Information Security Policy

Purpose and Scope

Information plays a major role in supporting PMG's internal operational processes and the activities undertaken on behalf of clients. The purpose of this policy is to provide a framework for protecting PMG's IT and information security infrastructure, namely:

  • Key data and information for both PMG and its clients
  • Those who have access to or who administer IT/IS facilities
  • Individuals who process or handle key data and information

This policy is designed to provide protection from internal and external security threats, whether deliberate or accidental, by:

  • Defining PMG's policy for the protection of the Confidentiality, Integrity and Availability of its key data and information assets
  • Establishing responsibilities for information security
  • Providing reference to the documentation that comprises the Information Security Management System (ISMS).

1. Policy Statement

This document forms PMG's Information Security Policy. Its purpose is to provide the framework (a commitment of undertaking) for PMG to apply information security controls throughout the organisation.

Supporting policies containing detailed Information Security requirements have been developed in support of this overarching policy. Dependent upon the subject matter, supporting policies will apply either across the entire organisation or to specific groups or individuals within PMG, its clients and supply chain. All members of staff who have access to PMG's computers, information systems and key data assets, and all other parties who have been granted such access, are responsible for complying with the supporting policies that are applicable to them.

2. Background

This Information Security Policy has been developed in support of the requirement for PMG to have an Information Security Management System (ISMS).

3. Requirements for Policy

PMG has an obligation to its staff and clients to clearly define requirements for the use of its information technology infrastructure facilities and its information systems. This is so that users of these facilities do not unintentionally place themselves or PMG at risk of prosecution, or of the compromise or loss of sensitive data and information.

In addition, the bulk of information held by PMG is not intended to be openly accessible or available for sharing outside of PMG, its clients, or those suppliers deemed necessary to complete the contracted works. As such, most information has to be processed, handled and managed securely, with accountability and integrity.

Legislation and industry requirements are key drivers of this policy, but it is also derived from the criticality and sensitivity of certain information, where loss of accuracy, completeness or availability could prevent PMG from functioning efficiently, or where disclosure could damage PMG's or its clients' reputation. Unless a policy is in place to stipulate control requirements for such information, there is an increased risk that security breaches will be suffered, potentially resulting in a wide range of adverse consequences.

4. Objective

Information Security controls are designed to protect PMG's members of staff, its clients and its supply chain. These are in place to help ensure the preservation of the confidentiality, integrity and availability of key data and information.
  • Confidentiality - Knowing that key data and information can be accessed only by those authorised to do so
  • Integrity - Knowing that key data and information is accurate and up-to-date, and has not been deliberately or inadvertently modified from a previously approved version
  • Availability - Knowing that the key data and information can always be accessed when appropriate.

PMG is committed to protecting its members of staff, its clients, its supply chain and its key data and information by deploying controls that minimise the impact of any security incidents.

5. Applicability

The Policy applies to the following categories of users:
  • All full-time, part-time and temporary staff employed by, or working for or on behalf of PMG
  • Workers, contractors and consultants working for or on behalf of PMG
  • External third-party suppliers to whom PMG's internal security requirements and/or client security requirements will be flowed down
  • All other individuals and groups who have been granted access to PMG's IS/IT systems and/or key data and information.

All managers are ultimately responsible for ensuring the policy is implemented within their respective departments and for overseeing compliance by users under their direction, control or supervision.

It is the personal responsibility of each person to whom the policy applies to adhere to its requirements.

6. Policy Detail

Organisational Security

Information security governance will be implemented to ensure effective controls are in place throughout all operations of PMG.

Information Security Infrastructure

An Information Security Infrastructure has been developed to support the policy.

Ownership and Maintenance of the Policy

Ownership and maintenance of this policy rests with PMG's IT Director.

Independent Review

An independent review of the implementation of the policy and its supporting policies, their effectiveness and the degree of compliance with them will be carried out periodically by bodies that have appropriate experience of providing information security assurance.

Security of External Party Access

Access to PMG's information processing facilities by external parties will be controlled.

Identification of Risks from External Party Access

External parties who require access to PMG's infrastructure and/or information will be bound by an NDA that defines PMG's security requirements. Prior to being granted access to any information, they will be required to sign an undertaking to adhere to the requirements of the External Party Connection Policy.

Each agreement will also take into consideration client-specific requirements for information security in the processing that PMG will undertake for that client. This ensures that PMG flows down any such requirements to the external parties.

