Policy key definitions:
• “I”, “our”, “us”, or “we” refer to the business PHC Digital Ltd, 7 The Close, Norwich, Norfolk NR1 4DJ.
• GDPR means General Data Protection Act.
• ICO means Information Commissioner’s Office.
We are registered with the ICO under the Data Protection Register number: ZA337228
Overview
This document outlines high-level policy for Information Security across PHC Digital Ltd and all its staff members as well as expected minimum Information Security standards for 3rd party suppliers and contractors.
The person designated with day-to-day responsibility for Information Security is Pete Henshall who can be emailed on gdpr@phc-digital.com or contacted via mobile 07852 942082.
This document will be reviewed regularly in line with the GDPR review policy as outlined in the main GDPR Data Protection Policy document available on our website.
We maintain an audit of hardware and software used by PHC Digital Ltd staff and regularly update it so we are always aware of which assets need to be tracked.
Staff Training
All staff are trained in the basics of Information Security, including best practices in handling personal information, during induction or shortly thereafter. This training includes all the sections in this document as well as the day-to-day email threats of phishing and unknown attachments.
Accounts for specific staff members
All staff members have logins to the IT infrastructure for their use only and these accounts provide the minimum level of access that is required to efficiently do their jobs. When staff members leave the business user accounts are immediately annexed.
Password Reset Policy
We encourage our staff members to reset access credentials at regular intervals and to use secure passwords containing where possible, containing: at least upper case, lower case, numbers and punctuation.
Encryption as Standard
We adopt a policy of encryption as standard at PHC Digital Ltd for all data both when being stored and when being transferred across the internet. We aim to encrypt everything with 256bit-AES encryption, only falling back to 128bit security where software will not allow it. We will always encrypt personal data before sending it between data processors.
All staff computers, laptops and external media (USB drives etc) are BitLocker encrypted with a secure password. We expect the same standard from any 3rd party suppliers. In the event of any device being stolen or mislaid no one can gain access to the device without secure passwords, there-by leaving the data on the device still secure.
Network Security
All infrastructure maintained by PHC Digital is secured by robust hardware or software firewalls with end client machines only having minimal access from the Internet as is required by business processes. Network devices are regularly updated, automatically where possible, to ensure that they stay up to date.
Physical Security
Physical security to the PHC Digital Ltd office is through a locked door and the building has extra layers of security lighting. We do not allow any access for customers/suppliers onto the site and hold all meetings away from the location that hardware and network devices are stored.
Paper based records are stored in a filing system, away from the physical entrance, in an area with no public access.
Access Controls
Access to hardware and physical access is on a “need-to-have” basis and only by authorised and trained staff.
Up-to-date software, patches and secure configurations
By default, all software and hardware used by PHC Digital Ltd and its staff is configured for security first including, where possible, automatic updates. Any software or hardware patches that are not able to be automatically applied should be assessed upon release for urgency and subsequently applied relating to the urgency of the patch and resource available.
Email and Internet Use
Email and Internet use is intended for work purposes only, although we do allow a level of personal use during lunch break and outside of working hours. Staff laptops are protected by world-class leading Internet Security software ESET Internet Security which is enabled in maximal protection mode.
Data Storage and Backup Systems
All data is stored on encrypted drives on staff PC’s and is also backed up to encrypted drives, as well as being backed up on a UK based provider in the Cloud for offsite backups.
Working away from the office and Mobile Systems
We permit our staff to work away from the office but reaffirm that the location should be secure and safe and that unprotected Wi-Fi networks should not be used for transferring personal data, even if encrypted.
Our staff use mobile telephones frequently for work and these are encrypted and protected by PIN access.
Backup Systems
We use onsite and offsite backup technology for staff laptops to ensure a high-quality level of redundancy. Backups are regularly random-sample tested to ensure that in the event of a disaster data should be able to be restored adequately.
Anti-Virus/Malware
We utilise world class leading ESET Internet Security software on all staff machines as well as a variety of Linux server software intrusion detection and prevention systems.
Hosted Linux Server Specific Protection
We host many Linux servers for our customers and protect these through proactive intrusion detection and prevention systems as well as reactive rootkit scanning software. Most servers (where possible) have automatic updating enabled to keep the server’s security up to date.
All server data is backed up remotely on a different service so that in the event of a server failure we can restore data securely and in a timely manner.
Security and Breach/Incident Management
Our staff are trained to look for the signs of any data breaches. In the case of a suspected breach staff will email gdpr@phc-digital.com with any details upon which point internal investigation will take place and then the processes and procedures outlined in the “GDPR Processes and Procedures” internal document will be followed, including notifying Data Controllers and the ICO where appropriate as soon as is viable.
3rd Party contractors and suppliers
We have written contracts with 3rd-party contractors and suppliers and as part of that they are expected, as a minimum, to adhere to the standards in this document as well as the standards outlined in the GDPR itself.
Data retention and Disposal
We only retain data as long as it is needed, usually inline with our HMRC responsibilities as a Ltd company, which are currently 7 years. After this time, we will hard delete all personal and project data.
We dispose of any paper-based records by using appropriate shredding and ensure any disks or other media is fully destroyed by incineration.
User Auditing and Logging
Where possible we log the actions of the users as the system activity on their computers. We also keep logs of possible firewall intrusions and attacks which can be reviewed regularly.
— End of Document