This document specifies a comprehensive set of Technology Security Policy statements and guidelines to define how information security will be applied within Reprotec UK Ltd.
Its purpose is to communicate management information security directives so as to ensure consistent and appropriate protection of information throughout Reprotec UK Ltd and its subsidiary companies.
Applicability
This policy is applicable to:
● all employees working within Reprotec UK Ltd and others working on behalf of Reprotec UK Ltd in a similar capacity, including contractors, consultants, temporary staff, student placements, etc.; and
● all information/data, information processing/computer systems and networks (collectively known as “information assets”) owned by Reprotec UK Ltd, or those entrusted to Reprotec UK Ltd by third parties.
Purpose
The purpose of Information Security within Reprotec UK Ltd is to ensure the Confidentiality, Integrity and Availability (CIA) of information and systems. This is achieved by minimising business risk, preventing security incidents where possible and reducing their impact where not. Information Security further mitigates risk by allowing information to be shared in a controlled manner that protects information and computing assets.
CIA is defined for the purposes of this document as follows:
● Confidentiality: Protection of sensitive information from unauthorised disclosure.
● Integrity: Maintaining accuracy and completeness of information assets.
● Availability: Ensuring that information assets and vital services are available to users whenever they are required.
This policy outlines the high-level principles that must be applied to all information systems and environments. Associated documents such as standards, process and procedure documents are based upon this policy and are referenced by it.
Security Policy Principles
Information Security is a business enabler and aligns with business goals and objectives.
Information is a critical Reprotec UK Ltd business asset and must be protected and handled to a degree appropriate to its classification and its value to the business.
Information Security controls are necessary to protect Reprotec UK Ltd information assets against unacceptable loss.
Information Security permeates throughout the business.
Information Security is recognised as a core element of corporate governance.
Reprotec UK Ltd adheres to accepted best practices regarding Information Security Standards and Data Protection.
Aim
The aim of this Reprotec UK Ltd Security Policy is to ensure that:
● The confidentiality and integrity of Reprotec UK Ltd information are assured, and business requirements for the availability of Reprotec UK Ltd information and information systems are met.
Achieving these goals requires that:
● Detailed security standards, process and procedure documents are produced and maintained in order to support Reprotec UK Ltd business functions.
● Clear division of responsibilities is defined.
● All Reprotec UK Ltd assets are classified in order to ensure that they are adequately secured.
● Information is protected against unauthorised access.
● All breaches of information security, actual or suspected, are investigated and reported to the IT Director.
● Software and systems are only used for legitimate business purposes.
● Violation and incident management procedures are maintained.
● Regulatory and legislative requirements are met.
● Data Protection and information security awareness is provided for all staff with access to our systems and data.
● Appropriate business and technical risk assessments are conducted for new services or when changes are made to existing services.
Compliance
The statements in this policy are mandatory unless otherwise stated. Where compliance with one or more of the policy statements or derived standards cannot be achieved, the instance of and reason for non-compliance must be justified, documented and presented to the IT Director.
Changes to Policy
Any request to change the policy (additions, deletions or alterations) must be submitted to the IT Director for approval or rejection. A change considered critical and immediate may be approved outside the annual internal audit, in which case it is incorporated into the policy straight away. Alternatively, an exception may be granted until the next annual internal audit.
Management Commitment
The management of information security within Reprotec UK Ltd must function within a clearly defined organisational structure. Roles and responsibilities must be defined and maintained in order to support this security organisation. By maintaining a clearly defined structure within information security, the following organisational benefits will be achieved:
● Coherent policy definitions that are applied in all situations at all levels of the business. In achieving this, Information Security will be implemented consistently and hence more effectively.
● Clearly defined reporting lines will ensure that escalation paths provide an effective response mechanism in the management of security incidents.
● All staff members will have clearly defined roles with regard to maintaining the integrity and on-going effectiveness of Information Security.
● The Directors give overall strategic direction by approving and mandating the Reprotec UK Ltd Security Policy and delegate operational responsibility for Information Security to the IT Director.
