Guidance On Implementing This Policy

The following sections outline the currently available guidance within the company’s Information Security Framework and reference detailed guidance documentation where available. To aid development, the sections below are broadly aligned to the ISO/IEC 27002 standard and are applicable to the company’s business and scale, as indicated against each section. This section is maintained within the management process and therefore the latest copy of this and the referenced documents should always be retrieved from the ISMS website.

Risk Assessment

As a software development and consultancy company, Certus undertakes customer assignments. Each customer and each project is different. Risk assessments are to be applied to all new projects and as a part of the management process for the ISMS.

Further guidance on completing risk assessments is contained in the Risk Management Procedure.

See ISO/IEC 27005

Asset Management and Control

All company equipment is to be recorded in the Asset Register. All IT equipment purchases are to be approved by a company Director. The purpose and location of the equipment is to be logged and the company accountant must be informed of which office the equipment was purchased for.

To date no formal guidance has been necessary with regard to Asset Management and Control. All staff are reminded of the need to raise issues relating to IT assets and of their duty to the company when managing such assets. Certus holds a range of Information Assets. Assets provided by customers are normally to be held in the Alfresco DMS or in our code repositories (CVS etc.).

All company documents, e.g. proposals, contracts, procedures and policies, are to be stored in the Alfresco DMS or the company code repository. Document versioning is normally to be enabled. Electronic versions of documents sent outside the company are to be in PDF, unless specifically sent to allow editing. All code assets in any form, with the possible exception of large binaries, are to be stored in the company’s code repositories.

Further guidance on the use of the DMS and the code repositories can be found in the company wiki.

Human Resource Security

During recruitment appropriate checks are to be made as to each candidate’s suitability. It is important to recognise that Certus handles sensitive and personal information, and that systems developers are in a position of trust and, should they choose to, could expose the company to serious risk.

All new employees are to sign the company’s contract of employment. All employees are reviewed and managed through the PDPs, and information security policy and procedure are to be taken into account during this process. All company Associates are to sign a Heads of Agreement.

When an employee departs the company all access rights are to be revoked and any information in the possession of the individual is to be retrieved. Further guidance is contained in the Human Resource Security Management procedures.

See ISO/IEC 27002 Section 8

Physical and Environmental Security

To prevent unauthorised access, damage, or interference to Certus premises, equipment and information systems, all staff are to ensure Certus offices remain secure.

Before leaving an office that will be unmanned, staff shall ensure all windows are shut and locked, lights are switched off and blinds are closed. Unattended offices must be locked. If an office cannot be secured, a company Director must be contacted immediately.

Precautions should be taken to ensure that access to all PCs, laptops and any other communications devices is restricted at all times to authorised personnel. Equipment should be sited to reduce the risk of damage and be security marked.

Where portable IT equipment is used, staff must not leave the equipment open to theft or damage, whether in company or customer offices, during transit or at home. Portable equipment should be marked with the company contact details.

Communications and Operations Management

This section covers technical and operational processes and procedures relating to the information security of systems used in the company’s operation and in communication between offices, data centres and customers. Overall responsibility for this lies with the Technical Director. Further guidance is set out in the Communication and Operations Management procedures.

See ISO/IEC 27002 Section 10

Information Access Control

Security procedures are to be implemented to prevent unauthorised access to hardware, software, networked resources and information. All users should be aware of their access rights and should not attempt to access those facilities for which they have no approval or business need. Further guidance and procedures are provided in the Information Access Control Management procedure.

See ISO/IEC 27002 Section 11

Information Security Incident Management

Security incident management is concerned with intrusions, compromise and misuse of information and information systems, and with the handling of such events. It also includes responding to reported vulnerabilities. Further guidance is contained in the Information Security Incidents Management procedure.

See ISO/IEC 27002 Section 13

Business Continuity Management

Business Continuity is concerned with maintaining critical customer and business systems in the event of a disaster. Certus’ overall policy is to use replication redundancy to ensure that access to information and vital services can be efficiently restored to users in the event of catastrophic loss. More information on disaster recovery can be found in the Communication and Operations Management procedures.

Information System Security Management

Information Systems Security is concerned with maintaining the quality and security of information managed by Certus, either on behalf of its customers or in order to support its business processes. More information can be found in the Information Systems Security Management procedures.

See ISO/IEC 27002 Section 12

Personal Identifiable Information Management

The proper handling of PII is critical to the company’s operation as a service provider to public and private organisations. It is essential to maintaining the confidence of the organisations and individuals with whom we engage. Details on PII are set out in the Personal Identifiable Information Management policy and procedure.

Compliance

Certus must abide by all UK regulations and legislation affecting information and information processing facilities, and all users are to ensure adequate measures are taken to ensure compliance. All users must comply with statutory requirements and will be held responsible for any breach of current legislation and of any future legislation that may be enacted, including:

  • Freedom of Information Act 2000
  • Regulation of Investigatory Powers Act 2000
  • Data Protection Act 1998
  • Computer Misuse Act 1990
  • Copyright, Designs and Patents Act 1988