Information Security and Business Continuity Policy
The objective of information security is to minimise business damage by protecting the confidentiality, integrity and availability of information assets within C Data’s control. It is Company policy to manage risk exposed to those assets from all threats, internal or external, deliberate or accidental, through compliance with ISO27001 (augmented by ISO27017 for Cloud Computing controls) and, in the case of unforeseen events, disaster recovery through Business Continuity Management to the ISO22301 standard. The Government’s Cyber Essentials Plus will also be maintained.
It is the policy of C Data to ensure that:
· Internet connected devices will be protected as far as possible from external threats.
· Corporate data will be protected against unauthorized access including segregation between clients.
· Regulatory and legislative requirements will be met.
· Confidentiality and integrity of information will be maintained.
· Business requirements for the availability of information will be met.
· Business continuity plans will be produced, maintained and tested.
· Standard practices and procedures to support this policy will be maintained including virus control, access control, identification and authentication, and business continuity.
· Whilst it is the responsibility of each member of staff to adhere to the policy and associated procedures, they are actively encouraged to report any security related issue, incident, event, observation or suggestion without fear of recrimination.
· All breaches of information security; actual or suspected, will be reported to, and investigated by the SECURITY CONTROLLER, lessons learnt, and, where appropriate, forwarded to NCSC.
· The SECURITY CONTROLLER is responsible for implementing this policy and for providing advice and guidance on security matters including instigating appropriate staff training.
C Data’s Security boundary is defined as:
· C Data’s Office 365 tenant at Microsoft.
· C Data’s office network extending out through VPNs to external networks/equipment.
· End-user-devices and their connections to C Data’s Office 365 and on-premise data assets from outside the building.
Any connection through this boundary represents an external threat.
Internal threats may exist and therefore, where required by contract, data is to be available on a “need to know” basis.