Information Security Policy
This Information Security Policy is a key component of Yours Clothing Limited’s overall information security management framework.
Data and information systems are vital to the business. Incidents involving loss of confidentiality, integrity or availability of information can be costly. Serious incidents, which may include failure to comply with information legislation, can also damage the reputation of the business.
1. Objective, Aim and Scope
1.1. Policy Objectives
The objectives of the Yours Clothing Limited Information Security Policy are:
Confidentiality - Access to data shall be confined to those with appropriate authority and protected from unauthorised access.
Integrity - Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
Risk Management - Appropriate measures shall be taken to manage the risks of loss of availability and of unauthorised disclosure of information.
Compliance - Compliance with laws, regulations and the terms of contracts shall be ensured.
Failure to comply with the Yours Clothing Limited Information Security Policy may lead to disciplinary action.
1.2. Policy Aim
The aim of this policy is to establish and maintain the security of individuals’ information, information systems, applications and networks owned or held by Yours Clothing Limited by:
Ensuring all members of staff are aware of, and fully comply with, the relevant legislation as described in this and other policies.
Explaining the principles of security and how they shall be implemented in the organisation.
Ensuring all members of staff fully understand their own responsibilities towards a consistent approach to security.
Creating and maintaining a level of awareness of the need for Information Security as an integral part of the day to day business.
Protecting information assets.
1.3. Scope
- This policy applies to all information, information systems, networks, applications, locations and users of Yours Clothing Limited, or supplied under contract to it.
2. Responsibilities for Information Security
2.1. Ultimate responsibility for information security rests with the Yours Clothing Board of Directors, who shall be responsible for managing and overseeing the implementation of this policy and related procedures.
2.2. Line Managers are responsible for ensuring that their permanent and temporary staff, and contractors are aware of:
The areas of the Information Security Policy that are applicable in their department
Personal responsibilities for information security
Where to find, and how to access advice on information security matters
2.3. All staff shall comply with information security procedures, including the maintenance of data confidentiality and integrity.
2.4. The Information Security Policy shall be maintained, reviewed at least annually, and updated as required.
2.5. Line managers shall be responsible for the security of their department's physical environments where information is accessed, processed or stored.
2.6. Each member of staff shall be responsible for the operational security of the information systems they use.
2.7. Each system user shall comply with the security requirements that are currently in force, and shall also ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.
2.8. Contracts with external contractors that allow access to the organisation’s information systems shall be in operation before access is allowed. These contracts shall ensure that the staff or sub-contractors of the external organisation shall comply with all appropriate security policies.
3. Legislation
3.1. Yours Clothing Limited is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents, who may be held personally accountable for any breach of information security for which they are responsible.
4. Policy Framework
4.1. Management of Security
Responsibility for Information Security shall reside with the Board of Directors.
Department Managers are responsible for implementing, monitoring, documenting and communicating security requirements within their teams on behalf of the organisation.
4.2. Information Security Awareness Training
Information security awareness training shall be included in the staff induction process.
Staff awareness will be reviewed, refreshed, and updated as necessary.
4.3. Contracts of Employment
All contracts of employment shall contain a confidentiality clause.
Information security expectations of staff shall be included within the employee handbook, and on induction.
4.4. Security Control of Assets
- Each IT asset (hardware, software or application) shall have a named owner who is responsible for the information security of that asset.
4.5. Access Controls
- Only authorised personnel who have a justified business need shall be given authorisation to access restricted areas containing information systems or stored data.
4.6. Computer Access Control
- Access to computer facilities shall be restricted to authorised users who have a business need to use the facilities.
4.7. Application Access Control
- Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need e.g. systems or database administrators.
4.8. Equipment Security
- In order to minimise loss of, or damage to, all assets, equipment shall be physically protected from threats and environmental hazards.
4.9. Computer and Network Procedures
- Management of computers and networks shall be controlled through standard documented procedures that have been authorised by the board.
4.10. Information Risk Assessment
Risk assessment and management requires the identification and quantification of information security risks in terms of the value of the asset, the severity of impact and the likelihood of occurrence.
Once identified, information security risks will be recorded on a central business risk register and action plans devised to manage those risks effectively. The risk register and all associated actions shall be reviewed regularly. Any implemented information security arrangements shall also be reviewed regularly. These reviews shall help identify areas of continuing best practice and possible weakness, as well as potential risks that may have arisen since the last review was completed.
4.11. Information Security Events and Weakness
- All information security events and suspected weaknesses shall be reported. They shall be investigated to establish their cause and impact, with a view to preventing similar events in future.
4.12. Protection from Malicious Software
- Yours Clothing shall maintain management procedures and technical countermeasures to protect itself against the threat of malicious software. Users shall not install software on the organisation's property without permission from the IT Manager or a Director.
4.13. User Media
- Removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the IT Manager or a Director before they may be used on Yours Clothing systems. Such media must also be fully scanned for malicious software before being used on the organisation's equipment.
4.14. Monitoring System Access and Use
An audit trail of system access and data use by all staff shall be maintained.
Yours Clothing regularly audits compliance with this and other policies. In addition, it reserves the right to monitor activity where it suspects that there has been a breach of policy. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, made under the Regulation of Investigatory Powers Act 2000, permit a business to monitor and record employees' electronic communications (including telephone communications) for the following purposes:
To establish the existence of facts
Detection and investigation of any unauthorised use of the system
Prevention and detection of crime
To ascertain or demonstrate standards which are achieved or ought to be achieved by persons using the system (quality control and training)
National Security Interests
Compliance with regulatory practices or procedures
Ensuring the effective systems operation.
Any monitoring shall be undertaken in accordance with those Regulations and the Human Rights Act 1998. This policy serves as notice to staff that their use of the organisation's systems may be monitored for the purposes listed above.
4.15. Accreditation of Information Systems
- Yours Clothing will ensure that all new information systems, applications and networks include a security plan and are approved by the Board before they commence operation.
4.16. System Change Control
- Changes to information systems, applications or networks shall be reviewed and approved by the IT Manager and the Board.
4.17. Intellectual Property Rights
- Yours Clothing will ensure that all software and other information products are properly licensed and approved. Users shall not install software on the organisation's property without permission from the IT Manager or a Director.
4.18. Business Continuity and Disaster Recovery Plans
- The organisation shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.
4.19. Reporting
- The IT Manager shall keep the Board informed of the information security status of the organisation by means of regular reports.