Policy aim

The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by [organisation] by:

· Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies.

· Describing the principles of security and explaining how they shall be implemented in the organisation.

· Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.

· Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of the day-to-day business.

· Protecting information assets under the control of the organisation.

Policy Framework

Management of Security

· At board level, responsibility for Information Security shall reside with the [insert appropriate director].

· The [organisation’s] Security Officer [or appropriate title] shall be responsible for implementing, monitoring, documenting and communicating security requirements for the organisation.

Information Security Awareness Training

· Information security awareness training shall be included in the staff induction process.

· An ongoing awareness programme shall be established and maintained in order to ensure that staff awareness is refreshed and updated as necessary.

Contracts of Employment

· Staff security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain a confidentiality clause.

· Information security expectations of staff shall be included within appropriate job definitions.

Security Control of Assets

Each IT asset (hardware, software, application or data) shall have a named custodian who shall be responsible for the information security of that asset.

Access Controls

Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems or stored data.

User Access Controls

Access to information shall be restricted to authorised users who have a bona fide business need to access the information.

Computer Access Control

Access to computer facilities shall be restricted to authorised users who have a business need to use the facilities.