Information Security Policy
Version: 1.0 | Date: May 2018 | Issuer: Compliance Department | Approved by: (blank) | Addressee: All Staff | Circular: May 2018

K2 Group Information Security Policy

Contents

Preamble 4
General 4
Objectives 4
Scope 5
Information Security 6
Information Security Cornerstones 6
Legal and regulatory 6
Classification of Information 6
K2 Suppliers 9
Cloud and System Providers 9
Compliance and Disciplinary Procedures 9
Incident Management 10
Supporting Policies 10
Review Process 10
Responsibilities 10
User and Privileged Access Management 11
User Management 11
Access Control 12
Managing Privileges 12
Authentication / Password Management 12
Privileged Access 13
Network and System Management 13
Software Management 14
Appendix A: Relevant National Legislation 16
Relevant UK Legislation 16
Relevant German Legislation 18
Relevant Swiss Legislation 20
Relevant Spanish Legislation 21
Relevant Singaporean Legislation 23
Relevant Chinese Legislation 24
Relevant Japanese Legislation 27
Relevant US Regulation 31
Relevant Mexican Legislation 34
Relevant Brazilian Legislation 36

Preamble

K2 Group, as a provider of highly specialised services in the Staffing and Information Technology field, is aware of the all-encompassing role that data and information play in every kind of human interaction. The ability to process, store and exchange information by electronic means has brought great benefits to societies, but it also comes with its own set of challenges concerning the security and privacy of information. Governments around the world are seeking to address these challenges through legislation that regulates the handling of information. As an international organisation whose most valuable asset is information, K2 is committed to ensuring that legal compliance, confidentiality and integrity are maintained at all times within our information systems.
We must ensure that the information we hold or are responsible for is safeguarded against inappropriate disclosure and data privacy violations; is accurate, timely and attributable; and is available to those who should be able to access it. The Information Security Policy below provides the framework by which we give effect to these principles. Its primary purpose is to enable all K2 staff to understand both their legal and ethical responsibilities concerning information, and to empower them to collect, use, store and distribute it in appropriate ways. This policy is the cornerstone of K2's ongoing commitment to enhance and clarify our information security procedures. All K2 staff are urged to read it and must abide by it in the course of their work.

1. General

Privacy, security and availability of information are critical to the internal processes and good governance of K2. Abuse of information we control creates a risk of financial and reputational loss. This information security policy therefore outlines our approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of K2's information systems. Supporting policies, codes of practice, procedures and guidelines, such as our Acceptable Use Policy, BYOD Policy and Privacy Notice, provide further detail. K2 is continuing to establish comprehensive Information Security Management across all parts of its business activities. The principles defined in this policy apply to all of our physical and electronic information assets. K2 is specifically committed to preserving the confidentiality, integrity and availability of documentation and data supplied by, and held on behalf of, third parties in the course of business, in accordance with the requirements of current data security legislation.

1.1. Objectives

The objectives of this policy are to:

1.1.1.
Provide a framework for establishing suitable levels of information security for all K2 information systems (including but not limited to all cloud environments commissioned or run by K2, computers, storage, mobile devices, networking equipment, software and data), and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems. The resources required to manage such systems will be made available.
1.1.2. Ensure that users are aware of and comply with all current and relevant legislation.
1.1.3. Provide the principles by which a safe and secure information systems working environment can be established for staff and any other authorised users.
1.1.4. Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
1.1.5. Protect K2 from liability or damage arising from the misuse of its IT facilities.
1.1.6. Maintain data and other confidential information provided by clients, consultants and suppliers at a level of security commensurate with its classification, including upholding any legal and contractual requirements around information security.
1.1.7. Respond to changes in the context of the organisation as appropriate, initiating a cycle of continuous improvement.

1.2. Scope

This policy applies to, and will be communicated to, all staff and third parties who interact with information held by K2 and with the information systems used to store and process it. Staff here includes all employees, officers, consultants, contractors, interns and casual workers engaged by us.
Information and information systems include, but are not limited to: cloud systems used, developed or commissioned by K2; any systems or data attached to the K2 data or telephone networks; systems managed by K2; mobile devices used to connect to K2 networks or to hold K2 data; data over which K2 holds the intellectual property rights; data for which K2 is the data controller or data processor; and electronic communications sent from K2.

2. Information Security

2.1. Information Security Cornerstones

The following information security principles provide overarching governance for the security and management of information within K2 Group.

● Information should be classified according to an appropriate level of confidentiality, integrity and availability (see Section 2.3. Information Classification) and in accordance with relevant legislative, regulatory and contractual requirements (see Section 2.2. Legal and Regulatory Obligations).
● Staff with particular responsibilities for information (see Section 3. Responsibilities) must ensure the classification of that information; must handle that information in accordance with its classification level; and must abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
● All users covered by the scope of this policy (see Section 1.2. Scope) must handle information appropriately and in accordance with its classification level.
● Information should be both secure and available to those with a legitimate need for access, in accordance with its classification level.
  a. On this basis, access to information will be granted on the basis of least privilege and need to know.
● Information will be protected against unauthorised access and processing in accordance with its classification level.
● Breaches of this policy must be reported (see Sections 2.4. Compliance and 2.5. Incident Handling).
● Information security provision and the policies that guide it will be reviewed regularly, including through annual internal audits and penetration testing.

2.2. Legal and regulatory

K2 Group is committed to abiding by all applicable legislation as well as a variety of regulatory and contractual requirements. A non-exhaustive summary of the UK, EU and other national legislation, and of the regulatory and contractual obligations, that shape the form and content of this policy is provided in Appendix A. Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised there.

2.3. Classification of Information

The following table summarises the information classification levels, which complement the information security principles set out in Section 2.1. These classification levels explicitly follow the General Data Protection Regulation (GDPR) definitions of Personal Data and Special Categories of Personal Data. Please also refer to K2's Privacy Notice and Breach Management Policy.

Information may change classification level over its lifetime or because of its volume; for instance, information that was initially confidential can become public if the data subject decides to make it publicly available.

Public
  Impact on K2 if made public without authorisation: None
  Definition: Can be accessed and seen by anyone inside and outside of K2
  Examples: Publications; press releases; services advertised; principal K2 contacts for public-facing roles, i.e. name, email address and landline telephone number published online; public events

Open
  Impact on K2 if made public without authorisation: Low; may result in very minor reputational or financial damage to K2; very minor
  Definition: Available to people affiliated with K2, such as current and previous staff or externals
  Examples: Contact information not available on public websites (e.g. name, role, email address and telephone number); internal K2 communication; details