The objective of information security is to ensure business continuity and minimise business damage by preventing and minimising the impact of security incidents.
The purpose of this policy is to ensure the confidentiality, integrity and availability of all the ********* information assets and to ensure that they are appropriately protected from all threats, whether internal or external, deliberate or accidental.
It is the ********* policy that:
• All employees and ********* are aware of this policy and the associated legal requirements, and their rights and responsibilities in relation to information security.
• All ********* information assets, including equipment and data, are adequately protected.
• All employees and ********* have access to appropriate information security training.
• A high level of awareness of the need for information security is maintained.
• Monitoring arrangements exist to ensure compliance with policy objectives and supporting standards.
• All security incidents, actual or suspected, will be reported and investigated.
• This policy and supporting standards are reviewed regularly.
Standards will be produced to support this policy. Together they will form an Information Security Management System.
The Depute Director of ********* has been designated the Information Security Officer for the *********. It is the Information Security Officer’s responsibility to maintain this policy, provide advice and guidance on its implementation, and to administer the Information Security Management System.
Direct responsibility for information security rests with all employees and ********* of the *********. Typical responsibilities can be summarised as:
• duty to comply with this information security policy
• duty to comply with the associated information security standards
• duty to report all security incidents
• duty to comply with all legislation (Data Protection Act 1998, Copyright Designs & Patents Act 1988, Computer Misuse Act 1990, etc.)
• security of personal passwords
• using information assets, including equipment and data, only for authorised purposes
This policy will apply to:
• All employees of *********.
• All third parties working with, or on behalf of, *********.
The Information Security Policy will be reviewed every three years to ensure the continuing relevance and effectiveness of the policy. If, at any time, there is a need to amend the policy to take account of changing circumstances, technologies, or requirements, this will be done within the review period.