Information Security Policy
Purpose
This information security policy specifies management's intent to protect all important information assets within IT Desk from all threats, whether internal, external, deliberate, or accidental. Information within IT Desk exists in many forms, and this policy applies to and includes the protection of data stored electronically, transmitted across networks, and printed or written on paper. The prime purpose of this Information Security Policy is to protect and safeguard IT Desk's customer information. The needs and expectations of all interested parties have been considered in the development of this security policy.
Information Security Threat Environment
IT Desk identifies the most significant cyber threats as:
Cybercrime: Cybercriminals use various techniques such as phishing, malware, social engineering, and ransomware to target individuals and organizations. They are motivated by financial gain and may steal sensitive data, demand ransom payments, or disrupt operations. Users with C-level positions are at an increased risk from attacks such as spear phishing.
State-sponsored attacks: State-sponsored attacks are a growing threat, with nation-states using cyber espionage and cyberattacks to achieve political and military objectives. These attacks can target critical infrastructure, government networks, and private companies with government contracts.
Insider threats: Insiders such as employees, contractors, or partners who have access to sensitive information can pose a significant threat to organizations. They may intentionally or unintentionally misuse or disclose confidential data, steal intellectual property, or sabotage systems.
Looking ahead, the security threat environment is expected to continue to evolve as technology advances and new threats emerge. Some projected threats include:
Artificial intelligence (AI) and machine learning (ML) attacks: Attackers may use AI and ML to develop sophisticated attacks that can evade traditional security measures.
Internet of Things (IoT) attacks: As more devices are connected to the internet, there is an increased risk of IoT attacks that can compromise critical infrastructure, personal privacy, and safety.
Objectives
The objective of information security is to ensure business continuity and minimise damage by preventing and reducing the impact of security incidents, and to commit to continual improvement. The implementation of this policy is mandatory to maintain and demonstrate the firm's integrity in dealings with all our customers, clients, and trading partners.
It is the policy of IT Desk to ensure:
Standards, policies, and security operating procedures will be produced to support this policy and will include virus control, access control, personnel security, the use of email and the Internet. A formal disciplinary process is documented and implemented when necessary to address issues arising with employees who choose not to comply with these standards, policies and procedures.
The effectiveness of controls will be measured wherever it is practicable to do so, the results analysed, and improvements will be implemented where identified, as necessary.
Where it is impractical to measure controls, they will be monitored for effectiveness. Where improvements are identified, continual improvement of the ISMS will be actioned and implemented as appropriate.
The ISMS Manager has overall responsibility for maintaining this Policy and providing guidance on its implementation. All employees are personally responsible for implementing, and adhering to, the policies and procedures within their business areas.
This policy will be reviewed regularly to ensure it remains appropriate for the business and for IT Desk's ability to achieve the company's security objectives and serve its customers.
Deviations and Exceptions
The process for managing deviations and exceptions from the Information Security Policy is as follows:
Any deviation or exception from the Information Security Policy should be identified and documented within a CAR and placed in the CAR register. The record should include the reason for the deviation or exception, the impact it will have, and any corrective measures that will be taken.
The deviation or exception should be reviewed and monitored to ensure that it does not recur and that the corrective actions taken are effective. This should be done on a regular basis to ensure ongoing compliance with ISO 27001 standards.
Any significant deviations or exceptions should be reported to a line manager or ISMS manager and escalated as necessary to ensure that appropriate actions are taken.
Authorised by: Chris Wright, Managing Director
Date: 24/02/2023