1.1. Information that is collected, stored, analysed, communicated and reported upon is subject to possible misuse, loss, corruption and theft. To counter this our Organisation implements security measures and controls to protect information based on an assessment of the risk posed.
1.2. This assessment balances the likelihood of negative business impact versus the resources that are required to implement the controls (and indeed any unintended negative consequences of the controls).
2.1. This Policy establishes the essential minimum standards for information security that must be met by IE Engagement Limited.
2.2. Additionally, the purpose of this Policy is to also state the principles our Organisation will use to identify, assess and manage information risk, whilst aligning itself to the overall University of Reading risk management framework.
2.3. It permits entities to strengthen these security measures to suit their particular business requirements and the legal and regulatory obligations that apply to them, but mandates that they at least meet the security benchmarks set out herein.
3.1. Serving as a foundational document, this Policy provides direction for all other security policies and related standards. It outlines the obligation to:
3.2. Inadequate security measures leading to compromised confidentiality, integrity, and availability of information assets can severely disrupt critical infrastructure operations, financial and business activities, and crucial governmental functions; endanger data; and result in legal and regulatory penalties.
3.3. This Policy ensures protective measures are adequately implemented to guard the confidentiality, integrity, and availability of information.
3.4. It also ensures that employees, affiliates and business associates are aware of their responsibilities, possess sufficient understanding of security policies, procedures, and practices, and are informed on how to safeguard information.
4.1. This information security Policy applies to all systems, both automated and manual, over which the entity has administrative control.
4.2. This includes systems that are managed or hosted by third-party services on the entity's behalf.
4.3. It covers all types of information, in any form or format, that are produced or utilised in the course of conducting business activities.
INFORMATION SECURITY:
5.1. Effective information security necessitates the establishment of both an information risk management function and an information technology security function.
5.2. The structure of the Organisation will determine whether these roles are combined and undertaken by a single individual or group, or whether separate individuals or groups are allocated to each function. It is advised that a senior executive, or a team that includes senior executives, undertake these responsibilities.
5.3. Our Organisation has appointed a Chief Information Security Officer (CISO) to oversee risk management. This role entails assessing and providing advice on information security risks and ensuring that:
5.4. Decisions regarding information security risk must involve consultations with the functional areas mentioned above.
5.5. While the technical aspect of information security may be outsourced, the ultimate responsibility for the security of its information remains with the Organisation.
6.1. Executive Management is tasked with:
6.2. IT Management is tasked with:
6.3. The Chief Information Security Officer (CISO) is tasked with:
7.1. Implement separation of duties to lower misuse risks. If infeasible, apply alternative controls like activity monitoring and management oversight.
7.2. Security control audit and approval must stay separate from their implementation.
8.1. Assign all IT hardware and software to a specific business unit or person.
8.2. Keep a detailed automated inventory of all hardware and software assets, noting key details like network address, machine name, and software version.
8.3. Use regular scanning to detect unauthorised hardware/software and alert relevant personnel.
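The scanning requirement in 8.3 is only useful if scan output is reconciled against the inventory in 8.2 and the result is routed to the owner assigned under 8.1. The following is an added example, not part of the Policy, of that reconciliation: it compares a discovery scan with the authorised inventory and produces one alert per discrepancy. The inventory schema, host names, addresses, owners and version strings are all constructed for illustration.

```python
"""Reconcile a discovery scan against the authorised asset inventory (8.1-8.3).

Added example, not part of the Policy. The inventory schema, host names,
addresses, owners and version strings are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: str                                              # 8.1: assigned business unit or person
    software: Dict[str, str] = field(default_factory=dict)  # 8.2: name -> approved version


# Constructed authorised inventory (hypothetical hosts).
INVENTORY: Dict[str, Asset] = {
    a.hostname: a for a in (
        Asset("web-01", "10.0.1.10", "Platform Team", {"nginx": "1.24.0", "openssl": "3.0.13"}),
        Asset("db-01", "10.0.1.20", "Data Team", {"postgresql": "15.6"}),
        Asset("hr-laptop-07", "10.0.2.45", "HR", {"chrome": "124.0"}),
    )
}

# Constructed discovery-scan output: one record per host seen on the network.
SCAN: List[dict] = [
    {"hostname": "web-01", "ip": "10.0.1.10", "software": {"nginx": "1.24.0", "openssl": "3.0.11"}},
    {"hostname": "db-01", "ip": "10.0.1.30", "software": {"postgresql": "15.6", "redis": "7.2"}},
    {"hostname": "unknown-pi", "ip": "10.0.2.99", "software": {"sshd": "9.6"}},
]


def reconcile(inventory: Dict[str, Asset], scan: List[dict]) -> Dict[str, list]:
    """Compare what the scan saw with what the inventory says should exist."""
    findings = {"unauthorised_host": [], "missing_host": [], "address_changed": [],
                "unapproved_software": [], "version_drift": []}
    seen = {}
    for rec in scan:
        seen[rec["hostname"]] = rec
        asset = inventory.get(rec["hostname"])
        if asset is None:                                   # on the network, not in the inventory
            findings["unauthorised_host"].append((rec["hostname"], rec["ip"]))
            continue
        if rec["ip"] != asset.ip:                           # inventory detail is stale
            findings["address_changed"].append((asset.hostname, asset.ip, rec["ip"]))
        for name, version in rec["software"].items():
            approved = asset.software.get(name)
            if approved is None:                            # software never authorised for this host
                findings["unapproved_software"].append((asset.hostname, name, version))
            elif version != approved:                       # authorised package, wrong version
                findings["version_drift"].append((asset.hostname, name, approved, version))
    for hostname in inventory:
        if hostname not in seen:                            # inventoried but not observed
            findings["missing_host"].append(hostname)
    return findings


def alerts(inventory: Dict[str, Asset], findings: Dict[str, list]) -> List[str]:
    """8.3: route each finding to the responsible party; unknown hosts go to the CISO."""
    out = []
    for host, ip in findings["unauthorised_host"]:
        out.append(f"CISO: unauthorised host {host} at {ip}")
    for host in findings["missing_host"]:
        out.append(f"{inventory[host].owner}: inventoried host {host} not seen in scan")
    for host, old, new in findings["address_changed"]:
        out.append(f"{inventory[host].owner}: {host} moved from {old} to {new}")
    for host, name, version in findings["unapproved_software"]:
        out.append(f"{inventory[host].owner}: {host} runs unapproved software {name} {version}")
    for host, name, approved, observed in findings["version_drift"]:
        out.append(f"{inventory[host].owner}: {host} {name} is {observed}, approved {approved}")
    return out


if __name__ == "__main__":
    for line in alerts(INVENTORY, reconcile(INVENTORY, SCAN)):
        print(line)
```

A host that is inventoried but absent from the scan is reported as well as an unknown one: a missing host may simply be powered off, but it may also have been removed or re-addressed without the inventory being updated, which is exactly the condition 8.2 exists to prevent.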
9.1. Organisations must establish an incident response plan with consistent standards for effective security incident response.
9.2. Any detected or suspected security incidents or vulnerabilities must be promptly reported to the relevant supervisor / upper management and CISO as the designated security representative. Employees concerned about unaddressed cyber security issues can confidentially reach out to the Security Operations Centre.
9.3. The Security Operations Centre should be alerted to any cyber incidents with potential significant operational or security impacts, or those requiring digital forensics, to ensure appropriate response coordination and oversight.
10.1. Each account needs a designated individual or group for its management, potentially involving both the business unit and IT.
10.2. Access requires unique user-IDs, unless specified otherwise in the Account Management/Access Control Standard.
10.3. User-IDs must have an authentication method (e.g., password, biometric) for verifying identity.
10.4. Systems must lock after a defined period of inactivity, display only neutral information (e.g., a screen saver) while locked, and require re-authentication to resume.
10.5. Sessions must end automatically under defined conditions as per the standard.
10.6. Authentication tokens should be confidential and securely protected.
10.7. Where authentication tokens are stored at all, they must be stored using approved methods only (e.g., a password vault).
10.8. Information owners decide on access and privileges for their resources.
10.9. Access is based on job needs, adhering to the principle of least privilege.
10.10. Privileged account users must have a separate account for general business activities.
10.11. Systems should display a logon banner stating that use is subject to this Policy and may be monitored.
10.12. Remote access requires prior approval, risk assessment, and documented controls.
10.13. Remote connections should occur through managed entry points as per ISO/security guidance.
10.14. Remote work needs management authorisation and secure data handling training.
11.1. Systems must undergo vulnerability scans before production deployment and regularly after.
11.2. Penetration testing is mandatory for all systems.
11.3. Critical systems must additionally be penetration tested periodically.
11.4. Vulnerability scans and penetration tests of outsourced systems must be coordinated with the third party that operates them.
11.5. Contracts with third parties must include scan/test and mitigation obligations.
11.6. Scan/test results are to be promptly reviewed by the system owner and shared with the CISO as the designated security representative for risk assessment.
11.7. Discovered vulnerabilities must be promptly addressed through actions like patching, with a documented action and milestones plan for mitigation.
11.8. Only authorised individuals can conduct scans/tests, with prior notification to the CISO as the designated security representative. Unauthorised attempts are prohibited.
11.9. Authorised testers must adhere to a formal, tested process to avoid disruption.
INFORMATION RISK MANAGEMENT:
12.1. Risks are assessed by considering the likelihood of occurrence and the impact a breach of data confidentiality, integrity and/or availability would have if it did occur.
12.2. Risk assessments shall be completed with appropriate/relevant understanding of and access to:
12.3. A risk assessment must be completed (at least) for the following:
13.1. The Organisation shall consider all high and critical threats that apply to a system whether deliberate or accidental.
13.2. Threat information shall be obtained from asset owners, users, incident reviewing, contacts across the sector and region, security consultancies, and local and national law enforcement agencies and security services.
14.1. The Organisation shall consider all high and critical vulnerabilities that apply to a system.
14.2. Vulnerability information shall be obtained from internal sources (e.g. IT personnel, vulnerability scans etc.), technology providers, contacts across the sector and region, security consultancies, and local and national law enforcement agencies and security services.
15.1. The Impact x Likelihood risk score shall form the basis of the risk register. Each risk shall be assigned an owner, a review date and the risk treatment option(s) applied.
15.2. The risk register shall be restricted to those with a need to know.
16.1. The treatment option will fall into one or more of the following categories:
16.2. Risk avoidance (terminate) – There is no cost-effective action to reduce risk. Deciding not to proceed with activities that introduce unacceptable risk to the University.
16.3. Risk sharing (transfer) – Shifting part of the risk to other organisations. Common techniques include insurance and outsourcing.
16.4. Risk modification (treat) – Information risks are reduced to an acceptable level by introducing, removing or altering controls.
16.5. Risk retention (tolerate) – No additional action is required other than what is already in place.
16.6. Risk treatment options shall be selected based on the outcome of the risk assessment, and the expected cost/benefit of implementing the options.
16.7. The four options for risk treatment are not mutually exclusive. In some cases, the Organisation may benefit by using a combination of options such as reducing the likelihood of risks, reducing their consequences, and sharing or retaining any residual risks.
17.1. Once the risk treatment plan has been defined, residual risk/s need to be determined. This involves an update of the risk assessment, taking into account the expected effects of the proposed risk treatment.
17.2. If the residual risk still does not fall within the Organisation’s acceptable risk criteria, a further iteration of risk treatment may be necessary before proceeding to documented formal sign off via risk acceptance.
18.1. In some cases, it may be necessary to accept risk despite it falling outside of normal acceptable risk parameters.
18.2. This may be necessary because (for example) the benefits accompanying the risks are very attractive, the cost of risk modification is too high, or because appropriate risk treatment cannot be applied within timeframes defined in Policy.
18.3. In such cases, the risk owner (e.g. information asset owner, system owner etc.) must complete a risk acceptance form that explicitly states the risk/s and includes a justification for the decision to override normal acceptable risk criteria.
18.4. Risk acceptance forms shall be reviewed and signed off by a member of the Organisation Directorate or an appropriate equivalent.
18.5. Deviation from any information security/cyber security Policy shall require risk acceptance.
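Sections 15 to 18 describe a small but exact procedure: score each risk as Impact x Likelihood, record owner, review date and treatment, re-score for residual risk once the expected effect of treatment is known, and require a signed acceptance form whenever the residual risk still exceeds the acceptable criteria. The following is an added example, not part of the Policy, that carries that procedure through in code. The 1 to 5 scales, the rating bands, the acceptable-score threshold of 8, the 90-day review interval and the sample risks are all assumptions chosen for illustration; the Organisation's own criteria would replace them.

```python
"""Risk register: Impact x Likelihood scoring, treatment, residual risk and
the risk-acceptance trigger (Policy sections 15-18).

Added example, not part of the Policy. The 1-5 scales, rating bands, the
acceptable-risk threshold, the review interval and the sample risks are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional, Tuple

SCALE = range(1, 6)                      # assumed: 1 (lowest) .. 5 (highest) for impact and likelihood
ACCEPTABLE_SCORE = 8                     # assumed acceptable-risk criterion (17.2)
TREATMENTS = {"terminate", "transfer", "treat", "tolerate"}   # 16.2-16.5


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    owner: str                           # 15.1: every risk has an owner
    impact: int
    likelihood: int
    treatments: Tuple[str, ...] = ()
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None
    review_date: Optional[date] = None


def score(impact: int, likelihood: int) -> int:
    """12.1 / 15.1: the Impact x Likelihood score, on the assumed 1-5 scales."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be on the 1-5 scale")
    return impact * likelihood


def rating(s: int) -> str:
    """Assumed bands on the 1..25 product; used to pick out 'high and critical' (13.1, 14.1)."""
    if s >= 16:
        return "critical"
    if s >= 10:
        return "high"
    if s >= 5:
        return "medium"
    return "low"


def treat(risk: Risk, treatments, expected_impact: int, expected_likelihood: int,
          today: Optional[date] = None, review_in_days: int = 90) -> Risk:
    """Record the chosen option(s) (16.1-16.7) and the expected residual risk (17.1)."""
    unknown = set(treatments) - TREATMENTS
    if unknown:
        raise ValueError(f"unknown treatment option(s): {sorted(unknown)}")
    if expected_impact > risk.impact or expected_likelihood > risk.likelihood:
        raise ValueError("treatment must not increase impact or likelihood")
    score(expected_impact, expected_likelihood)          # validates the residual values
    today = today or date.today()
    return replace(risk, treatments=tuple(treatments),
                   residual_impact=expected_impact,
                   residual_likelihood=expected_likelihood,
                   review_date=today + timedelta(days=review_in_days))


def residual_score(risk: Risk) -> int:
    """Untreated risks carry their inherent score as the residual."""
    if risk.residual_impact is None or risk.residual_likelihood is None:
        return score(risk.impact, risk.likelihood)
    return score(risk.residual_impact, risk.residual_likelihood)


def needs_acceptance(risk: Risk) -> bool:
    """17.2 / 18.1: residual risk outside the acceptable criteria needs formal acceptance."""
    return residual_score(risk) > ACCEPTABLE_SCORE


def acceptance_form(risk: Risk, justification: str, signed_by: str) -> dict:
    """18.3 / 18.4: explicit statement of the risk, a justification and Directorate sign-off."""
    if not needs_acceptance(risk):
        raise ValueError(f"{risk.risk_id} is within acceptable criteria; no acceptance needed")
    if not justification.strip():
        raise ValueError("risk acceptance requires a written justification")
    return {"risk_id": risk.risk_id, "owner": risk.owner,
            "inherent_score": score(risk.impact, risk.likelihood),
            "residual_score": residual_score(risk), "rating": rating(residual_score(risk)),
            "treatments": list(risk.treatments), "justification": justification,
            "signed_by": signed_by, "review_date": risk.review_date}


if __name__ == "__main__":
    # Constructed sample risks.
    r1 = Risk("R-1", "Internet-facing web server missing patches", "Platform Team", 4, 4)
    r1 = treat(r1, ("treat",), expected_impact=4, expected_likelihood=2)
    r2 = Risk("R-2", "Legacy application cannot be patched", "Application Owner", 5, 3)
    r2 = treat(r2, ("transfer", "tolerate"), expected_impact=4, expected_likelihood=3)
    for r in (r1, r2):
        print(r.risk_id, rating(score(r.impact, r.likelihood)), "->", residual_score(r),
              "acceptance required" if needs_acceptance(r) else "within criteria")
```

Two points the code makes explicit that the prose leaves implicit: a treatment may not raise either factor (a "transfer" that somehow increased impact would be a new risk, not a treatment), and the acceptance form captures both the inherent and the residual score, so the signatory sees what the treatment was expected to achieve as well as what remains.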
19.1. This Policy becomes active immediately upon publication. All members are required to adhere to the established enterprise policies and standards.
19.2. These policies and standards are subject to change at any time, and adherence to any revised policies and standards is also required.
19.3. Should adherence to this Policy be impractical or technically unattainable, or if a departure from this Policy is required to facilitate a business function, entities must seek approval for an exception via the Chief Information Security Officer's exception procedure.
20.1. Submit all inquiries and requests for future enhancements to the Legal Compliance Department which is this Policy owner at: legal@ieengagement.co.uk.
Reviewed & Approved: 11/2024