Definitions
The following terms are used throughout this Policy:
- Data Asset – any data and data processing assets of value to William Reed
- Data Owner – an individual accountable for Data Assets
- DPO – the Data Protection Officer or Committee responsible for William Reed’s use and management of Personal Data
- Employees – William Reed employees (permanent and temporary) and contractors delivering services to William Reed
- HTO – Head of Technical Operations for William Reed
- Personal Data – data from which an individual may be identified
- Policy – this Data Security Policy
- William Reed – any member for the time being of the William Reed group of companies
About this Policy
This Policy details William Reed’s data security policy governing all data used in its business, and in particular Personal Data, regardless of whether it is processed electronically or in paper form.
Types of Data
Data takes many forms, including:
- Personal Data including Employee records
- External customer materials, data and reports
- Operational plans, accounting records, and meeting minutes
- All data processing facilities used in support of William Reed’s operational activities to store, process and transmit data
- All external organisations that provide services to William Reed in respect of data processing activities or facilities
Principles
This Policy is based on the following principles in order to protect William Reed’s Data Assets:
- Confidentiality – Data must not be made available or disclosed to unauthorised individuals, entities, or processes
- Integrity – The accuracy and completeness of assets should be retained and maintained
- Availability – All data should be accessible and usable upon demand by an authorised entity
Risks and Risk Management
Lack of data security can lead to incidents such as a breach of confidentiality, or the corruption or unavailability of data, which could affect William Reed’s ability to deliver its services to its customers and could also damage William Reed’s corporate image. Failure of data security in respect of Personal Data could lead to legal action against William Reed and substantial fines.
A systematic approach to data security risk management is necessary to identify business needs regarding data security requirements (including contractual and regulatory) and to create an effective operational security framework.
Data security risk management is not a one-off exercise with a single set of control recommendations which remain static in time but a continual process. During the operational delivery and maintenance of William Reed’s services there are a number of instances where risk assessment is necessary.
The implementation of the data risk strategy shall be based on formal methods for risk assessment, risk management and risk acceptance and independent of technology or software.
Objectives
The objective of the Policy is to enable William Reed to produce, store and work with data in the most secure manner achievable. The security controls are aimed at covering all possible threats, whether external or internal, deliberate or accidental.
Compliance with this Policy is necessary to ensure the protection of Personal Data, business continuity, and to minimise damage to the business and individuals by preventing the occurrence, and minimising the impact, of data security incidents.
In support of this Policy, the directors of William Reed accept their role in being fully accountable for data security and are committed to:
- Securing Personal Data
- Managing and reducing risk in an informed manner
- Minimising impact on William Reed when data security incidents occur
- Ensuring that William Reed has identified and is compliant with the law
Responsibilities
The William Reed Group Board shall be accountable for ensuring that appropriate security and legal controls are identified, implemented and maintained by Data Owners. They shall be supported in this task by the senior management team and the DPO.
Responsibility for managing data security at an operational level shall be performed by the HTO and, in respect of Personal Data, by the DPO. The HTO and DPO have direct responsibility to the William Reed Group Board for maintaining this Policy, and providing advice and guidance on its implementation.
Data Owners within William Reed shall be responsible for the identification, implementation and maintenance of controls that are commensurate with the value of the Data Assets they own and the risks to which they are exposed.
Provisions of this Policy
This Policy provides that:
- Data Assets and data processing facilities shall be protected against unauthorised access
- Data, and in particular Personal Data, shall be protected from unauthorised disclosure
- Confidentiality of Data Assets shall be a high priority
- Integrity of data shall be maintained
- William Reed’s requirements, as identified by Data Owners, for the availability of Data Assets and data processing facilities required for operational activities shall be met
- Legal obligations shall be met
- Business continuity plans shall be produced, maintained and tested
- Unauthorised use of Data Assets and data processing facilities shall be prohibited
- This Policy shall be communicated to all Employees and relevant third parties
- All breaches of data security, actual or suspected, shall be reported and investigated in line with William Reed’s published policies
- Controls shall be commensurate with the risks faced by William Reed
In support of this Data Security Policy, more detailed security policies and processes shall be developed for Employees, Data Assets and data processing facilities. These are detailed in section 2 of this policy.
Review and Maintenance
This Policy shall be reviewed annually by the HTO and DPO to ensure it remains fit for purpose.
PRINCIPLES
Acceptable Use
Employees are required to be familiar with and adhere to William Reed’s policies governing the use of computer hardware, e-mail, social media and the internet, which should be read in conjunction with this Policy.
Access
It is the policy of William Reed to ensure that:
- Access to and use of data processing facilities and systems is granted only where there is a legitimate need
- Employees may only gain access to and use data and data processing facilities for which they are specifically authorised
- William Reed’s data and data processing facilities must be used in accordance with:
  - This Policy
  - All relevant legislation including but not limited to the Computer Misuse Act 1990, Copyright, Designs and Patents Act 1988, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the General Data Protection Regulation 2018.
Encryption
All desktops and laptops are fully encrypted using industry-standard encryption technologies (e.g. Microsoft Windows BitLocker or Apple FileVault 2).
Data and Equipment Disposal
Any confidential printed material (such as that which may contain Personal Data, proprietary William Reed data, William Reed commercial data, and any customer data) that it is no longer necessary to retain must be disposed of using the secure disposal facilities in William Reed’s offices.
Any rewriteable storage devices (such as hard drives, USB flash drives or rewriteable optical media) that are no longer required must be securely wiped using a suitable software application such as DBAN. This activity will be undertaken by the System Support team.
