Cyber Security Policy

Introduction

The purpose of this policy page is to document the threats posed to our business by cyber criminals, to describe in broad terms how our business can be protected from such threats and who is responsible for ensuring that protection is in place.


Threats

Common threats faced by businesses to their information infrastructure and the data it houses are:

  1. Disgruntled staff/former staff members
  2. Amateur hackers
  3. Criminal hackers and saboteurs
  4. Burglars and vandals
The dangerous outcomes of these threats are: the privacy of individuals being compromised, fraud committed against them or in their name, and/or market manipulation where the stolen data concerns market-sensitive information.


What we are protecting

Hardware

The company network is made up of several pieces of equipment that are necessary for the business to operate. Access to this equipment must be secured so that the data passing through it is not stolen or corrupted, which would prevent its successful use.


Information

The business holds data that is market sensitive and data that is sensitive to individuals' privacy. Access to this data must be restricted to only those who require it.


Common Vulnerabilities

Each entry below gives the vulnerability, an example of how it is exploited, and the risk mitigation the company has in place.

Vulnerability: Hardware with known security vulnerabilities
  Example: Internet-enabled medical devices with vulnerabilities have been used by unauthorised persons to access medical data on a network.
  Risk mitigation: Firmware on all network devices should be kept up to date, and visitors with devices should be restricted from network access.

Vulnerability: Operating systems with known security vulnerabilities
  Example: Operating system manufacturers regularly identify potential security vulnerabilities in their software and issue updates to prevent these from being exploited.
  Risk mitigation: Regular installation of the latest updates.

Vulnerability: Irresponsible use of email or the internet
  Example: A user downloads and opens an email attachment that is in fact a virus.
  Risk mitigation: The responsibilities of users of the company network are described in detail in the telephone, email and internet policy document. Staff are reminded of their responsibilities regularly, and all user machines have the necessary software to protect against such threats. Visitors have restricted internet access and no access to the internal network. All email is scanned for possible threats via a third party.

Vulnerability: Deliberate attack on the data held by the system by a disgruntled employee
  Example: An employee with the necessary access deletes or changes sensitive data using company software that interacts with it.
  Risk mitigation: Such information is encrypted to the necessary industry standards, and access is restricted to those who need it in accordance with the Data Protection Acts of 1998 and 2003. Data is protected from permanent loss or corruption by our backup strategy.

Vulnerability: Physical attack on the network by thieves or vandals
  Risk mitigation: Hardware is protected from theft and acts of vandalism by multiple layers of physical security. Duplicate key hardware is also in place and kept physically separate for additional security against other threats such as fire. User machines are also protected by some physical security, although they are less of a risk as they can be easily replaced if damaged or stolen and usually do not house sensitive data.

Vulnerability: Unmonitored remote workstations
  Example: A remote workstation has a virus which attempts to transmit itself to the network when connected.
  Risk mitigation: Remote access to the network is kept to a minimum. Those working remotely are responsible for the security of the remote machine, and data from such machines is monitored for malicious activity.

Vulnerability: Denial of service attack
  Example: An attack such as the one reported against Dyn.
  Risk mitigation: The risk of such an attack is low and the consequences of such an attack are negligible, but if it were to occur we could move our online services.

Policy Violation Procedure

Any staff member found in violation of this policy will be subject to the company's disciplinary procedures and, where in violation of the law, will be reported to the relevant authorities. Due to the varying severity of such violations, the action taken by the company will be judged on a case-by-case basis.


Security Incident handling procedure

As in all matters of security, while the company endeavours to do everything it can to prevent the attacks and outcomes described, the preventative measures are not always successful. In the case of a successful attack being perpetrated, the following steps will be taken in each case:


Incident: Data loss (deleted from the active system)
  Response: Data will be restored to the active system using one of our backups.

Incident: Data integrity breach
  Response: Data on the active system will be compared to backup data and overwritten with the backup data if a change is suspicious.

Incident: Data theft
  Response: In accordance with advice from the ICO (Information Commissioner's Office) in their document 'Guidance on data security breach management', individuals and organisations affected by theft of company data will be informed as soon as possible, with advice on what they should do to protect themselves from the stolen data being used against them.

Incident: Virus / malware detection
  Response: Attempts will be made to establish what the virus/malware is, what it is doing and where it came from before it is removed.

Incident: Physical theft/damage
  Response: Equipment will be replaced as soon as possible to prevent disruption to the operation of the business.

In any case of a breach of security, the root cause will be found and steps put in place to prevent the same kind of breach happening again.