IT Security Policy
This IT policy outlines the procedures and guidelines for securing and efficiently using the company’s information technology systems and resources. It reflects our commitment to providing a secure and efficient IT environment and aims to ensure that all employees, contractors, and third parties act responsibly and in accordance with legal and regulatory requirements, as well as company standards when accessing and using company IT resources.
This policy applies to all employees, contractors, and third-party vendors who have access to the company’s IT systems, including but not limited to email, cloud storage, communication platforms, shared drives, and any devices used for business purposes. It covers all company-provided devices and personal devices used to access company systems remotely.
By adhering to this policy, employees and contractors help safeguard the company’s information and ensure the integrity and availability of systems used in the day-to-day running of the business. Non-compliance with the policy may result in disciplinary action, including termination of employment or contract, and may also lead to legal consequences.
2. Roles and Responsibilities
To ensure the secure and effective use of the company’s IT resources, all employees, contractors, and third-party vendors must understand their roles and responsibilities in maintaining IT security and following the established policies.
2.1 Employees and Contractors
- Compliance: All employees and contractors must comply with the company's IT policy and related procedures. This includes understanding and adhering to all security measures and acceptable use guidelines.
- Device Security: Employees and contractors must ensure that all work-related devices are secured with strong passwords, protected by up-to-date antivirus software, and regularly updated with the latest security patches.
- Reporting Incidents: Employees and contractors are responsible for reporting any IT or cybersecurity incidents, such as suspected phishing emails, data breaches, or unauthorised access, immediately to the designated IT point of contact or the IT team.
- Confidentiality: Employees and contractors must maintain the confidentiality of all sensitive company information, ensuring that it is only accessed and shared through approved and secure methods.
- Personal Device Usage: If personal devices are used for work purposes, they must comply with company security standards, including antivirus software and proper password protection.
2.2 IT Administrator (or designated IT support)
- System Management: The IT administrators are responsible for managing and maintaining the company’s IT systems, including Microsoft Office 365, SharePoint, and other cloud services. This includes account creation, access management, software updates, and backups.
- Access Control: The IT administrators oversee granting, revoking, and managing access to company IT resources, ensuring that only authorised personnel have access to specific systems and data.
- Security Enforcement: The IT administrators ensure that all security measures, including antivirus software, firewalls, and password management tools, are properly implemented and maintained across the organisation.
- Incident Response: The IT administrators are responsible for responding to IT security incidents, investigating issues, and ensuring appropriate actions are taken to mitigate risks.
2.3 Senior Management
- Policy Oversight: Senior management oversees and approves the IT policy. They ensure the policy is regularly reviewed, updated, and aligned with business needs and legal requirements.
- Decision-Making: Senior management will make decisions regarding changes to IT policies, including access rights, data protection strategies, and investment in new IT resources.
3. Access Control
To protect company data and systems, strict access control measures must ensure that only authorised personnel can access specific resources. This section outlines the guidelines for managing user accounts, passwords, and access to company IT resources.
3.1 User Accounts
- Creation and Deletion of Accounts: All user accounts for accessing company systems, including Microsoft Office 365, Teams, and SharePoint, must be created and managed by the IT administrators. New accounts will only be created for authorised employees, contractors, or third-party vendors, following approval by senior management or the relevant department head. When an individual’s role within the company changes, or upon termination of employment or contract, IT administrators will immediately disable or delete the account to prevent unauthorised access.
- Unique Accounts: All individuals must have unique user accounts and are strictly prohibited from sharing login details with others. Shared accounts are not permitted unless explicitly authorised by IT administrators for specific operational needs.
3.2 Authentication and Passwords
- Strong Passwords: Employees and contractors must use strong, complex passwords in accordance with the company’s password policy. A strong password must be at least eight characters long and contain a mix of uppercase and lowercase letters, numbers, and special characters.
- Password Management Software: All passwords used to access company systems must be securely stored using the company-approved password management tool. Passwords must never be written down, shared over email, or stored by any unapproved method.
- Multi-Factor Authentication (MFA): Wherever available, multi-factor authentication (MFA) will be enabled for all users. This requires users to verify their identity with a second factor (e.g., mobile app, text message) in addition to their password.
- Password Expiry and Change: Passwords must be changed every 180 days. IT administrators may enforce more frequent password changes for systems that handle sensitive or high-risk data. Users will be prompted to update their passwords before they expire.
