IT Security Policy

Last Updated: 28th May 2019


1.     Introduction

The security and integrity of our IT Systems (as defined below) is a priority for Travel Curious Ltd (“TCL”, “we/us/our”).  All our employees together with any authorised third parties, including without limitation, sub-contractors, consultants and contractors (together “Users”) are required to comply with this Policy, which is effective from the date above, but subject to being updated from time to time.

This policy outlines the standards that Users must observe when using our IT Systems, the circumstances in which we monitor use, and the action we will take in respect of breaches of this Policy.

Misuse of our IT Systems can damage the business and our reputation. Breach of this Policy will be taken seriously and could lead to disciplinary action, including for gross misconduct, potentially leading to summary dismissal or further legal action.

2.     Intended purpose

The purpose of this Policy is to establish a framework for managing risks and protecting our IT infrastructure, computing environment, hardware, software and other relevant equipment (“IT Systems”) against all types of threats, internal or external, intentional or unintentional.

Our key principle is to protect our IT Systems from unauthorised access and use and this is to be achieved through managing the three essential attributes of information security: Confidentiality, Integrity and Availability, which are the vital building blocks that enable us to safeguard information and data stored within our IT Systems.

This Policy should be read in conjunction with our Data Protection Policy and Data Breach Policy.

3.     Stakeholder Responsibilities

3.1.   Our IT Department shall be responsible for carrying out the installation, ongoing maintenance, upgrades and repairs of our IT Systems and for ensuring the security and integrity of those IT Systems, either directly or via an authorised third party.

3.2.   In furtherance of section 3.1 above, the IT Department shall be responsible for:

3.2.1.     investigating any security breaches and / or misconduct, and shall escalate to the CEO as appropriate, in accordance with our Data Breach Policy;

3.2.2.     regularly reviewing our IT security standards and ensuring the effective implementation of such standards, by way of periodic audits and risk assessments, with regular reports being made to senior management who shall be responsible for information security and general compliance with this Policy;

3.2.3.     ensuring organisational management and dedicated staff are responsible for the development, implementation and maintenance of this Policy;

3.2.4.     providing assistance as necessary to Users to help them in their understanding and compliance with this Policy, as well as keeping all Users aware and up to date on applicable law such as the Computer Misuse Act 1990;

3.2.5.     providing adequate data protection training and support in relation to IT security matters and use of the IT Systems, to all Users, for use of personal data in accordance with our Data Protection Policy;

3.2.6.     ensuring that the access to IT Systems granted to all Users takes into account their job role, responsibilities and any additional security requirements, so that only necessary access is granted for each User;

3.2.7.     dealing with all reports, whether from Users or otherwise, relating to IT security matters and carrying out a suitable response for the situation;

3.2.8.     implementing appropriate password controls, as further detailed in section 6;

3.2.9.     maintaining a complete list of all hardware items within the IT Systems.  All such hardware shall be labelled and the corresponding data shall be kept by the IT Department; and

3.2.10.  ensuring that weekly backups of all data stored within the IT Systems are taken, and that all such backups are stored off premises at a suitably secure location.

3.3.   The Users shall be responsible for:

3.3.1.     informing the CTO immediately of any actual or potential security breaches or concerns relating to the IT Systems;

3.3.2.     informing the CTO immediately in respect of any technical or functional errors experienced relating to the IT Systems; and

3.3.3.     complying with this Policy, BYOD policy and all laws applicable to the Users relating to their use of the IT Systems and/or their own devices when accessing data held within the IT Systems.

3.4.   Users must not attempt to resolve an IT security breach on their own without consulting the CTO first.

3.5.   Managers have a specific responsibility to ensure the fair application of this Policy and all members of staff are responsible for supporting colleagues and ensuring its success.

