Introduction
Information is a key resource for Brighton Business IT Ltd, without which virtually all of our activities would cease. Our information includes: computing network, database systems, coding and case data; administrative, personnel and financial data. Information may exist in many forms: it may be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown online, or spoken in conversation. Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.
Brighton Business IT Ltd must endeavour to do all it can to protect its information assets in ways that are appropriate and effective. This will help enable Brighton Business IT Ltd to fulfil its responsibilities and enable our staff to continue their work and to liaise together within the organisation.
Objective
Our security objective is to protect Brighton Business IT Ltd from security problems that might have an adverse effect on operations and professional standing.
Security problems can include failures of confidentiality, integrity and availability. A wide definition of security will be used to include all types of incidents that pose a threat to the effective use of information. This includes performance, consistency, reliability, accuracy and timeliness.
Principles
Approach
We will:
Use all reasonable, appropriate, practical and effective security measures to protect important processes and assets in order to achieve our security objective.
Utilise BS7799: Code of Practice for Information Security Management as a framework for guiding our approach to managing security.
Continually review our use of security measures so that we can improve the way in which we protect our business.
Protect and manage information assets to enable us to meet our contractual, legislative, privacy and ethical responsibilities.
Responsibilities
All staff, past and present, permanent, honorary and temporary, of Brighton Business IT Ltd have an obligation to protect information assets, systems and infrastructure. They will, at all times, act in a responsible, professional and security-aware way, maintaining an awareness of and conformance to this Policy.
Everyone will respect the information assets of third parties whether or not such protection is required contractually, legally or ethically.
All members of Brighton Business IT Ltd are responsible for identifying security shortfalls in our existing security practices and/or improvements that could be made. These should be reported to the Directors.
All members who have supervisory responsibility are required to actively promote best practice amongst their supervised staff.
The Director of Brighton Business IT Ltd has ultimate responsibility for ensuring that information within Brighton Business IT Ltd is adequately protected. The Director will delegate responsibility for approving and reviewing access rights to information to named, responsible individuals.
The Director of Brighton Business IT Ltd is responsible for ensuring that our security objective is achieved. The Security staff group is authorised by the Director to pursue appropriate activities and actions that contribute to achieving our security objective and that are consistent with this Information Security Policy.
The Director of Brighton Business IT Ltd is responsible for allocating sufficient resources so that Brighton Business IT Ltd can realistically achieve its security objective. This includes people, time, equipment, software, education and access to external sources of information and knowledge.
Practices
We will identify our security risks and their relative priorities, responding to them promptly and implementing safeguards that are appropriate, effective, culturally acceptable and practical.
All members of Brighton Business IT Ltd will be responsible for their actions with regard to information security.
All information (including third party information) will be protected by security controls and handling procedures appropriate to its sensitivity and criticality.
Brighton Business IT Ltd will ensure that its activities can continue with minimal disruption, or other adverse impact, should it suffer any form of disruption or security incident.
Actual or suspected security incidents will be reported promptly to the Security Steering Group, who will manage the incident, and arrange for an analysis of the incident and consequent lessons to be learnt.
Documented procedures and standards, along with education and training, will support these Principles and the Practices to which they give rise.
Compliance with the Policy will be monitored on a regular basis by the security staff group, which will meet on a regular basis.
The Director of Brighton Business IT Ltd owns this Information Security Policy and is committed to its implementation. He or she will facilitate an annual review of it by the security staff group. It will be reviewed for completeness, effectiveness and usability. Effectiveness will be measured by Brighton Business IT Ltd's ability to avoid security incidents and minimise resulting impacts.
The Director of Brighton Business IT Ltd will sign off all new versions of the Information Security Policy. All members of Brighton Business IT Ltd are responsible for identifying ways in which the Information Security Policy might be improved. Suggestions for improvement should be sent to the Director. If immediate changes are required, a special meeting of the security group will be called; otherwise, suggestions will be discussed at the meeting to conduct the annual review of the Policy.
Policy Awareness
A copy of this Policy will be made available to all staff currently employed, and to new staff when they join Brighton Business IT Ltd. Individual sections of the Policy will be updated as required and will be available on Brighton Business IT Ltd's Internet site. All members of Brighton Business IT Ltd are expected to be familiar with, and to comply with, the Information Security Policy at all times. The members of the security staff group will, in the first instance, be responsible for interpretation and clarification of the Information Security Policy. Staff requiring further information on any aspects of this Policy should discuss their needs with a member of the security staff group.
Applicability and Enforcement
This Policy applies to all members of Brighton Business IT Ltd and those who use its facilities and information. Compliance with the Policy will form part of the contract of employment.
Failure to comply with the Information Security Policy could harm the ability of Brighton Business IT Ltd to achieve its aims and security objectives and could damage the professional reputation of the organisation. Failure to comply will, in the ultimate sanction, be treated as a disciplinary matter. The Director of Brighton Business IT Ltd will be responsible for all decisions regarding the enforcement of this policy, utilising the disciplinary procedures at his or her disposal as appropriate.
Brighton Business IT Ltd will encourage the adoption and use of this Information Security Policy by third parties.