3.3 Access to Shared Resources
- SharePoint and Teams Access: Access to shared resources, including SharePoint and Teams, will be granted based on the principle of least privilege, meaning employees will only be given access to the data and systems necessary to fulfil their job responsibilities.
- Requesting Access: Requests for access to new systems or shared drives must be made through the IT administrators and approved by the employee’s manager or senior management. Access will only be granted once the request is approved and properly documented.
- Offboarding and Revocation: IT administrators are responsible for revoking access immediately when an employee or contractor leaves the company or no longer requires access to certain systems. In the case of urgent or sensitive terminations, access may be revoked before the individual’s final working day.
4. Data Management and Protection
The company is committed to protecting its data's confidentiality, integrity, and availability. This section outlines the policies and procedures related to data storage, backup, classification, and encryption to ensure that all data is managed securely.
4.1 Data Storage
- Approved Storage Systems: All company data must be stored using approved systems, including Microsoft SharePoint, OneDrive, and other cloud-based services, as IT administrators determine. Employees and contractors are prohibited from storing company data on unauthorised platforms, external storage devices, or personal cloud accounts.
- Cloud Storage Usage: Employees must use the company’s SharePoint and OneDrive services for storing and sharing files. Local storage on personal devices should only be used temporarily, and files must be moved to the appropriate cloud storage as soon as possible.
4.2 Data Backup
- Automated Backups: IT administrators automatically back up the company’s SharePoint and other critical systems to ensure data is recoverable in case of accidental deletion, hardware failure, or security incidents. The company’s data retention policy will determine the frequency and scope of backups, but all critical data must be backed up at least daily.
- Data Recovery: In the event of data loss, employees must immediately notify IT administrators to initiate data recovery procedures. IT administrators are responsible for ensuring timely data recovery from backups and assessing any potential risks.
4.3 Data Classification
- Data Sensitivity Levels: Company data will be classified into the following sensitivity levels:
  - Public: Data that can be shared freely without risk to the company.
  - Internal: Data intended for use within the company but not critical in nature.
  - Confidential: Sensitive data that must only be accessed by authorised personnel (e.g., financial records, personal data, proprietary information).
  - Highly Confidential: Data critical to business operations whose disclosure would have severe consequences (e.g., trade secrets, legal documents).
- Handling Sensitive Data: Employees and contractors must ensure that sensitive and highly confidential data is only shared with authorised personnel and via approved secure channels. Such data must not be stored on personal devices without encryption and prior approval from IT administrators.
4.4 Data Encryption
- Encryption Standards: All company data, particularly confidential and highly confidential information, must be encrypted both at rest and in transit. IT administrators will ensure that encryption standards are in place for cloud storage services, email communications, and any data transmitted over the Internet.
- Email Encryption: Employees must use email encryption tools when sending sensitive information via email. This is particularly important for transmitting personal data or any other information classified as confidential or highly confidential.
5. Cybersecurity and Device Management
All employees and contractors must follow established cybersecurity protocols to protect the company’s IT systems from cyber threats and ensure the secure use of devices. This section details the requirements for antivirus software, patch management, device security, and using personal devices for work.
5.1 Antivirus and Anti-malware
- Antivirus Software: All devices used for company work, whether company-issued or personal, must have up-to-date antivirus and anti-malware software installed. IT administrators are responsible for ensuring that company-issued devices are pre-installed with the appropriate software and that regular scans are performed.
- Software Updates: Employees and contractors are responsible for ensuring their personal devices used for work are kept up-to-date with antivirus software and security patches. IT administrators will manage updates for company-issued devices.
5.2 Patch Management
- Operating System and Application Updates: Regular updates and patches for all software, including operating systems and applications, must be applied as soon as they are available. IT administrators are responsible for ensuring that company-issued devices receive updates promptly, while employees must ensure the same for their personal devices.
- Critical Vulnerability Patching: In the event of a critical security vulnerability, IT administrators will apply emergency patches or updates immediately. Employees and contractors may be required to reboot devices or suspend work to ensure the system's security.
5.3 Remote Device Access
- Security of Personal Devices: Employees and contractors using personal devices for work must ensure that these devices meet company security standards. This includes having up-to-date antivirus software, secure passwords, and any other software required by the company.
- Access to Company Systems: Personal devices used to access company systems, such as Office 365, SharePoint, or Teams, must comply with company security requirements. IT administrators may conduct regular audits to ensure compliance with security standards.
