Information Security Policy Overview
The West Cloud Contact Solutions Limited Information Security Policy provides a concise statement of the policies and standards related to information security within West Cloud Contact Solutions Limited.
Information Security Policy Document
The Leadership Team has approved and authorised an information security policy for West Cloud Contact Solutions Limited. This policy is set out below. A current version of this document is available to all employees on the company intranet. A copy is also available to external parties.
Information is an asset that West Cloud Contact Solutions Limited ("the organisation") has a duty and responsibility to protect. The availability of complete and accurate information is essential to the organisation functioning in an efficient manner and to providing products and services to customers.
The organisation holds and processes confidential and personal information on private individuals, employees, partners and suppliers and information relating to its own operations. In processing information, the organisation has a responsibility to safeguard information and prevent its misuse.
The purpose and objective of this Information Security Policy is to set out a framework for the protection of the organisation's information assets:
- Delivery of a secure, reliable cloud service for users and other interested parties who need confidence and assurance the platform is fit for their purpose of sharing and working with sensitive information
A key measure of success is the availability of our systems for customers to use, so we have an uptime objective of 99.5% (or the SLA agreed with customers) as one of the measures we track each month using our uptime monitoring systems.
We will be measuring the following on a monthly basis:
- System uptime with a target of 99.5% (availability)
- Average incident resolution time of 8 hrs or less
- Number of corrective actions with a target of none (all)
- Change request effectiveness monitoring, with a target of no failed change requests
- Ongoing security incidents and non-conformities, measured on a monthly basis
In addition, our aims are:
- Provide a pragmatic, digital, paperless ISMS for staff (and other interested parties who need to access it), integrated into their day-to-day work practices so that it becomes a habit that supports good performance rather than an inhibitor to getting their work done
- 100% of employees attending awareness training courses at least annually
- Decrease the number of information security incidents by 30% in the next 12 months
The measurements taken to validate these goals can be found in the document ISMS Effectiveness Measures, available on Confluence.
A dedicated resource is available to manage and maintain the ISMS.
This Information Security Policy outlines the framework for management of Information Security within the organisation.
The Information Security Policy is a high level document and adopts a number of controls to protect information. The controls are delivered through policies, standards, processes and procedures, supported by training and tools.
The Information Security Policy, standards, processes and procedures apply to all staff and employees of the organisation, contractual third parties and agents of the organisation who have access to the organisation's information systems or information.
The Information Security Policy applies to all forms of information including:
- speech, whether spoken face to face or communicated by phone or radio,
- hard copy data printed or written on paper,
- information stored in manual filing systems,
- communications sent by post, courier, fax or electronic mail,
- information stored and processed on servers, PCs, laptops, mobile phones and PDAs,
- information stored on any type of removable media, including CDs, DVDs, tape, USB memory sticks and digital cameras.
Terms and Definitions
For the purpose of this document the following terms and definitions apply.
- Asset: Anything that has value to the organisation
- Control: Means of managing risk, including policies, procedures, guidelines and practices
- Guideline: A description that clarifies what should be done and how
- Information Security: Preservation of confidentiality, integrity and availability of information
- Policy: Overall intention and direction as formally expressed by the Leadership Team
- Risk: Combination of the probability of an event and its consequence
- Third Party: Person or body that is recognised as being independent
- Threat: Potential cause of an unwanted incident, which may result in harm to a system
- Vulnerability: Weakness of an asset that can be exploited by one or more threats
Structure of this Policy
This policy is based upon ISO 27001 and is structured to include the 14 main security category areas within the standard.
This policy is a high level policy which is supplemented by additional security documents that provide detailed policies and guidelines relating to specific security controls according to the ISO27001:2013 standard. As part of West Cloud Contact Solutions Limited's Information Security Management System, these documents are available to all staff on the West Cloud Contact Solutions Limited Intranet.
Data and information which is collected, analysed, stored, communicated and reported upon may be subject to theft, misuse, loss and corruption.
Data and information may be put at risk by poor education and training, misuse, and the breach of security controls.
Information security incidents can give rise to embarrassment, financial loss, non-compliance with standards and legislation as well as possible judgements being made against the organisation.
The organisation will undertake risk assessments to identify, quantify, and prioritise risks. Controls will be selected and implemented to mitigate the risks identified.
Risk assessments will be undertaken using a systematic approach to identify and estimate the magnitude of the risks.
Information Security Policy Document
The information security policy document sets out the organisation's approach to managing information security.
The information security policy is approved by the Leadership Team and is communicated to all staff and employees of the organisation, contractual third parties and agents of the organisation.
The security requirements for the organisation will be reviewed at least annually by the IT Director and Director of Network Operations. Formal requests for changes will be raised for incorporation into the Information Security Policy, processes, and procedures.
Statement of Leadership Intent
It is the policy of the organisation to ensure that information will be protected from a loss of:
- Confidentiality: so that information is accessible only to authorised individuals.
- Integrity: safeguarding the accuracy and completeness of information and processing methods.
- Availability: ensuring that authorised users have access to relevant information when required.
The Director of Network Operations will review and make recommendations on the security policy, policy standards, directives, procedures, incident management and security awareness education in accordance with ISO27001:2013 best practice and advice from third parties where appropriate.
The Director of Network Operations will be responsible for incorporating regulatory, legislative and contractual requirements into the Information Security Policy, processes and procedures.
The Director of Network Operations will be responsible for incorporating the requirements of the Information Security Policy, processes, and procedures into the organisation's operational procedures and contractual arrangements.
The organisation will work towards continuous improvement in accordance with the ISO27000 standards, the international standards for information security, with the full support of the Leadership Team.
