IT Security Policy
Updated January 2020
The security and integrity of their IT Systems is a priority for Microtia UK. All employees of Microtia UK and any authorised third parties, including without limitation, sub-contractors, consultants and contractors (together “Users”) are expected to comply with this Policy, which is effective from the date above, but subject to being updated from time to time.
- Intended purpose
The purpose of this Policy is to establish a framework for managing risks and protecting Microtia UK’s IT infrastructure, computing environment, hardware, software and any and all other relevant equipment (“IT Systems”) against all types of threats, internal or external, intentional or unintentional.
- Stakeholder Responsibilities
3.1 Tina Rycroft, non-executive director of fundraising and communications (the “IT Department”) shall be responsible for carrying out the installation, ongoing maintenance (including without limitation, any upgrades or repairs) and ensuring the security and integrity of the IT Systems, either directly or, via an authorised third party. Accordingly, the IT Department is responsible for data stored on the IT Systems, unless otherwise stated.
- In furtherance of section 3.1 above, the IT Department shall be responsible for:
- investigating any security breaches and / or misconduct, and shall escalate to Liz Jones, Trustee as appropriate;
- ensuring organisational management and dedicated staff responsible for the development, implementation and maintenance of this Policy;
- providing assistance as necessary to Users to help them in their understanding and compliance with this Policy, as well as keeping all Users aware and up to date with all applicable laws including, without limitation, the GDPR and the Computer Misuse Act 1990;
- providing adequate training and support in relation to IT security matters and use of the IT Systems, to all Users;
- ensuring that the access to IT Systems granted to all Users takes into account their job role, responsibilities and any additional security requirements, so that only necessary access is granted for each User;
- dealing with all reports, whether from Users or otherwise, relating to IT security matters and carrying out a suitable response for the situation
- implementing appropriate password controls, as further detailed in section 5;
- maintaining a complete list of all hardware items within the IT Systems. All such hardware shall be labelled and the corresponding data shall be kept by the IT Department;
- ensuring that daily backups of all data stored within the IT Systems are taken, and that all such backups are stored off Microtia UK premises at a suitably secure location; and
- [ensure compliance with all IT security standards set out in ISO 27001, to the extent such standards are not covered by the obligations set out in section 3.2 (a) – (j)].
- The Users shall be responsible for:
- informing the IT Department immediately of any actual or potential security breaches or concerns relating to the IT Systems;
- informing the IT Department immediately in respect of any technical or functional errors experienced relating to the IT Systems; and
- complying with this Policy and all laws applicable to the Users relating to their use of the IT Systems.
3.4 Users must not attempt to resolve an IT security breach on their own without consulting the IT Department first.
- Access to IT Systems
4.1 There shall be logical access controls designed to manage electronic access to data and IT System functionality based on authority levels and job functions, (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all Users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
- All IT Systems shall only be accessible by a secure log-in system as deemed suitable by the IT Department. Such suitable systems may include, without limitation, secure passwords, fingerprint identification and facial recognition.
- The IT Department shall conduct regular system audits or event logging and related monitoring procedures to proactively record User access and activity on the IT Systems for routine review.
- IT Systems that are not intended to be part of everyday use by most Users (including without limitation, servers, networking equipment and infrastructure) and any other areas where personal data may be stored (eg. data centre or server room facilities) shall be designed to:
- protect information and physical assets from unauthorised physical access;
- manage, monitor and log movement of persons into and out of the relevant facilities; and
- guard against environmental hazards such as heat, fire and water damage.
5.1 The IT Department shall implement password controls designed to manage and control password strength, expiration and usage including prohibiting Users from sharing passwords and requiring that Microtia UK passwords that are assigned to Users:
- be at least 9 characters in length,
- not be stored in readable format on Microtia UK’s IT Systems;
- must be changed every 180 days;
- must have defined complexity;
- newly issued passwords must be changed after first use.
- Users must keep passwords confidential and not share it with anyone else.
6.1 All Company mobile devices (including, without limitation, laptops, tablets and mobile telephones) should be kept securely by Users using secure cases where appropriate. Users should not leave such mobile devices unattended other than at their homes or Company premises.
- All Company non-mobile devices (including, without limitation, desktop computers, workstations and monitors) shall, wherever possible and practical, be secured in place with a suitable locking mechanism.
- Users are not permitted to connect any of their personal hardware to the IT Systems without the express approval of the IT Department in writing.
7.1 All software installation on to the IT Systems shall be the responsibility of the IT Department. Users are not permitted to install any software on to the IT Systems unless expressly approved in writing by the IT Department.
7.2 All software installed on to the IT Systems shall be kept sufficiently up to date in order to ensure that the security and integrity of the IT Systems is not compromised.
- Vulnerability Assessment and Anti-Virus
8.1 The IT Department shall carry out regular vulnerability assessments, and utilise patch management, threat protection technologies and scheduled monitoring to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- The IT Department shall ensure that Microtia UK uses an up to date reputable anti-virus checking software tool to check the IT Systems and to scan all email attachments before they are opened.
- The IT Department shall implement network security controls that provide for the use of enterprise firewalls and layered DMZ architectures, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Data Protection
9.1 The collection, holding and processing of all personal data (as defined in the General Data Protection Regulation 2016(“GDPR”)) by Microtia UK will be carried out in compliance with (i) the GDPR and other related legislation, including the Data Protection Act 2018; and (ii) Microtia UK’s own Data Protection Policy.
9.2 The IT Department shall ensure there are data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for personal data that is:
(a) transmitted over public networks (i.e. the Internet) or when transmitted wirelessly; or
(b) at rest or stored on portable or removable media (i.e. laptop computers, CD/DVD, USB drives, back-up tapes).
9.3 Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted.
9.4 If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.
9.5 Personal data may only be transferred to any device personally belonging to an employee’s personal device or any devices belonging to agents, contractors, or other parties working on behalf of Microtia UK where the party in question has agreed to comply fully with the letter and spirit of this Policy and of GDPR (which may include demonstrating to Microtia UK that all suitable technical and organisational measures have been taken).
9.6 The IT Department shall ensure operational procedures and controls to provide for the secure disposal of any part of the IT Systems or any media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Microtia UK’s possession.
9.7 Where any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. Hardcopies should be shredded, and electronic copies should be deleted securely.
9.8 The IT Department shall ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it).
9.9 All personal data stored electronically should be backed up every 6 months with backups stored onsite AND/OR offsite. All backups should be encrypted using password protection and bitlocker drive encryption.
9.10 All electronic copies of personal data should be stored securely using passwords and bitlocker drive data encryption.
9.11 Where personal data held by Microtia UK is used for marketing purposes, it shall be the responsibility of Tina Rycroft, Non-executive director of fundraising and communications, firstname.lastname@example.org to ensure that no data subjects have added their details to any marketing preference databases including, but not limited to, the Telephone Preference Service, the Mail Preference Service, the Email Preference Service, and the Fax Preference Service. Such details should be checked at least once a year.
9.12 Only Users that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by Microtia UK.
9.13 All Users that have access to, and handle personal data on Microtia UK’s behalf, shall adhere to Microtia UK’s Data Protection Policy.
- Business Continuity
Microtia UK shall have in place adequate business resiliency/continuity and disaster recovery procedures designed to maintain any information and the supply of any service and/or recovery from foreseeable emergency situations or disasters.
- Email and Internet
Please refer to Microtia UK’s policy on Email and Internet usage in respect of email and internet use on the IT Systems.
Security awareness training for Users shall be provided by the IT Department. Training will be provided at different levels for different Users based on their role. Users may request retraining after two years from previous training.