Privacy & Data Policy
Information Security Policy Statement - CONCISE - Revision Date: 04/12/2020 - Version: 1.2
CONCISE (hereinafter referred to as the "Firm") has an extensive and robust Information Security Program that consists of a vast array of policies, procedures, controls and measures. This Information Security Policy is the foundation of this program and ties together all other policies as they relate to information security and data protection.
The Information Security Policy covers all aspects of how we identify, secure, manage, use and dispose of information and physical assets, as well as acceptable use, remote access, passwords and encryption. So that no information security area is overlooked or left vague, we maintain a separate policy and procedure for each area and, where applicable, reference those policies in this document. All information security policies and procedures should be read and referred to in conjunction with each other, as their scope, controls and measures often overlap. The internal policies and documents that form part of the Firm’s Information Security Program are:
- Information Security Policy
- Risk Assessment Policy & Procedures
- Business Continuity Plan
- Remote Access & Bring Your Own Device (BYOD) Policy
- Access Control & Password Policy
- Clear Desk & Screen Policy
- Third Party/Outsourcing Policy & Procedure
- Supplier Due Diligence Policy & Questionnaire
- Data Retention & Erasure Policy
- Data Protection Policy & Procedure
- Asset Management Policy
2 Policy Statement
Information and physical security means protecting the confidentiality, integrity and availability of the information and data that the Firm creates, handles and processes against an ever-growing number and variety of internal and external threats. Information security is also an enabling mechanism: it is what allows information to be shared with other parties safely.
The Firm is committed to preserving the security of all physical, electronic and intangible information assets across the business and all of its operations and activities. We aim to provide information and physical security to:
- Protect customer, 3rd party and client data
- Preserve the integrity of the Firm and our reputation
- Comply with our legal, statutory, regulatory and contractual obligations
- Ensure business continuity and minimum disruption
- Minimise and mitigate business risk
The purpose of this document is to set out the Firm’s statement of intent on how it provides information security and to assure all parties dealing with the Firm that their information is protected against risk. The information the Firm manages will be appropriately secured to protect against the consequences of breaches of confidentiality, failures of integrity, or interruptions to the availability of that information.
This policy applies to all staff within the Firm (meaning permanent, fixed-term and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Firm in the UK or overseas). Adherence to this policy is mandatory and non-compliance will lead to disciplinary action.
The Firm has adopted the below set of principles and objectives to outline and underpin this policy and any associated information security procedures:
- Information will be protected in line with all our data protection and security policies and the associated regulations and legislation, notably those relating to data protection, human rights and the Freedom of Information Act
- All information assets will be documented on an Information Asset Register (IAR) by the IT Senior and will be assigned a nominated owner who will be responsible for defining the appropriate uses of the asset and ensuring that appropriate security measures are in place to protect it
- All information will be classified according to an appropriate level of security and will be made available only to those who have a legitimate need for access and who are authorised to access it
- It is the responsibility of all individuals who have been granted access to any personal or confidential information, to handle it appropriately in accordance with its classification and the data protection principles
- Information will be protected against unauthorised access, and we will use the encryption methods set out in the associated policies listed in this document
- Compliance with this Information Security Policy and its associated policies will be enforced, and failure to follow this policy or its associated procedures will result in disciplinary action
The IT Senior has overall responsibility for the governance and maintenance of this document and its associated procedures and will review this policy at least annually to ensure that it remains fit for purpose and compliant with all legal, statutory and regulatory requirements and rules. It is the sole responsibility of the IT Senior to ensure that these reviews take place and that the policy set is and remains internally consistent.
6 Procedures & Guidelines
6.1 Security Classification
Each information asset will be assigned a security classification by the asset owner or an Information Security Officer, which will reflect the sensitivity of the asset. Classifications will be listed on the Information Asset Register.
6.2 Access to Information
Staff at the Firm will be granted access only to the information that they need to fulfil their role within the organisation. Staff who have been granted access must not pass information on to others unless those others have also been granted access through appropriate authorisation. Refer to the Firm’s Access Control & Password Policy for protocols and more information.
6.3 Secure Disposal of Information
Care must be taken to ensure that information assets are disposed of safely and securely, and confidential paper waste must be disposed of in accordance with the relevant procedures on secure waste disposal. Where an external shredding service provider is employed, secure paper disposal bins are provided in each office and must be used for all confidential paper disposal.
