1. Security Policy Overview
1.1 Information Security Policy
The West Cloud Contact Services, Ltd. information security policy is to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
1.2 Information Security Policy Document
The management team and the board of directors have approved and authorized an information security policy for West Cloud Contact Services, Ltd. This policy is set out below. A current version of this document is available to all employees on the company intranet. A copy is also available to external parties.
2. Information Security Policy Overview
Information is an asset that West Cloud Contact Services, Ltd. (“the organization”) has a duty and responsibility to protect. The availability of complete and accurate information is essential to the organization functioning in an efficient manner and to providing products and services to customers.
The organization holds and processes confidential and personal information on private individuals, employees, partners and suppliers, and information relating to its own operations. In processing information, the organization has a responsibility to safeguard it and prevent its misuse.
The purpose and objective of this Information Security Policy is to set out a framework for the protection of the organization’s information assets:
- to protect the organization’s information from all threats, whether internal or external, deliberate or accidental
- to enable secure information sharing
- to encourage consistent and professional use of information
- to ensure that everyone is clear about their roles in using and protecting information
- to ensure business continuity and minimize business damage
- to protect the organization from legal liability and the inappropriate use of information.
The measurements taken to validate that these goals have been achieved can be found in the document ISMS Effectiveness Measures, available on the West Cloud Contact Services, Ltd. Intranet.
The Information Security Policy is a high level document, and adopts a number of controls to protect information. The controls are delivered by policies, standards, processes and procedures, supported by training and tools.
This Information Security Policy outlines the framework for management of Information Security within the organization.
The Information Security Policy, standards, processes and procedures apply to all staff and employees of the organization, contractual third parties and agents of the organization who have access to the organization’s information systems or information.
The Information Security Policy applies to all forms of information including:
- speech, spoken face to face, or communicated by phone or radio
- hard copy data printed or written on paper
- information stored in manual filing systems
- communications sent by post / courier, fax, electronic mail
- information stored and processed on servers, PCs, laptops, mobile phones and PDAs
- information stored on any type of removable media: CDs, DVDs, tape, USB memory sticks, digital cameras.
The Information Security Policy addresses the needs of all interested parties as detailed below:
- Customers – they require their product to work effectively with minimum downtime. They expect their information and data to be secure
- Resellers – they require the product to work effectively with minimum downtime. They expect their customers’ information and data to be secure. They expect accurate and timely billing information and detail to be able to bill their customers.
- Legislative parties – HMRC / TAX / Financial Auditors
2.3 Terms and Definitions
For the purpose of this document the following terms and definitions (taken from ISO 27001) apply.
- Asset: anything that has value to the organization
- Control: means of managing risk, including policies, procedures, guidelines, practices
- Guideline: a description that clarifies what should be done and how
- Information security: preservation of confidentiality, integrity and availability of information
- Policy: overall intention and direction as formally expressed by management
- Risk: combination of the probability of an event and its consequence
- Third party: person or body that is recognized as being independent
- Threat: potential cause of an unwanted incident, which may result in harm to a system
- Vulnerability: weakness of an asset that can be exploited by one or more threats
2.4 Structure of this Policy
This policy is based upon ISO 27001 and is structured to include the 11 main security category areas within the standard.
This policy is a high level policy which is supplemented by additional security documents which provide detailed policies and guidelines relating to specific security controls according to the ISO27001:2013 standard. As part of West Cloud Contact Services, Ltd.’s Information Security Management System, these documents are available to all staff on the West Cloud Contact Services, Ltd. Intranet.
Data and information which is collected, analyzed, stored, communicated and reported upon may be subject to theft, misuse, loss and corruption.
Data and information may be put at risk by poor education and training, misuse, and the breach of security controls.
Information security incidents can give rise to embarrassment, financial loss, non-compliance with standards and legislation as well as possible judgments being made against the organization.
The organization will undertake risk assessments to identify, quantify and prioritize risks. Controls will be selected and implemented to mitigate the risks identified.
Risk assessments will be undertaken using a systematic approach to identify and estimate the magnitude of the risks.
3. Security Policy
3.1 Information Security Policy Document
3.1.1 The information security policy document sets out the organization’s approach to managing information security.
3.1.2 The information security policy is approved by management and is communicated to all staff and employees of the organization, contractual third parties and agents of the organization.
3.2.1 The security requirements for the organization will be reviewed at least annually by the Information Security Manager and approved by the Board. Formal requests for changes will be raised for incorporation into the Information Security Policy, processes, and procedures.
3.3 Statement of Management intent
3.3.1 It is the policy of the organization to ensure that information will be protected from a loss of:
- Confidentiality: so that information is accessible only to authorized individuals.
- Integrity: safeguarding the accuracy and completeness of information and processing methods.
- Availability: that authorized users have access to relevant information when required.
3.3.2 The Information Security Manager will review and make recommendations on the security policy, policy standards, directives, procedures, incident management and security awareness education in accordance with ISO27001:2013 best practice and advice from third parties where appropriate.
3.3.3 The Information Security Manager will be responsible for incorporating regulatory, legislative and contractual requirements into the Information Security Policy, processes and procedures.
3.3.4 The Information Security Manager will be responsible for incorporating the requirements of the Information Security Policy, processes, and procedures into the organization’s operational procedures and contractual arrangements.
3.3.5 The organization will work towards the ISO27000 standards, the International Standards for Information Security with the full support of the Board of Directors.
3.3.6 The Information Security Manager will provide guidance on what constitutes an Information Security incident including but not restricted to:
- Loss of service, functionality, equipment or other facilities
- System, software or hardware malfunctions, unscheduled shutdowns, unexpected system errors or overloads
- Human errors
- Non-compliances with requirements of the ISMS (including uncontrolled system changes)
- Breaches of physical security arrangements
- Access violations
3.3.7 All breaches of information security, actual or suspected, must be immediately reported by staff to the Support Team and escalated to the Information Security Manager for immediate investigation.
