Last Reviewed: 03/01/2022
Next Review Date: 03/01/2025
Objective
The objective of this Information Security Policy is to ensure that the Company’s information and information systems are protected so that core and supporting business operations can continue with minimal disruption.
The Company is committed to ensuring that all information created, processed, stored, or transmitted by the business maintains appropriate levels of confidentiality, integrity, and availability.
This policy supports, and operates alongside, the Company’s separate Data Protection and GDPR Policy.
Policy
The purpose of this policy is to protect the Company’s information assets from all threats, whether internal or external, deliberate or accidental.
The Company is committed to ensuring that:
Information is available to employees and clients as required to support business operations, with minimal disruption.
The integrity and accuracy of information is maintained.
Confidential information (including commercial, technical, research, third-party and personal data) is protected from unauthorised access or disclosure.
All applicable legal, regulatory, and contractual requirements are met.
Information security risks are identified, assessed, and managed.
Access Control and System Security
Access to information and systems is provided on a role-based basis, aligned to job responsibilities.
All systems are protected by unique user credentials, passwords, and appropriate security controls.
Access rights are reviewed when roles change or employment ends.
Company devices (including laptops and specialist equipment) must be used in accordance with Company policies and protected against loss, theft, or unauthorised use.
Business Continuity
The Company maintains a proportionate Business Continuity Plan appropriate to its size and operations.
This plan is intended to support the continuation of key business activities in the event of disruption.
The Business Continuity arrangements are reviewed periodically and may be expanded or formalised further as the business grows.
Training and Awareness
Information security awareness is covered as part of employee induction and is supported by the Company’s policies and procedures.
As part of induction, employees are required to sign confidentiality and impartiality agreements, which set out their responsibilities in relation to the protection of Company information and the avoidance of conflicts of interest. These obligations are reinforced on an ongoing basis, including through periodic re-confirmation where required.
Employees are expected to understand their role in protecting Company information and to comply with all information security requirements relevant to their role.
Incident Reporting and Management
All actual or suspected information security incidents must be reported promptly to senior management.
Incidents will be investigated appropriately and proportionately.
Where required by law, relevant statutory bodies (such as the Information Commissioner’s Office) will be notified in accordance with legal obligations.
Roles and Responsibilities
Senior management is responsible for overall oversight of information security and for ensuring this policy is implemented and maintained.
Managers are responsible for ensuring compliance within their teams.
All employees are responsible for complying with this policy and related procedures.
Scope of Information Covered
Information includes, but is not limited to:
Electronic data and systems
Cloud-hosted platforms
Software and source code repositories
Printed documents
Emails and electronic communications
Verbal information shared in the course of business
Continuous Improvement
The Company will take reasonable steps to improve information security controls over time, taking into account changes in risk, technology, and business operations.
Review
This policy will be reviewed every three years, or sooner if required due to changes in legislation, business operations, or identified risks.
Joe Charlesworth
Director - Highway Data Systems Ltd