Purpose and Scope
- Key data and information for both PMG and its clients
- Those who have access to or who administer IT/IS facilities
- Individuals who process or handle key data and information
- Defining PMG's policy for the protection of the Confidentiality, Integrity and Availability of its key data and information assets
- Establishing responsibilities for information security
- Providing reference to documentation that comprises the Information Security Management System (ISMS).
1. Policy Statement
2. Background
3. Requirements for Policy
4. Objective
- Confidentiality - Knowing that key data and information can be accessed only by those authorised to do so
- Integrity - Knowing that key data and information is accurate and up-to-date, and has not been deliberately or inadvertently modified from a previously approved version
- Availability - Knowing that the key data and information can always be accessed when appropriate.
5. Applicability
- All full-time, part-time and temporary staff employed by, or working for or on behalf of PMG
- Workers, contractors and consultants working for or on behalf of PMG
- External third-party suppliers to whom PMG's internal security requirements and/or client security requirements will be flowed down
- All other individuals and groups who have been granted access to PMG's IS/IT systems and/or key data and information.
6. Policy Detail
6.1 Organisational Security
Information security governance will be implemented to ensure effective controls are in place throughout all operations of PMG.
6.2 Information Security Infrastructure
An Information Security Infrastructure has been developed to support the policy.
6.3 Ownership and Maintenance of the Policy
Ownership and maintenance of this policy rests with PMG's IT Director.
6.4 Independent Review
An independent review of the implementation of the policy and its supporting policies, their effectiveness and the degree of compliance with them, will be carried out periodically by bodies that have appropriate experience of providing information security assurance.
6.5 Security of External Party Access
Access to PMG's information processing facilities by external parties will be controlled.
6.6 Identification of Risks from External Party Access
External parties who require access to PMG's infrastructure and/or information will be bound by an NDA that defines PMG's security requirements. Prior to being granted access to any information, they will be required to sign an undertaking to adhere to the requirements of the External Party Connection Policy.
Each agreement will also take into consideration client-specific requirements for information security in the processing that PMG will undertake for that client. This will ensure that PMG flows down any such requirements to the external parties.
6.7 Risk Methodology
A standard approach to risk is defined in the Risk Assessment Methodology Policy. This policy sets out how PMG will maintain risks within a central risk register, in which each risk is linked to the assets it applies to. Additionally, the policy sets out how PMG will use a standard approach to the identification of risks across the business.
The policy also sets out the criteria for accepting risks and acceptable levels of risk. This is based on a score of 1-16, with 1 being the lowest and 16 the highest risk.
The risk methodology also sets out how PMG will manage and treat any risks that are identified. Risk reviews are ultimately owned by the IT Director, who will report these to PMG's Board. Reviews will be undertaken at least annually.
6.8 Asset Classification
Information assets will be categorised and recorded to enable appropriate management and control.
6.9 Inventory of Assets
Inventories of information assets, including hardware, software and key data, will be developed and maintained in accordance with the Asset Management Policy.
The asset register will be a managed document controlled by the IT Head of Technical Services.
6.10 Protection of Key Data and Information
Key data and information will be classified, protectively marked, handled and managed in accordance with the Information Classification & Protection Policy.
6.11 Personnel Security
Controls will be put in place by PMG to minimise the risks of human error, theft, fraud or malicious misuse of any of PMG's facilities.
6.12 Security in Job Descriptions
Security roles and responsibilities will be included in job descriptions where appropriate to the role. These will include any specific responsibilities for the protection of particular assets, or for the execution of particular processes or activities such as data protection.
6.13 Personnel Screening Policy
PMG's HR Team is responsible for conducting and maintaining the security vetting of all staff. Pre-employment controls are in place to mitigate client reputational and security damage. Employees must provide supporting documentation such as proof of identity, address details, nationality and entitlement to undertake work, previous employment history, and professional references. They may also be subject to Disclosure and Barring Service (DBS) and credit checks for appropriate roles, where there is access to personally identifiable data or there is a contractual requirement for staff to undergo enhanced screening. The company will also verify any professional body memberships and qualifications.
6.14 Confidentiality Undertaking
All members of staff are reminded of their obligation to protect confidential information in accordance with PMG's standard terms and conditions of employment.
6.15 Employee Responsibilities
Employees will be informed of their information security responsibilities during induction training, and these will be reiterated on PMG's intranet in accordance with the Information Security Training Awareness Policy.
6.16 Information Security Education and Training
Information security awareness training and/or instruction will be made available to all staff. The Information Security Training Awareness Policy will identify where such training is mandatory. Additionally, roles that specifically manage key data and information will be identified.
Contractors and external parties, such as visiting clients, will be made aware of their responsibilities through various information security awareness documents and publications.
6.17 Suspected Security Weaknesses
Any person covered by the ISMS who uses, or is involved in the administration of, any of PMG's facilities will not attempt to prove any suspected or perceived security weakness in a way that would cause system or process failure.
Where there is a requirement to prove a weakness, a written exemption will be documented and approved by the IT Director prior to any action being undertaken.
