Security Policy

1. Purpose

  • This policy provides a framework for the management of information security throughout eCareersGrad. It applies to:
    • All those with access to our information systems, including staff, visitors and contractors
    • Any systems attached to our computer or telephone networks and any systems supplied by us
    • All information (data) processed by us pursuant to our operational activities, regardless of whether it is processed electronically or in paper (hard copy) form, any communications sent to or from us and any information (data) held on systems external to our network
    • All external parties that provide services to us in respect of information processing facilities and business activities
    • Principal information assets including the physical locations from which eCareersGrad operates.

2. Aims and Commitments

  • eCareersGrad recognises the role of information security in ensuring that users have access to the information they require in order to carry out their work. Computer and information systems underpin all our activities.
  • Any reduction in the confidentiality, integrity or availability of information could prevent us from functioning effectively and efficiently. In addition, the loss or unauthorised disclosure of information has the potential to damage our reputation and cause financial loss.
  • To mitigate these risks, information security is an integral part of information management, whether the information is held in electronic or hard-copy form.
  • eCareersGrad is committed to protecting the security of its information and information systems in order to ensure that:
    • The integrity of information is maintained, so that it is accurate, up to date and ‘fit for purpose’;
    • Information is always available to those who need it and there is no disruption to our business;
    • Confidentiality is not breached, so that information is accessed only by those authorised to do so;
  • In order to meet these aims, eCareersGrad is committed to implementing security controls that conform to best practice as set out in the ISO 27001:2022 Information Security Techniques – Code of practice for information security management.
  • Information security risk assessments are performed for all information systems on a regular basis in order to identify key information risks and determine the controls required to keep those risks within acceptable limits.
  • We are committed to providing sufficient education and training to users to ensure they understand the importance of information security and, in particular, exercise appropriate care when handling confidential information.
  • Specialist advice on information security is and will be made available throughout the business.
  • An information security specialist will advise on best practice and coordinate the implementation of information security controls.
  • eCareersGrad will establish and maintain appropriate contacts with other organisations, law enforcement authorities, regulatory bodies, and network and telecommunications operators in respect of its information security policy.
  • Breaches of information security will be recorded and reported to appropriate bodies, who will take action and inform the relevant authorities.
  • This Policy and all other supporting policy documents will be communicated as necessary throughout eCareersGrad to meet its objectives and requirements.

3. Responsibilities

  • Users of eCareersGrad information are made aware of their own individual responsibilities for complying with our departmental policies on information security.
  • Agreements with third parties involving accessing, processing, communicating or managing any of our information, or information systems, must cover all relevant security requirements, and those requirements must be reflected in the contractual arrangements.

4. Risk Assessment and the Classification of Information

  • The degree of security control required depends on the sensitivity or criticality of the information. The first step in determining the appropriate level of security therefore is a process of risk assessment, in order to identify and classify the nature of the information held, the adverse consequences of security breaches and the likelihood of those consequences occurring.
  • The risk assessment identifies information assets; defines the ownership of those assets; and classifies them, according to their sensitivity and/or criticality across eCareersGrad as a whole. In assessing risk, eCareersGrad considers the value of the asset, the threats to that asset and its vulnerability.
  • Where appropriate, information assets are labelled and handled in accordance with their criticality and sensitivity.
  • Rules for the acceptable use of information assets are identified, documented and implemented.
  • Information security risk assessments are repeated periodically and carried out as required during the operational delivery and maintenance of our infrastructure, systems and processes.

4.1 Personal Data

  • Personal data must be handled in accordance with the Data Protection Act 2018 (DPA).
  • The DPA requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

5. Protection of Information Systems and Assets

  • Confidential information should be handled in accordance with the requirements set out in section 6 below.

6. Protection of Confidential Information

  • Identifying confidential information is a matter for assessment in each individual case. Broadly, however, information will be confidential if it is of limited public availability; is confidential in its very nature; has been provided on the understanding that it is confidential; and/or its loss or unauthorised disclosure could have one or more of the following consequences:
    • Financial loss – e.g. a fine by the ICO, a legal claim for breach of confidence
    • Reputational damage – e.g. adverse publicity, complaints about breaches of privacy.

6.1 Storage

  • Confidential information should be kept secure, using, where practicable, dedicated storage (e.g. file servers) rather than local hard disks, and an appropriate level of physical security.
  • File or disk encryption should be considered as an additional layer of defence, where physical security is considered insufficient.

