Information Security Policy

Introduction

This information security policy is a key component of Turtlestack Automation Ltd.’s management framework. It sets the requirements and responsibilities for maintaining the security of information within the business. This policy may be supported by other policies and by guidance documents to assist in putting the policy into practice day-to-day.

This document and the processes described will grow with the company.

Aim and Scope of this policy

The aims of this policy are to set out the rules governing the secure management of our information assets by:

  • preserving the confidentiality, integrity and availability of our business information
  • ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies
  • ensuring an approach to security in which all members of staff fully understand their own responsibilities
  • creating and maintaining within the organisation a level of awareness of the need for information security
  • detailing how to protect the information assets under our control

This policy applies to all information/data, information systems, networks, applications, locations and staff of Turtlestack Automation or supplied under contract to it.

Responsibilities

Ultimate responsibility for information security rests with the Director of Turtlestack Automation Ltd., but on a day-to-day basis the security lead shall be responsible for managing and implementing the policy and related procedures.

Responsibility for maintaining this Policy, the business Information Risk Register and for recommending appropriate risk management measures is held by the security lead. Both the Policy and the Risk Register shall be reviewed by the security lead at least annually.

Line Managers are responsible for ensuring that their permanent staff, temporary staff and contractors are aware of:

  • The information security policies applicable in their work areas
  • Their personal responsibilities for information security
  • How to access advice on information security matters

All staff shall comply with the information security policy and must understand their responsibilities to protect the company’s data. Failure to do so may result in disciplinary action.

Line managers shall be individually responsible for the security of information within their business area.

Each member of staff shall be responsible for the operational security of the information systems they use.

Each system user shall comply with the security requirements that are currently in force, and shall also ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.

Access to the organisation’s information systems by external parties shall only be allowed where a contract that requires compliance with this information security policy is in place. Such contracts shall require that the staff or sub-contractors of the external organisation comply with all appropriate security policies.

Legislation

Turtlestack Automation Ltd. is required to abide by certain UK, European Union and international legislation. It may also be required to comply with certain industry rules and regulations. The requirement to comply with legislation shall be devolved to employees and agents of Turtlestack Automation Ltd., who may be held personally accountable for any breaches of information security for which they are responsible.

In particular:

  • GDPR (General Data Protection Regulation) and the Data Protection Act (2018)
  • The Copyright, Designs and Patents Act (1988)
  • The Computer Misuse Act (1990)
  • The Health and Safety at Work Act (1974)
  • Freedom of Information Act (2000)

Personnel Security

Contracts of Employment

  • Staff security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain a security and confidentiality clause.
  • References for new staff shall be verified and a passport, driving licence or other document shall be provided to confirm identity.
  • Information security expectations of staff shall be included within appropriate job definitions.
  • Whenever a staff member leaves the company their accounts will be disabled the same day they leave.

Information Security Awareness and Training

  • The aim of the training and awareness programmes is to ensure that the risks presented to information by staff errors and by bad practice are reduced.
  • Information security awareness training shall be included in the staff induction process and shall be carried out annually for all staff.
  • An on-going awareness programme shall be established and maintained in order to ensure that staff awareness of information security is maintained and updated as necessary.

Intellectual Property Rights

  • The organisation shall ensure that all software is properly licensed and approved by the company Director. Individual and Turtlestack Automation Ltd. intellectual property rights shall be protected at all times.
  • Users breaching this requirement may be subject to disciplinary action.

Access Management

Physical Access

Only authorised personnel who have a valid and approved business need shall be given access to areas containing information systems or stored data.

Identity and passwords

  • Passwords must offer an adequate level of security to protect systems and data
  • All passwords shall be ten characters or longer and contain at least two of the following: uppercase letters, lowercase letters and numbers
  • All administrator-level passwords shall be changed at least every 180 days
  • Where available, two-factor authentication shall be used to provide additional security
  • All users shall use uniquely named user accounts
  • Generic user accounts for automated processes must have only limited access

User Access

Access to information shall be based on the principle of “least privilege” and restricted to authorised users who have a business need to access the information.

Administrator-level access

  • Administrator-level access shall only be provided to individuals with a business need who have been authorised by .
  • A list of individuals with administrator-level access shall be held by the security lead and shall be reviewed every 6 months
  • Administrator-level accounts shall not be used for day-to-day activity. Such accounts shall only be used for specific tasks requiring administrator privileges.

Application Access

  • Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need (e.g. systems or database administrators).
  • Authorisation to use an application shall depend on a current licence from the supplier.

Hardware Access

  • Where indicated by a risk assessment, access to the network shall be restricted to authorised devices only.

System Perimeter access (firewalls)

  • The boundary between business systems and the Internet shall be protected by firewalls, which shall be configured to meet the threat and continuously monitored.
  • All servers, computers, laptops, mobile phones and tablets shall have a firewall enabled, if such a firewall is available and accessible to the device’s operating system.
  • The default password on all firewalls shall be changed to a new password that complies with the password requirements in this policy, and shall be changed regularly.
  • All firewalls shall be configured to block all incoming connections.
  • If a port is required to be opened for a valid business reason, the change shall be authorised following the System Change Control Process.
  • The port shall be closed when there is no longer a business reason for it to remain open.

