In order to ensure the continued delivery of services to our customers, Capstone is making ever-increasing use of Information and Communication Technology (ICT) and customer information held by the business.
The information that the Business holds, processes, maintains and shares within the organisation is an important asset that, like other important business assets, needs to be suitably protected.
In order to build current and prospective client confidence and ensure that the Business complies with relevant statutory legislation, it is vital that Capstone maintains the highest standards of information security. As such, a number of policies are in place to maintain these high standards of information security.
This document should be used in conjunction with M-0001 – Security Manual – ISO 27001 and P-0014 – Information Security Procedure.
This document provides a summary of the Information Security Policies developed by Capstone. The objective of these policies is to ensure the highest standards of information security are maintained across the Business at all times so that:
- Clients and all users of the Business’s information systems are confident of the confidentiality, integrity and availability of the information used and produced.
- Business damage and interruption caused by security incidents are minimised.
- All legislative and regulatory requirements are met.
- The Business’s ICT equipment and facilities are used responsibly, securely and with integrity at all times.
These policies apply to all Capstone Employees and Directors and, where applicable, partners, suppliers and sub-contractors.
It is the responsibility of the Operations Director to ensure this procedure is implemented and complied with.
POLICY COMPLIANCE
- If any user is found to have breached this policy, they may be subject to Capstone’s disciplinary procedure. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s).
- If you do not understand the implications of this policy or how it may apply to you, seek advice from the HR Department.
Information Security Policy Documents
EMAIL POLICY
Capstone have ensured all users of Business email facilities are aware of the acceptable use of such facilities.
- All emails that are used to conduct or support official Capstone business must be sent using a “@Capstoneconnects.com” address.
- Non-work email accounts must not be used to conduct or support official Capstone business.
- Business users must ensure that any emails containing sensitive information are sent from an official business email account.
- All official external e-mail must carry the official Business disclaimer.
- Under no circumstances should users communicate material (either internally or externally), which is defamatory, obscene, or does not comply with the Business’s Equal Opportunities policy.
- Automatic forwarding of email must be considered carefully to prevent PROTECT and RESTRICTED material being forwarded inappropriately.
INTERNET ACCEPTABLE USAGE POLICY
Capstone have ensured all users of Business provided internet facilities are aware of the acceptable use of such facilities.
- Users must familiarise themselves with the detail, essence and spirit of this policy before using the Internet facility provided.
- At the discretion of your line manager, and provided it does not interfere with your work, the Business permits personal use of the Internet in your own time (for example during your lunch-break).
- Users are responsible for ensuring the security of their Internet account logon-id and password. Individual user log-on id and passwords should only be used by that individual user, and they should be the only person who accesses their Internet account.
- Users must not knowingly create, download, upload, display or access sites that contain pornography or other “unsuitable” material that might be deemed illegal, obscene or offensive.
- Users must assess any risks associated with Internet usage and ensure that the Internet is the most appropriate mechanism to use.
SOFTWARE POLICY
Capstone have ensured the acceptable use of software by all users of the Business’s computer equipment or Information Systems.
- All software acquired must be purchased through the Procurement Department and approved by the Business Continuity Steering Committee. Under no circumstances should personal or unsolicited software be loaded onto a Business machine.
- Every piece of software is required to have a licence and the Business will not condone the use of any software that does not have a licence.
- Unauthorised changes to software must not be made.
- Users are not permitted to bring software from home (or any other external source) and load it onto Business computers.
- Users must not attempt to disable or reconfigure the Personal Firewall software.
- Illegal reproduction of software is subject to civil damages and criminal penalties.
IT ACCESS POLICY
Capstone have established specific requirements for protecting information and information systems against unauthorised access.
Capstone have effectively communicated the need for information and information system access control.
- All users must use strong passwords, defined as a minimum of 8 characters including at least one numeric character and one special character.
- Passwords must be protected at all times and must be changed at least every 90 days.
- User access rights must be reviewed at regular intervals.