6.2 Access

  • Confidential information must be stored in such a way as to ensure that only authorised persons can access it.
  • All users must be authenticated. Users must follow good security practices in the selection and use of passwords.
  • Where necessary, additional forms of authentication should be considered.
  • To allow for potential investigations, access records must be kept for a minimum of six months, or for longer, where considered appropriate.
  • Users with access to confidential information must be security vetted, as appropriate, in accordance with existing policies.
  • Physical access must be monitored, and access records maintained.

6.3 Remote access

  • Where remote access is required, this must be controlled via a well-defined access control policy and tight access controls provided to allow the minimum access necessary.
  • Any remote access must be controlled by secure access control protocols using appropriate levels of encryption and authentication.

6.4 Copying

  • The number of copies made of confidential information, whether on portable devices or media or in hard copy, should be the minimum required, and, where necessary, a record kept of their distribution. When no longer needed, the copy must be deleted or, in the case of hard copies, destroyed.
  • All copies should be physically secured, e.g. stored in a locked cupboard, drawer or filing cabinet.

6.5 Disposal

  • Policies and procedures must be in place for the secure disposal/destruction of confidential information.

6.6 Use of portable devices or media

  • Procedures must be in place for the management of removable media in order to ensure that they are appropriately protected from unauthorised access.
  • The permission of the information owner must be sought before confidential information is taken off site. The owner must be satisfied that the removal is necessary and that appropriate safeguards are in place e.g. encryption.
  • In the case of personal data, the ICO recommends that all portable devices and media should be encrypted where the loss of the data could cause damage or distress to individuals.
  • The passphrase of an encrypted device must not be stored with the device.

6.7 Exchange of Information and use of Email

  • Controls must be implemented to ensure that electronic messaging is suitably protected.
  • Email must be appropriately protected from unauthorised use and access.
  • Email must only be used to send confidential information where the recipient is trusted, the information owner has given their permission, and appropriate safeguards have been taken e.g. encryption.

6.8 Cryptographic controls

  • Procedures must be in place to support the use of cryptographic techniques and to ensure that only authorised personnel may gain access to confidential information.

6.9 System planning and acceptance

  • A risk assessment must be carried out as part of the business case for any new ICT system that may be used to store confidential information. The risk assessment must be repeated periodically on any existing systems.

6.10 Backup

  • Information owners must ensure that appropriate backup and system recovery procedures are in place. Backup copies of all important information assets must be taken and tested regularly in accordance with an appropriate backup policy.

6.11 Further information

6.12 Hard Copies

  • Documents containing confidential information must be marked as ‘Confidential’ or with another appropriate designation (e.g. ‘Sensitive’), depending on the classification system adopted.
  • Wherever practicable, documents with confidential information must be stored in locked cupboards, drawers or cabinets. Where this is not practicable, and the information is kept on open shelving, the room must be locked when unoccupied for any significant length of time.
  • Confidential information must not be removed from eCareersGrad unless it can be returned on the same day or stored securely overnight.
  • Confidential documents must be shredded in a confidential manner prior to disposal.

6.13 Enforcement

  • There must be a written policy in place at the local level for the handling of confidential information, whether electronic or hard copy, and a copy of the procedures must be provided to every user so that they are aware of their responsibilities.
  • Any failure to comply with the policy may result in disciplinary action.
  • Any loss or unauthorised disclosure must be promptly reported to the owner of the information.
  • Computer security incidents involving the loss or unauthorised disclosure of confidential information held in electronic form must be reported to eCareersGrad’s Security Officer and investigated.
  • If the loss or unauthorised disclosure involves personal data, whether electronic or hard copy, our Data Protection Officer must also be informed by e-mail (support@ecareersgrad.co.uk).

7. Compliance

  • eCareersGrad has established this policy to promote information security and compliance with relevant legislation, including the DPA. We regard any breach of information security requirements as a serious matter, which may result in disciplinary action.
  • Compliance with this policy must form part of any contract with a third party that may involve access to eCareersGrad’s network or computer systems or data.
  • Relevant legislation includes, but is not limited to:
    • The Computer Misuse Act (1990)
    • The Regulation of Investigatory Powers Act (2000)
    • The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations (2000)
    • The Freedom of Information Act (2000)
    • The Special Educational Needs and Disability Act (2001)
    • The Data Protection Act (2018).