Risk Methodology

A standard approach to risk is defined through the Risk Assessment Methodology Policy. This policy sets out how PMG will maintain risks within a central risk register, in which each risk is linked to the assets to which it applies. Additionally, the policy sets out how PMG will use a standard approach to the identification of risks across the business.

The policy also sets out the criteria for accepting risks and the acceptable levels of risk. This is based on a score of 1-16, with 1 being the lowest and 16 the highest risk.

The risk methodology also sets out how PMG will manage and treat any risks that are identified. Risk reviews are ultimately owned by the IT Director who will report these to PMG's Board. Reviews will be undertaken at least annually.

Asset Classification

Information assets will be categorised and recorded to enable appropriate management and control.

Inventory of Assets

Inventories of information assets, including hardware, software and key data, will be developed and maintained in accordance with the Asset Management Policy.

The asset register will be a managed document controlled by the IT Head of Technical Services.

Protection of Key Data and Information

Key data and information will be classified, protectively marked, handled and managed in accordance with the Information Classification & Protection Policy.

Personnel Security

Controls will be put in place by PMG to minimise the risks of human error, theft, fraud or malicious misuse of any of PMG's facilities.

Security in Job Descriptions

Security roles and responsibilities will be included in job descriptions where appropriate to the role. These will include any specific responsibilities for the protection of particular assets, or for the execution of particular processes or activities such as data protection.

Personnel Screening Policy

PMG's HR Team is responsible for conducting and maintaining the security vetting of all staff. Pre-employment controls are in place to mitigate client reputational and security damage. Employees must provide supporting documentation such as proof of identity, address details, nationality and entitlement to undertake work, previous employment history, and professional references. They may also be subject to Disclosure and Barring Service (DBS) and credit checks for appropriate roles, where there is access to personally identifiable data or there is a contractual requirement for staff to undergo enhanced screening. The company will also verify any professional body memberships and qualifications.

Confidentiality Undertaking

All members of staff are reminded of their obligation to protect confidential information in accordance with PMG's standard terms and conditions of employment.

Employee Responsibilities

Employees will be informed of their information security responsibilities during induction training, and these will be reiterated on PMG's intranet in accordance with the Information Security Training Awareness Policy.

Information Security Education and Training

Information security awareness training and/or instruction will be made available to all staff. The Information Security Training Awareness Policy will identify where such training is mandatory. Additionally, roles that specifically manage key data and information will be identified.

Contractors and external parties, such as visiting clients, will be made aware of their responsibilities through various information security awareness documents and publications.

Suspected Security Weaknesses

Any person covered by the ISMS who uses, or is involved in the administration of, any of PMG's facilities will not attempt to prove any suspected or perceived security weakness where doing so could cause system or process failure.

Where there is a requirement to prove a weakness, a written exemption will be documented and approved by the IT Director prior to any action being undertaken.

Reporting Security Incidents

All actual, near-miss and suspected security incidents are to be reported in accordance with the Information Security Incident Reporting Policy.

Network Isolation and Reconnection

Any computer that is perceived to be placing the integrity of PMG's network at risk may be disconnected from the network in accordance with the Information Security Incident Reporting Policy. Subsequent reinstatement will only be permitted once the device concerned has been cleaned and passed by the IT Service Desk for reconnection.

Security Incident Management

Events that are regarded as 'security incidents' are defined, and processes have been implemented to investigate, control, manage and review such events in accordance with the Information Security Incident Reporting Policy, with a view to preventing recurrence.

All departments are required to follow the Information Security Incident Reporting Policy.

Physical and Environmental Security

Controls have been implemented as appropriate to prevent unauthorised access to, interference with, or damage to information assets.

Physical Security

Computer systems and networks are protected by suitable physical, technical, procedural and environmental security controls in accordance with the Physical Security Policy.

File servers and machines that hold or process high criticality, high sensitivity or high availability data are located in physically secured areas.

Access to facilities that hold or process high criticality, high sensitivity or high availability data (as defined within the Information Classification & Protection Policy) is controlled.

Office Security

Key information is protected in accordance with the Information Classification & Protection Policy.

Laptop computers and remote equipment are protected in accordance with the Mobile & Remote Working Policy.

Communications and Operations Management

Controls have been implemented to enable the correct and secure operation of information processing facilities.

Documented Operating Procedures

Design, build and configuration documentation will be produced for system platforms. Sensitive documentation will be held securely, with access restricted to staff on a need-to-know basis.

