Information Security Policy


Purpose

This information security policy specifies management's intent to protect all important information assets within IT Desk from all threats, whether internal, external, deliberate or accidental. Information within IT Desk exists in many forms and this policy applies to and includes the protection of data stored electronically, transmitted across networks and printed or written on paper. The prime purpose of this Information Security Policy is to protect and safeguard IT Desk's customer information. The needs and expectations of all interested parties have been considered in the development of this security policy.

Information Security Threat Environment

IT Desk identifies the most significant cyber threats as:

Supply chain data breach: Supply chain data breach is a type of cyber attack that targets the weakest link in a supply chain to gain access to sensitive information. This can happen when an attacker infiltrates a third-party supplier or vendor that has access to a company’s data or systems. Once inside, the attacker can steal sensitive information, disrupt operations, or cause other damage.

Unintended Disclosure: Unintended disclosure is the accidental release of sensitive information to an unauthorized party. This can happen due to human error, such as sending an email to the wrong recipient, or due to a security vulnerability that allows an attacker to access the information. Unintended disclosure can have serious consequences, including loss of trust, damage to reputation, and legal repercussions.

Insider threats: Insider threats are a significant risk to organizations, as they involve individuals who have access to sensitive information and systems. These individuals, such as employees, contractors, or partners, may intentionally or unintentionally misuse or disclose confidential data, steal intellectual property, or sabotage systems.

Looking ahead, the security threat environment is expected to continue to evolve as technology advances and new threats emerge. Some projected threats include:

Cybercrime using AI and ML: Cybercriminals may use AI and ML to create more sophisticated attacks that can bypass traditional security measures. They may target individuals and organizations with phishing, malware, ransomware, and social engineering.

Cloud and Identity Attacks: Cloud attacks can include attempts to exploit vulnerabilities in cloud infrastructure or applications, while identity attacks can include attempts to steal or compromise user credentials, enabling lateral movement or allowing for reconnaissance activity.

Objectives

The objective of information security is to ensure business continuity and minimise damage by preventing and reducing the impact of security incidents and to commit to continual improvement. The implementation of this policy is mandatory to maintain and demonstrate the firm's integrity in dealings with all our customers, clients and trading partners.

It is the policy of IT Desk to ensure:

  • Information is protected against unauthorised access
  • The CIA triad (confidentiality, integrity, availability) is implemented in information solutions where applicable
  • Confidentiality of information is assured
  • Information is not disclosed to unauthorised persons through deliberate or careless actions
  • The integrity of information is maintained
  • Information is available to authorised users when needed
  • Regulatory and legislative requirements are met
  • Business continuity plans are produced, maintained and regularly tested
  • Information security training is given to all staff, and a test must be completed to demonstrate understanding
  • All breaches of information security, actual and suspected, are recorded, reported and investigated in a timely manner
  • Compliance with best practice as identified in ISO 27001:2022 is maintained
  • All staff are provided with user training and awareness in respect of their work, information assets and the policies and procedures associated with achieving the above objectives. Records of this training are maintained within the skills matrix.

Standards, policies and security operating procedures will be produced to support this policy and will include vulnerability control, access control, personnel security, the use of email and the Internet. A formal disciplinary process is documented and implemented when necessary to address issues arising with employees who choose not to comply with these standards, policies and procedures.

The effectiveness of controls will be measured wherever it is practicable to do so, the results analysed, and improvements will be implemented where identified, as necessary.

Where it is impractical to measure controls, they will be monitored for effectiveness. Where opportunities for continual improvement of the ISMS are identified, they will be actioned and implemented as appropriate.

The ISMS Manager has overall responsibility for maintaining this Policy and providing guidance on its implementation. All employees are personally responsible for implementing the policies and procedures within their business areas. It is the responsibility of each employee to adhere to the policies and procedures in their areas.

This policy will be reviewed regularly to ensure it remains appropriate for the business and for IT Desk's ability to achieve the company's security objectives and serve its customers.

Deviations and Exceptions

The process for managing deviations and exceptions to the Information Security Policy is as follows:

Any deviation or exception from the Information Security Policy should be identified and documented within a CAR and placed in the CAR register. This includes the reason for the deviation or exception, the impact it will have, and any corrective measures that will be taken.

The deviation or exception should be reviewed and monitored to ensure that it does not recur and that the corrective actions taken are effective. This should be done on a regular basis to ensure ongoing compliance with ISO 27001:2022.

Any significant deviations or exceptions should be reported to a line manager or ISMS manager and escalated as necessary to ensure that appropriate actions are taken.


Authorised by: Chris Wright, Managing Director

Date: 22/02/2024