- It is a user’s responsibility to prevent their userID and password being used to gain unauthorised access to Business systems.
- Partner agencies or 3rd party suppliers must not be given details of how to access the Business’s network without permission from the Operations Director.
- Partners or 3rd party suppliers must contact the IT Helpdesk before connecting to the Capstone network.
BYOD POLICY
This policy is intended to protect the security and integrity of Capstone Ltd’s data, technology infrastructure and Customer Data. Limited exceptions to the policy may occur due to variations in devices and platforms.
Capstone Ltd employees must agree to the terms and conditions set forth in this policy in order to be able to connect their devices to Capstone Ltd network.
- Capstone Ltd defines acceptable business use as activities that directly or indirectly support the business of Capstone Ltd.
- Capstone Ltd defines acceptable personal use on company time as reasonable and limited personal communication.
- Capstone Ltd has a zero-tolerance policy for texting or emailing while driving and only hands-free talking while driving is permitted.
- The employee is expected to use his or her device(s) in an ethical manner at all times and adhere to all Capstone Ltd’s procedures and policies directly or indirectly impacted by mobile device usage.
- Devices’ camera and/or video capabilities are permitted while on-site, but must be used in accordance with data protection rules and procedures, as well as in compliance with this document and the employee handbook.
- Photographic recording must not take place in Capstone Ltd without the express consent of management.
- Devices may not be used at any time to:
- Store or transmit illicit materials
- Store or transmit proprietary information belonging to another company
- Harass others
- Engage in outside business activities
- Employees may use their mobile device to access the following company-owned resources: email, calendars, contacts, documents, etc.
- In order to prevent unauthorised access, devices must be password protected using the features of the device and a strong password is required to access Capstone Ltd network.
- The device must lock itself with a password or PIN if it’s idle for more than five minutes.
- Smartphones and tablets belonging to employees that are for personal use only are allowed to connect to the guest network only.
- Rooted (Android) or jailbroken (iOS) devices are strictly forbidden from accessing the network.
- These devices may access the internet via the guest WiFi only.
- Lost or stolen devices must be reported to Capstone Ltd within 24 hours. Employees are responsible for notifying their mobile carrier immediately upon loss of a device.
- Connectivity issues are supported by IT; employees should contact the device manufacturer or their carrier for operating system or hardware-related issues.
- Capstone Ltd reserves the right to require that devices be presented to IT for proper job provisioning and configuration of standard apps, such as browsers, office productivity software and security tools, before they can access the network.
HUMAN RESOURCES INFORMATION SECURITY STANDARDS
Capstone have ensured that individuals are checked to ensure that they are authorised to access Business information systems.
Capstone have ensured that users are trained to use information systems securely.
Capstone have ensured that user access to information systems is removed promptly when the requirement for access ends.
- Every user must be aware of, and understand, the following policies [amend list as appropriate]:
- Information Protection Policy
- Email Policy
- Internet Acceptable Usage Policy
- Software Policy
- Acceptable Usage Policy and Personal Commitment Statement.
- IT Access Policy
- Information Security Incident Management Policy
- Background verification checks must be carried out on all users.
- All users must receive appropriate information security awareness training and regular updates in related statute and organisational policies and procedures as relevant for their role.
- Processes must be implemented to ensure that all access rights of users of Business information systems shall be removed in a timely manner upon termination or suspension of their employment, contract or agreement.
INFORMATION PROTECTION POLICY
Capstone have ensured the protection of all information assets within the custody of the Business.
High standards of confidentiality, integrity and availability of information will be maintained at all times.
- The Business must draw up and maintain inventories of all important information assets.
- All information assets, where appropriate, must be assessed and classified by the owner in accordance with the Security Policy.
- Access to information assets, systems and services must be conditional on acceptance of the appropriate Acceptable Usage Policy.
- Users should not be allowed to access information until the Business Continuity Steering committee are satisfied that they understand and agree the legislated responsibilities for the information that they will be handling.
- PROTECT and RESTRICTED information must not be disclosed to any other person or organisation via any insecure methods including paper based methods, fax and telephone.
- Disclosing PROTECT or RESTRICTED classified information to any external organisation is also prohibited, unless under secure or NDA rules.
- Where Capstone email is available to connect the sender and receiver of the email message, this must be used for all external email use and must be used for communicating PROTECT or RESTRICTED material.
COMPUTER, TELEPHONE AND DESK USE POLICY
Capstone have ensured that every user is aware of, and understands, the acceptable use of Capstone’s computer and telephony resources and the need to operate within a “clear desk” environment.
- Users must adhere to Capstone Telephone Acceptable Use Policy / Code of Practice at all times.
- Users must maintain a clear desk at all times.
- Capstone PROTECT or RESTRICTED information must be stored in a facility (e.g. lockable safe or cabinet) commensurate with this classification level.
LEGAL RESPONSIBILITIES POLICY
Capstone have ensured that every user is aware of, and understands, their responsibilities under the Data Protection Act 1998 and other relevant legislation.
- The Business have ensured compliance with the Data Protection Act 1998.
- The Business has established a number of roles to assure compliance of this policy.
- Every Business user has a duty to provide advice and assistance to anyone requesting information under the Freedom of Information Act.
- All Business users must accept responsibility for maintaining Information Security standards within the Business.
REMOTE WORKING POLICY
Capstone have no objection to employees working remotely or from home from time to time, subject to the role, to the following conditions, and to prior agreement with your manager. In all cases it is assumed that home is the most efficient location from which to carry out the duties of the role. Specifically, remote workers must make every effort to ensure that they do not become isolated from the business requirements and their team requirements on a daily basis. Awareness of information security is particularly important for remote workers, who are working in a non-controlled environment.
The following information security rules apply for remote workers:
- Users must take due care and attention of ICT equipment and devices when moving between home and another business site;
- Users will not install or update any software on to Company owned ICT equipment or device;
- Users will not install any screen savers on to Company owned ICT equipment or device;
- Users will not change the configuration of any Company ICT equipment or device;
- Users will not install any hardware to or inside any Company owned ICT equipment or device;
- All faults must be reported to the Company via the Helpdesk;
- Users must not remove or deface any asset registration number;
- User requests for upgrades of hardware or software must be approved by the IT Department. Equipment and software will then be purchased and installed by ICT Services;
- Only software supplied and approved by the Company can be used;
- No family members may use the ICT equipment. The ICT equipment is used for the staff members’ sole use.
- The user must ensure that reasonable care is taken of the ICT equipment supplied. Where any fault in the Equipment has been caused by the user, in breach of any of the above, Company may recover the costs of repair;
- ICT Services may at any time, and without notice, request a software and hardware audit, and may be required to remove any equipment at the time of the audit for further inspection. All users must co-operate fully with any such audit;
- Under no circumstances should Company information be emailed to or from a private non-Company email address. If a user has a requirement to work remotely then they should contact the ICT Department so that a suitable solution can be put in place.
Remote and Mobile Working Arrangements
- Users must be aware of the physical security dangers and risks associated with working within any remote office or mobile working location:
- Devices must be assessed by the IT Department before being used at home. This will ensure that device build, encryption, antivirus and lockdown criteria are met.
- Equipment should not be left where it would attract the interests of the opportunist thief, in the home it should be ideally located out of sight of the casual visitor;
- Users must ensure that passwords are not written down and left in the area of Company ICT equipment (see Password Policy for further information);
- All paper documentation should be securely locked away and a clear desk maintained outside of working hours (See Clear Desk Policy for further information);
- Waste paper containing personally identifiable information or other sensitive information must be shredded;
- Client PCs or laptops should be switched off, logged off, or the keyboard locked when left unattended, even if only for a few minutes.
Users should only connect to trusted networks and unless absolutely necessary the use of public WiFi hotspots should be avoided at all times. All users must comply with appropriate policies associated with the use of ICT equipment.