The Director of Network Operations will provide guidance on what constitutes an Information Security Incident including but not restricted to:
- Loss of service, functionality, equipment or other facilities
- System, software or hardware malfunctions, unscheduled shutdowns, unexpected system errors or overloads
- Human errors
- Non-compliances with requirements of the ISMS (including uncontrolled system changes)
- Breaches of physical security arrangements
- Access violations
Guidance will also be sought from the West Information Security team and Legal Counsel if required.
All breaches of information security, actual or suspected, must be immediately reported by staff to the NetOps Team and escalated to the Director of Network Operations for immediate investigation.
Business continuity plans will be produced, maintained and tested by the Director of Network Operations.
Information security education and training will be made available to all staff and employees by the Director of Network Operations.
Department Heads are responsible for ensuring that information stored by the organisation will be appropriate to business requirements.
Information Security Coordination
The security of information will be managed within an approved framework (currently ISO27001:2013) through assigning roles and co-ordinating implementation of this security policy across the organisation and in its dealings with third parties. The Executive Team shall appoint an Information Security Manager (Director of Network Operations) who will co-ordinate and implement this security framework.
The Director of Network Operations shall draw on specialist external advice where necessary to maintain the Information Security Policy, processes and procedures so that they address new and emerging threats and standards.
Information Security Responsibilities
The Director of Network Operations is the designated owner of the Information Security Policy and is responsible for the maintenance and review of the Information Security Policy, processes and procedures.
Heads of Department are responsible for ensuring that all staff and employees, contractual third parties and agents of the organisation are made aware of and comply with the Information Security Policy, processes and procedures.
The organisation's auditors will review the adequacy of the controls that are implemented to protect the organisation's information and recommend improvements where deficiencies are found.
All staff and employees of the organisation, contractual third parties and agents of the organisation accessing the organisation's information are required to adhere to the Information Security Policy, processes and procedures.
Failure to comply with the Information Security Policy, processes and procedures will lead to disciplinary or remedial action.
Policies and procedures according to ISO27001:2013 will be put in place by the Director of Network Operations to ensure that the organisation's assets will be appropriately protected.
Department Heads, the Administration Assistant and Finance are responsible for ensuring that all assets (data, information, software, computer and communications equipment, service utilities and people) will be accounted for and have an owner.
Owners will be identified for all assets and they will be responsible for the maintenance and protection of their assets.
Human Resources Security
The HR Team will communicate the organisation's security policies to all employees, contractors and third parties via induction training and the Staff Handbook, to ensure that they understand their responsibilities.
The HR Team will ensure that security responsibilities are included in job descriptions and in terms and conditions of employment.
The HR Team is responsible for appropriate verification checks to be carried out on all new employees, contractors and third parties in accordance with relevant laws, regulations and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risks.
Physical and Environmental Security
The Director of Network Operations is responsible for ensuring that critical or sensitive information processing facilities will be housed in secure areas.
The Director of Network Operations shall ensure that secure areas are protected by defined security perimeters with appropriate security barriers and entry controls.
The Director of Network Operations shall ensure that critical and sensitive information will be physically protected from unauthorised access, damage and interference.
Communications Management and Operations Management
The Director of Network Operations is responsible for ensuring that the organisation will operate its information processing facilities securely.
Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities will be established by the Director of Network Operations with the support of the Leadership Team.
The Director of Network Operations will ensure that the appropriate operating procedures are put in place.
The Director of Network Operations will ensure segregation of duties, where appropriate, to reduce the risk of negligent or deliberate system misuse.
The Director of Network Operations shall ensure that access to all information will be controlled according to rules documented and defined in the West Cloud Contact Solutions Limited ISO27001:2013 ISMS.
Access to information and information systems will be driven by business requirements. The Director of Network Operations shall ensure that access will be granted or arrangements made for employees, partners and suppliers according to their role, only to a level that will allow them to carry out their duties.
A formal user registration and de-registration procedure will be implemented for access to all information systems and services by the Director of Network Operations.
Information Systems Acquisition, Development and Maintenance
The Director of Network Operations will define information security requirements during the development of business requirements for new information systems or for changes to existing information systems.
The Director of Network Operations will implement controls to mitigate any identified risks where appropriate.
Information Security Incident Management
All employees and contractors shall report information security incidents and vulnerabilities associated with information systems to the NetOps Team who shall escalate in a timely manner to the Director of Network Operations. The Director of Network Operations will ensure that appropriate corrective action will be taken.
Formal incident reporting and escalation will be implemented by the Director of Network Operations.
All employees, contractors and third party users will be made aware of the procedures for reporting the different types of security incident or vulnerability that might have an impact on the security of the organisation's assets, through HR induction training and regular refresher and awareness training sessions held by the Director of Network Operations.
Business Continuity Management
The Director of Network Operations shall put in place arrangements to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
The Director of Network Operations will implement a business continuity management process to minimise the impact on the organisation and recover from loss of information assets. Critical business processes will be identified by Heads of Department to the Director of Network Operations.
Business impact analysis will be undertaken by the Leadership Team of the consequences of disasters, security failures, loss of service, and lack of service availability.
The Executive Team will endeavour to ensure that the organisation will abide by any law, statutory, regulatory or contractual obligations affecting its information systems.
The Leadership Team will endeavour to ensure that the design, operation, use and management of information systems will comply with all statutory, regulatory and contractual security requirements.
A current version of this document is available to all members of staff on MNConfluence. It does not contain confidential information and can be released to relevant external parties.
This information security policy was approved by the board on 16 May 2011 and is issued on a version controlled basis.