.6.2 Cryptographic keys shall be protected using suitable methods for the whole of the period in which they are in use.
2.7. Physical and Environmental Security
2.7.1 A security perimeter shall be defined to protect areas that contain sensitive and critical information.
2.7.2 Entry to secure areas shall be protected by appropriate controls.
2.7.3 APT’s services and data shall be protected from natural disasters, malicious attacks, accidents or any other damage outside of APT’s direct control.
2.7.4 Access points shall be monitored and controlled to prevent unauthorised access to data and facilities.
2.7.5 All equipment shall be maintained to ensure it is working efficiently and is able to maintain the availability and integrity of data.
2.7.6 No equipment, information or software shall be taken off-site without authorisation from senior management and the security team. Any assets taken off-site shall have appropriate controls put in place to protect them.
2.7.7 Once any asset reaches end of life or is no longer required, any information on it shall be removed using industry standards to ensure that the data is not recoverable in any capacity.
2.7.8 A clear desk policy shall be developed and implemented to ensure that physical information assets are not visible from inside or outside the office when unsupervised or not in use. Appropriate controls shall be put in place to physically secure them.
2.8. Operational Security
2.8.1 Standard Operating Procedures shall be created by each department and maintained to ensure availability of business functions.
2.8.2 Change management policies and procedures shall be documented to ensure that the security of any system is maintained and that any capacity and demand on those systems can be handled effectively.
2.8.3 Development, Testing and Operational/Production environments shall be segregated and isolated from each other.
2.8.4 Technical and organisational controls shall be implemented to raise awareness of, detect and protect against malware.
2.8.5 Backups of data shall be taken at regular intervals and tested to ensure their integrity and their availability in a disaster scenario.
2.8.6 Full auditing and logs shall be implemented on systems to enable information gathering to take place during investigations.
2.8.7 Any logs shall be protected from tampering and accidental alteration to preserve their integrity.
2.8.8 Clocks across all systems shall be synchronised against a single source.
2.8.9 All software shall be vetted and approved prior to being installed on systems.
2.8.10 All systems shall be tested regularly to detect security vulnerabilities and ensure controls in place are effective.
2.9. Communications Security
2.9.1 All networks, network services and infrastructure shall be secure and segregated from each other.
2.9.2 All transferring of sensitive information between systems and parties shall be done in a secure and confidential manner.
2.9.3 Requirements for non-disclosure agreements shall be established and maintained.
2.10. System Acquisition, Development and Maintenance
2.10.1 All new products, systems and projects will be acquired, developed and maintained with information security at the core of the decision-making process.
2.10.2 Any changes to projects shall be fully tested to ensure security is not compromised.
2.10.3 Any products and services provided over public networks shall be protected and secure.
2.10.4 Test data shall be carefully selected, created, protected and controlled.
2.11. Supplier Relationships
2.11.1 All relevant information security requirements shall be established and agreed with each supplier.
2.11.2 Suppliers will only be engaged with if they meet or exceed APT’s high standards for security.
2.11.3 Customers shall be notified prior to the engagement of a new supplier, giving time for the customer to object.
2.11.4 All suppliers and their services shall be monitored and reviewed regularly.
2.11.5 Any changes of terms or workflows with a supplier shall be re-examined and subject to an approval process before being adopted.
2.12. Information Security Incident Management
2.12.1 Specific responsibilities and procedures shall be established in terms of information security incidents.
2.12.2 All information security events shall be reported through management channels without delay. Events will then be assessed by the security team.
2.12.3 All investigations shall be carried out by competent security personnel, taking care to preserve and collect any evidence.
2.12.4 Information security incident responses shall be documented and maintained up-to-date with all current contractual, regulatory and legislative requirements.
2.13. Information Security Aspects of Business Continuity Management
2.13.1 APT shall have extensive and fit-for-purpose business continuity plans in place to cover most foreseeable disaster scenarios.
2.13.2 All plans shall be tested frequently, to the extent that testing does not impact the day-to-day running of the business, and reviewed to ensure their effectiveness and identify areas for improvement.
2.14. Compliance
2.14.1 APT has a responsibility to adhere to all current UK legislation as well as regulatory and contractual requirements.
2.14.2 A list of applicable legislative requirements will be maintained titled “Legal Compliance Register”.
2.14.3 APT will employ the services of and consult legal advisors to review APT’s Legal Compliance Register at least once a year to ensure that all legislative requirements are identified.
2.14.4 The Legal Compliance Register as well as regulatory requirements will be taken into account when designing and writing all policies.
2.14.5 APT’s information security practices and policies shall be reviewed independently at regular intervals or when significant changes occur.
2.14.6 All business functions, procedures, staff, assets and systems shall be reviewed frequently to ensure compliance with internal policies, regulatory and legislative requirements and contractual agreements.