4.     Technical and organisational data security measures

The following technical measures are in place to protect the security of personal data, in addition to the further security measures outlined in the sections below:

4.1.        All emails containing personal data must be encrypted;

4.2.        All emails containing personal data must be marked “confidential”;

4.3.        Personal data may only be transmitted over secure networks;

4.4.        Personal data may not be transmitted over a wireless network if there is a reasonable wired alternative;

4.5.        Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself and associated temporary files should be deleted;

4.6.        No personal data may be shared informally and if access is required to any personal data, such access should be formally requested from the Managing Director;

4.7.        All hardcopies of personal data, along with any electronic copies stored on physical media should be stored securely;

4.8.        No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of us or not, without authorisation;

4.9.        Personal data may only be transferred to devices belonging to employees, agents, contractors, or other parties working on behalf of us where the party in question has agreed to comply fully with our Data Protection Policy and the GDPR;

4.10.     Network and database activity will be monitored for any possible security breach including intrusion;

4.11.     All electronic copies of personal data should be stored securely using passwords and encryption; and

4.12.     All passwords used to protect personal data should be changed regularly and must be secure.

5.     Access to IT Systems

5.1.   There shall be logical access controls designed to manage electronic access to data and IT System functionality based on authority levels and job functions (e.g. granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all Users, periodic review, and revoking / changing access promptly when employment terminates or changes in job functions occur).

5.2.   All IT Systems shall only be accessible by a secure log-in system as deemed suitable by the IT Department. Such suitable systems may include, without limitation, secure passwords, fingerprint identification and facial recognition.

5.3.   The IT Department shall conduct regular system audits or event logging and related monitoring procedures to proactively record User access and activity on the IT Systems for routine review.

5.4.   IT Systems that are not intended to be part of everyday use by most Users (including without limitation, servers, networking equipment and infrastructure) and any other areas where personal data may be stored (e.g. data centre or server room facilities) shall be designed to:

  • protect information and physical assets from unauthorised physical access;

  • manage, monitor and log movement of persons into and out of the relevant facilities; and

  • guard against environmental hazards such as heat, fire and water damage.

5.5.   All IT Systems (and in particular mobile devices including, but not limited to, laptops, netbooks, tablets, PDAs and mobile telephones) shall be protected with a secure password or such other form of secure log-in system as the IT Department may deem appropriate. Such alternative forms of secure log-in may include fingerprint identification and facial recognition.

6.     Passwords and Access Security

6.1.   The IT Department shall implement password controls designed to manage and control password strength, expiration and usage, including prohibiting Users from sharing passwords and requiring that passwords assigned to Users:

  • be at least 8 characters in length;

  • not be stored in readable format on our IT Systems;

  • be changed every 3 months;

  • have defined complexity;

  • be subject to a history threshold to prevent reuse of recent passwords; and

  • where newly issued, be changed after first use.

6.2.   Users must keep their passwords confidential and must not share them with anyone else.

6.3.   If a User forgets their password, this should be reported to the IT Department.  The IT Department will take the necessary steps to restore the User’s access to the IT Systems which may include the issuing of a temporary password which may be fully or partially known to the member of the IT Staff responsible for resolving the issue.  A new password must be set up by the User immediately upon the restoration of access to the IT Systems.

6.4.   Users may not use any software which may allow outside parties to access the IT Systems without the express consent of the IT Manager.  Any such software must be reasonably required by the User for the performance of their job role and must be fully inspected and cleared by the IT Manager.

6.5.   Users may connect their own devices (including, but not limited to, mobile telephones, tablets and laptops) to our network subject to the approval of the IT Department and our BYOD Policy.  Any and all instructions and requirements provided by the IT Department governing the use of Users’ own devices when connected to our network must be followed at all times.  Users’ use of their own devices shall be subject to, and governed by, all relevant company policies (including, but not limited to, this Policy) while those devices are connected to the network or to any other part of the IT Systems.  The IT Department reserves the right to request the immediate disconnection of any such devices without notice.

7.     Hardware

7.1.   All mobile devices (including, without limitation, laptops, tablets and mobile telephones) should be kept securely by Users. Users should not leave such mobile devices unattended other than at their homes or at our premises.

7.2.   All non-mobile devices which are used for business purposes (including, without limitation, desktop computers, workstations and monitors) shall, wherever possible and practical, be secured in place with a suitable locking mechanism.

7.3.   No Users shall have access to any IT Systems not intended for normal use by Users (including such devices mentioned above) without the express permission of the IT Manager.  Under normal circumstances whenever a problem with such IT Systems is identified by a User, that problem must be reported to the IT Department.  Under no circumstances should a User attempt to rectify any such problems without the express permission (and, in most cases, instruction and/or supervision) of the IT Manager.

7.4.   The IT Department shall maintain a complete asset register of all IT Systems.  All IT Systems shall be labelled and the corresponding data shall be kept on the asset register.