IT operating procedures shall be documented and maintained.

Segregation of Duties

Access to critical systems and to key data and information will only be granted on a need-to-know basis.

Segregation of duties between the operations and development environments shall be maintained for critical systems.

Permanent and full access to live operating environments is restricted to staff on the basis of role requirements.

Capacity Planning

Appropriate processes and procedures have been implemented for capacity planning and alerting on critical systems, as defined in the Information Classification & Protection Policy.

System Changes

All changes to live critical systems will follow a pre-defined change management process, ensuring that activities are undertaken under stringent change control in accordance with the Change Control Policy.

Security Assurance Testing

Critical systems, as defined by the Information Classification & Protection Policy, will be subjected to periodic security assurance testing to ensure that they remain secure.

Controls against Malicious Software

Controls have been implemented to check for malicious or fraudulent code being introduced. Bespoke source code written by external parties, contractors and staff will be subjected to security scrutiny through code reviews before being installed on any system.

Virus Protection

An Information Security Virus Protection Policy has been implemented to prevent the introduction and transmission of computer viruses and malware both within and from outside of PMG's networks. This extends to managing and containing viruses and malware should preventative measures fail.

Security Patches, Fixes and Workarounds

The IT Help Desk is responsible for the day-to-day management of systems to ensure that security patches, fixes and workarounds are applied in accordance with the Security Patching Policy.

Data Storage

Data on systems is managed in accordance with the Storage, Backup and Encryption Policy and is subject to client and legislative requirements.

System, Application and Data Backup

All critical systems, applications and key data are backed up in accordance with the Storage, Backup and Encryption Policy.

Archiving

All archive material is held, managed and stored in accordance with the contractual and regulatory requirements of PMG.

Network Management

Controls have been implemented to achieve, maintain and control access to computer networks, including wireless LANs, in accordance with the Access Control and Account Management Policy.

Handling and Storage

Media containing key data will be marked and handled in accordance with the Information Classification & Protection Policy and managed in accordance with the Storage, Backup & Encryption Policy.

Disposal

Removable media containing data will be reused or disposed of through controlled and secure means when no longer required, in accordance with the Information Classification & Protection Policy.

Procedures have been implemented in accordance with the Information Classification & Protection Policy for the secure disposal of storage media containing data when these are no longer required.

Where custody of equipment containing data is to be relinquished, procedures have been implemented in accordance with the Information Classification & Protection Policy to securely delete such data first.

Redundant computer equipment will be disposed of in accordance with the Waste Electrical and Electronic Equipment (WEEE) Regulations and through secure and auditable means.

Software Usage and Control

Software will be used, managed and controlled in accordance with business requirements and the Use of Company Systems Policy.

All software upgrades and in-house systems development will be appropriately controlled and tested through a managed process before live implementation, as defined in the Information Classification & Protection Policy.

Internet Usage

Activities involving Internet usage, for example e-mail transmission and website access, are governed by the Use of Company Systems Policy.

Cloud Technology

Business boundaries now extend beyond the sites owned and operated by the business. Increasingly, PMG is making use of cloud technologies to provide competitive advantages in the marketplace. Cloud technologies invariably mean that PMG's data will be hosted in data centres not owned and controlled by PMG. Appropriate levels of security and control are in place to ensure that PMG's data remains secure and is not compromised.

The usage of cloud technology will be controlled by the Cloud Technology Requisition Policy, Cloud Technology User Policy and an approved list of cloud technologies. The IT Director must assess and approve any cloud technology before becoming operational within PMG.

User Responsibilities

Users who access PMG's computer systems and/or networks must do so in accordance with the Use of Computer Systems Policy.

User Access Management and Administration

Users are only authorised to access PMG's facilities in accordance with the specific privileges they have been granted under the Access Control & User Account Management Policy.

Remote Access

Controls have been implemented to manage and control remote access to PMG's facilities and data in accordance with the Mobile & Remote Working Policy.

Privilege Management

The allocation and use of system privileges on each computer platform is restricted and controlled in accordance with the Access Control & User Account Management Policy.

Password Management

The allocation and management of passwords and passphrases is controlled in accordance with the Secret Password Usage and Control Policy.

Passwords

Users are required to follow good security practice in the selection, use and management of their secret authentication credentials, and to keep them confidential in accordance with the Secret Password Usage and Control Policy.

