IT SECURITY POLICY
The Language Services UK Limited (hereafter referred to as LSUK) is responsible for ensuring that all legal obligations to maintain security and confidentiality, including but not limited to the GDPR Regulations (2018), Data Protection Act (1998), Human Rights Act (1998), Copyright, Designs and Patents Act (1988), and Computer Misuse Act (1990), are met.
The safe and effective use of IT, including the internet and e-mail, is increasingly important in business today. As such, it is of the utmost importance that LSUK computer systems are maintained and kept secure.
LSUK seeks to protect its computer systems from misuse and to minimise the impact of service breaks by developing this Security Policy and the procedures to manage and enforce it. The key purpose of the Security Policy is to ensure that:
- Computer systems are properly assessed, and an effective security regime established.
- Procedures to detect and resolve security incidents are in place.
- The confidentiality, integrity and availability of LSUK systems are maintained.
- Staff are aware of their responsibilities, roles and accountability when using LSUK systems.
IT manager roles and responsibilities
It is the responsibility of the LSUK IT manager to ensure that all legal obligations to maintain security and confidentiality, including but not limited to the GDPR Regulations (2018), Data Protection Act (1998), Human Rights Act (1998), Copyright, Designs and Patents Act (1988), and Computer Misuse Act (1990), are met.
Other IT manager roles and responsibilities include:
- Ensure all LSUK staff are instructed in their security responsibilities.
- Ensure all staff using computer systems/media are fully trained.
- Ensure no unauthorised staff are allowed to access any LSUK computer systems.
- Determine which individuals are to be given access to each level of system data, based upon job function and need and independent of status.
- Ensure the relevant system managers are advised immediately about staff changes affecting computer access so that passwords etc. may be withdrawn or deleted.
- Ensure that LSUK staff know how to report any security breaches, incidents, malfunctions and suspected system weaknesses or threats.
- Monitor for actual or potential information security breaches.
- Implement procedures to minimise exposure to fraud/theft/disruption of its systems.
- Implement, monitor, document and communicate information security policy and guidance.
- Report to the Senior Management Team as part of Management Review Meetings on the effectiveness of LSUK IT and Security policies and procedures, key risks and mitigation.
- Advise on actual or potential breaches of confidentiality and recommend remedial action.
- Ensure LSUK meets its legal responsibility under the Freedom of Information Act, advising staff on their legal responsibilities under the act and ensure a proper process exists for responding to requests of information in a timely manner.
- Develop and implement information sharing protocols.
- Ensure LSUK equipment is sited or protected to reduce risks from environmental threats and hazards, and unauthorised access.
- Ensure LSUK equipment purchases are security labelled, loaded with appropriately licensed software, and suitably configured for use prior to addition to the LSUK assets list.
- Allocate and configure individual user accounts and associated user authentication for each authorised user and any relevant network operating systems.
- Authorise computer hardware disposal, delete it from the LSUK asset list and ensure data storage devices are purged of sensitive data prior to secure disposal.
Each member of LSUK staff (this includes all permanently employed, contracted and voluntary staff members) and any other authorised users share a responsibility to maintain the security of LSUK information and systems. These responsibilities are listed below:
- Each user is personally responsible for ensuring that no breaches of computer security result from their actions.
- Each user must comply with LSUK’s relevant security and confidentiality policies and procedures.
- Each user must understand that breaches of policy will be investigated under the formal disciplinary procedure, which may lead to dismissal and/or legal action.
- Each user is personally responsible for the accuracy and currency of the data they record on systems.
- Users must not disclose their passwords, allow anyone else to use their password, or allow another user to work under their log-on.
- Users should declare any potential conflicts of interest.
- Users must report any software or system malfunctions that they believe could lead to a security incident to the IT Manager immediately.
- Users must report suspected security weaknesses or threats to the IT Manager.
- All employees and relevant third-party users shall receive appropriate training and regular updates on LSUK’s policies and procedures.
- Authorised users of LSUK systems shall receive appropriate system training before authorisation is granted.
- Violations of this policy and associated procedures shall be dealt with through a formal disciplinary process and / or legal action.
Formal procedures will be used to control access to systems. The IT manager will approve each application for access, and access privileges will be modified or removed, as appropriate, when an individual changes job or leaves.
Access to systems will be based upon the staff member’s job role and relevant requirements. No individual will be given access to a live system unless properly trained and made aware of his or her security responsibilities.
Passwords are required and must be at least eight characters long, a mix of alphanumeric characters, and of sufficient structural complexity to reflect the confidentiality of the data held on LSUK systems. Users must keep their passwords secret and never disclose them to colleagues; if asked to disclose a password, the user must report that incident to their Line Manager.
Passwords should be changed at least every 180 days.
Who do we provide these services to?
We provide these services to:
- Advice and Support Service Providers
- Charities and Trusts
- Corporations and Large Businesses
- Events Management Organisations
- Law Firms
- Mental Health Service Providers
- Police, Fire and Ambulance Service Providers
- Schools, Colleges and Universities
- Social Services
Equipment siting and protection
LSUK equipment will always be installed and sited in accordance with the manufacturer’s specification and with due consideration of Health and Safety legislation.