8.     Software

8.1.   All software installation on to the IT Systems shall be the responsibility of the IT Department.  Users are not permitted to install any software on to the IT Systems unless expressly approved in writing by the IT Department.

8.2.   All software installed on to the IT Systems shall be kept sufficiently up to date in order to ensure that the security and integrity of the IT Systems is not compromised.

9.     Vulnerability Assessment and Anti-Virus

9.1.   The IT Department shall carry out regular vulnerability assessments, and utilise patch management, threat protection technologies and scheduled monitoring to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.

9.2.   Users shall use an up to date reputable anti-virus software tool to regularly check their computer and to scan all downloads and email attachments before they are opened.

9.3.   Any files being sent to third parties outside of us, whether by email, on physical media or by other means (e.g. FTP or shared cloud storage) must be scanned for viruses before being sent or as part of the sending process, as appropriate.

9.4.   All storage media (e.g. USB memory sticks or removable disks of any kind) used by Users for transferring files must be company or personally owned and used exclusively for work. Connected devices must be virus-scanned before any files may be transferred.  Such virus scans shall be performed upon connection / insertion of media. Once transfer is complete the removable device shall be formatted.

9.5.   The IT Department shall implement network security controls that provide for the use of enterprise firewalls, layered DMZ architectures, intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.

9.6.   Where any virus is detected by a User this must be reported immediately to the CTO (this rule shall apply even where the anti-virus software automatically fixes the problem).  The IT Department shall promptly take any and all necessary action to remedy the problem.  In limited circumstances this may involve the temporary removal of the affected computer or device. Wherever possible a suitable replacement computer or device will be provided within the same day.

9.7.   Where any User deliberately introduces any malicious software or virus to the IT Systems this will constitute a criminal offence under the Computer Misuse Act 1990 and will be handled as appropriate under the Company’s disciplinary procedures.

10. Data Protection

10.1.        The collection, holding and processing of all personal data (as defined in the General Data Protection Regulation 2016 (“GDPR”)) by us will be carried out in compliance with (i) the GDPR and (ii) our Data Protection Policy.

10.2.        The IT Department shall ensure there are data security controls which include, at a minimum but not limited to, logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for personal data that is:

  • transmitted over public networks (e.g. the Internet) or transmitted wirelessly; or

  • at rest or stored on portable or removable media (e.g. laptop computers, CDs/DVDs, USB drives, back-up tapes).

10.3.        No personal data should be transferred to any unregistered device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on our behalf where the party in question has agreed to comply fully with the letter and spirit of this Policy and of GDPR (which may include demonstrating to us that all suitable technical and organisational measures have been taken).

10.4.        The IT Department shall ensure that operational procedures and controls are in place to provide for the secure disposal of any part of the IT Systems or any media, rendering all information or data contained therein undecipherable or unrecoverable prior to final disposal or release from our possession.

10.5.        Where any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of.  Hardcopies should be shredded, and electronic copies should be deleted securely using secure deletion software.

10.6.        The IT Department shall ensure appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (for example, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures).

10.7.        Users shall store all files in their personal Travel Curious G-Suite Drive, which is continuously backed-up and version controlled. Files containing personal details should not be stored outside the local G-Suite Drive folder.

10.8.        Where personal data held by us is used for marketing purposes, it shall be the responsibility of the Data Compliance Officer / Data Protection Officer to ensure that no data subjects have added their details to any marketing preference databases including, but not limited to, the Telephone 03Preference Service, the Mail Preference Service, the Email Preference Service, and the Fax Preference Service.  Such details should be checked at least annually.

10.9.        Only Users that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by us.

10.10.     All Users that have access to, and handle personal data on our behalf, shall adhere to our Data Protection Policy.

11. Business Continuity

We shall have in place adequate business resiliency / continuity and disaster recovery procedures designed to maintain the information we manage and the services we render following recovery from foreseeable emergency situations or disasters.

12. Training

Security awareness training for Users shall be provided by the IT Department. Training will be provided at different levels for different Users based on their role.

13. Reporting IT Security breaches

All concerns, questions, suspected breaches or known breaches shall be referred immediately to us. Under no circumstances should a User attempt to resolve an IT security breach on their own.  Users may only attempt to resolve IT security breaches under our instruction and with our express permission. All IT security breaches, whether remedied by us or by a User under our direction, shall be fully documented.

14. Implementation of this Policy

This Policy shall be deemed effective as of the date stated at the top of this Policy. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

15. References