IT Security Policy
Rambert Grades has an obligation to its staff and customers to clearly define requirements for the use of its information technology (IT) facilities and its information systems (IS). This is so that users of IT/IS facilities do not unintentionally place themselves, or Rambert Grades, at risk of prosecution by carrying out computer-related activities outside the law.
1. Purpose and Scope
Information plays a major role in supporting the organisation's administrative activities. The purpose of The Policy is to provide a framework for protecting:
Rambert Grades' IT/IS infrastructure;
key data and information;
those who have access to or who administer IT/IS facilities;
individuals who process or handle key data and information.
The Policy is designed to provide protection from internal and external security threats, whether deliberate or accidental, by:
defining Rambert Grades' policy for the protection of the Confidentiality, Integrity and Availability of its key data and information;
establishing responsibilities for information security;
2. Objective
Confidentiality - knowing that key data and information can be accessed only by those authorised to do so.
Integrity - knowing that key data and information are accurate and up to date, and have not been deliberately or inadvertently modified from a previously approved version.
Availability - knowing that the key data and information can always be accessed.
Rambert Grades is committed to protecting its customers (Candidates and Teachers), its staff (employees, Creative Team and Examiners) and its key data and information, and to deploying controls that minimise the impact of any Security Incidents.
3. Applicability
The Policy applies to the following categories, referred to hereafter as 'subjects':
all full-time, part-time and temporary staff employed by, or working for or on behalf of, Rambert Grades;
contractors and consultants working for or on behalf of Rambert Grades;
all other individuals and groups who have been granted access to the company's systems and/or key data and information.
The Head of Operations is ultimately responsible for ensuring that The Policy is implemented, and it is the personal responsibility of each person to whom The Policy applies to adhere to its requirements.
4. Organisational Security
Ownership and Maintenance of the Policy
The policy will be updated and reviewed by the Head of Operations, who will report to the CEO.
5. Security of Third Party Access
Access to Rambert Grades' information processing facilities by third parties will only be permitted to the subcontracted IT Support Provider. In agreeing to a contract of employment, the IT Provider will agree to adhere to the terms of this policy and its related documentation.
6. Assets
Inventories of information assets, including hardware and software, will be maintained by the designated staff member and overseen by the Head of Operations.
7. Personnel security
Controls will be deployed to reduce the risks of human error, theft, fraud, nuisance or malicious misuse of facilities.
8. Personnel Screening Policy
Steps will be taken to minimise the likelihood of personnel who pose a security risk being employed in posts involving key data and information, such as those concerned with financial or personnel-related data. This will usually be determined through the appointment process, including references, and through an enhanced DBS Check.
9. Confidentiality Undertaking
All members of staff are reminded of their obligation to protect confidential information in accordance with Rambert Grades' standard terms and conditions of employment.
10. Reporting Security Incidents
All actual and suspected security incidents are to be reported to the Head of Operations.
11. Physical and environmental security
Controls will be implemented as appropriate to prevent unauthorised access to, interference with, or damage to, information assets.
12. Physical Security
Computer systems and networks will be protected by suitable physical and technical security controls.
File servers and machines that hold or process high criticality, high sensitivity or high availability data will be located in physically secured areas.
Access to facilities that hold or process high criticality, high sensitivity or high availability data will be controlled.
13. Communications and operations management
Documented Operating Procedures
Sensitive documentation will be held securely and access restricted to staff on a need to know basis.
Segregation of Duties
Access to critical systems and key data and information will only be granted on a need to know basis.
Permanent and full access to live operating environments will be restricted to staff on role-based requirements.
Controls against Malicious Software
Controls will be implemented to check for malicious or fraudulent code being introduced to critical systems. This will be provided by the external IT Support Company.
Virus Protection
Appropriate software will be installed and managed to prevent the introduction and transmission of computer viruses both within and from outside Rambert Grades. This will be the responsibility of the external IT support provider.
Housekeeping
Data Storage
Data on critical systems will be backed up on a daily basis. This service will be provided by the external IT support provider. The provider will be required to present Rambert Grades with a copy of their backup procedures and also to clarify arrangements for reinstalling backups in the event of server loss.
Network Management
Controls will be implemented to achieve, maintain and control access to computer networks, including wireless LANs. The SSID for the wireless network must remain hidden and staff should be made aware that the network information must not be shared.
Control of and access to the Network are granted to the external IT provider; however, that provider must agree to provide written confirmation of their in-house security protocols to prevent unlawful access to the Rambert Grades Network.
Disposal of Equipment
Removable magnetic and optical media containing key data will be reused or disposed of through controlled and secure means when no longer required.
Procedures will be made to ensure the secure disposal of disk drives and disk packs containing key data when these become defunct or unserviceable.
Redundant computer equipment will be disposed of in accordance with the Waste Electrical and Electronic Equipment (WEEE) Regulations and through secure and auditable means.
Exchanges of Information and Software
Software Usage and Control
Software will be used, managed and controlled in accordance with legislative requirements.
All major software upgrades will be appropriately controlled and tested through a managed process before live implementation. Where appropriate, this will be undertaken by the External IT Support provider.
Access control
Access to key data and information will be appropriately controlled.
User Responsibilities
Subjects who use Rambert Grades' computer systems and/or networks must do so in accordance with the acceptable usage policy.
Requirements for Systems Access
Remote Access
Controls will be implemented to manage and control remote access to key data.
Privilege Management
The allocation and use of system privileges on each computer platform shall be restricted and controlled by the Rambert Grades IT Support, upon confirmation from the CEO.
Passwords
The allocation and management of passwords shall be controlled by the Rambert Grades IT Support. Users are required to follow good security practices in the selection, use and management of their passwords and to keep them confidential.
Unattended User Equipment
Users of IT facilities are responsible for safeguarding key data by ensuring that desktop machines are not left logged-on when unattended, and that portable equipment in their custody is not exposed to opportunistic theft.
Password protected automatic log-out mechanisms are to be used on office-based systems to prevent individual accounts being used by persons other than the account holders.
Monitoring System Access and Use
Access to and use of critical systems will be monitored for staff. Reviewing the information will be the responsibility of the Head of Operations working with the External IT provider and Rambert Grades IT Support.
Business continuity management
Controls will be implemented to counteract disruptions to Rambert Grades' information processing facilities and to protect critical systems from the effects of major failures and disruption.
Data Storage
Key data will be held on a network resource so that it is backed up through a routine managed process. Where this is not possible, provision must be made for regular and frequent backups to be taken. At Rambert Grades, backups are contracted out to the External IT support provider, who will ensure procedures are in place to restore systems in the event of a system failure.
Backup Media
A controlled and fully auditable process for the handling, transportation, storage and retrieval of backup media containing key data will be implemented by the External IT support provider.
Compliance
Controls will be implemented to avoid contravention of legislation, regulatory and contractual obligations and security policy.
Review of Security Policy
The Policy will be subject to review annually, and in the event of any major change in circumstances, to ensure that its controls remain effective.
Compliance with Security Policy
Compliance with The Policy is mandatory. Failure to comply with policy requirements will be viewed as a breach of security. Any such event may be the subject of investigation and possible further action in accordance with Rambert Grades' procedures.
Version Number: 2
Date Created: March 2020
Date Reviewed: November 2023
Next review date: June 2024