6.18 Reporting Security Incidents
All actual, near miss and suspected security incidents are to be reported in accordance with the Information Security Incident Reporting Policy.
6.19 Network Isolation and Reconnection
Any computer that is perceived to be placing the integrity of PMG's network at risk may be disconnected from network access in accordance with the Information Security Incident Reporting Policy. Subsequent reinstatement will only be permitted once the device concerned has been cleaned and passed by the IT Service Desk for reconnection.
6.20 Security Incident Management
Events that are regarded as 'security incidents' are defined, and processes have been implemented to investigate, control, manage and review such events in accordance with the Information Security Incident Reporting Policy, with a view to preventing recurrence.
All departments are required to follow the Information Security Incident Reporting Policy.
6.21 Physical and Environmental Security
Controls have been implemented as appropriate to prevent unauthorised access to, interference with, or damage to, information assets.
6.22 Physical Security
Computer systems and networks are protected by suitable physical, technical, procedural and environmental security controls in accordance with the Physical Security Policy.
File servers and machines that hold or process high criticality, high sensitivity or high availability data are located in physically secured areas.
Access to facilities that hold or process high criticality, high sensitivity or high availability data (as defined within the Information Classification & Protection Policy) is controlled.
6.23 Office Security
Key information is protected in accordance with the Information Classification & Protection Policy.
Laptop computers and remote equipment are protected in accordance with the Mobile & Remote Working Policy.
6.24 Communications and Operations Management
Controls have been implemented to enable the correct and secure operation of information processing facilities.
6.25 Documented Operating Procedures
Design, build and configuration documentation will be produced in respect of system platforms. Sensitive documentation will be held securely, with access restricted to staff on a need-to-know basis.
IT operating procedures shall be documented and maintained.
6.26 Segregation of Duties
Access to critical systems and key data and information will only be granted on a need-to-know basis.
Segregation of duties between operations and development environments shall be maintained for critical systems.
Permanent and full access to live operating environments is restricted to staff on the basis of role-based requirements.
6.27 Capacity Planning
Appropriate processes and procedures have been implemented in respect of capacity planning and alerting for critical systems as defined in the Information Classification & Protection Policy.
6.28 System Changes
All changes to live critical systems will follow the pre-defined change management process set out in the Change Control Policy, to ensure that activities are undertaken under stringent change control.
6.29 Security Assurance Testing
Critical systems, as defined by the Information Classification & Protection Policy, will be subjected to periodic security assurance testing to ensure that systems remain secure.
6.30 Controls against Malicious Software
Controls have been implemented to check for malicious or fraudulent code being introduced. Bespoke source code written by external parties, contractors and staff will be subjected to security scrutiny through code reviews before being installed on any system.
6.31 Virus Protection
An Information Security Virus Protection Policy has been implemented to prevent the introduction and transmission of computer viruses and malware both within and from outside of PMG's networks. This extends to managing and containing viruses and malware should preventative measures fail.
6.32 Security Patches, Fixes and Workarounds
The IT Help Desk is responsible for the day-to-day management of systems to ensure that security patches, fixes and workarounds are applied in accordance with the Security Patching Policy.
6.33 Data Storage
Data on systems is managed in accordance with the Storage, Backup and Encryption Policy and subject to client and legislative requirements.
6.34 System, Application and Data Backup
All critical systems, applications and key data are backed up in accordance with the Storage, Backup and Encryption Policy.
6.35 Archiving
All archive material is held, managed and stored in accordance with the contractual and regulatory requirements of PMG.
6.36 Network Management
Controls have been implemented to achieve, maintain and control access to computer networks, including wireless LANs, in accordance with the Access Control and Account Management Policy.
6.37 Handling and Storage
Media containing key data will be marked and handled in accordance with the Information Classification & Protection Policy and managed in accordance with the Storage, Backup & Encryption Policy.
6.38 Disposal
Removable media containing data will be reused or disposed of through controlled and secure means when no longer required, in accordance with the Information Classification & Protection Policy.
Procedures have been implemented in accordance with the Information Classification & Protection Policy for the secure disposal of storage media containing data when these are no longer required. Where custody of equipment containing data is to be relinquished, procedures have been implemented in accordance with the Information Classification & Protection Policy to securely delete such data first.
Redundant computer equipment will be disposed of in accordance with the Waste Electrical and Electronic Equipment (WEEE) Regulations and through secure and auditable means.
6.39 Software Usage and Control
Software will be used, managed and controlled in accordance with business requirements and the Use of Company Systems Policy.
All software upgrades and in-house systems development will be appropriately controlled and tested through a managed process before live implementation, as defined in the Information Classification & Protection Policy.
6.40 Internet Usage
Activities involving Internet usage, for example e-mail transmission and web site access, are governed by the Use of Company Systems Policy.
6.41 Cloud Technology
Boundaries for businesses now extend beyond the sites owned and operated by a business. Increasingly, PMG is making use of cloud technologies to provide competitive advantages in the marketplace. Cloud technologies invariably mean that PMG's data will be hosted in data centres not owned and controlled by PMG. Levels of security and control ensure that PMG's data is secure and cannot be compromised.