5.4 Virtual Private Network (VPN)
- VPN Usage: Where required, employees must use a company-approved Virtual Private Network (VPN) when accessing sensitive company systems remotely. VPNs provide an additional layer of security by encrypting internet traffic, especially when connecting from public or unsecured networks.
- Enforcement of VPN Use: IT administrators will enforce VPN usage for employees and contractors accessing certain systems and may block access to sensitive systems if a VPN is not in use.
5.5 Device Security
- Locking Devices: Employees must lock their devices when not in use, whether in the office or at home. Devices should be set to lock automatically after a short period of inactivity (e.g., five minutes).
- Lost or Stolen Devices: If a company-issued or personal device used for work is lost or stolen, it must be reported immediately to IT administrators. IT administrators will remotely lock or wipe the device if necessary to prevent unauthorised access to company data.
6. Acceptable Use Policy (AUP)
The Acceptable Use Policy (AUP) defines the rules and expectations for the appropriate use of the company’s IT resources, including devices, networks, software, and internet access. All employees and contractors must adhere to these guidelines to ensure the responsible use of IT resources and to protect the company from security risks.
6.1 General Guidelines
- Business Use: All company IT resources, including email, cloud storage, and collaboration tools, are provided for business purposes. Limited personal use is permitted, provided it does not interfere with work responsibilities, does not consume excessive resources, and complies with the rest of this policy.
- Compliance with Laws and Regulations: Employees and contractors must use the company’s IT resources in compliance with all relevant laws, including data protection and privacy laws, intellectual property laws, and cybersecurity regulations. Unlawful activities, including downloading or sharing illegal content, are strictly prohibited.
6.2 Prohibited Activities
- Unauthorised Software: Employees are prohibited from downloading or installing unauthorised software or applications on company devices or systems. All software installations must be approved and managed by the IT administrators.
- Malicious or Unethical Use: Employees must not use company IT resources to engage in any malicious or unethical activities, including:
  - Accessing, creating, or sharing inappropriate or offensive content.
  - Attempting to gain unauthorised access to systems or data (hacking).
  - Sending spam, phishing emails, or engaging in other fraudulent activities.
- Use of Insecure Networks: Employees must avoid accessing company systems or sharing sensitive data over insecure networks (e.g., public Wi-Fi) without using a Virtual Private Network (VPN) or other security measures as defined in section 5.4.
6.3 Internet and Email Use
- Professional Use of Email: All company email accounts will be used for professional communication. Employees should avoid using company email for personal purposes or signing up for non-work-related services. Additionally, emails must be written professionally, reflecting the company’s communication standards.
- Internet Usage: Employees are prohibited from visiting websites that contain inappropriate, offensive, or illegal content. Internet use should be work-related, though limited personal use is allowed if it does not conflict with this policy or impact work performance.
6.4 Monitoring and Enforcement
- System Monitoring: The company reserves the right to monitor the use of its IT resources, including email and internet usage, to ensure compliance with the Acceptable Use Policy. Employees and contractors should be aware that their usage may be subject to review by IT administrators.
- Disciplinary Action: Violations of the Acceptable Use Policy may result in disciplinary action, including termination of employment or contract. Serious violations may also lead to legal consequences.
7. Incident Response and Reporting
The company is committed to responding quickly and effectively to any IT or cybersecurity incidents to minimise potential damage and ensure a timely resolution. This section outlines the procedures for reporting and responding to incidents, including data breaches, unauthorised access, and other IT security issues.
7.1 Incident Reporting
- Immediate Reporting: All employees, contractors, and third-party vendors must report any suspicious activity, security breaches, or potential IT incidents immediately to the IT administrators. This includes but is not limited to:
  - Suspicious emails or phishing attempts.
  - Malware infections or system anomalies.
  - Loss or theft of devices containing company data.
- Reporting Channels: Incidents can be reported via email, phone, or the company's Microsoft Teams account. In the case of a critical security issue, employees are encouraged to notify IT administrators immediately by phone to ensure prompt action.
7.2 Incident Response Procedure
- Initial Assessment: Upon receiving an incident report, the IT administrators will perform an initial assessment to determine the severity of the issue. This includes identifying the affected systems, the scope of the incident, and any immediate risks to the company’s data and operations.
- Containment and Mitigation: IT administrators will take immediate action to contain the incident and prevent further damage. This may include:
  - Disconnecting affected systems from the network.
