1. Scope
This policy applies to all employees, contractors, and third parties involved in handling customer and employee data within IndyForms.
2. Purpose
3. Introduction
To protect IndyForms Information from unauthorised access, loss, or damage, a security framework is needed that will ensure the protection of this information while still supporting the open and information-sharing needs of our business. This policy provides such a framework and sets forth Standards and Procedures related to information security in line with the requirements of the ISO/IEC 27001:2022/COR 2022 standard. Failure to comply with this policy may subject you to disciplinary action. More information about these Standards and Procedures will be developed and published separately.
4. Who is Affected by this Policy?
The Information Security Policy applies to all individuals and entities granted access to IndyForms information. This includes staff and contractors, those granted access through a service relationship, and any other individuals or entities granted use of IndyForms information. It is important that everyone understands their responsibilities under this policy and takes the necessary steps to protect sensitive data. Violations of the policy should be reported in accordance with the IT Breach procedure.
5. Definitions
- Authorisation: the process of granting or denying access to data and systems based on an evaluation of the requesting user’s identity and role. Authorisation is one of the three main functions of security policy, along with authentication and accounting.
- Availability: ensuring that information is ready and suitable to use.
- Confidentiality: one of the most important concepts in information security. To protect the company’s data, all confidential information must remain just that – confidential. This means that only authorised individuals are allowed to access this information, and it must not be shared with anyone who does not have authorised access.
- Integrity: the property that data has not been changed in any way since it was last accessed or processed. This is a fundamental principle of information security policy and is essential for ensuring the accuracy and reliability of data.
- Unauthorised Access: one of the most serious security violations that can arise in an organisation. It occurs when a user accesses data or systems without authorisation. This can lead to several problems for the company, including theft of information, damage to data, and even financial losses.
6. Policy
IndyForms recognises that the disciplines of confidentiality, integrity and availability in Information Security Management are integral parts of its management function. IndyForms is committed to protecting the security of its information and information systems in line with the requirements of the ISO/IEC 27001:2022/COR 2022 standard.
IndyForms has a policy in place to protect its information from unauthorised access, loss, or damage. The policy covers all forms of information, both electronic and paper based. It applies to all employees, contractors and suppliers.
The policy, in conjunction with INDY03 – IT Operating Policies, establishes several key requirements, including:
- the use of strong passwords and other authentication methods;
- real-time advanced threat detection systems to proactively detect unauthorised access to systems;
- the protection of stored information by encryption;
- prevention of malware infection by using only company-issued computers; and
- the timely reporting of any security incidents.
The Director of IndyForms views these as primary responsibilities and fundamental to the best business practice of adopting appropriate Information Security Controls, in line with ISO/IEC 27001:2022/COR 2:2022 requirements.
IndyForms Information Security Policy seeks to operate to the highest standards, including continual improvement, through Certification and annual review.
IndyForms will:
- Comply with all applicable laws and regulations and contractual obligations.
- Implement continual improvement initiatives including risk assessment and risk treatment strategies, whilst making best use of its management resources to better meet Information Security requirements.
- Communicate its information security objectives, and its performance in achieving these objectives, throughout the organisation and to interested parties.
- Adopt an Information Security management system comprising a security manual and procedures which provide direction and guidance on information security matters relating to employees, customers, suppliers and interested parties who encounter its activities.
- Work closely with its customers, business partners and suppliers in seeking to establish appropriate Information Security standards.
- Adopt a forward-looking view on future business decisions, including the continual review of risk evaluation criteria, which may have an impact on Information Security.
- Train all members of staff in the needs and responsibilities of Information Security Management.
- Constantly strive to meet, and where possible exceed, the expectations of its customers, staff, and suppliers.
- Provide education, training, and awareness for information security and for ensuring the continued operation of the Information Security Management System.
Responsibility for upholding this policy applies company-wide under the guidance, and with the assistance, of the Director, who encourages the personal commitment of all staff to address Information Security as part of their skills.
6.1 Confidential
Please be aware that confidential information must not be shared with unauthorised individuals. Sharing this information without authorisation can result in disciplinary action, up to and including termination of employment.
7. Managing Information Security
7.1 Objectives and Measurement
The main objective of an information security policy statement is to protect the organisation’s computer systems, electronic data, and customer information. The policy should also ensure that employees are aware of their responsibilities with regard to information security. To measure the effectiveness of the policy, it is important to track both the number and severity of incidents that occur. This will help identify any areas that need improvement. In addition, the policy should be reviewed periodically to make sure that it is still relevant and effective.
INDY06 – Information Security Objectives & Targets further details the Company’s objectives.
The Executive Team is responsible for reviewing these INDY06 – Information Security Objectives & Targets in conjunction with INDY03 – IT Operating Policies & Procedures and setting new ones where required. ISMS objectives must be reviewed at least once a year.
7.2 Responsibilities
To maintain the security and integrity of organisation information, all IndyForms staff, contractors and others granted use of organisation information are expected to comply with the Information Security Management System. This includes:
- Understanding the classification levels defined in the policy and appropriately classifying information for which one is responsible.
- Accessing information only as needed to meet legitimate business needs, and not divulging, copying, releasing, selling, loaning, altering or destroying any information.
- Storing, using and disposing of media that contains personal information in a manner consistent with its classification level.
IndyForms takes information security seriously and expects all members of the community to do their part in protecting our data. By understanding and following these expectations, we can help keep our information safe and secure. To protect the information of IndyForms, these guidelines must be followed; failure to comply with them could result in serious consequences.
7.3 Validity and Data Management
This document is valid as of 25/10/2024.
The owner of the document is the Director, who must check and update the document at least once a year.
When evaluating the document, apply the following criteria:
- the number of employees and external parties who have a role in the ISMS but are not familiar with this document;
- unclear responsibilities for ISMS implementation;
- ineffectiveness of implementation and maintenance.
7.4 Policy Review
The Information Security Policy will be reviewed every 12 months.