Electronic information must be securely erased or otherwise rendered inaccessible before it leaves the possession of the Firm, unless the disposal is undertaken under contract by an approved disposal contractor. Where a storage device (for example a computer disk) has to be returned to a supplier, it must be securely erased before being returned unless contractual arrangements are in place with the supplier that guarantee the secure handling of the returned equipment. The erasure method must suit the media: overwriting is not reliable for flash-based storage such as SSDs, where the device’s built-in secure-erase function or destruction of the disk encryption key should be used instead, and each erasure should be recorded against the asset. Refer to the Firm’s Data Retention & Erasure Policy for detailed protocols and more information.
6.4 Information on Desks, Screens and Printers
Members of staff who handle confidential paper documents should take the appropriate measures to protect against unauthorised disclosure, particularly when they are away from their desks. Confidential documents should be locked away overnight, at weekends and at other unattended times.
Care should also be taken when printing confidential documents to prevent unauthorised disclosure.
Computer screens on which confidential or sensitive information is processed or viewed should be sited in such a way that they cannot be viewed by unauthorised persons and all computers should be locked while unattended.
Refer to our Clear Desk & Screen Policy for protocols and more information.
6.5 Remote Access
It is the responsibility of all of the Firm’s staff with remote access privileges to the company network to ensure that their remote access connection is given the same consideration as their on-site connection to the Firm. Refer to our Remote Access & BYOD Policy for protocols and more information.
- Secure remote access must be strictly controlled
- Control will be enforced via one-time password (OTP) authentication or public/private key pairs protected by strong passphrases
- At no time should any of the Firm’s staff give their login or email password to anyone else
- The Firm’s staff with remote access privileges must ensure that the Firm-owned or personal computer or workstation that is remotely connected to the company network is not connected to any other network at the same time, except for personal networks that are under the complete control of the user
- All hosts that are connected to the Firm’s internal networks via remote access must use the most up-to-date, approved anti-virus software
6.6 Firewalls & Malware
The Firm understands that adequate and effective firewalls, anti-malware software and protected gateways are among the main and first lines of defence against breaches via the internet and our networks.
We use configured firewalls and run anti-virus applications that scan daily on all computers, networks and servers. The IT manager is responsible for checking the logs of all scans and for keeping these applications updated and compliant.
Systems are to be regularly scanned and assessed for unused and outdated software with the aim of reducing potential vulnerabilities and we routinely remove such software and services from our devices where applicable.
The IT manager also has full responsibility for ensuring that the latest application and software updates and/or patches are downloaded and installed, keeping our security tools current and effective. Security software is reviewed and updated monthly, or sooner when updates or patches are released.
7 Security Breach Management
For the purposes of this and related documents, the Firm defines a breach as a divergence from any standard operating procedure (SOP) that causes a failure to meet the compliance standards required herein, as laid out by our own compliance program objectives and/or those of any applicable regulatory body.
‘Compliance’ in this statement means any area of the business that is subject to rules, laws or guidelines set out by a third party, which must be followed by law and whose breach could cause emotional, reputational or financial damage to a third party.
7.2 Breach Management Approach
The Firm has robust objectives and controls in place for preventing security breaches and for managing them if they do occur. Due to the nature of our business, the Firm processes and stores a significant amount of personal information and confidential client data and therefore requires a structured and documented breach incident program to mitigate the impact of any breach. While we take every care with our systems, security and information, risks remain wherever technology and human intervention are relied upon, so defined measures and protocols for handling breaches are necessary.
We carry out frequent risk assessments and gap analysis reports to ensure that our compliance processes, functions and procedures are fit for purpose and that mitigating actions are in place where necessary. Should a compliance breach nonetheless occur, we are prepared to identify, investigate, manage and mitigate it with immediate effect in order to reduce its risk and impact.
The Firm has the below objectives with regards to Breach Management:
- To maintain a robust set of compliance procedures that mitigate risk and provide a compliant environment for trading and business activities
- To develop and implement strict compliance breach and risk assessment procedures that all staff are aware of and can follow
- To ensure that any compliance breaches are reported to the correct regulatory bodies within the timeframes as set out in their code of practice or handbooks
- To use breach investigations and logs to assess the root cause of any breaches and to implement a full review to prevent further incidents from occurring
- To use the Compliance Breach Incident Form for all breaches, regardless of severity so that any patterns in causes can be identified and corrected
- To comply with regulating bodies and laws on compliance breach methods, procedures and controls
- To protect consumers, clients and staff - including their data, information and identity
All information users within the Firm are responsible for protecting and ensuring the security of the information to which they have access. Managers and staff are responsible for ensuring that all information in their direct work area is managed in conformance with this policy and any subsequent procedures or documents. Staff who act in breach of this policy, or who do not act to implement it, will be subject to disciplinary procedures. The Firm will ensure that staff do not attempt to gain access to information that they have no need to hold, know or process, and that access restrictions and/or encryption are in place for specific roles within the organisation that handle personal and/or sensitive information.