Information Security - awareness guide

 

These guidelines are provided to make you aware of what we are already doing to meet ISO 27001 standards and the part you have to play in maintaining these standards.

 

Visitors and Entry To Company Locations

  • Our office and warehouse facilities are secure areas; all other measures would be of no importance if we were simply to let anyone walk in through the doors. Therefore, the following guidelines should be followed as closely as possible so that only authorised employees and/or sub-contractors are present on site!
  • All visitors must be signed in at reception on arrival and out upon leaving.
  • Visitors to Ardington Archives' office or warehouses must be escorted at all times.
  • Notification to, and authorisation from, the Chief Executive (or IMS Manager) is required for all visitors (including service engineers) who need access to any of the warehouses or the office.


Security Incidents and What To Do About Them


Security Incidents are events that must be recorded and acted upon. The following events are examples of what constitute security incidents:

  • Abuse (Internet, e-mail, viruses, malicious activity, sharing passwords).
  • Access (unauthorised access to the office or warehouses, or to systems or information).
  • Loss or theft (loss or theft of information stored on media, e.g. hard or floppy discs, memory sticks etc., in documents, or held on company systems, laptops and other mobile devices).
  • Non-compliance with company policies or guidelines.
  • Any observed or suspected security weaknesses.
     

Reporting

All information security incidents must be reported as quickly as possible through the following channels:
  • Internal IT systems - the IT helpdesk.
  • All other incidents - the IMS Manager, who will record them in an Incident Log; appropriate action is then planned and implemented to prevent, or further reduce the risk of, recurrence.


Information Control


To avoid the potential for customer or company information to be communicated to unauthorised parties, ALL COMPANY AND CUSTOMER INFORMATION SHALL BE TREATED AS SENSITIVE.

The key policy and procedures that all employees and sub-contractors need to read and implement are as follows:

  • Customer and Company Information for which access and use is regulated by the Information Control Policy.
  • Emails and Internet use which are subject to corporate controls as described in the Computer Use Policy.


Good Password Practice

Passwords are the major mechanism employed in Ardingtons for user authentication and accountability. You must help to make these effective by following these guidelines. Good password practice includes:

  • Selecting a long password, minimum of 8 characters.
  • Using at least one number or special character as well as letters, e.g. “BATLH4!”.
  • Not using anything which would be well known or easily discovered about you, such as your name or favourite football team.
  • Never write your password down.
  • Never let anyone else use your password even temporarily.
  • Change your password regularly.
  • Do not use cyclic passwords, e.g. hello1, hello2 etc.
  • Report password misuse as a security incident.

Are you the “WEAKEST LINK” on any of the Company systems?
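The list above can be turned into a mechanical check. The following is an added example, not part of the original guide or of any Ardington Archives system: it applies the length rule, the letters-plus-number-or-special rule, the "nothing well known about you" rule (using a caller-supplied list of personal terms) and the cyclic-password rule (hello1 -> hello2), returning every violation found so that a user can be told exactly why a proposed password was rejected. The function and parameter names and the sample personal terms are assumptions chosen for illustration.

```python
import re
import string

# Assumed definition of "special character": any ASCII punctuation.
SPECIALS = set(string.punctuation)


def _split_suffix(pw):
    """Split a password into its stem and trailing digits, e.g. 'hello2' -> ('hello', '2').

    Returns (pw, None) when the password does not end in digits.
    """
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    if not m:
        return pw, None
    return m.group(1), m.group(2)


def is_cyclic(new_pw, previous_pw):
    """True when new_pw only changes the trailing number of previous_pw (hello1 -> hello2)."""
    new_stem, new_num = _split_suffix(new_pw)
    old_stem, old_num = _split_suffix(previous_pw)
    return (new_num is not None and old_num is not None
            and new_stem.lower() == old_stem.lower())


def check_password(pw, personal_terms=(), previous_pw=None):
    """Return a list of guideline violations; an empty list means the password passes.

    personal_terms: words that are well known about the user (name, football team, ...).
    previous_pw:    the user's current password, used for the cyclic-password check.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("contains no letters")
    if not any(c.isdigit() or c in SPECIALS for c in pw):
        problems.append("contains no number or special character")
    lowered = pw.lower()
    for term in personal_terms:
        # Ignore very short terms, which would match almost anything.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    if previous_pw is not None:
        if lowered == previous_pw.lower():
            problems.append("same as previous password")
        elif is_cyclic(pw, previous_pw):
            problems.append("only the trailing number changed from the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample checks for a hypothetical user named Smith who supports Arsenal.
    terms = ["Smith", "Arsenal"]
    for candidate, previous in [("BATLH4!", None),
                                ("hello2", "hello1"),
                                ("Arsenal2024!", None),
                                ("Tr4ffic-Cone-Lamp", None)]:
        result = check_password(candidate, personal_terms=terms, previous_pw=previous)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Running the sample shows one point worth noticing: the guide's own illustration “BATLH4!” is seven characters long, so it satisfies the character-mix rule but not the eight-character minimum. The cyclic check compares only the part before the trailing digits, which is exactly the pattern the guideline describes; it deliberately does not try to detect other small edits, and a real deployment would additionally keep a password history rather than a single previous value.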


Web & Email

  • Incoming e-mails and their attachments may carry dangerous or potentially business-damaging viruses. If you are in any doubt about an incoming e-mail or whether it carries a virus, do not open it; you must consult the IT Support Desk immediately.
  • E-mail is not a secure means of communication. Before transmitting potentially sensitive information by e-mail, the prior consent of the person or organisation to which that information relates must be obtained.
  • Always work on the assumption that e-mail messages may be read by others than the intended recipient and that improper statements or breaches of confidentiality can give rise to personal or company liability.
  • The publication of any information relating to the company, our clients or partners in any way on any internet site must be approved in advance by the CEO.

 

Virus Awareness

  • A virus is any software created to damage, access or disrupt your data. Ardington Archives holds a lot of sensitive and system-critical data, and we need to protect it from harmful virus activity.
  • Not all problems are virus related but it is important to report a suspected virus as soon as possible to the IT Support Desk.
  • All company provided desktops and laptops will have virus protection installed on them. It is important that you let the virus software run in the background at all times. Please do not try to disable or alter the settings as this will affect detection of virus activity.


Clear Desk & Screen Policy

  • Keep your work area tidy, so that you know exactly what documentation/information is on your desktop.
  • Lock documents away in drawers and cupboards when not working on them.
  • Ensure that all surfaces (including the floor) which are not designed for the storage of papers, disks, equipment etc. are kept clear.
  • Clear desktops every night.
  • Make sure there is an automatic password protected screen saver on your PC.


Media Handling & Disposal

  • All client media within the company is treated as ‘sensitive’ and requires company management approval for it to be removed or copied outside of the company. The company Information Control Policy sets out relevant arrangements for handling client media.
  • Floppy disks, CDs and any other computer media should be passed to the IMS to be destroyed prior to disposal.
  • Where information is saved onto portable storage devices (e.g. floppy disk, CD, memory stick, hard drive etc.), such devices should not be left unattended and should be stored securely when not in use.
  • Where company or customer information is stored on any device or in hard copy and the device or hard copy is no longer required:
    • Hard copy should be destroyed (preferably shredded) when finished with.
    • Information contained on any device must be deleted before disposal.


Data Protection

Ardington Archives complies with its obligations under the Data Protection Act 1998.
Personal information is held within paper-based files and within computer systems. No personal information should be passed to anyone else, either inside or outside of the Company, without the permission of the CEO or the individual concerned, e.g.:

1. Private telephone numbers
2. Private E-mail addresses
3. Private addresses
4. CVs


Software

Non-approved software exposes the Company’s systems to the risk of virus infection, and its introduction may adversely affect the operation of the Company’s systems.
You should not:

  • Install or use non-approved software.
  • Install or use non-licensed software.
  • Copy and distribute electronic copyright material without the appropriate authorisation.


Masquerading of Identity

Many security breaches are caused by external individuals approaching employees or sub-contractors, masquerading as officials who may then request information under false pretences.

You should always be careful to ensure the authenticity of those you admit to the building or share information with (e.g. over the phone), particularly in relation to security information (e.g. passwords).