Unattended User Equipment

Users of IT/IS facilities are responsible for safeguarding data by ensuring that computing devices are locked, or not left logged on, when unattended, and that portable equipment in their custody is not exposed to opportunistic theft. Laptops and other portable devices should be placed in lockable containers when they are not being used for extended periods of time, for example overnight.

Where available, password-protected screen locks and automatic logout mechanisms are used on computing devices to prevent individual accounts being used by persons other than the account holders; this does not apply to cluster computers that are shared by multiple users.

Network Access Control

The use of networked services, connectivity to PMG's network and the use of information systems connected to PMG's network are controlled in accordance with the Access Control & User Account Management Policy.

Operating System and Application Access Control

Access to systems' operating systems and applications is controlled in accordance with the Access Control & User Account Management Policy.

Access to system utility software is restricted to authorised people only.

Monitoring System Access and Use

Access to and use of systems is monitored in accordance with the Systems Usage Logging and Audit Policy.

Systems Development and Maintenance

Controls will be implemented to ensure that security requirements are considered when further developing existing information systems and prior to introducing new ones.

Use of Cryptography

System administration and account management secret authentication credentials should be encrypted where possible.

Dependent on the nature of the data being stored and on contractual and regulatory requirements, PMG will store data in an encrypted format wherever possible.

Security in Test and Development Processes

Test and development systems will be appropriately isolated from live critical systems at all times.

Business Continuity Management

Controls have been implemented to counteract disruptions to PMG's information processing facilities and to protect critical systems from the effects of major failures and disruption.

Data Storage

Ideally, data is held on a network resource so that it is backed up through a routine managed process. Where this is not possible, provision is made for regular and frequent backups to be taken in accordance with the Information Classification & Protection Policy and the Storage, Backup and Encryption Policy.

Backup Media

A controlled and fully auditable process for the handling, transportation, storage and retrieval of backup media containing data has been implemented.

Continuity Strategy

A Business Continuity Plan has been developed, and will continue to be maintained, to ensure the availability of services in the event of unexpected disruption.

Testing of this plan will be undertaken and documented, ensuring that the plan is kept aligned with a changing business and operational environment.

Compliance

Controls have been implemented to avoid contravention of legislation, regulatory and contractual obligations and security policy.

Compliance with Legal Requirements

Legislation that has a bearing on information processing and management will be identified, and controls will be implemented to ensure compliance. The Legal and Regulatory Compliance Policy sets this out.

A legal register of applicable legislation is maintained and periodically reviewed. PMG will engage external expertise to help ensure compliance.

Details of all legal requirements applicable to PMG are maintained as part of the legal register. External experts will be utilised by PMG to ensure that legal requirements are kept up to date with changing legislation and regulatory requirements.

Review of Security Policy

The Policy is subject to review annually, and in the event of any major change in circumstances, to ensure that its controls remain effective.

Any changes to the policy will be reviewed by the Security Working Group (SWG) and must be approved by the SWG before being accepted.

Compliance with Security Policy

Compliance with the policy is mandatory. Failure to comply with policy requirements, outside the process for exemption authorisation, will be viewed as a breach of security. Any such event may be the subject of investigation and possible further action in accordance with PMG's procedures.

PMG's Board will ensure that the Information Security Policy is adhered to within their departments. All parts of PMG will be subject to review to ensure compliance with the policy.

Exemptions

In certain circumstances, it may not be practical for some users or functional departments to rigorously adhere to specific areas of the policy. Where there are justifiable reasons why a particular policy requirement cannot be implemented, a specific policy exemption must be requested and approved by the SWG.

Any exemption requirement will be fully documented and presented to the SWG for review. Any associated risks will be documented according to the Risk Assessment Methodology Policy, noting that these risks have been accepted under an exemption.

All exemptions must be signed off by the IT Director following review and this will be documented.

No processes or procedures that require an exemption will be put into operation until an exemption has been granted.

7. Consequences for Breach of Policy

Any breach of this policy may cause reputational damage or significant inconvenience to the company, resulting in the use of valuable corporate resources to rectify any ensuing problems. Violations of this policy, or any other abuse of our IT systems, may be treated as gross misconduct and appropriate disciplinary action taken in line with PMG's Disciplinary Action Policy. Depending on the seriousness of the offence, this could take the form of immediate dismissal, particularly if it involves real or threatened damage to the company's reputation, damage to our IT systems and property, or a criminal offence.