Information Technology (IT) Security Policy | Template for FCA Applications

FCA and PRA authorisations and ongoing compliance support. Contact us 7 days a week, 8am-11pm. Free consultations. Phone/Whatsapp: +4478 3368 4449  Email: info@hirett.co.uk

1. Glossary of terms

IT – Information Technologies
HIRETT LTD – The Company

2. Introduction

This Information Security Policy is the foundation of information security program of the Company and ties together all other policies as they relate to information security and data protection.

The Company’s Information Security Policy covers all aspects of how we identify, secure, manage, use and dispose of information and physical assets as well as acceptable use protocols, remote access, password and encryptions. To ensure that the importance of each information security area is not missed or vague, we use separate policies and procedures for each information security area and where applicable, reference these external policies in this document.

3. Policy Statement

Information and physical security is the protection of the information and data that the Company creates, handles and processes in terms of its confidentiality, integrity and availability from an ever-growing number and wider variety of threats, internally and externally. Information security is extremely important as an enabling mechanism for information sharing between other parties.

The Company is committed to preserving Information Security of all physical, electronic and intangible information assets across the business, including, but not limited to all operations and activities.

We aim to provide information and physical security to:

  • Protect customer, 3rd party and client data
  • Preserve the integrity of The Company and our reputation
  • Comply with legal, statutory, regulatory and contractual compliance
  • Ensure business continuity and minimum disruption
  • Minimise and mitigate against business risk

4. Purpose

The purpose of this document is to provide the Company’s statement of intent on how it provides information security and to reassure all parties involved with the Company that their information is protected and secure from risk at all times. The information the Company manages will be appropriately secured to protect against the consequences of breaches of confidentiality, failures of integrity, or interruptions to the availability of that information.

5. Scope

The policy relates to all the Company staff (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas) within the organisation and has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual and business expectations and requirements.

6. Objectives

The Company has adopted the below set of principles and objectives to outline and underpin this policy and any associated information security procedures:

  • Information will be protected in line with all our data protection and security policies and the associated regulations and legislation, notably those relating to data protection, human rights and the Freedom of Information Act
  • All information assets will be documented on an Information Asset Register (IAR) by the IT Director and will be assigned a nominated owner who will be responsible for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect it
  • All information will be classified according to an appropriate level of security and will only be made available solely to those who have a legitimate need for access and who are authorised to do so
  • It is the responsibility of all individuals who have been granted access to any personal or confidential information, to handle it appropriately in accordance with its classification and the data protection principles
  • Information will be protected against unauthorised access and we will use encryption methods as set out in the above objectives in this policy
  • Compliance with this Information Security and associated policies will be enforced and failure to follow either this policy or its associated procedures will result in disciplinary action

The IT Director has the overall responsibility for the governance and maintenance of this document and its associated procedures and will review this policy at least annually to ensure this it is still fit for purpose and compliant with all legal, statutory and regulatory requirements and rules. It is the sole responsibility of the IT Director to ensure that these reviews take place and to ensure that the policy set is and remains internally consistent.

7. Procedures and Guidelines

7.1 Security Classification

Each information asset will be assigned a security classification by the asset owner or Information Security Officer, which will reflect the sensitivity of the asset.

The Company classifies information objectives by:

1. Type

  • processed data;
  • data stored on-line;
  • data archive;
  • data backup;
  • log-files;
  • databases;
  • data transferred through communication channels;
  • data kept in paper format.
  • software documentation;
  • system documentation;
  • network documentation;
  • internal instructions and procedures.

2. Level of confidentiality:

  • personal data
  • commercial confidentiality
  • business secrets
  • public information

Each piece of information, or an “object” has an “owner” which is responsible for its functionality and security as well as for performing following actions:

  • identifies authorised persons and their access rights to the certain piece of information;
  • conducts risk analysis (new objects, amendments to existing objects);
  • develops object usage rights;
  • outlines requirements for object recovery in case if it has been changed without authorisation or it has been lost;
  • ensures cooperation with the manager of the technological resource in regard to security and functionality of the object.

7.2 Access to Information

Staff at the Company will only be granted access to the information that they need to fulfil their role within the organisation. Staff who have been granted access must not pass on information to others unless they have also been granted access through appropriate authorisation.

The Company classifies staff by the level of access to information:

  • users of information systems who have read-only access to the information;
  • data input operators who, according to their job-specific duties, have rights to read, add, edit and amend existing information;
  • information system administrators who possess full access rights to the information system which they administrate;
  • system administrators who possess full access rights to all of the network resources;
  • system testers who possess the right to modify system software within the test server;
  • auditors and security employees who are being granted full access to any information system for the purpose of its inspection.