3.3.8 Business continuity plans will be produced, maintained and tested by the Operations Manager.
3.3.9 Information security education and training will be made available to all staff and employees by the Information Security Manager.
3.3.10 Department Heads are responsible for ensuring that information stored by the organization will be appropriate to business requirements.
3.4 Information Security Coordination
3.4.1 The security of information will be managed within an approved framework (currently ISO27001:2013) through assigning roles and coordinating implementation of this security policy across the organization and in its dealings with third parties. The Board of Directors shall appoint an Information Security Manager who will co-ordinate and implement this security framework.
3.4.2 The Information Security Manager shall draw on specialist external advice where necessary to keep the Information Security Policy, processes and procedures current against new and emerging threats and standards.
3.5 Information Security Responsibilities
3.5.1 The Information Security Manager is the designated owner of the Information Security Policy and is responsible for the maintenance and review of the Information Security Policy, processes and procedures.
3.5.2 Heads of department are responsible for ensuring that all staff and employees, contractual third parties and agents of the organization are made aware of and comply with the Information Security Policy, processes and procedures.
3.5.3 The organization’s auditors will review the adequacy of the controls that are implemented to protect the organization’s information and recommend improvements where deficiencies are found.
3.5.4 All staff and employees of the organization, contractual third parties and agents of the organization accessing the organization’s information are required to adhere to the Information Security Policy, processes and procedures.
3.5.5 Failure to comply with the Information Security Policy, processes and procedures will lead to disciplinary or remedial action.
3.6 Asset Management
3.6.1 Policies and procedures according to ISO27001:2013 will be put in place by the Information Security Manager to ensure that the organization’s assets will be appropriately protected.
3.6.2 Department Heads are responsible for ensuring that all assets (data, information, software, computer and communications equipment, service utilities and people) will be accounted for and have an owner.
3.6.3 Owners will be identified for all assets and they will be responsible for the maintenance and protection of their assets.
3.7 Human Resources Security
3.7.1 The Human Resources Manager will communicate the organization’s security policies to all employees, contractors and third parties via induction training and the Staff Handbook, to ensure that they understand their responsibilities.
3.7.2 The Human Resources Manager will ensure that security responsibilities will be included in job descriptions and in terms and conditions of employment.
3.7.3 The Human Resources Manager is responsible for ensuring that appropriate verification checks are carried out on all new employees, contractors and third parties in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
3.8 Physical and Environmental Security
3.8.1 The Operations Manager is responsible for ensuring that critical or sensitive information processing facilities will be housed in secure areas.
3.8.2 The Operations Manager shall ensure that secure areas are protected by defined security perimeters with appropriate security barriers and entry controls.
3.8.3 The Operations Manager shall ensure that critical and sensitive information will be physically protected from unauthorized access, damage and interference.
3.9 Communications and Operations Management
3.9.1 The Operations Manager is responsible for ensuring that the organization will operate its information processing facilities securely.
3.9.2 Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities will be established by the Information Security Manager with the support of the Board of Directors.
3.9.3 The Operations Manager will ensure that the appropriate operating procedures are put in place.
3.9.4 The Operations Manager will ensure segregation of duties, where appropriate, to reduce the risk of negligent or deliberate system misuse.
3.10 Access Control
3.10.1 The Operations Manager shall ensure that access to all information will be controlled according to rules documented and defined in the West Cloud Contact Services, Ltd. ISO27001:2013 ISMS.
3.10.2 Access to information and information systems will be driven by business requirements. The Operations Manager shall ensure that access is granted to employees, partners and suppliers according to their role, and only to the level required for them to carry out their duties (least privilege).
3.10.3 The Operations Manager will implement a formal user registration and de-registration procedure for access to all information systems and services.
3.11 Information Systems Acquisition, Development, Maintenance
3.11.1 The Operations Manager will define the information security requirements during the development of business requirements for new information systems or changes to existing information systems.
3.11.2 The Operations Manager will implement controls to mitigate any identified risks where appropriate.
3.12 Information Security Incident Management
3.12.1 All employees and contractors shall report security incidents and vulnerabilities associated with information systems to the Support Team who shall escalate in a timely manner to the Information Security Manager. The Information Security Manager will ensure that appropriate corrective action will be taken.
3.12.2 Formal incident reporting and escalation will be implemented by the Information Security Manager.
3.12.3 All employees, contractors and third party users will be made aware of the procedures for reporting the different types of security incident, or vulnerability that might have an impact on the security of the organization’s assets through HR induction training and regular refresher and awareness training sessions held by the Information Security Manager.
3.13 Business Continuity Management
3.13.1 The Operations Manager shall put in place arrangements to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
3.13.2 The Operations Manager will implement a business continuity management process to minimize the impact on the organization of, and recover from, the loss of information assets. Critical business processes will be identified by Heads of Department to the Operations Manager.
3.13.3 Business impact analysis will be undertaken by the Management Team of the consequences of disasters, security failures, loss of service, and lack of service availability.
3.14.1 The Board of Directors will endeavor to ensure that the organization abides by all legal, statutory, regulatory and contractual obligations affecting its information systems.
3.14.2 The Board of Directors will endeavor to ensure that the design, operation, use and management of information systems will comply with all statutory, regulatory and contractual security requirements.
A current version of this document is available to all members of staff on the company intranet. It does not contain confidential information and can be released to relevant external parties.
This information security policy was approved by the board on 16 May 2011 and is issued on a version controlled basis under the signature of the Managing Director.