Information Security Policy

Purpose

This information security policy (“Policy”) describes how data and systems will be secured by Think Information Technology Ltd (“Think IT”), also referred to as “us”, “we” and “our”.

This Policy includes:

  • our approach to information security; and
  • alignment of our approach to relevant legislation and regulatory requirements.

The objectives of this Policy are:

  • to clarify our commitment to information security in relation to Think IT staff, clients, suppliers and other third parties;
  • to set out relevant information security processes and practices that we adopt; and
  • to align our information security processes and practices with relevant legislation and regulatory requirements.

This Policy applies to:

  • all data and systems owned or operated by us in the course of our business;
  • all products and services developed and/or provided by us, to the extent that such products and services interface with the data and systems; and
  • all of our staff, to the extent that they interface with the data and systems.

It is intended for use by ourselves, our clients, our suppliers and other third parties with a legitimate interest in our information security processes.

Guidelines and Background Information

We need to store and use various data and systems in order to operate, including (i) to provide our services; (ii) to employ our staff; and (c) to adhere with applicable requirements.

We shall seek to achieve and to maintain a good standard of information security.

Information security is the process of ensuring that only authorised users have access to accurate and complete information, when access is required.

We shall seek to support our data protection activities with relevant review and assurance processes (e.g. Cyber Essentials).

Policies

We shall:

  • seek to ensure that we achieve and maintain a good standard of information security;
  • protect data and systems from loss or damage arising from failures in information security;
  • protect data and systems in accordance with relevant legislation and our own policies, specifically those covering information security and data protection;
  • seek to ensure that only authorised users have access to data and systems, to maintain their confidentiality;
  • seek to ensure that data and systems are maintained in an accurate and complete form, to maintain their integrity;
  • seek to ensure that data and systems are available when access is required, to maintain their availability;
  • seek to apply appropriate organisational and technological security measures to data and systems;
  • enforce compliance with this information security policy;
  • seek to:
    • make all of our staff and our users aware of relevant legislation and our own policies regarding information security;
    • ensure that all of our staff understand their individual and collective responsibility in maintaining information security within our organisation; and
    • provide for all staff appropriate training and other support to enable them to comply with this responsibility, and
  • seek to remain aware of risks to information security and respond accordingly.

Information Security

We shall employ suitable measures and controls to ensure an appropriate standard of information security.

Where available and appropriate, services shall be used (both for purchase and for supply) that are suitably assured (e.g. certified to ISO 27001).

We shall employ a range of technical measures, including but not limited to:

  • data encryption;
  • anti-virus and anti-malware software;
  • network security and monitoring; and
  • access management.

We shall employ a range of non-technical measures, including but not limited to:

  • physical security controls at premises;
  • IT procurement and configuration processes;
  • appropriate IT and security policies; andi
  • information security and data protection training for our staff.

Suppliers

We shall endeavour to ensure that all suppliers will either:

  • comply with this information security policy; or
  • otherwise demonstrate sufficient information security provisions as to be equivalent to those set out in this information security policy.

Legislation

The legislation below is applicable to information security and data protection:

  • Computer Misuse Act 1990;
  • Data Protection Act 2018;
  • Freedom of Information Act 2000 (“FOIA”);
  • General Data Protection Regulation (EU) 2016/679 (“GDPR”);
  • Investigatory Powers Act 2016;
  • Privacy and Electronic Communications Regulations 2003 (“PECR”);
  • Protection of Freedoms Act 2012;
  • Regulation of Investigatory Powers Act 2000; and
  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

The legislation below is applicable to broader principles of security and to acceptable use of data and systems:

  • Defamation Act 1996;
  • Obscene Publications Act 1959 and 1964;
  • Protection of Children Act 1978;
  • Terrorism Act 2006; and
  • Counter-Terrorism and Security Act 2015 (and accompanying “Prevent duty” statutory guidance).

Review

This Policy is subject to annual review.

Updated versions of this Policy shall be published following review.

This version of the Policy was updated on 14 April 2021.