INFORMATION SECURITY POLICY SEPTEMBER 2020
This policy provides a framework for the management of information security in Hertfordshire Equality Council (HEC). It applies to all employees, freelance contractors and office visitors.
Information systems are defined as any systems attached to the HEC server, network or cloud backup. This includes computers, telephones and tablets/other handheld devices.
Information means all information (data) processed by HEC pursuant to its operational activities, regardless of whether it is processed electronically or in paper (hard copy) form, and any communications sent to or from us.
HEC is committed to protecting the security of its information and information systems in order to ensure that:
- the integrity of information is maintained, so that it is accurate, up to date and ‘fit for purpose’;
- confidentiality is not breached, so that information is accessed only by those authorised to do so;
- we meet our legal requirements, including those applicable to personal data under the Data Protection Act / GDPR; and
- our reputation is safeguarded.
The following access controls exist in HEC:
- Access to the internet and e-mail is via our office router which has a static IP address assigned to HEC.
- We have taken external professional advice in respect of password strength. The highest levels of password strength apply to all HEC I.T. assets. This includes all HEC office computers and laptops.
- Antivirus software, including e-mail sweeping, is fitted to all HEC devices.
- External access to our server is NOT permitted.
- A unique ID and logon are required to access all HEC computers.
- Data keys are not permitted on any HEC computer.
Breaches of information security must be recorded and reported to the HEC Company Secretary, who will take appropriate action.
Risk assessment of information held
The degree of security control required depends on the sensitivity or criticality of the information. The first step in determining the appropriate level of security therefore is a process of risk assessment, in order to identify and classify the nature of the information held, the adverse consequences of security breaches and the likelihood of those consequences occurring.
Given the nature of our structure, the risk assessment should be carried out in the first instance by the Company Secretary. The risk assessment should identify the information assets; define the ownership of those assets; and classify them according to their sensitivity and/or criticality.
In assessing risk, HEC will consider the value of the asset, the threats to that asset and its vulnerability. Information security risk assessments should be repeated periodically and carried out as required during the operational delivery and maintenance of the HEC infrastructure, systems and processes.
Personal data must be handled in accordance with the GDPR and in accordance with HEC policy and guidance on personal data.
The GDPR requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
A higher level of security should be provided for ‘sensitive personal data’, which is defined in the GDPR as data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
Confidential information should be kept secure, using, where practicable, dedicated storage (e.g. file servers) rather than local hard disks, and an appropriate level of physical security.
File or disk encryption should be considered as an additional layer of defence, where physical security is considered insufficient.
Confidential information must be stored in such a way as to ensure that only authorised persons can access it.
All users must be authenticated. Authentication should be appropriate, and where passwords are used, clearly defined policies should be in place and implemented. Users must follow good security practices in the selection and use of passwords.
Where necessary, additional forms of authentication should be considered.
Policies and procedures must be in place for the secure disposal/destruction of confidential information.
The permission of the information owner should be sought before confidential information is taken off site. The owner must be satisfied that the removal is necessary and that appropriate safeguards are in place, e.g. encryption.
In the case of personal data, the ICO recommends that all portable devices and media should be encrypted where the loss of the data could cause damage or distress to individuals.
The passphrase of an encrypted device must not be stored with the device.
Exchange of Information and use of Email
Controls should be implemented to ensure that electronic messaging is suitably protected.
Email should be appropriately protected from unauthorised use and access.
Email should only be used to send confidential information where the recipient is trusted, the information owner has given their permission, and appropriate safeguards have been taken, e.g. encryption.
Documents containing confidential information should be marked as ‘Confidential’ or with another appropriate designation, e.g. ‘Sensitive’.