Purpose

The protection of our information is of primary importance to our organisation. Maintaining the confidentiality, integrity, and availability (CIA) of the information we use ensures that the operations we perform, and the services we provide, continue to meet our business objectives, comply with regulatory and legal requirements, and fulfil the requirements of our stakeholders. It also ensures that any personal data we process about our employees and customers is kept secure, minimising any potential risks or harm that may be caused by a breach of that data.

Management is committed to the security of our information, and has developed and approved this information security policy in line with the requirements of the ISO 27001 standard for information security and our organisation’s business requirements.

This document sets out the approved information security policy so that it can be clearly communicated to all employees, contractors, and other relevant third-parties.

Scope

This policy shall apply to all the business processes and information processing activities that fall within the scope of our organisation’s Information Security Management System (ISMS). For simplicity, we consider all work-related activities of employees, contractors, or other relevant third-parties to be within the scope of this policy document unless explicitly excluded.

Audience

All employees, contractors, and other relevant third-parties shall adhere to this Information Security Policy while performing work-related activities as part of their day-to-day duties. For the purposes of this document, policy instructions directed at employees shall also apply to contractors, and other relevant third-parties, and shall be collectively referred to as “users”. Where discussing the classification and handling of information, users with overall responsibility for the data shall be referred to as the “data owner”.

Communication

This Information Security Policy shall be communicated to all employees and agency staff as part of our employee induction programme, and periodically following any changes to the policy. All contractors and other relevant third-parties shall be provided with a copy of this policy document as part of the process for contracting services, and shall be re-issued with updated versions periodically following any changes to the policy.

Disciplinary Process

Where an employee, contractor, or other relevant third-party performs an activity or activities in breach of this Information Security Policy, they shall be subject to the disciplinary process documented in the Company Manual or the applicable service contract.

Improvement

Management is committed to the continual improvement of our Information Security Policy, and shall review this document on an annual basis, or whenever an independent review of our organisation’s ISMS reveals a non-conformance or opportunity for improvement. The Management Review shall determine if this policy continues to meet the requirements of our organisation.

Management also endeavours to plan our business operations so that our information and information assets are not misused, either intentionally or unintentionally. This is done by identifying and assigning separate duties throughout our critical business activities to guard against misuse such as fraud or errors in data processing activities.

Where a user identifies potential conflicts or misuse of information or information assets due to improper planning and assignment of duties, users should raise their concern immediately with their line manager, or the ISMS Manager.


1. Classification & Handling of Information

To ensure that the information we process is handled appropriately and securely, it is important that all users know how to identify the sensitivity of the data, and follow our requirements for how to handle that data. This section sets out how our organisation classifies our information, and how users should handle that information.

Data Classifications

All data shared with customers should be converted to PDF before sending unless it is a collaborative document, in which case it should carry a label such as “draft” or “work in progress”. In addition to the table below, users shall review and adhere to the data handling principles set out in the supporting document, Data Handling & Retention Guidelines. This will ensure that even unclassified data is properly handled and protected.

The classification table is set out below, one entry per confidentiality level, with the columns Confidentiality Level, Description, Typical Examples, Labelling, Legal/Regulatory Considerations, Handling, and Availability/Disposal.

Confidentiality Level: Public

Description: Information that is or can be made publicly available.

Typical Examples: publishing and marketing materials, website content, published financial statements, social media communication and content, advertised job titles and roles, product catalogues and brochures.

Labelling: No labelling required. We are a remote-first company, and the only public data printed on physical media is marketing material that can be publicly shared. Material that can be shared publicly (video and content) is placed on the Intranet and marked adequately. Other information that can be shared can be found in the Evercam Trust Center.

Legal/Regulatory Considerations: Internal content regulations (Company Manual).

Handling: No restriction on copying, printing and distribution.

Availability/Disposal:

No requirement for source destruction;

No data retention requirements on published data;

Retain a redundant copy of published data for reference purposes when required.

Confidentiality Level: Internal

Description: Information that is intended for internal business use only. Unauthorised disclosure of internal information may pose some risk of reputational damage to our organisation.

Typical Examples: meeting agendas and minutes, contracts, operational documentation, policies and procedures, training material, employee training records, internal email communication, Intranet content, contact directories, purchasing data (payment authorisations, invoices).

Labelling: Due to the volume of internal data generated, labelling is not required. All unlabelled data shall be considered to be internal unless specifically labelled “Confidential” or “Highly Confidential”.