Any write-once storage device (such as CD-Rs or DVD-Rs) must be physically destroyed or shredded, or passed to the System Support team for secure destruction.
Where a storage device has become damaged, it must be physically destroyed by the System Support team (for example a hard drive should be disassembled and subject to magnetic contamination).
Data Backup
Employees using desktop computers shall store data on network servers rather than local drives unless appropriate controls have been agreed with the Data Owner, in order to ensure the integrity and availability of data.
Employees who use laptop computers, who have a requirement to store data locally on associated hard drives, shall ensure that this data does not contain any confidential details such as William Reed or customer passwords or Personal Data. It is strictly forbidden to store unencrypted confidential information on a portable device (laptop, USB memory stick or portable hard drive) of any kind.
Data Classification Handling and Protection
Personal Data, customer data and all data that contains William Reed proprietary data (such as passwords, business practices, or commercial data) is classified as “confidential”. All data that is non-proprietary or otherwise publicly available (such as a computer software manual or third-party data sheet) is classified as “non-confidential”.
Email on Mobile Devices
Employees are entitled to, but not obligated to, access William Reed emails on personally-owned mobile devices (e.g. mobile phones and tablets) in accordance with the policies in force from time to time. The following security measures are in place (it should be noted that all of these measures increase the security of the device and therefore offer a security benefit that extends to all data on the device, including the owner’s personal data):
- If you do not already have a PIN in place you will be prompted to set one. This means that the Employee will be required to enter a PIN of at least four digits whenever they use their device
- You should configure your device to automatically lock after being inactive for a maximum of ten minutes (requiring the entry of the PIN before further use)
- If you have configured your mobile device to do so, the device will be automatically wiped after ten failed PIN attempts (note that this does not apply to all mobile devices)
- William Reed System Support may have the ability to remotely wipe the device on demand or on request, for example if your device is lost or stolen. This will include the wiping of all data on the phone, including personal data (e.g. photos taken with the mobile device’s camera)
- The IT team does not have access to your mobile device or any of its content in any way and will not wipe it unless explicitly requested
If an Employee loses their mobile device and it has been configured to receive William Reed emails then ServiceDesk must be notified immediately, whereupon ServiceDesk will likely recommend that the device be remotely wiped (if possible). Remote wiping has the benefit of ensuring that your personal emails, photos and other content would be deleted from the device so it could not be accessed by a third party.
Security Incident Reporting
Employees shall report security incidents, weaknesses or significant software malfunction at the earliest opportunity to the ServiceDesk.
Security Management
The confidentiality of data is treated as an absolute priority. William Reed implements strict electronic access control systems to ensure that Employees only have access to the data that is necessary to perform their job function, or that may be made available to them from time to time.
Statutory and legally implied obligations shall be met at all times.
Business continuity plans are maintained and tested, ensuring that data security is maintained throughout any Service Continuity or Business Continuity event.
Unauthorised use of Data Assets is prohibited and subject to William Reed’s disciplinary procedures.
All breaches of data security shall be reported to the Employee’s line manager and the DPO.
Data Security risk management is undertaken on a continual basis and subject to ongoing review with the implementation of any new system as defined within the Change Control process.
Mobile Computing
Employees shall exercise appropriate care when using William Reed’s Data Assets outside the normal office environment. This particularly applies when data is processed on mobile equipment such as laptops, tablets and mobile phones.
As the data contained on mobile equipment is especially vulnerable, special care should be exercised. Mobile equipment must not be left unattended in insecure places (e.g. unlocked in customer offices, in plain sight in homes or non-William Reed sites where it could be easily stolen) and must not, for instance, be left in observable parts of one’s car.
Password Management
Employees shall be issued with a unique username / account and a confidential password. Passwords shall always be selected carefully and shall be kept confidential by committing them to memory. Passwords must be kept secure and shall not be shared. Authorised users are responsible for the security of their passwords and accounts. Network access passwords should be changed as demanded by the system and conform to the agreed password standards.
Company passwords, such as those used to log in to third party systems, must not be shared with a third party at any time.
On rare occasions when an Employee must divulge their password to a member of the William Reed Support teams the Employee must change their password as soon as possible after the incident has been resolved.
Physical and Environmental
Employees shall ensure that the confidentiality of data is not breached whilst in their possession. To facilitate such control, William Reed operates a clear screen and clear desk policy.
All PCs, laptops and workstations must be “locked” (such that the screen is disabled) when Employees are away from their desks, or secured by logging off or shutting down whenever the equipment will be left unattended for an extended period (e.g. at the end of every working day). This is particularly important when working away from William Reed’s offices.
Employees must ensure that any confidential paperwork is locked away whenever they are away from their desks and that it does not leave their possession when working away from William Reed’s offices.
If a member of the Support Team has remotely connected to a device in order to fix a problem then verbal assurance will be sought to confirm that the affected Employee is at their desk and in front of their computer. If this is not the case then the workstation should be “locked” so that another Employee cannot walk up to the device and start using it, thereby impersonating that individual.
Vulnerability and Patch Management
William Reed’s computing facilities are all subject to the continuous execution of anti-virus software, and the installation of William Reed-approved vendor patches.
Vendor patches (such as those provided by Microsoft) are first tested in a controlled environment before subsequent approval and deployment to William Reed’s servers, workstations and laptops.
Non-Compliance with this Policy
An employee found to have violated this Policy may be subject to disciplinary action, up to and including termination of employment.
Employees should discuss any concerns relating to this Data Security Policy with their Line Manager.