When the employee is being hired, he or she is being familiarised with The Company’s internal policies and procedures, as well as guidance on the use of information systems. Job contract contains a confidentiality agreement and new employees are allowed to access information resources only after job application has been filed and the training process has been completed.

Should the job duties of an employee be amended, all access rights to The Company’s information resources are being terminated. New access rights are being later assigned on the basis of the new application and in accordance to the functions, performed by the employee. In case the job contract has been terminated, all access rights to The Company’s information resources are also being terminated along with related account.

If an information system administrator, computer network administrator, internal auditor or an IT Security Officer is being dismissed, all passwords are being changed for systems which a dismissed employee had access to, along with the standard procedure of access right termination.

7.3 Secure Disposal of Information

Care needs to be taken to ensure that information assets are disposed of safety and securely and confidential paper waste must be disposed of in accordance with relevant procedures on secure waste disposal.

The Company does not allow disposal of electronic storage devices without prior destruction.

Devices have to be destroyed in the way which would prevent further data restoration.

Paper-based information is being destroyed by shredding it to the level not less than P-5 by the standard DIN-66399. Disposal takes place on the daily basis in the office of the Company.

Electronic information must be securely erased or otherwise rendered inaccessible prior to leaving the possession of the Company. Information has to be erased in the way so it would not be later recovered, such as by low-level formatting or wiping.

7.4 Information on Desks, Screens and Printers

Members of staff who handle confidential paper documents should take the appropriate measures to protect against unauthorised disclosure, particularly when they are away from their desks. Confidential documents should be locked away overnight, at weekends and at other unattended times. Care should also be taken when printing confidential documents to prevent unauthorised disclosure.

Computer screens on which confidential or sensitive information is processed or viewed should be sited in such a way that they cannot be viewed by unauthorised persons and all computers should be locked while unattended.

7.5 Data Encryption

Encryption methods are always used to protect confidential and personal information within the Company and when transmitted across data networks. We also use encryption methods when accessing the Company network services, which requires authentication of valid credentials (usernames and passwords).

The Company is not using any mobile devices in its work (for example, laptops, tablets, smartphones, external hard drives, USB sticks, digital recorders) to store confidential data. Confidential data is stored in the corporate networks placed in securely stored servers.

Where data is subject to an agreement with an external organisation, the data should be handled (stored, transmitted or processed) in accordance with the organisation’s specified encryption requirements.

Where there is a requirement to remove or transfer personal information outside of the Company, it is always being kept in an encrypted format with the use of passwords, described in the procedure “password requirements”. Encryption is used whenever appropriate on all remote access connections to the organisation’s network and resources. The Company also has documented protocols for the management and use of electronic keys, with a view to controlling both the encryption and decryption of confidential and sensitive information.

All confidential and restricted information transmitted via email is encrypted. Where a secret key is provided to decrypt, this is done so in a separate format to the original email.

Encryption Keys

Definitions

  • Encryption: this is the process of locking up (encrypting) information using cryptography. Such information appears illegible if access, unless a corresponding key is used to decrypt the data.
  • Decryption: the process of unlocking the encrypted information via a key.
  • The Company utilise both asymmetric and symmetric key encryption algorithms, dependant on the systems, purpose and information. The type of encryption is decided by the IT Director after assessing the requirements of the information and transfer.
  • Asymmetric Key Encryption Algorithms: A type of encryption algorithm whereby two different keys are used. One key is for encrypting the information and the other for decrypting. This type is also known as public-key encryption.
  • Symmetric Algorithms: These are also referred to as “secret key encryption” and use the same key for both encryption and decryption.

Approved Key Encryption Algorithms and Protocols

The Company uses various encryption methods for protection of sensitive information. These methods depend on the type of stored or transmitted information, its location and use. All algorithms are certified by ICSA labs.

Symmetric Key Encryption Algorithms

  • Triple Data Encryption Standard (3DES)- Minimum encryption key length of 168 bits
  • Advanced Encryption Standard (AES)- Minimum encryption key length of 256 bits

Asymmetric Key Encryption Algorithms

  • Digital Signature Standard (DSS)
  • Elliptic Curve Digital Signature Algorithm (ECDSA)

Encryption Protocols

  • IPSec (IP Security)
  • SSL (Secure Socket Layer)
  • SSH (Secure Shell)
  • TLS (Transport Layer Security)
  • S/MIME (Secure Multipurpose Internet Extension)

Key Use & Protocols

Encryption key management is fully automated and all private keys are kept secure, restricted and confidential. Whilst keys are in transit and/or storage, they are always encrypted. Due to their nature, when the Company uses symmetric encryption key algorithms, there is a requirement to share the secret key with the recipient. Protecting and securing the key for sharing is paramount to protecting the information the key encrypts, and so encrypting the key itself is a mandatory requirement. During distribution and transfer, the symmetric encryption keys are always encrypted using a stronger algorithm with a key of the longest key length for that algorithm.