Legal/Regulatory Considerations: GDPR; contractual obligations; ePrivacy Regulations 2011; data protection and privacy laws in the UK, USA, Australia and Singapore.

Handling:

Access rights restricted when necessary;

Shall only be printed/copied where absolutely necessary;

Shall only be emailed externally with prior approval of the data owner, or where it is part of an approved business process;

Shall only be saved to and stored on approved business systems, devices and removable media;

Physical media and paper records shall be transferred in line with the Data Transfer Policy set out in section 1.1 of this Information Security Policy.

Availability/Disposal:

Digital records shall not be moved or deleted without prior approval from the data owner;

Physical media and paper shall not be relocated or destroyed without prior approval from the data owner;

When no longer required, printed records shall be shredded using the secure shredding facilities;

Devices and removable media containing internal data shall be returned to IT or a line manager for secure disposal.

Confidentiality Level: Confidential

Description: Information that is intended for internal business use only. Unauthorised disclosure of confidential information may pose a moderate risk of reputational damage and/or financial costs such as fines or penalties.

Typical Examples: customer personal data, e.g. customer records, analytics that contain extensive PII; employee personal data, e.g. HR records, disciplinary records, quarterly reviews; unpublished financial records and reports; procurement/tender process documentation; source code; proprietary company data.

Labelling: Documents of this nature created by Evercam should be labelled as “Confidential” in the footer of the document and in the file name. Any documents received from customers and labelled as “Confidential” should be treated as such. For digital records, data owners shall save confidential data only to the organisation’s units and/or folders specifically designated for confidential data. Access rights shall be approved by the owner as required.

Legal/Regulatory Considerations: GDPR; Data Protection Act 2018; contractual obligations; data protection and privacy laws in the UK, USA, Australia and Singapore.

Handling:

Access restricted and approved only by the data owner;

Shall not be printed/copied unless approved by the data owner;

Shall not be printed to printers located in unsecured areas or general working areas;

Shall only be shared with authorised third parties with a non-disclosure and confidentiality agreement in place;

Shall only be emailed internally or externally with approval of the data owner, or where it is part of an approved business process;

Digital records shall only be shared externally using an approved encrypted transfer method in line with our Data Transfer Policy;

Shall only be saved to and stored on approved business systems;

Shall only be saved to and stored on approved and encrypted devices and removable media;

Physical media and paper records shall be transferred in line with our Data Transfer Policy.

Availability/Disposal:

Digital records shall not be moved or deleted without prior approval from the data owner;

Physical media and paper shall not be relocated or destroyed without prior approval from the data owner;

When no longer required, printed records shall be shredded using the secure shredding facilities;

Encrypted devices and removable media containing confidential data shall be returned to IT or a line manager for secure disposal.

Confidentiality Level: Highly Confidential

Description: Information that is intended for internal business use only. Unauthorised disclosure of highly confidential information may pose a significant risk to the organisation and its users, resulting in a data breach, reputational damage and/or significant financial costs.

Typical Examples: special categories of personal data, e.g. medical records, genetic and biometric data, trade union membership, ethnic origin, religious beliefs; financial data, e.g. credit and debit card information; passwords, PIN codes, security tokens; corporate negotiations, funding information.

Labelling: Documents of this nature created by Evercam should be labelled as “Highly Confidential” in the footer of the document and in the file name. Any documents received from customers and labelled as “Highly Confidential” should be treated as such. For digital records, data owners shall save confidential data only to the organisation’s units and/or folders specifically designated for confidential data. Access rights shall be approved by the owner as required.

Legal/Regulatory Considerations: GDPR; Data Protection Act 2018; contractual obligations; data protection and privacy laws in the UK, USA, Australia and Singapore; Copyright and Related Rights Act 2000.

Handling:

Access restricted and approved only by the data owner;

Access is strictly monitored;

Shall not be printed/copied unless approved by the data owner;

Shall not be printed to printers located in unsecured areas or general working areas;

Must be claimed immediately at the approved printer, or be released for printing by PIN, ID and/or password authentication at the printer;

Shall only be shared with authorised third parties with a non-disclosure and confidentiality agreement in place;

Shall not be emailed, other than in situations where a one-time password and/or PIN is required;

Digital records shall only be shared externally using an approved encrypted transfer method in line with our Data Transfer Policy;

Shall only be saved to and stored on approved business systems;

Shall only be saved to and stored on approved and encrypted devices and removable media;

Physical media and paper records shall be transferred in line with our Data Transfer Policy.