Equipment will be sited to reduce risks from environmental threats, and from unauthorised access. Where equipment must be kept in public areas, it will be positioned to reduce the risk of unauthorised access or casual viewing.
Environmental controls will be installed to protect central/key equipment. Such controls will trigger alarms if environmental problems occur. In such cases only authorised entry will be permitted.
All central processing equipment, including file servers, will be covered by appropriate maintenance agreements or arrangements.
Records of all faults/suspected faults will be maintained by the IT Manager supported by the administration support team.
Any supplier requiring remote access to resolve system issues will be required to provide a written commitment to maintain the confidentiality of data and information and to use only qualified representatives. Each request for remote access will be authorised by the IT Manager.
Security of equipment and data off premises
- Hard disks on any machine, and removable devices used to back up or compress data, may contain sensitive/confidential data. Removal off site of such disks/storage media represents a potential threat.
- Other than to transport it for a legitimate purpose, equipment and data will not be taken off site without the approval of the appropriate line manager.
- Portable computing devices must be provided with encryption and should not be left unattended. To preserve the integrity of data, frequent synchronisations should be made with system server computers. They should be maintained regularly, batteries kept charged to preserve their availability, and anti-virus software updated appropriately.
Disposal of Equipment
Computer hardware disposal can only be authorised by the LSUK IT Manager, who will ensure that data storage devices are irreversibly purged of sensitive data before disposal or are securely destroyed. The procedures for disposal will be documented.
Unusable computer media (e.g. floppy disks, magnetic tapes, CD-ROMS, USB keys) must also be securely destroyed.
- LSUK only permits approved software to be installed on its PCs.
- Users must not download or load unauthorised software.
- No newly acquired disks, magnetic media, or CDs, from whatever source, are to be loaded unless they have been virus checked and approved by the IT Manager.
- Users should report any viruses detected/suspected on their machines immediately to the IT Manager.
- It is a criminal offence to make or use unauthorised copies of commercial software and offenders are liable to disciplinary action and civil or criminal prosecution.
- All central systems have daily backup regimes.
- Secure storage for the backups is geographically separate from the system location to protect against building loss.
- The viability of central systems backups is tested when used in contingency tests.
- All users must use the LSUK networks for any project documentation to ensure that backup of all key documents is maintained.
- Internet use on Company time is authorised to conduct Company business only. Internet use brings the possibility of breaches of the security of confidential Company information and creates the possibility of contamination of our system via viruses or spyware, which may give unauthorised people outside the Company potential access to confidential information.
- Removing such programs from the Company network requires an investment of time and resources that is better devoted to progress. For this reason, and to assure the appropriate use of work time for work, we ask staff members to limit Internet use.
- Additionally, under no circumstances may Company computers or other electronic equipment be used to obtain, view, or reach any pornographic, or otherwise immoral, unethical, or non-business-related Internet sites. Doing so can lead to disciplinary action up to and including termination of employment.
- Limited, responsible use of LSUK Internet access during non-working hours, such as a lunch break, is acceptable; however, the use of social networking sites such as Facebook, which may introduce unsafe access to the LSUK computer network, will constitute a serious breach of internet policy and will not be tolerated at any time.
- Email is to be used for Company business only.
- Company data and information must not be shared outside of the Company without authorisation at any time.
- Viewing pornography or sending pornographic jokes or stories via email is considered sexual harassment and will be treated as a disciplinary offence, as will any emails that discriminate against employees by virtue of any protected classification including race, gender, nationality, religion, and so forth.
- You are also not to conduct personal business using the Company computer or email.
- Please keep this in mind also as you consider forwarding non-business emails to associates, family or friends. Non-business-related emails waste company time and attention. Sending or forwarding non-business emails could result in disciplinary action that may lead to employment termination.
- E-mail and Internet access assigned to an employee's computer are solely for the purpose of conducting Company business.
- Keep in mind that the Company owns any communication or information sent via email or stored on Company equipment. Management and other authorised staff have the right to access any material in your email or on your computer at any time. Please do not consider your electronic communication, storage or access to be private if it is created or stored at work.
A security incident is an event that may result in:
- Degraded system integrity.
- Loss of system availability.
- Disclosure/loss or corruption of confidential information.
- Disruption of activity.
- Financial loss.
- Legal action.
- Unauthorised access to applications.
- Misuse of software or access privileges.
All security incidents must be reported to the IT Manager immediately, who will decide the most appropriate action to resolve the incident or minimise its impact on LSUK data or systems.
The incident will be further reported to the Senior Management Team who will take advice from the IT manager as to any further actions.
Any security incidents will be formally logged, categorised by severity and the resultant actions recorded.
Any major security incident will be immediately referred to the Senior Management Team for investigation.
The management and implementation of all IT and Security systems are subject to periodic review by both internal and external auditors as part of LSUK’s Quality Management System.
This policy will be brought to the attention of all users and monitored in line with normal assurance processes.
This policy will be reviewed each year to ensure its continued suitability.