  - Blocking unauthorised access.
  - Resetting compromised user accounts or passwords.
  - Isolating malware-infected devices.
- Communication: IT administrators will inform senior management and relevant parties about the incident, providing regular updates and describing any actions taken to mitigate the risks.
7.3 Investigation and Recovery
- Root Cause Analysis: After containment, the IT administrators will conduct a thorough investigation to determine the incident's root cause. This may involve analysing system logs, reviewing access controls, and consulting with external cybersecurity experts if necessary.
- Data Recovery: IT administrators will initiate data recovery procedures if any data has been lost or compromised. This includes restoring data from backups, if available, and verifying the integrity of recovered data.
- Post-Incident Review: Once the incident is resolved, IT administrators will conduct a post-incident review to identify any gaps in security or areas for improvement. The findings of this review will be documented, and recommendations will be provided to prevent similar incidents in the future.
7.4 Notification of Affected Parties
- Internal Notification: If an incident significantly impacts business operations or affects multiple departments, the IT administrators will notify senior management and department heads with a detailed report of the incident.
- External Notification: If an incident involves exposing personal data or other sensitive information, the company will notify affected individuals and regulatory authorities, as required by data protection laws (e.g., the GDPR). Notifications will be made promptly and include information on the nature of the breach and the steps taken to mitigate risks.
8. Email and Communication Security
The company’s email and communication tools, including Microsoft Teams and other messaging platforms, are critical to daily operations. To maintain security and confidentiality, all employees and contractors must follow the guidelines outlined below to ensure the safe use of these communication channels.
8.1 Email Use
- Professional Communication: Company email accounts should be used for professional purposes only. Emails must be written clearly and professionally, reflecting the company’s communication standards. Personal use of company email accounts is discouraged and should be limited to non-sensitive activities.
- Internal and External Communication: Employees should use official company platforms such as Microsoft Teams or company email accounts when communicating internally. To ensure security, external communication with clients, partners, or vendors must also be conducted through approved communication channels.
8.2 Phishing and Suspicious Emails
- Identifying Phishing Attempts: Employees should be vigilant when receiving unsolicited emails or messages, especially those asking for sensitive information or containing suspicious links or attachments. Phishing emails may appear to come from legitimate sources but are intended to steal data or install malicious software.
- Reporting Phishing Emails: If an employee suspects they have received a phishing email or message, they must report it immediately to the IT administrators. Employees must not click on any links, download attachments, or respond to suspicious emails.
8.3 Data Transmission via Email
- Sensitive Data Transmission: Employees must avoid sending sensitive or confidential data via email whenever possible. When sensitive information must be shared, encryption tools must be used to protect the data in transit. This includes personal data, financial information, and intellectual property.
- Email Attachments: When sending files as email attachments, employees should ensure that the files are properly encrypted and that the recipient is authorised to receive the information. Large files or multiple documents should be shared via the company’s approved cloud storage systems (e.g., SharePoint, OneDrive) rather than email attachments.
8.4 Communication Tools (Microsoft Teams, etc.)
- Teams and Other Messaging Tools: Employees must use Microsoft Teams and other approved communication platforms for internal discussions and collaboration. Messages sent via these platforms should follow the same standards of professionalism and security as email communication.
- File Sharing on Communication Platforms: Employees should use approved file-sharing methods when collaborating through messaging platforms like Teams. Sensitive documents should be shared using the company’s cloud storage systems rather than through direct file uploads in chats.
8.5 Email and Communication Monitoring
- Monitoring of Communication Channels: The company reserves the right to monitor employee emails and communications on company systems to ensure compliance with security policies. This monitoring is conducted in line with relevant privacy regulations and company policy. Employees should be aware that their communications may be reviewed by IT administrators or management for security purposes.
9. Third-Party Vendors and Service Providers
To ensure that the company’s data and IT systems remain secure, any third-party vendors or service providers with access to company systems or data must adhere to strict security and compliance standards. This section outlines the expectations and requirements for managing third-party relationships.
9.1 Vendor Selection and Assessment
- Due Diligence: Before engaging any third-party vendor or service provider, the company will conduct thorough due diligence to assess the vendor’s security practices, compliance with relevant regulations, and overall reliability. This process may include reviewing the vendor’s certifications, data protection policies, and references.
