Introduction

This information security policy is a key component of the management framework of Border Crossing Media Holdings Limited (trading as Border Crossing UX). It sets out the requirements and responsibilities for maintaining the security of information within Border Crossing Media Holdings Limited. This policy may be supported by other policies and by guidance documents to assist in putting the policy into practice day-to-day.

This policy must be adhered to by all members of staff, suppliers, partners and anyone who may also access the organisation’s information resources. Appropriate training will be provided.

Any breach of this policy, intended or otherwise, should be reported immediately to the Managing Director:

Esther Stringer
Email: esther@bordercrossingux.com
Telephone: 0131 467 9227

Aims and scope of this policy

The aims of this policy are to set out the rules governing the secure management of our information assets by:

  • preserving the confidentiality, integrity and availability of our business information.
  • ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies.
  • ensuring an approach to security in which all members of staff fully understand their own responsibilities.
  • creating and maintaining within the organisation a level of awareness of the need for information security.
  • detailing how to protect the information assets under our control.

This policy applies to all information/data, information systems, networks, applications, locations and staff of Border Crossing Media Holdings Limited or supplied under contract to it.

Responsibilities

  • Ultimate responsibility for information security rests with the Chief Executive of Border Crossing Media Holdings Limited, but on a day-to-day basis the Managing Director shall be responsible for managing and implementing the policy and related procedures.
  • Responsibility for maintaining this Policy, the business Information Risk Register and for recommending appropriate risk management measures is held by the Managing Director. Both the Policy and the Risk Register shall be reviewed by the Board of Directors at least.
  • Line Managers are responsible for ensuring that their permanent staff, temporary staff and contractors are aware of:
    • The information security policies applicable in their work areas.
    • Their personal responsibilities for information security.
    • How to access advice on information security matters.
  • All staff shall comply with the information security policy and must understand their responsibilities to protect the company’s data. Failure to do so may result in disciplinary action.
  • Line managers shall be individually responsible for the security of information within their business area.
  • Each member of staff shall be responsible for the operational security of the information systems they use.
  • Each system user shall comply with the security requirements that are currently in force, and shall also ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.
  • Access to the organisation’s information systems by external parties shall only be allowed where a contract that requires compliance with this information security policy is in place. Such contracts shall require that the staff or sub-contractors of the external organisation comply with all appropriate security policies.

Legislation

  • Border Crossing Media Holdings Limited is required to abide by certain UK, European Union and international legislation. It may also be required to comply with certain industry rules and regulations.
  • The requirement to comply with legislation shall be devolved to employees and agents of Border Crossing Media Holdings Limited, who may be held personally accountable for any breaches of information security for which they are responsible.
  • In particular, Border Crossing Media Holdings Limited is required to comply with:
    • The Data Protection Act (1998).
    • The Data Protection (Processing of Sensitive Personal Data) Order 2000.
    • The Copyright, Designs and Patents Act (1988).
    • The Computer Misuse Act (1990).
    • The Health and Safety at Work Act (1974).
    • Human Rights Act (1998).
    • Regulation of Investigatory Powers Act 2000.
    • Freedom of Information Act 2000.

Personnel security

Contracts of employment

  • Staff security requirements shall be addressed at the recruitment stage and all contracts of employment shall contain a security and confidentiality clause.
  • References for new staff shall be verified and a passport, driving licence or other document shall be provided to confirm identity.
  • Information security expectations of staff shall be included within appropriate job definitions.
  • Whenever a staff member leaves the company their accounts will be disabled the same day they leave.

Information security awareness and training

  • The aim of the training and awareness programmes is to ensure that the risks presented to information by staff errors and bad practice are reduced.
  • Information security awareness training shall be included in the staff induction process and shall be carried out annually for all staff.
  • An on-going awareness programme shall be established and maintained in order to ensure that staff awareness of information security is maintained and updated as necessary.

Intellectual property rights

  • The organisation shall ensure that all software is properly licensed and approved by the Managing Director. Individual and Border Crossing Media Holdings Limited intellectual property rights shall be protected at all times.
  • Users breaching this requirement may be subject to disciplinary action.

Access management

Physical access

  • Only authorised personnel who have a valid and approved business need shall be given access to areas containing information systems or stored data.

Identity and passwords

  • Passwords must offer an adequate level of security to protect systems and data.
  • All passwords shall be ten characters or longer and contain at least two of the following: uppercase letters, lowercase letters and numbers.
  • All administrator-level passwords shall be changed at least every 60 days.
  • Where available, two-factor authentication shall be used to provide additional security.
  • All users shall use uniquely named user accounts.
  • Generic user accounts that are used by more than one person or service shall not be used.
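The password and rotation rules above can be checked mechanically. The following is an added example, not part of the policy document or any Border Crossing UX tooling: it encodes the stated thresholds (ten characters or longer, at least two of uppercase letters, lowercase letters and numbers, administrator passwords changed at least every 60 days) as a small Python checker with constructed sample inputs. The function names and the sample passwords and dates are assumptions made for the example.

```python
from datetime import date

# Thresholds taken from the policy text.
MIN_LENGTH = 10
MIN_CHARACTER_CLASSES = 2          # of: uppercase, lowercase, digits
ADMIN_MAX_AGE_DAYS = 60            # administrator-level passwords


def character_classes(password: str) -> set:
    """Return which of the three policy character classes the password uses.

    Symbols are not one of the classes the policy names, so they are ignored
    here rather than counted towards the minimum.
    """
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch.isdigit():
            classes.add("number")
    return classes


def password_policy_violations(password: str) -> list:
    """Return a list of human-readable violations; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(
            f"length {len(password)} is below the minimum of {MIN_LENGTH} characters"
        )
    classes = character_classes(password)
    if len(classes) < MIN_CHARACTER_CLASSES:
        violations.append(
            f"uses {len(classes)} character class(es); at least "
            f"{MIN_CHARACTER_CLASSES} of uppercase, lowercase and numbers required"
        )
    return violations


def meets_password_policy(password: str) -> bool:
    return not password_policy_violations(password)


def admin_rotation_overdue(last_changed: date, today: date) -> bool:
    """True when an administrator password is older than the 60-day maximum."""
    return (today - last_changed).days > ADMIN_MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample inputs (hypothetical, not real credentials).
    samples = ["Short1", "alllowercaseonly", "Abcdefghij", "correcthorse1"]
    for pw in samples:
        problems = password_policy_violations(pw)
        status = "OK" if not problems else "FAIL: " + "; ".join(problems)
        print(f"{pw!r}: {status}")

    # Constructed rotation dates for an administrator account.
    print("admin rotation overdue:",
          admin_rotation_overdue(date(2023, 1, 1), date(2023, 3, 3)))
```

Run it as a script to see each sample classified, or import the functions into a user-provisioning check. The rotation check treats day 60 as still within policy and day 61 as overdue, which matches "changed at least every 60 days".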

User access

  • Access to information shall be based on the principle of “least privilege” and restricted to authorised users who have a business need to access the information.

Application access

  • Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need e.g. systems or database administrators.
  • Authorisation to use an application shall depend on a current licence from the supplier.

Hardware access

  • Where indicated by a risk assessment, access to the network shall be restricted to authorised devices only.

System perimeter access (firewalls)

  • The boundary between business systems and the Internet shall be protected by firewalls, which shall be configured to meet the threat and continuously monitored.
  • All servers, computers, laptops, mobile phones and tablets shall have a firewall enabled, if such a firewall is available and accessible to the device’s operating system.
  • The default password on all firewalls shall be changed to a new password that complies with the password requirements in this policy, and shall be changed regularly.
  • All firewalls shall be configured to block all incoming connections.
  • If a port is required to be opened for a valid business reason, the change shall be authorised following the system change control process. The port shall be closed when there is no longer a business reason for it to remain open.

Monitoring system access and use

  • An audit trail of system access and data use by staff shall be maintained wherever practical and reviewed on a regular basis.
  • The business reserves the right to monitor any systems or communications activity where it suspects that there has been a breach of policy, in accordance with the Regulation of Investigatory Powers Act (2000).

Asset management

Asset ownership

  • Each information asset (hardware, software, application or data) shall have a named custodian who shall be responsible for the information security of that asset.

Asset records and management

  • An accurate record of business information assets, including source, ownership, modification and disposal shall be maintained.
  • All data shall be securely wiped from all hardware before disposal.

Asset handling

  • Border Crossing Media Holdings Limited shall identify particularly valuable or sensitive information assets through the use of data classification.
  • All staff are responsible for handling information assets in accordance with this security policy. Where possible the data classification shall be marked upon the asset itself.
  • All company information shall be categorised into one of the four categories below, based on the description and examples provided:

Category: Public
Description: Information which is not confidential and can be made available publicly through any channels.
Examples:
  • Details of products and services on the website
  • Published company information
  • Social media updates
  • Press releases

Category: Internal information
Description: Any internal information circulated within the company only (external access is not permitted), including information which is only accessible to employees or contracted parties and which, if lost or made available to unauthorised persons, could impact the company’s effectiveness, benefit competitors or cause embarrassment to the organisation and/or its partners.
Examples:
  • Internal communications
  • Timetables
  • Diaries
  • Task lists
  • Intranet pages

Category: Restricted information
Description: Any external information, and any internal or external information containing personal or confidential information, that:
  – contains any personal data under GDPR Art. 6;
  – would, if disclosed, prejudice the interests of any person and/or organisation;
  – is likely to impact the company’s effectiveness, benefit competitors or cause embarrassment to the organisation and/or its partners.
Examples:
  • Company operating procedures and policy
  • Client records
  • Staff records

Category: Secret information
Description: Information which, if lost or made available to unauthorised persons, would cause severe impact on the company’s ability to operate or cause significant reputational damage and distress to the organisation and/or its partners. By default this includes any highly sensitive personal information:
  – special categories of personal data (GDPR Art. 9), whose disclosure would be in breach of the GDPR.
This information requires the highest levels of protection of confidentiality, integrity and availability.
Examples:
  • Client intellectual property
  • Data in e-commerce systems
  • Company board meeting minutes
  • Company plans and strategic documentation
  • Employee salary details
  • Any information defined as “sensitive personal data” under the Data Protection Act

Removable media

  • Only company provided removable media (such as USB memory sticks and recordable CDs/DVDs) shall be used to store business data and its use shall be recorded (e.g. serial number, date, issued to, returned).
  • Removable media of any type that contains software or data from external sources, or that has been used on external equipment, requires the approval of the Managing Director before it may be used on business systems. Such media must be scanned by anti-virus software before being used.
  • Where indicated by the risk assessment, systems shall be prevented from using removable media.

Users breaching these requirements may be subject to disciplinary action.

Mobile working

  • Where necessary, staff may use company-supplied mobile devices such as phones, tablets and laptops to meet their job role requirements.
  • Use of mobile devices for business purposes (whether business-owned or personal devices) requires the approval of the Managing Director.
  • Such devices must have anti-malware software installed (if available for the device), must have PIN, password or other authentication configured, must be encrypted (if available for the device) and be capable of being remotely wiped. They must also comply with the software management requirements within this policy.
  • Users must inform the Managing Director immediately if the device is lost or stolen and business information must then be remotely wiped from the device.

Personal devices / Bring your own device (BYOD)

  • No personal devices are to be used to access business information.
  • Only company provided devices should be used by employees to access business information.
  • Suppliers and partners may use their own company-registered devices to access limited business information for a limited period, if they have the necessary cyber and information security measures in place. However, these devices require the approval of the Managing Director before they may be used on business systems or to process personal data controlled by the company.

Social media

  • Social media may only be used for business purposes by using official business social media accounts with authorisation from the Managing Director. Users of business social media accounts shall be appropriately trained and be aware of the risks of sharing sensitive information via social media.
  • Business social media accounts shall be protected by strong passwords in-line with the password requirements for administrator accounts.
  • Users shall behave responsibly while using any social media whether for business or personal use, bearing in mind that they directly or indirectly represent the company. If in doubt, consult the Social Media Policy or the Managing Director.
  • Users breaching this requirement may be subject to disciplinary action.

Physical and environmental management

  • In order to minimise loss of, or damage to, all assets, equipment shall be physically protected from threats and environmental hazards. Physical security accreditation should be applied if necessary.
  • Systems requiring particular environmental operating conditions shall be maintained within optimum requirements.

Computer and network management

Operations management

  • Management of computers and networks shall be controlled through standard documented procedures that have been authorised by the Managing Director.

System change control

  • Changes to information systems, applications or networks shall be reviewed and approved by a Director.

Accreditation

  • The organisation shall ensure that all new and modified information systems, applications and networks include security provisions.
  • They must be correctly sized, identify the security requirements, be compatible with existing systems according to an established systems architecture (as required) and be approved by a Director before they commence operation.

Software management

  • All application software, operating systems and firmware shall be updated on a regular basis to reduce the risk presented by security vulnerabilities.
  • All software security updates/patches shall be installed within 7 days of their release.
  • Only software which has a valid business reason for its use shall be installed on devices used for business purposes.
  • Users shall not install software or other active code on the devices containing business information without permission from a Director.
  • For the avoidance of doubt, all unnecessary and unused application software shall be removed from any devices used for business purposes.

Local data storage

  • Data stored on the business premises shall be backed up regularly and restores tested at appropriate intervals (at least monthly).
  • A backup copy shall be held in a different physical location to the business premises.
  • Backup copies of data shall be protected and comply with the requirements of this security policy and be afforded the same level of protection as live data.

External cloud services

  • Where data storage, applications or other services are provided by another business (e.g. a ‘cloud provider’) there must be independently audited, written confirmation that the provider uses data confidentiality, integrity and availability procedures which are the same as, or more comprehensive than those set out in this policy.

Protection from malicious software

  • The business shall use software countermeasures, including anti-malware, and management procedures to protect itself against the threat of malicious software.
  • All computers, servers, laptops, mobile phones and tablets shall have anti-malware software installed, where such anti-malware is available for the device’s operating system.
  • All anti-malware software shall be set to:
    • scan files and data on the device on a daily basis;
    • scan files on access;
    • automatically check for, and install, virus definitions and updates to the software itself on a daily basis;
    • block access to malicious websites.

Vulnerability scanning

  • The business shall have a yearly vulnerability scan of all external IP addresses carried out by a suitable external company.
  • The business shall act on the recommendations of the external company following the vulnerability scan in order to reduce the security risk presented by any significant vulnerabilities.
  • The results of the scan and any changes made shall be reflected in the company risk assessment and security policy as appropriate.

Response

Information security incidents

  • All breaches of this policy and all other information security incidents shall be reported to the Managing Director.
  • If required as a result of an incident, data will be isolated to facilitate forensic examination. This decision shall be made by the Managing Director.
  • Information security incidents shall be recorded in the Security Incident Log and investigated by the Board of Directors to establish their cause and impact with a view to avoiding similar events. The risk assessment and this policy shall be updated if required to reduce the risk of a similar incident re-occurring.

Business continuity and disaster recovery plans

  • The organisation shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.

Reporting

  • The Information Security Officer shall keep the business informed of the information security status of the organisation by means of regular reports to senior management.

Further information

Further information and guidance on this policy can be obtained from Esther Stringer:

Email: esther@bordercrossingux.com

Telephone: 0131 467 9227

Comments and suggestions to improve security are always welcome.

Last updated

This document was last updated on 31/07/2023.