REMOVABLE MEDIA POLICY
Capstone have ensured the controlled use of removable media devices to store and transfer information by all users who have access to information, information systems and IT equipment for the purposes of conducting official business.
- It is Capstone policy to allow the use of removable media where absolutely necessary.
- Where possible, existing IT systems and software must be used to transfer data rather than removable media.
- If data is stored, even temporarily on a removable media, the user must notify a member of management as to what was stored on the device and what precautions were taken.
- Before any removable media device is used, the user must ensure that it is safe to do so and that its use complies with the BYOD Policy and, where necessary, the Remote Working Policy.
- All data stored on removable media devices must be encrypted where possible.
- Damaged or faulty removable media devices must not be used.
- Special care must be taken to physically protect the removable media device and stored data from loss, theft or damage. Anyone using removable media devices to transfer data must consider the most appropriate way to transport the device and be able to demonstrate that they took reasonable care to avoid damage or loss.
- Removable media devices that are no longer required, or have become damaged, must be disposed of securely to avoid data leakage.
INFORMATION SECURITY INCIDENT MANAGEMENT POLICY
Capstone have ensured that it reacts appropriately to any actual or suspected incidents relating to information systems and information within the custody of the Business.
- All staff should report any incidents or suspected incidents immediately by contacting a member of the Steering Committee.
- We can maintain your anonymity when reporting an incident if you wish.
COMMUNICATIONS AND OPERATION MANAGEMENT POLICY
Capstone have ensured the protection of the Business IT service (including any information systems and information processing equipment used by the Business) against malware and malicious and mobile code.
Only authorised changes will be made to the Business IT service (including any information systems and information processing equipment).
Information leakage will be prevented by secure controls.
- Changes to the Business’s operating systems must follow the Business’s formal change control procedure.
- Appropriate access controls shall be put in place to prevent user installation of software and to protect against malicious and mobile code.
- Regular backups of essential business information will be taken to ensure that the Business can recover from a disaster, media failure or error.
- Storage media must be handled, protected and disposed of with care.
- Audit logs for RESTRICTED data must be kept for a minimum of six months.
- Connections to the Business network are made in a controlled manner.
- An annual health check must be made of all Business IT infrastructure systems.
IT INFRASTRUCTURE SECURITY POLICY
There shall be no unauthorised access to either physical or electronic information within the custody of the Business.
Protection shall be afforded to:
- Sensitive paper records.
- IT equipment used to access electronic data.
- IT equipment used to access the Business network.
- PROTECT or RESTRICTED information, and equipment used to store and process this information, must be stored
- Keys to all secure areas housing IT equipment and lockable IT cabinets are held centrally by the IT Helpdesk as appropriate. Keys are not stored near these secure areas or lockable cabinets.
- All general computer equipment must be located in suitable physical locations.
- Desktop PCs should not have data stored on the local hard drive.
- Non-electronic information must be assigned an owner and a classification. PROTECT or RESTRICTED information must have appropriate information security controls in place to protect it.
- Staff should be aware of their responsibilities in regard to the Data Protection Act.
- Equipment that is to be reused or disposed of must have all of its data and software erased / destroyed.
SUPPLIER SECURITY POLICY
Capstone attaches particular importance to the security of its own, its employees’ and its customers’ data. It is therefore vital that existing and potential new suppliers to Capstone have appropriate security controls to ensure that the confidentiality, integrity and appropriate availability of such data are not compromised, and that these controls are maintained in accordance with Capstone security policies.
The reference standard for Capstone security policies is ISO27001 and the suppliers shall comply with the principles of that standard at all times.
At a minimum, suppliers agree to:
- Maintain the confidentiality of any information shared with the supplier by Capstone
- Not distribute any information to a third party without the prior express permission of a senior member of management in Capstone
- Allow Capstone, when deemed necessary, to audit their facilities, systems and processes specific to services provided to Capstone
- Ensure that their employees are aware of the nature of the supplier relationship with Capstone and ensure that they are in compliance with the information security requirements at all times