Monitoring System Access and Use

  • An audit trail of system access and data use by staff shall be maintained wherever practical and reviewed as required.
  • The business reserves the right to monitor any systems or communications activity where it suspects that there has been a breach of policy, in accordance with the Regulation of Investigatory Powers Act (2000).

Asset Management

Asset Ownership

Each information asset (hardware, software, application or data) shall have a named custodian who shall be responsible for the information security of that asset.

Asset Records and Management

An accurate record of business information assets, including source, ownership, modification and disposal, shall be maintained.

All data shall be securely wiped from all hardware before disposal.

Asset Handling

Turtlestack Automation Ltd. shall identify particularly valuable or sensitive information assets through the use of data classification.

All staff are responsible for handling information assets in accordance with this security policy. Where possible the data classification shall be marked upon the asset itself.

All company information shall be categorised into one of the two categories in the table below based on the description and examples provided:

CATEGORY   DESCRIPTION
PUBLIC     Information which is not confidential and can be made available publicly through any channels.
SECURED    Information which, if lost or made available to unauthorised persons, could cause severe impact on the company’s ability to operate or cause significant reputational damage and distress to the organisation and/or its partners. This information requires the highest levels of protection of confidentiality, integrity, and control.

Public Information Examples

  • Details of products and services on the website
  • Published company information
  • Blog posts and open code snippets
  • Press releases

Secured Information Examples

  • Client intellectual property
  • Data in e-commerce systems
  • Employee salary details
  • “sensitive personal data”

Removable media

Removable media should be avoided if possible. Only company-provided removable media (such as USB memory sticks and recordable CDs/DVDs) shall be used to store business data.

Removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the security lead before they may be used on business systems. Such media must be scanned with anti-malware software before use.

Personal Devices

Staff may use personal mobile phones to access business email. The device must be registered in the asset records and must be configured to comply with the mobile working section and other relevant sections of this policy.

Social Media

Staff should in general refrain from mentioning clients or any business operations on social media.

Physical and Environmental Management

  • In order to minimise loss of, or damage to, all assets, equipment shall be physically protected from threats and environmental hazards.
  • Systems shall be protected from power loss by UPS if indicated by the risk assessment.
  • Any systems requiring particular environmental operating conditions shall be maintained within optimum requirements.

Computer and Network Management

Operations Management

Management of computers and networks shall be controlled through standard documented procedures that have been authorised by the security lead.

System Change Control

Changes to information systems, applications or networks shall be reviewed and approved by the security lead. All system changes shall be recorded in accordance with the System Change Control Process.

Accreditation

The organisation shall ensure that all new and modified information systems, applications and networks include security provisions.

They must be correctly sized, identify the security requirements, be compatible with existing systems according to an established systems architecture (as required) and be approved by the security lead before they commence operation.

Software Management

  • All application software and operating systems shall be updated on a regular basis to reduce the risk presented by security vulnerabilities (with the exception of legacy, version-managed applications contained within virtual machines).
  • Only software which has a valid business reason or has demonstrable utility shall be installed on devices used for business purposes.
  • As a technology company, all staff are to be assessed as competent to manage their own IT infrastructure and resources, with support from the security lead.
  • Data stored on the business premises shall be backed up regularly and restores tested at appropriate intervals (every three months).
  • A backup copy shall be held in a different physical location to the business premises.
  • Backup copies of data shall be protected and comply with the requirements of this security policy and be afforded the same level of protection as live data.

External Cloud Services

Where data storage, applications or other services are provided by another business (e.g. a ‘cloud provider’), there must be independently audited, written confirmation that the provider uses data confidentiality, integrity and availability procedures which are the same as, or more comprehensive than, those set out in this policy.

Protection from Malicious Software

  • The business shall use software countermeasures, including anti-malware, and management procedures to protect itself against the threat of malicious software.
  • All computers, servers, laptops, mobile phones and tablets shall have anti-malware software installed, where such anti-malware is available for the device’s operating system.
  • All anti-malware software shall be set to:
    • scan files and data on the device on a daily basis
    • scan files on-access
    • automatically check for, and install, virus definitions and updates
    • block access to malicious websites

Response

Information security incidents

All breaches of this policy and all other information security incidents shall be reported to the security lead.

If required as a result of an incident, data will be isolated to facilitate forensic examination. This decision shall be made by the security lead.

Information security incidents shall be recorded in the Security Incident Log and investigated to establish their cause and impact, with a view to avoiding similar events. The risk assessment and this policy shall be updated if required to reduce the risk of a similar incident recurring.

Business Continuity and Disaster Recovery Plans

The organisation shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.

Title: Information Security Policy
Document Type: Policy
Document ID: TSCOSEP001
Version: 1
Issued: 06/06/2024
Review Process: TSCOSEP001
Approved: PRB
Issued: PRB
Reviewer: PRB