Information Security Policy & Statement

Transcription

1 Information Security Policy & Statement

2 Document Details Document Name Document Control Information Information Security Policy & Statement Purpose of Document To describe the high-level approach to the management of information security at BCS, The Chartered Institute of IT Document Version Number v3.1 Document Status Live Document Owner Carl Harris Prepared By Carl Harris Date Approved 9th September 2014 Effective Start Date Effective End Date Approved By Executive Board Next Scheduled Review Date August 2015 Version History Version Date Checked Changes Made Number Amended By V3.1 09/09/14 Approved revisions following annual review. Carl Harris V3.0 20/09/13 Approved revisions from the working group Carl Harris established to review this document. V2.0 Approved David Clarke V1.5 Updated to include version control etc V1.1 Revisions made to change responsibility from IT Director to QIM V0.1 Draft version Distribution List Name Paul Fletcher Jon Buttriss All staff via the GreenRoom Member Groups Officers via the BCS website Title BCS Group CEO BCS Learning & Development Ltd CEO

3 Information Security In this day and age it is increasingly important that we are concerned with Information Security. The information that we hold and process within BCS is sensitive in nature. The loss or disclosure of the data could lead to prosecution or serious harm to our reputation. There is also a risk to the privacy of our members, our customers and the organisations with whom we work. Because of these risks, BCS takes very seriously the need for Information Security and we have implemented systems and processes, which are aligned with the International Standard (ISO27001), to define the way that we manage it. All new members of staff will receive awareness training as part of the induction process and existing staff will all receive awareness training at regular intervals. Our volunteers, partner organisations and contractors will also be required to observe the standard in their dealings with us, or with others on our behalf. If you are unsure about any of the guidance it contains or would like further information, it is your responsibility to contact your manager to ask for assistance. Similarly, if you have an idea about how to improve our systems or processes, please let them know. It is the responsibility of every member of the organisation, including myself, to become familiar with our systems and processes and comply with the policies and procedures defined within them. We take this requirement most seriously failure to comply with our policies and procedures could lead to disciplinary proceedings. We will review how well we as an organisation comply with the systems and processes we have defined, and find new ways to improve how we manage Information Security. The Executive Team fully support our approach to Information Security Management and require all members of staff, volunteers, partner organisations and contractors to do the same. Paul Fletcher Group Chief Executive BCS, The Chartered Institute for IT

4 Information Security Policy Statement 1. The aim of this Information Security Policy ( this Policy ) is to protect BCS information from security threats, whether internal or external, deliberate or accidental. Information is an important asset of significant value to BCS which requires protection at all times. Compliance with this Policy protects BCS information and minimises the effect of a security incident. 2. Information may be in paper or electronic format, held on BCS computer systems or removable storage devices, spoken over the telephone or in documents sent by post or courier. This Policy refers to all such information as BCS Information and the systems on which it is held as BCS Information Systems. 3. BCS Information may contain BCS intellectual property and confidential information, the personal information of staff, customers and members all of which must be held securely at all times to safeguard BCS business continuity, reputation and interests and the interests of all those having an interest in BCS Information. 4. This Policy applies to all those who have access to BCS Information and includes staff, members, volunteers, contractors, services suppliers, agents and applies at all locations where BCS Information may be accessed. 5. The Senior Management Team at BCS recognises the importance of information security and has approved this Policy. 6. All those with access to BCS Information are responsible for complying with this Policy. 7. In respect of BCS Information, this Policy requires that: a. It is protected against unauthorised access; b. Its confidentiality is assured; c. Its integrity is maintained; d. Its availability and accessibility is ensured; e. Regulatory and legislative requirements are met; f. Business continuity plans are produced, maintained, tested and if appropriate improved; g. Information security guidance and training are available to all staff and others accessing this information; and h. All breaches of this Policy, actual, suspected or potential are reported immediately and investigated.

5 8. This Policy and BCS internally developed policies and procedures are consistent with the principles in a number of standards including: a. ISO/IEC 27002:2013 (ISO/IEC 17799); and b. ISO27001: With the exception of Information published and made available publically, all users of BCS information systems must have the formal authorisation of an appropriate member of staff or by any other process authorised specifically by the Chief Executive. Authorised users will be in possession of a unique user identity. Any password associated with a user identity must not be disclosed to any other person. 10. The BCS Information Security Working Group has responsibility for reviewing and setting policies to do with information security. 11. All BCS managers are directly responsible for day to day management of this Policy and for implementing this within their business areas and for ensuring compliance by their staff. 12. It is the responsibility of everyone to keep to the requirements of this Policy.