The Company ensures encryption of all data received through the corporate network. All electronic confidential information has to be encrypted. When confidential information is being transferred with the help of the corporate network to external financial networks (SWIFT, MasterCard, banks), encryption is being performed in accordance with the rules of the network owner.

The level of encryption and certain algorithms is specific to the service and is being defined and assessed if necessary. Expiry date of encryption keys is being identified separately for each service according to level of risk. Recommended expiry date is 6 months.

If encryption is being used by some kind of service, the administrator of the mentioned service is considered to be an owner of the encryption key. The owner is directly responsible for the use and safety of the key. The owner is also obliged to renew the key if it is expired or if it becomes available to someone else.

Public encryption key exchange procedure is being identified separately for each service and has to include the following:

  • check of the key characteristics – date of production, number, date of expiry and digital stamp;
  • key exchange protocol which has been signed by the owner of the key.

Copies of up-to-date encryption keys are being kept in the vault which is accessible to the the Company’s IT Security Officer. IT Security Officer creates systematic backups of encryption keys. Backups have to be created at least once a week.

The Company employees may use encryption tools for the purpose of security of stored and transmitted data. In order to do that, employee has to obtain a permission to do so from the Company’s Information Security Service and to install relevant software. Installation and testing of the encryption software is being performed by the Company’s Information Security Service together with the System Administrator. Employees are not allowed to install and use any encryption tools.

7.6 Remote Access

It is the responsibility of all the Company employees with remote access privileges to the Company network, to ensure that their remote access connection is given the same consideration as the user’s on-site connection to the Company.

  • Connection is being established with the help of the Virtual Private Network
  • Secure remote access must be strictly controlled
  • Control will be enforced via one-time password authentication or public/private keys with strong pass-phrases
  • At no time, should any the Company employee provide their login or email password to anyone else
  • The Company employees with remote access privileges must ensure that their The Company owned or personal computer or workstation, which is remotely connected the Company network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.
  • All hosts that are connected to the Company internal networks via remote access must use the most up-to-date anti-virus software

8. Security Breach Management
8.1 Introduction

The Company’s definition of a breach for the purposes of this and related documents, is a divergence from any standard operating mode, which causes a failure to meet the required compliance standards as laid out by our own compliance program objectives and/or those of any regulatory body.

Compliance in this document means any area of business that is subject to rules, laws or guidelines set out by a third party which are to be followed and which, when breached, could cause emotional, reputational or financial damage to a third party.

8.2 Breach Management Approach

The Company has robust objectives and controls in place for preventing security breaches and for managing them if they do occur. Due to the nature of our business, the Company processes and stores a vast amount of personal information and confidential client data and as such, require a structured and documented breach incident program to mitigate the impact of any breaches. Whilst we take every care with our systems, security and information, risks still exist when using technology and being reliant on human intervention, necessitating defined measures and protocols for handling any breaches.

We carry out frequent risk assessments and gap analysis reports to ensure that our compliance processes, functions and procedures are fit for purpose and that mitigating actions are in place where necessary, however should there be any compliance breaches, we are fully prepared to identify, investigate manage and mitigate with immediate effect and to reduce risks and impact.

The Company has the below objectives with regards to Breach Management:

  • To maintain a robust set of compliance procedures which aim to mitigate against any risk and provide a compliant environment for trading and business activities
  • To develop and implement strict compliance breach and risk assessment procedures that all staff are aware of and can follow
  • To ensure that any compliance breaches are reported to the correct regulatory bodies within the timeframes as set out in their code of practice or handbooks
  • To use breach investigations and logs to assess the root cause of any breaches and to implement a full review to prevent further incidents from occurring
  • To use the Compliance Breach Incident Form for all breaches, regardless of severity so that any patterns in causes can be identified and corrected
  • To comply with regulating bodies and laws on compliance breach methods, procedures and controls
  • To protect consumers, clients and staff – including their data, information and identity.

8.3 Breach Monitoring & Reporting

The incident owner provides as much information as possible to the IT Director who decides if the incident is material and therefore needs to be reported also to the Risk and Compliance Officer. The Risk and Compliance Officer notifies the Authority as soon as possible The Company has appointed Risk and Compliance Officer who is responsible for the review and investigation of any compliance breach, regardless of the severity, impact or containment. All breaches must be reported to this person with immediate effect.

All breaches will be investigated in full and a report given to the Board of Directors once containment has been achieved. Risk assessment procedures will then be utilised to review and amend any areas highlighted by a gap analysis.