● The IT Director reviews IT policies throughout Reprotec UK Ltd and ensures that suitable policies are in place to support Reprotec UK Ltd security principles.
● The IT Director and the Senior Management Team demonstrate their commitment to Information Security by:
● Reviewing and re-approving the policy annually.
● Receiving and acting appropriately on management reports concerning Information Security performance metrics and security incidents.
The Directors (or their assigned delegate, in this case the IT Director) are responsible for:
● Taking the lead on information governance as a whole by providing the overall strategic direction, support and resource necessary to ensure that information assets are identified and suitably protected throughout Reprotec UK Ltd.
System Owners
A System Owner is the individual or organisation accountable for the entire lifecycle of an information system, including its procurement, development, integration, maintenance and retirement.
System Owners are managers held accountable for the protection of particular information assets. A System Owner may delegate information security tasks to managers or other individuals but remains accountable for them.
System Owners are responsible for:
● Appropriate classification and protection of the information assets.
● Specifying and funding suitable protective controls.
● Authorising access to information assets by individuals in accordance with their role, classification and business requirements.
● Undertaking or commissioning information security risk assessments for new systems or upgrades, to ensure that the Information Security requirements are properly defined and documented during the early stages of development.
● Monitoring compliance against the protection requirements associated with their assets.
● Ensuring up-to-date documentation of working practices, processes and procedures.
● Periodic access right reviews and promptly notifying the HR / Office Manager of redundant/invalid User IDs, inappropriate access rights and/or if users change jobs or leave Reprotec UK Ltd.
System Users
System Users (SUs) are all users of the Reprotec UK Ltd information systems, including everyone in the roles described above.
All System Users must familiarise themselves with, and comply with, the Reprotec UK Ltd Acceptable Usage Policy (AUP), which applies to all system users and details the SU's roles and responsibilities.
The IT Director is responsible for:
● Defining technical and non-technical Information Security Standards, Procedures and Guidelines.
● Supporting System Owners and managers in the definition and implementation of controls, processes and supporting tools to comply with this policy and manage Information Security risks.
● Reviewing and monitoring compliance with policy statements.
● Collecting, analysing and commenting on Information Security metrics and incidents.
● Supporting System Owners in the investigation and remediation of Information Security incidents or other policy violations.
● Liaising as necessary with auditors, the Directors and external functions such as the Police when appropriate.
● Authorising access to information assets by role in accordance with their classification and business requirements.
● The administration and assignment of information security activities to authorised personnel within the organisation.
● Ensuring that all Information Security initiatives are aligned with all company-wide regulatory compliance, governance and security mandates.
● Creating and distributing security policies and procedures.
● Monitoring and analysing security alerts and distributing information to the appropriate information security and business unit management personnel.
● Creating and distributing security incident response and escalation procedures.
● Administering user account and authentication management for systems related to Reprotec UK Ltd customer products.
Employees and Contractors throughout Reprotec UK Ltd are responsible for:
● Day-to-day implementation of this policy;
● Ensuring that suitable technical, physical and procedural controls are in place in accordance with this policy and associated guidance, and are properly applied and used by all employees. In particular, they must take measures to ensure that employees:
● Are informed of their obligations to fulfil relevant corporate policy statements by means of appropriate awareness, training and education activities.
● Comply with the policy statements and actively support the associated controls.
● Are monitored to assess their compliance with the policy statements and the correct operation of the associated controls, and reminded of their obligations as appropriate.
● Providing the direction, resources, support, and review necessary to ensure that information assets are appropriately protected within their area of responsibility.
● Informing the IT Director and/or the relevant System Owners (SOs) of actual or suspected policy violations (Information Security incidents) affecting their assets.
● Evaluating compliance with the policy and associated guidance through regular checks.
