Roles and Responsibilities
Certus has a clearly defined information security management structure so that all Information Users understand their roles and responsibilities.
All Information Users have a responsibility to make informed decisions to protect confidential and personal information. With regard to information security, all Information Users:
- must develop their understanding of data protection and of the good practice applicable to the performance of their responsibilities, and must seek advice and guidance if clarification is required;
- must consider the principles of information security and report any actual, suspected or near-miss breach of information security, or any working practice that jeopardises Certus’ information security.
The following sections itemise the specific roles and responsibilities attributed to the company’s staff.
Managing Director
- Senior Information Risk Owner (SIRO).
- Accountable for the overall information security at Certus.
- Review and endorse strategy, policy, procedures and standards.
- Ensure that reporting, control and review processes are in place.
- Ensure that information security risk management systems are in place.
- Promote and support information security and business initiatives.
- Ensure that all commercial and legal agreements in various forms include appropriate information security considerations in line with this policy and the company’s interests.
Information Systems Director
- Information Asset Owner.
- Take responsibility for data security as assigned by the SIRO.
- Ensure the Information Users are aware of the need to comply with information security policies and follow applicable procedures.
- Monitor information security policy compliance of users and third parties.
- Take appropriate action against users who breach security policies.
- Ensure that information security policy is applied to all new internal projects, customer projects and ongoing services.
- Jointly assess and manage any Information Security Incidents.
- Jointly co-ordinate security awareness initiatives and training through Certus’ PDP process.
- Jointly promote awareness of information security.
- Jointly liaise with customers or partners in assessing, managing and mitigating information security risk, especially in respect of customer development projects.
Technical Director
- Information Asset Administrator.
- Develop and implement relevant security policies and procedures specific to company IT including internal systems, applications and communications networks.
- Develop and implement relevant security policies and procedures specific to customer systems as appropriate.
- Ensure that only appropriate access levels are granted to Information Users.
- Develop and maintain appropriate Business Continuity Plans.
- Ensure that appropriate technical security measures have been applied to all internal systems.
- Ensure that appropriate technical security measures have been applied to all systems development activities and resulting products.
- Ensure that any technical security weaknesses identified are managed, resolved and brought to the attention of the company’s management team.
- Ensure appropriate security testing procedures and techniques are applied to the company’s information systems and to the systems the company develops for its customers.
- Provide a lead role in developing an appropriate information security infrastructure through the adoption of standards and development of policies and procedures.
- Take specific responsibility for the maintenance and security of internal information assets, particularly the Alfresco DMS and the code repositories.
Development Staff
- Recognise that, as part of a developer’s role, they may from time to time have access to information of a valuable or sensitive nature.
- Ensure that only appropriate access levels are granted to Information Users.
- Ensure that as a part of the development team, appropriate technical security measures have been applied to all internal systems.
- Ensure that, as part of the development team, appropriate technical security measures have been applied to all systems development activities.
- Ensure that any technical security weaknesses identified are reported to a company Director.
- Ensure that security is properly considered when developing system code, and seek guidance in the event of any doubt.
- Not knowingly create exploitable weaknesses in systems under development.
- Jointly adopt standards and policies in line with industry standards for information security.
All Information Users
- Must comply with all company information security policies.
- Use information processing facilities only for the purpose for which they were provided.
- Safeguard passwords and ensure that information is accessed and used only as intended.
- Take all reasonable precautions to prevent unauthorised use of their accounts, programs or data.
- Report all information security issues to a company Director.
- Take all reasonable steps for the security of equipment, systems and information that is under their control, whether temporarily or otherwise.
- Not intentionally or negligently misuse system resources, introduce or spread computer malware, or permit the misuse of systems or information by others.