- Security and Compliance Requirements: Vendors must demonstrate compliance with industry standards and relevant legal frameworks, such as the General Data Protection Regulation (GDPR), regarding data privacy and protection. They must also have robust security measures in place, including encryption, access controls, and incident response plans.
9.2 Access Control for Vendors
- Limited Access: Vendors will only be given access to the company’s systems and data that are necessary for them to perform their duties. Access will be granted based on the principle of least privilege, ensuring that third parties do not have unnecessary access to sensitive data or systems.
- Vendor User Accounts: All vendor personnel with access to company systems must be assigned individual user accounts. Shared logins are prohibited. IT administrators will be responsible for creating and managing these accounts, as well as promptly deactivating them when the vendor’s services are no longer required.
9.3 Data Protection and Confidentiality
- Data Handling: Vendors with access to company data must follow the company’s data protection policies. This includes ensuring that any data shared with third parties is securely transmitted and stored. Vendors must not share or disclose company data to any other parties without explicit authorisation.
- Confidentiality Agreements: All vendors must sign a confidentiality agreement before being granted access to company systems or data. This agreement will outline the vendor’s obligations to protect company information and the consequences of any breach of confidentiality.
9.4 Vendor Incident Response
- Incident Notification: Vendors must immediately notify the company if they experience any security incident or data breach that may affect the company’s data or systems. This includes unauthorised access, malware infections, or any other event that could pose a risk to the company’s operations.
- Collaboration in Incident Response: In the event of a security incident involving a third-party vendor, the vendor must collaborate with the company’s IT administrators to resolve the issue promptly. This includes sharing relevant information about the incident and taking necessary steps to mitigate any risks.
9.5 Termination of Vendor Access
- Revoking Access: When a vendor’s contract or service agreement is terminated, IT administrators will immediately revoke the vendor’s access to all company systems and data. Any company-owned devices or data in the vendor’s possession must be returned or securely deleted in accordance with the company’s data retention policies.
- Post-Termination Audit: After a vendor relationship has ended, the company may conduct a post-termination audit to ensure that the vendor has retained no data and that all access points have been securely closed.
10. Policy Review and Updates
This policy must be regularly reviewed and updated to ensure that the company’s IT policies remain effective, secure, and compliant with evolving regulations and technological developments. This section outlines the process for reviewing, updating, and communicating changes to the IT policy.
10.1 Policy Review Process
- Annual Review: This IT policy will be reviewed annually to ensure it remains relevant and effective. The IT administrators will conduct the review in collaboration with senior management and legal advisors, as needed. Any significant changes in technology, company operations, or regulatory requirements may also trigger a review outside the regular schedule.
- Stakeholder Involvement: The review will involve key stakeholders, including IT administrators, department heads, and senior management. Their input will help identify areas for improvement and ensure that the policy reflects the company's current needs.
10.2 Updates to the Policy
- Policy Updates: Based on the review's findings, the policy will be updated to address any identified gaps, outdated practices, or new security threats. Changes will be approved by senior management before being finalised and implemented.
- Communication of Changes: Any changes to the IT policy will be communicated to all employees, contractors, and third-party vendors promptly. Employees are required to review the updated policy and acknowledge their understanding and compliance. Training sessions may be provided if significant changes are made, especially if new systems, tools, or procedures are introduced.
10.3 Compliance with Legal and Regulatory Changes
- Adapting to New Regulations: The company will ensure that the IT policy complies with all relevant laws and regulations, including data protection laws such as the General Data Protection Regulation (GDPR). Any updates to legal requirements will be promptly reflected in the policy to maintain compliance.
- Audit and Compliance Checks: The company may periodically conduct internal or external audits to ensure compliance with the IT policy and applicable regulations. These audits will help identify areas where the policy needs to be strengthened or adjusted.
10.4 Employee Acknowledgement
- Policy Acknowledgement: All employees, contractors, and third-party vendors must acknowledge that they have read, understood, and agreed to comply with the IT policy upon joining the company and each time the policy is updated. The HR or IT departments will maintain a record of these acknowledgements.
Policy Information
- Policy Title: IT Security Policy
- Version: 1.2
- Last Reviewed: 18th August 2024
- Next Review Due: 1st August 2025
IT Administrators
The following individuals are responsible for managing and enforcing this policy. They serve as the primary contacts for any IT-related issues, policy clarification, or incident reporting:
IT Administrators: Jack Randall, jack@adaptabletravel.co.uk / Matt Connelly, matt@adaptabletravel.co.uk