8.4 Breach Incident Procedures

Identification of Incident

As soon as a breach has been identified, it should be reported to both a line manager and the reporting officer (Compliance Officer/Senior Management) immediately so that breach procedures can be initiated and followed without delay.

Reporting incidents is essential to the compliant functioning of the Company and is not about apportioning blame. These procedures are for the protection of the Company, it’s staff, customers, clients and third parties and are of the utmost importance for legal regulatory compliance.

As soon as an incident has been reported, measures must be taken to contain the breach. Such measures are not in the scope of this document due to the vast nature of breaches and the variety of measures to be taken; however, the aim of any such measure should be to stop any further risk/breach to the organisation, customer, client, third-party, system or data prior to investigation and reporting.

Breach Recording & Notification

The Company utilises the Breach Incident Form (Appendix A) for all incidents and is completed after every instance of a breach, regardless of severity or outcome. Completed forms are to be logged in the Breach Incident Folder (electronic or hard-copy) and to be logged on a Risk Assessment Record so that any subsequent breach can be cross-referenced.

The completing of the Breach Incident Form is only to be actioned after containment has been achieved and is only to be completed and signed off by the Compliance Officer or a member of the Senior Management Team.

A full investigation is to be conducted and recorded on the incident form, the outcome of which is to be communicated to all staff involved in the breach in addition to upper management. A copy of the completed incident form is to be filed for audit and record purposes. Where the breach relates to a Data Protection issue, the Supervisory Authority and where applicable, the data subject is to be notified in accordance with their protocols and their ‘Security Breach Notification Form’ is to be completed and submitted. In addition, any client whose data or personal information has been compromised should be notified as soon as possible and kept informed throughout the investigation, with a full report being provided of all outcomes and actions.

8.5 Breach Risk Assessment

Human Error

Where the compliance breach is the result of human error, an investigation into the root cause is to be conducted and a formal interview with the employee is to be held. A review of the procedure/s associated with the breach is to be conducted and a full risk assessment completed in accordance with the Company’s existing Risk Assessment Procedures. Any identified gaps that are found to have caused/contributed to the breach are to be revised and risk assessed to mitigate any future occurrence of the same root cause.

Consequent outcomes of such investigation for an employee may include, but are not limited to:

  • Re-training in specific/all compliance areas
  • Re-assessment of compliance knowledge and understanding
  • Suspension from compliance related tasks
  • Formal warning (in-line with The Company’s disciplinary procedures)

System Error

Where the compliance breach is the result of a system error/failure, the IT team are to work in conjunction with the Risk and Compliance Officer to assess the risk and investigation the root cause of the breach. A gap analysis is to be completed on the system/s involved, formal interview with the employee is to be held and a full review and report to be added to the Incident Reporting Form.

Any identified gaps that are found to have caused/contributed to the breach are to be revised and risk assessed to mitigate and prevent any future occurrence of the same root cause.

Full details of the incident should be determined and mitigating action such as the following should be taken to limit the impact of the incident:

  • Attempting to recover any lost equipment or personal information
  • Shutting down an IT system
  • Removing an employee from their tasks
  • The use of back-ups to restore lost, damaged or stolen information
  • Making the building secure
  • If the incident involves any entry codes or passwords, then these codes must be changed immediately and members of staff informed

Assessment of Risk and Investigation

The Risk and Compliance Officer should ascertain what information was involved in the compliance breach and what subsequent steps are required to remedy the situation and mitigate any further breaches.

The lead investigator should look at:

  • The type of information involved
  • It’s sensitivity or personal content
  • What protections are in place (e.g. encryption)?
  • What happened to the information/Where is it now?
  • Whether there are any wider consequences/implications to the incident

The appointed lead should keep an ongoing log and clear report detailing the nature of the incident, steps taken to preserve any evidence, notes of any interviews or statements, the assessment of risk/investigation and any recommendations for future work/actions.

Reporting & Notification

Where a breach concerns client and/or customer information, the Company ensures that they are notified of the initial breach and kept informed throughout the investigation process and outcomes. Mitigating actions are relayed to the client and a full report is provided after the investigation is complete.

The Risk and Compliance Officer notifies the Authority about any material cyber incident in such form and manner as the Authority may direct. All changes in reporting standards should be followed up by the Risk and Compliance Director at https://www.fca.org.uk/firms/cyber-resilience .

9. Responsibilities

All information users within the Company are responsible for protecting and ensuring the security of the information to which they have access. Managers and staff are responsible for ensuring that all information in their direct work area is managed in conformance with this policy and any subsequent procedures or documents.

Staff who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures. The Company will ensure that staff do not attempt to gain access to information that is not necessary to hold, know or process and that restrictions and/or encryptions are in place for specific roles within the organisation relating to personal and/or sensitive information.

2019-10-26T20:05:17+00:00