Employees and Contractors
Employees and contractors who use or have access to any of the broad range of Reprotec UK Ltd information systems are required to adhere to the policies, procedures, provisions and general guidelines set out in this security policy document and in all other applicable supporting policy and procedure documents. Information security responsibilities cover, but are not limited to, the following system components and any other components deemed critical by Reprotec UK Ltd:
● Network devices and supporting network protocols and activities
● Operating systems and supporting systems
● Applications and supporting systems and activities
● Databases
● Data transmission protocols
● End-user devices and technologies
Information security responsibilities include not engaging in any activity that may compromise the organisation's network infrastructure, cause harm to related systems, or pose a significant financial, operational or business threat to the organisation through misuse of system components, including any other system components deemed critical by the organisation. Violation of these information security responsibilities will be grounds for disciplinary action.
1. Security Awareness
As a minimum, all Reprotec UK Ltd employees and contractors must review and acknowledge their understanding of the Reprotec UK Ltd Security Policy on an annual basis. Where relevant to their job functions, employees and contractors must receive appropriate training and regular updates on information security policies, standards, procedures, laws, regulations, etc. This includes security requirements, legal responsibilities and business controls (such as the security incident reporting process), as well as induction training in the appropriate and secure use of Reprotec UK Ltd facilities before access to information is granted. Security and risk awareness, education and training activities must reflect the needs of each group of employees, for example:
● Managers must receive information on their information security management, supervisory and governance responsibilities.
● I.T. system administrators, whether or not they are employed within Reprotec UK Ltd, must be informed about the technical aspects of information security.
● Employees who routinely handle sensitive and valuable proprietary or personal data must be reminded periodically of their confidentiality and integrity obligations.
● All employees must be briefed about information security in general terms, using current security issues, changes, incidents or near-misses, regular appraisals, team meetings etc. as convenient opportunities to raise the subject.
2. Exemption
A System Owner may propose a short-term exemption from a policy or standard while an action plan to return the system to a compliant state is underway.
The System Owner, working with the IT Director, is responsible for documenting any risks arising from the proposed exemption and specifying any mitigating controls that could be deployed to reduce the risk. The System Owner must document a mitigation action plan that details how their asset will become fully compliant with the policy or standard within a stated time frame. The exemption must be documented and included in the System Owner's risk register. The System Owner is accountable for all mitigating controls and for completing the agreed action plan within the agreed time frame. All exemptions must be reviewed by the System Owner and the IT Director at least every 6 months (or at a longer interval if agreed in the action plan). The IT Director maintains the list of authorised exemptions and the reasons why each exemption exists.
3. Deviation
A System Owner may also propose a permanent deviation from a policy or standard for an information asset under their remit, where no action plan exists or is being pursued to return the system to a compliant state. The IT Director, working with the System Owner, is responsible for documenting any risks arising from the proposed deviation and specifying any mitigating controls that could be deployed to reduce the risk. The deviation must be documented and included in the System Owner's risk register and, where appropriate, the corporate risk register. The System Owner is accountable for any and all risks introduced to Reprotec UK Ltd as a result of their deviation. All deviations must be reviewed at least every 12 months by the IT Director and the respective System Owner. The IT Director maintains the list of authorised deviations and the reasons why each deviation exists.
4. Supporting Documentation
This security policy should be read in conjunction with:
● Acceptable Usage Policy (AUP)
● Password Policy
● Data Protection Policy
5. Formal Risk Assessment
Security risk assessments must be carried out for all new systems and upgrades, whether developed in-house or by a third party.
6. Identification of risk from third party access
Third parties who require access to Reprotec UK Ltd services are required to adhere to the requirements of the Reprotec UK Ltd Acceptable Usage Policy (AUP).
7. Access and Password management
Users are required to follow good security practice in the selection, use and management of their passwords and to keep them confidential.
Users are assigned login details and levels of access to systems and data based on the minimum permissions necessary to perform their role (least privilege).
Further information can be found in the Password Policy.
8. Change management
Controls must be in place to ensure that changes to live systems are authorised by the IT Director, risk assessed and approved before they are implemented.
9. Physical Security
Physical security controls are in place in the Reprotec UK Ltd offices to protect our physical and data assets.
Responsibility for Policy Maintenance
The IT Director is responsible for ensuring that this policy is kept current as required for compliance purposes.