The usage of cloud technology will be controlled by the Cloud Technology Requisition Policy, the Cloud Technology User Policy and an approved list of cloud technologies. The IT Director must assess and approve any cloud technology before it becomes operational within PMG.
6.42 User Responsibilities
Users who access PMG's computer systems and/or networks must do so in accordance with the Use of Computer Systems Policy.
6.43 User Access Management and Administration
Users are authorised to access PMG's facilities only according to the specific privileges granted to them in accordance with the Access Control & User Account Management Policy.
6.44 Remote Access
Controls have been implemented to manage and control remote access to PMG's facilities and data in accordance with the Mobile & Remote Working Policy.
6.45 Privilege Management
The allocation and use of system privileges on each computer platform is restricted and controlled in accordance with the Access Control & User Account Management Policy.
6.46 Password Management
The allocation and management of passwords/passphrases is controlled in accordance with the Secret Password Usage and Control Policy.
6.47 Passwords
Users are required to follow good security practices in the selection, use and management of their secret authentication credentials and to keep them confidential in accordance with the Secret Password Usage and Control Policy.
6.48 Unattended User Equipment
Users of IT/IS facilities are responsible for safeguarding data by ensuring that computing devices are locked or not left logged on when unattended, and that portable equipment in their custody is not exposed to opportunistic theft. Laptops or other portable devices should be placed in lockable containers when they are not being used for extended periods of time, for example overnight.
Where available, password-protected screen locks and automatic logout mechanisms are used on computing devices to prevent individual accounts being used by persons other than the account holders, but not on cluster computers that are shared by multiple users.
6.49 Network Access Control
The use of networked services, connectivity to PMG's network and the use of information systems connected to PMG's network are controlled in accordance with the Access Control & User Account Management Policy.
6.50 Operating System and Application Access Control
Access to systems' operating systems and applications is controlled in accordance with the Access Control & User Account Management Policy.
Access to system utility software is restricted to authorised people only.
6.51 Monitoring System Access and Use
Access to and use of systems is monitored in accordance with the Systems Usage Logging and Audit Policy.
6.52 Systems Development and Maintenance
Controls will be implemented to ensure that security requirements are considered when further developing existing information systems and prior to introducing new ones.
6.53 Use of Cryptography
System administration and account management secret authentication credentials should be encrypted where possible.
Dependent on the nature of the data being stored and on contractual and regulatory requirements, PMG will store data in an encrypted format wherever possible.
6.54 Security in Test and Development Processes
Test and development systems will be appropriately isolated from live critical systems at all times.
6.55 Business Continuity Management
Controls have been implemented to counteract disruptions to PMG's information processing facilities and to protect critical systems from the effects of major failures and disruption.
6.56 Data Storage
Ideally, data is held on a network resource so that it is backed up through a routine managed process. Where this is not possible, provision is made for regular and frequent backups to be taken in accordance with the Information Classification & Protection Policy and the Storage, Backup and Encryption Policy.
6.57 Backup Media
A controlled and fully auditable process for the handling, transportation, storage and retrieval of backup media containing data has been implemented.
6.58 Continuity Strategy
A Business Continuity plan has been developed, and will continue to be maintained, to ensure the availability of services in the event of unexpected disruption.
Testing of this plan will be undertaken and documented, ensuring that the plan is kept aligned with a changing business and operational environment.
6.59 Compliance
Controls have been implemented to avoid contravention of legislation, regulatory and contractual obligations and security policy.
6.60 Compliance with Legal Requirements
Legislation that has a bearing on information processing and management will be identified, and controls will be implemented to ensure compliance. The legal and regulatory compliance policy sets this out.
A legal register of applicable legislation is maintained and periodic reviews are undertaken. Details of all legal requirements applicable to PMG are maintained as part of the legal register. PMG will engage external expertise to help ensure that compliance is maintained as legislation and regulatory requirements change.
6.61 Review of Security Policy
The Policy is subject to review annually, and in the event of any major change in circumstances, to ensure that its controls remain effective.
Any changes to the policy will be reviewed by the security working group (SWG) and must be approved by the SWG before being accepted.
6.62 Compliance with Security Policy
Compliance with the policy is mandatory. Failure to comply with policy requirements, outside the process for exemption authorisation, will be viewed as a breach of security. Any such event may be the subject of investigation and possible further action in accordance with PMG's procedures.
PMG's Board will ensure that the Information Security policy is adhered to within their departments. All parts of PMG will be subject to review to ensure compliance with the policy.
6.63 Exemptions
In certain circumstances, it may not be practical for some users or functional departments to rigorously adhere to specific areas of the policy. Where there are justifiable reasons why a particular policy requirement cannot be implemented, a specific policy exemption must be requested and approved by the SWG.
Any exemption requirement will be fully documented and presented to the SWG for review. Any associated risks will be documented according to the Risk Assessment Methodology Policy, with a note that these risks have been accepted under an exemption.
All exemptions must be signed off by the IT Director following review, and this will be documented.
No processes or procedures that require an exemption will be put into operation until the exemption has been granted.