Availability/Disposal:

Digital records shall not be moved, changed or deleted without prior approval from the data owner;

Physical media and paper shall not be relocated, marked or destroyed without prior approval from the data owner;

When no longer required, printed records shall be shredded using the secure shredding facilities;

Encrypted devices and removable media containing highly confidential data shall be returned to IT or a line manager for secure disposal.


1.1  Transferring Data

The handling requirements for the identified confidentiality levels of data are provided at a high level in the table above. This section provides detail on our approved policy for transferring data.

1.1.1   Digital data

Where there is a requirement to transfer internal, confidential, or highly confidential digital data outside of our organisation, the following shall apply:

Where users encrypt individual files sent as email attachments, the encryption key must be sent to the recipient using a second channel, such as SMS or a phone call. Users must never send both the data and the encryption key via email.

1.1.2   Physical data

Where there is a requirement to transfer internal, confidential, or highly confidential data in physical format, such as paper records, backup media, tape, CD/DVD, USB, etc., the following shall apply:

1.2  Protecting Data From Loss

Even where users adhere to the handling requirements set out in the table above, the daily use, copying, and sharing of information may result in unintended loss or data leakage. To minimise the likelihood of data leakage, the following policies shall apply:


2. Securing Working Environments

Whether in the office or at home, physical security measures are essential for ensuring that our users, information, and information assets are protected at all times. This section sets out our requirements for physical security.

2.1  Security in the Office

When working from our designated offices or warehouses, the following policies shall apply:

2.2  Security at Home

When working from home, it can be difficult to implement physical security measures. Wherever possible, users should follow this set of recommendations:

2.3  Security in Public or Shared Spaces

When working in public areas, or other shared spaces such as co-working environments, it can be even more difficult to implement physical security measures than in a home environment. The following policies apply for working in public and shared spaces:

3. Using Information Assets

Our organisation provides approved equipment and services to users so that they can carry out their work-related duties. The equipment and services are our information assets, and this section sets out the policies for using those assets appropriately.

3.1  Monitoring

To ensure that our information and information assets are accessed and used in a secure way that minimises any information security risks, and that we meet our legal and regulatory requirements, our organisation retains the right to carry out monitoring of our equipment and services. These monitoring activities are not productivity monitoring activities, and any examination of user account activity shall be done only with appropriate management and/or HR approval.

In order to carry out monitoring activities, we may:

Users shall comply with our monitoring activities as follows:

3.2  Securing Equipment & Records

While using equipment and services, the following policies shall apply:

3.3  Using Equipment

Our organisation allows the use of personal devices for company use under certain conditions. This is typically known as a Bring Your Own Device (BYOD) policy, and allows users to continue to carry out their duties in situations where access to the equipment and services at our offices may not be possible or may be impractical, for example where home working is enforced due to movement restrictions, or where the user is a third-party who may need to use their own computer equipment to carry out the required work. However, the use of personal devices is risk assessed in line with our Risk Management Process, and may not be permitted in some situations, such as for users responsible for processing highly confidential information. The use of personal devices is therefore subject to management review and approval.

The following section sets out our general security requirements for using both company and personal equipment.

3.3.1   Company equipment

When using company computers, laptops, or mobile phones, the following policies apply:

3.3.2   Personal equipment

When using personal computers, laptops, or mobile phones, the following policies apply:

3.4  Returning Equipment & Records

When leaving the organisation or completing a contract for services, the following policies apply:

3.5  Using the Internet

Acceptable use of our internet service is set out in our Company Manual. Policies governing the secure use of internet services used by users working from home, or at remote working sites, hotspots, etc., are outside the scope of this document. The following is a set of recommendations for users in these scenarios, and should not be considered exhaustive:

3.6  Using Email

Acceptable use of our email service is set out in our Company Manual. Policies governing the secure use of personal email while working from home on personal devices are outside the scope of this document. The following is a set of recommendations for users working from home and using their own equipment:

3.7  Using Company Social Media

Acceptable use of social media services is set out in our Company Manual. Policies governing the secure use of personal social media while working from home on personal devices are outside the scope of this document. Users working from home and using their own equipment should keep the following in mind when using social media services:

4. Controlling Access to Information Assets

Our organisation uses various authentication information such as passwords, security tokens, 2FA, and PIN codes to authenticate our users, and to secure our services and equipment from unauthorised use. The following policies apply for securing authentication information:

5. Identifying & Reporting Incidents

While performing work-related activities, a situation may arise where a user suspects that a security incident has taken place. Users may notice some of the following: