The security and integrity of its IT Systems is a priority for The Innovation Beehive (the “Company”). All employees of the Company and any authorised third parties, including without limitation, sub-contractors, consultants and contractors (together “Users”) are expected to comply with this Policy, which is effective from the date above, subject to being updated from time to time.
2. Intended purpose
The purpose of this Policy is to establish a framework for managing risks and protecting the Company’s IT infrastructure, computing environment, hardware, software and any and all other relevant equipment (“IT Systems”) against all types of threats, internal or external, intentional or unintentional.
3. Stakeholder Responsibilities
3.1 Joe Nagle and the IT Department shall be responsible for carrying out the installation and ongoing maintenance (including without limitation, any upgrades or repairs) of the IT Systems and for ensuring their security and integrity, either directly or via an authorised third party. Accordingly, the IT Department is responsible for data stored on the IT Systems, unless otherwise stated.
In furtherance of section 3.1 above, the IT Department shall be responsible for:
- investigating any security breaches and / or misconduct, and escalating to firstname.lastname@example.org as appropriate;
- regularly reviewing IT security standards within the Company and ensuring the effective implementation of such standards, by way of periodic audits and risk assessments, with regular reports being made to the Company’s senior management on the condition of the Company’s information security and compliance with this Policy;
- ensuring that there is organisational management and dedicated staff responsible for the development, implementation and maintenance of this Policy;
- providing assistance as necessary to Users to help them in their understanding of and compliance with this Policy, as well as keeping all Users aware and up to date with all applicable laws including, without limitation, the GDPR and the Computer Misuse Act 1990;
- providing adequate training and support in relation to IT security matters and use of the IT Systems to all Users;
- ensuring that the access to IT Systems granted to each User takes into account their job role, responsibilities and any additional security requirements, so that only the access necessary for that User is granted;
- dealing with all reports, whether from Users or otherwise, relating to IT security matters and carrying out a response suitable for the situation;
- implementing appropriate password controls, as further detailed in section 5; and
- ensuring that daily backups of all data stored within the IT Systems are taken, and that all such backups are stored off the Company premises at a suitably secure location (i.e. in the cloud).
The Users shall be responsible for:
- informing the IT Department immediately of any actual or potential security breaches or concerns relating to the IT Systems;
- informing the IT Department immediately in respect of any technical or functional errors experienced relating to the IT Systems; and
- complying with this Policy and all laws applicable to the Users relating to their use of the IT Systems.
3.2 Users must not attempt to resolve an IT security breach on their own without consulting the IT Department first.
4. Access to IT Systems
There shall be logical access controls designed to manage electronic access to data and IT System functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least-privilege basis, use of unique IDs and passwords for all Users, periodic review of access, and revoking or changing access promptly when employment terminates or job functions change).
- All IT Systems shall only be accessible by a secure log-in system as deemed suitable by the IT Department. Such suitable systems may include, without limitation, secure passwords, fingerprint identification and facial recognition.
- The IT Department shall conduct regular system audits, event logging and related monitoring procedures to proactively record User access and activity on the IT Systems for routine review.
IT Systems that are not intended to be part of everyday use by most Users (including without limitation, servers, networking equipment and infrastructure) and any other areas where personal data may be stored (e.g. data centre or server room facilities) shall be designed to:
- protect information and physical assets from unauthorised physical access;
- manage, monitor and log movement of persons into and out of the relevant facilities; and
- guard against environmental hazards such as heat, fire and water damage.
5. Passwords
The IT Department shall implement password controls designed to manage and control password strength, expiration and usage, including prohibiting Users from sharing passwords and requiring that passwords assigned to Users meet the requirements defined by the systems used by the Company.
- Users must keep their passwords confidential and must not share them with anyone else.
6. Mobile Devices and Personal Hardware
- All Company mobile devices (including, without limitation, laptops, tablets and mobile telephones) should be kept securely by Users, using secure cases where appropriate. Users should not leave such mobile devices unattended other than at their homes or on Company premises.
- Users are permitted to connect their personal hardware to the IT Systems only with the express written approval of the IT Department, and must protect such devices with secure passwords. In such cases, Users agree that, on termination of their employment, all data associated with the Company, its customers and its employees will be removed from their personal devices in the presence of an authorised representative of the IT Department. This includes the removal of all apps and accounts associated with The Innovation Beehive.
7. Software
7.1 All software installation on to the IT Systems shall be the responsibility of the IT Department. Users are not permitted to install any software on to the IT Systems unless expressly approved in writing by the IT Department.
7.2 All software installed on to the IT Systems shall be kept sufficiently up to date in order to ensure that the security and integrity of the IT Systems is not compromised.
8. Vulnerability Assessment and Anti-Virus
- The IT Department shall carry out regular vulnerability assessments, and utilise patch management, threat protection technologies and scheduled monitoring to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- Users may download files from cloud storage systems only with the prior approval of the IT Department, and shall permit any such files to be scanned for viruses as part of the download process.
9. Data Protection
9.1 The collection, holding and processing of all personal data (as defined in the General Data Protection Regulation 2016 (“GDPR”)) by the Company will be carried out in compliance with (i) the GDPR and (ii) the Company’s own Data Protection Policy.
9.2 The IT Department shall ensure there are data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for personal data that is:
(a) transmitted over public networks (i.e. the Internet) or when transmitted wirelessly; or
(b) at rest or stored on portable or removable media (e.g. laptop computers, CD/DVD, USB drives, back-up tapes).
9.3 If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the User must lock the computer and screen before leaving it.
9.4 The IT Department shall ensure that there are operational procedures and controls for the secure disposal of any part of the IT Systems or any media, so as to render all information or data contained therein undecipherable or unrecoverable prior to final disposal or release from the Company’s possession.
9.5 Where any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. Hard copies should be shredded, and electronic copies should be securely deleted.
9.6 The IT Department shall ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).
9.7 All personal data stored electronically should be backed up daily in the cloud.
9.8 All electronic copies of personal data should be stored securely and protected by passwords.
9.9 Only Users that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company.
9.10 All Users that have access to, and handle personal data on the Company’s behalf, shall adhere to the Company’s Data Protection Policy.
10. Business Continuity
The Company shall have in place adequate business resiliency/continuity and disaster recovery procedures designed to maintain information and the supply of services, and to provide for recovery from foreseeable emergency situations or disasters.
11. Email and Internet
Please refer to the Company’s policy on Email and Internet usage in respect of email and internet use on the IT Systems.
12. Security Awareness Training
Security awareness training for Users shall be provided by the IT Department. Training will be provided at different levels for different Users based on their role. Users may request retraining after 6 months.