Information Security Policy

1. Introduction and Purpose

1.1 Information security is concerned with all information, in electronic and paper format. The main purpose of implementing good information security is to allow the effective and efficient use of information, whilst safeguarding the organisation’s data from unauthorised access or modification, to ensure its availability, confidentiality and integrity.

1.2 This high-level policy is a key component of our overall approach to information governance and should be considered alongside all other information governance and cybersecurity policies.

1.3 The aim of this policy is to advise staff and contractors of their obligations with regards to confidentiality and where to seek further guidance and assistance. The objectives of this policy are to preserve:

  • Confidentiality – Access to data shall be confined to those with appropriate authority.
  • Integrity – Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
  • Availability – Information shall be available and delivered to the right person, at the time when it is needed.

2. Scope

2.1 This policy applies to:

  • Shinetech Software;
  • All subsidiary companies of Shinetech Software;
  • All staff of Shinetech Software and its subsidiary companies;
  • All contractors, suppliers and other people working on behalf of Shinetech Software or its subsidiary companies.

2.2 It applies to all data that Shinetech Software holds.

3. Definitions

3.1 System Level Security Policies (SLSPs) – Documentation specific to a system or systems, covering security and management procedures in place to ensure the security of the system.

3.2 Information Security Management System (ISMS) – The governing principle behind an ISMS is that an organisation should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

3.3 Information Asset – Information held which is of value to an organisation. This is generally a body of records or information managed as a single entity.

3.4 Information Security Incident – Any incident which affects the confidentiality, integrity or availability of any information of value to the organisation.

4. Roles and Responsibilities

4.1 Everyone who works for or with Shinetech Software and its subsidiary companies has some responsibility for ensuring data is collected, stored and handled appropriately. Each team that handles data must ensure that it is handled and processed in line with this policy.

4.2 The Board is ultimately responsible for ensuring that Shinetech Software and its subsidiary companies meet their legal obligations.

4.3 Overall responsibility for this policy lies with Shinetech Software’s Senior Information Risk Owner (SIRO), who will be a member of the Senior Leadership Board.

4.4 The Information Governance Manager and Data Protection Officer is responsible for drawing up all information governance policies, including the data protection and information security policies. This includes developing processes and guidance for all of the Information Governance (IG) policy areas and providing advice and guidance on the collection, use and protection of all types of information.

4.5 The Cyber Security Architect is responsible for developing IT security policy, standards and guidelines. He/She is also responsible for ensuring that effective IT security systems, controls and training programs are operationally implemented, fit for purpose and available across the organisation.

4.6 The Country Managers have responsibility for ensuring compliance with information governance policies within their areas of responsibility, and will assume the role of Information Asset Owner within those areas. The Information Asset Owner will assign Information Asset Administrator(s) from their areas of responsibility.

4.7 Information Asset Administrators are accountable to their Country Managers, will be the day-to-day contact for the IG Team and wider service users, and will be responsible for monitoring compliance with IG policy within their faculty / service.

5. Policy Details

5.1 All information handled by Shinetech Software will be handled in line with all applicable laws and regulations.

5.2 All relevant records and information will be classified, in line with the Information Classification Process.

5.3 All records and information will be organised into groups known as Information Assets where it is appropriate to do so.

5.4 All information assets will be risk assessed, following the Information Risk Management processes and procedures. The outcome of each risk assessment will be shared and, where necessary, appropriately acted upon.

5.5 All access to information assets will be controlled by the appropriate asset owner / administrator, ensuring a minimum required access model is followed. Access will be periodically reviewed and amended as applicable.

5.6 All information security incidents will be centrally reported, and where applicable, remedial recommendations will be made and followed up. Reporting of information security incidents will be carried out in line with the Information Security Incident reporting procedure.

5.7 Information Asset Owners shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.

5.8 Where information is being shared, stored or processed outside of Shinetech Software’s controlled environment, sufficient assessment will be carried out on the recipient to ensure the security of our data. All data sharing activity will be covered by appropriate data sharing agreements or other contractual clauses.

5.9 All technical security measures will be taken where appropriate to protect information; details of technical security measures can be found in the IT Security Policy and associated documentation.

5.10 Where there is a requirement to operate outside of the bounds of this policy, such activity will be signed off by an appropriate Information Asset Owner with an appropriate assessment of the risks and held centrally by the Information Governance Team.

6. Training and Education

6.1 All staff will receive training as part of their Cyber Security and Data Protection Training.

6.2 Staff identified as Information Asset Owners or Administrators will receive additional training above and beyond the basic staff training. This will be delivered face to face by a member of the Cyber Security or Information Governance Team.

6.3 Compliance with Legislation – All staff have an obligation to abide by all UK legislation; of particular importance are:

  • Computer Misuse Act 1990
  • Data Protection Act 2018
  • Human Rights Act 1998
  • National Cyber Security Centre (NCSC) Cyber Essentials Plus
  • Regulation of Investigatory Powers Act 2000
  • Terrorism Act 2006 and Counter Terrorism Information Security Policy
  • UK General Data Protection Regulation (UK GDPR) and ICO Guidance

7. Documents

7.1 All staff should also be aware of the following policies:
