POLICIES

On this page, you can read about our business policies. Please get in touch if you have any questions.

Who we are

Our website address is: www.priority.co.uk

Privacy Policy 

PMD POL 03: Format Issue 1 (05.18)

1. Policy objectives

1.1. To protect all Personal Information that Priority is the Controller of or processes on behalf of another Controller.

1.2. To protect the rights and freedoms of the Information Subjects whose Personal Information Priority is the Controller of or processes on behalf of another Controller.

1.3. To ensure appropriate controls are implemented that provide protection for Personal Information and are proportionate to their value and the threats to which they are exposed.

1.4. To ensure that Priority complies with, and can demonstrate compliance with, all relevant legal, customer and other third-party requirements relating to the processing of Personal Information, in particular the Data Protection Act 2018 (“DPA 2018”) and the General Data Protection Regulation (EU 2016/679) (“GDPR”).

2. Scope

2.1. This policy applies to the processing of Personal Information by any employees or suppliers of Priority.

3. Responsibilities

3.1. It is the responsibility of the Data Protection Team to ensure that this policy is implemented and that any resources required are made available.

3.2. It is the responsibility of the Data Protection Team to monitor the effectiveness of this policy and report the results at management reviews.

3.3. It is the responsibility of the Data Protection Team to ensure that a Personal Information Processing Register is maintained.

3.4. It is the responsibility of all employees to adhere to this policy and to report to the Data Protection Team any issues they may be aware of that breach any of its contents.

3.5. Priority has appointed a Data Protection Team that will:

Report directly to the Company Board of Directors;

Be involved properly and in a timely manner, in all issues which relate to the protection of Personal Information;

Have the full support of the Board of Directors in performing their tasks;

Be provided with all resources necessary to carry out the tasks required by the DPA 2018 and the GDPR;

Be provided with all the resources necessary to maintain their expert knowledge;

Have unlimited access to Personal Information processing operations;

Not receive any instructions from Senior Management regarding the exercise of the tasks required by the DPA 2018 and the GDPR;

Not be dismissed or penalised by the Senior Management for performing tasks and duties required of them by the DPA 2018 and the GDPR;

Not undertake any other tasks and duties that result in a conflict of interest.

3.6. It is the responsibility of the Data Protection Team to:

Inform and advise Senior Management, employees and any suppliers who undertake processing of Personal Information on behalf of Priority of their obligations with regard to this policy and the requirements of the DPA 2018 and the GDPR;

Monitor Priority’s compliance with this policy, the DPA 2018 and the GDPR;

Ensure all employees have appropriate training with regards to processing of Personal Information;

Act as a contact point for the Information Commissioner’s Office on issues relating to the processing of Personal Information.

4. Definitions

Within this policy, the following definitions apply.

4.1. Asset: Any physical entity that can affect the confidentiality, availability and integrity of Personal Information.

4.2. Availability: The accessibility and usability of Personal Information upon demand by an authorised individual.

4.3. Automated decision-making: Processing of information that results in decisions being made about Information Subjects without any review of the information being made by an individual.

4.4. Beyond use: Controls placed on Personal Information that it is no longer necessary for Priority to keep where it is not reasonably feasible to delete the information. These controls must comply with guidance from the Information Commissioner’s Office (see Information Commissioner’s Office Guidance on GDPR Compliance).

4.5. Confidentiality: The restrictions placed on the access or disclosure of Personal Information.

4.6. Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of a set of Personal Information.

4.7. High risk processing: Processing of Personal Information (in particular using new technologies) that is likely to result in a high risk to the rights and freedoms of Information Subjects (see Information Commissioner’s Office Guidance on GDPR Compliance).

4.8. Identifiable Natural Person: A natural person who can be identified directly or indirectly, in particular with reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

4.9. Information subject: An Identifiable Natural Person who has Personal Information that Priority is the Controller of or is a Processor of on behalf of a Controller.

4.10. Integrity: The accuracy and completeness of Personal Information.

4.11. Personal information: Any information relating to an Identifiable Natural Person.

4.12. Personal information protection principles: Principles that shall be applied in relation to all Personal Information as laid down in the DPA 2018, the GDPR and any subsequent amendments.

4.13. Processor: A natural or legal person, public authority, agency or other body which processes Personal information on behalf of a Controller.

4.14. Security incident: Any event that has a potentially negative impact on the confidentiality and/or integrity and/or availability of Personal Information, or that restricts the rights and freedoms of Information Subjects.

5. Associated documents

5.1. All associated documents referred to in this policy are highlighted in bold and underlined.

6. Policy

6.1. Application of the Personal Information protection principles

The following principles must be applied, and compliance with them demonstrated, in relation to all Personal Information that is accessed, stored or processed by employees, or by the employees of suppliers, while they are accessing or processing Priority’s information assets, and to any Personal Information that Priority is the Controller of or processes on behalf of another Controller:

Personal information shall be processed lawfully, fairly and in a transparent manner;

Personal information shall be collected for specified, explicit and legitimate purposes and not processed in a manner that is incompatible with those purposes;

Any Personal Information collected shall be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

Any Personal Information processed shall be accurate and kept up to date (where necessary), and every reasonable step shall be taken to ensure that Personal Information that is inaccurate with regard to the purposes for which it is processed is erased or rectified without delay;

Personal Information shall not be kept in a form that permits identification of Information Subjects for longer than is necessary for the purposes for which the Personal Information is processed (Personal Information may be put Beyond Use where deletion is not reasonably feasible);

Appropriate technical and organisational measures shall be taken to ensure appropriate security of the Personal Information, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage.

All processes and operations that involve the processing of Personal Information must be designed to ensure that these principles can be achieved and are applied. Where any changes are required to Priority’s Assets that impact on the processing of Personal Information, a review of the Control Measures applied must be completed.

6.2. Registration with the Information Commissioner

It is the responsibility of the Data Protection Team to ensure that the appropriate registration is maintained with the Information Commissioner.

6.3. Personal Information Processing Register

A Personal Information Processing Register must be maintained that contains information on:

All Personal Information that Priority is the Controller of regardless of whether it is processed by Priority or by a Processor engaged by Priority;

All Personal Information that Priority is a Processor of on behalf of a Controller or other Processor;

The types of Information Subjects that the Personal Information relates to, the limit of the information collected and the source that it is obtained from;

The reason the processing is undertaken and the legal grounds for doing so;

The types of processing employed and the methods and technologies used;

The details of any Processors used (where Priority is the Controller) or direct Sub-Processors used (where Priority is the Processor);

The country or region where the Personal Information is processed and stored;

All recipients of the Personal Information;

The period for which the Personal Information is retained and the justification for doing so;

Whether any Automated Processing is undertaken;

Whether the Personal Information falls into a Special Category and, if so, the processing justification offered by Article 9 of the GDPR that applies;

Whether the Personal Information is transferred in any way outside of the EEA and, if so, the countries/territories/organisations it is transferred to.

6.4. Consent to process Personal Information

Where Priority is a Controller of Personal Information and it undertakes processing of Personal Information requiring the consent of the Information Subject, a record of the consent must be obtained from the Information Subjects using a Personal Information Processing Consent Form, unless consent can be demonstrated by some other statement or a clear affirmative action.

The Personal Information Processing Consent Form will be based on the Privacy Notice + Consent Opt-in template.

6.5. When processing Personal Information obtained from an Information Subject

Where Priority has collected personal data directly from an Information Subject, the Information Subject must be provided with a Privacy Notice that contains at least the following information:

The contact details of the Data Protection Team at dpt@priority.co.uk;

The scope and legal justification of processing that will be undertaken with the information they provide;

Where the legal justification for processing the Personal Information is the Controller’s legitimate interest, details of the legitimate interest;

Where the legal justification for Processing the Personal Information is that the Information Subject has consented to the processing, the existence of a right to withdraw consent at any time, without affecting the lawfulness of the processing carried out prior to the withdrawal;

The categories of recipients who will have access to their Personal Information;

The time period for which their information will be stored or the criteria that will be applied to determine the time period;

Any planned transfers of their information to a third country or international organisation and information on the safeguards being applied and the means by which the Information Subject can obtain a copy of them or where they are available;

Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;

Whether any automated decision-making will be applied to their information and if so the logic that will be applied and the envisaged consequences for them;

Whether Priority is a joint Controller of the information and, if so, an overview of the agreement in place with the other joint Controllers;

Their rights to:

request access to their information

request corrections be made to their information

request their information be deleted

request that processing of their information is restricted

request their information be transferred to another Controller

lodge a complaint with the Information Commissioner

and the means by which they can notify Priority to exercise one or more of these rights.

6.6. Processing of Personal Information obtained from third parties

Where Priority is a Controller of Personal Information and it undertakes processing of Personal Information obtained from a third party (i.e. not directly from the Information Subjects it relates to), then unless:

The Information Subject already has the information that Priority has obtained; or

The collection or disclosure of the information is authorised or required by EU or UK law; or

The disclosure of the information is restricted due to an obligation of a professional body that has provided it or a requirement of EU or UK law; or

It would require a disproportionate effort to provide the information;

Priority will provide the following information to the Information Subjects to whom the Personal Information relates:

The name and contact details of Priority’s Data Protection Team;

The scope and legal justification of processing that will be undertaken with the information they provide;

The categories of information that will be processed;

The categories of recipients who will have access to their Personal Information;

The source of the Personal Information and whether that source was publicly available;

The time period for which their information will be stored or the criteria that will be applied to determine the time period;

Where the legal justification for processing the Personal Information is the Controller’s legitimate interest, details of the legitimate interest;

Where the legal justification for Processing the Personal Information is that the Information Subject has consented to the processing, the existence of a right to withdraw consent at any time, without affecting the lawfulness of the processing carried out prior to the withdrawal;

Any planned transfers of their information to a third country or international organisation and information on the safeguards being applied and the means by which the Information Subject can obtain a copy of them or where they are available;

Whether any automated decision-making will be applied to their information and, if so, the logic that will be applied and the envisaged consequences for them;

Whether Priority is a joint Controller of the information and, if so, an overview of the agreement in place with the other joint Controllers;

Their rights to:

request access to their information

request corrections be made to their information

request their information be deleted

request that processing of their information is restricted

request their information be transferred to another Controller

request not to be subject to a decision based solely on Automated Processing

lodge a complaint with the Information Commissioner

and the means by which they can notify Priority to exercise one or more of these rights;

This information will be provided to Information Subjects either within one month of Priority obtaining the information or at the time of first communicating with the Information Subject (whichever is the soonest).

6.7. Accessing, processing and storage of Personal Information

The Data Protection Team must ensure that appropriate physical and technical controls are in place to:

Protect the confidentiality, integrity and availability of all Personal Information;

Prevent unlawful processing of Personal Information.

Personal information should be accessed, processed and stored only to:

Fulfil the needs of customers;

Comply with legal requirements;

Enable the effective implementation of the organisation’s ISMS.

Access to Personal Information must be provided only where it is necessary for individuals to undertake tasks assigned to them that require such access.

6.8. Requests by Information Subjects to exercise their rights and freedoms

For all Personal Information that Priority is the Controller of:

All requests by Information Subjects whose Personal Information is processed by Priority, to exercise their rights and freedoms under the DPA 2018 and the GDPR will be managed in accordance with the Handling of Personal Information Requests Procedure.

Any information that needs to be provided to Information Subjects who submit requests will be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Any information requested by Information Subjects in relation to any of their Personal Information processed by Priority that Priority is legally obliged to provide will be provided free of charge, unless the request is manifestly unfounded or excessive, in which case Priority may charge a reasonable fee for providing the information or refuse to act on the request.

Where the request covers the deletion of information that has been made public then Priority will take all reasonable steps possible to inform other Controllers who are processing the information to delete any copy of the information that they hold or any links they have to the information.

6.9. Transferring Personal Information

Any transfer of personal information to a third party must be carried out under a written agreement, setting out the scope and limits of the sharing.

In the event that Priority needs to transfer Personal Information to a non-EU country or an international organisation then:

The relevant Privacy Notices need to identify this;

The Information Subjects affected must be informed before the transfer takes place and provided with information regarding the safeguards that Priority will ensure are in place.

6.10. Compliance and Controls Assessments

To ensure that:

All controls employed to protect Personal Information that is controlled or processed by Priority are maintained and effective;

Priority complies with the DPA 2018 and the GDPR;

audits will be completed annually as part of the company’s Internal Audit programme.

6.11. Arrangements with Joint Controllers

Where Priority is a joint Controller of any Personal Information, a Joint Controller Agreement (or an equivalent agreement) will be implemented with any joint Controllers.

6.12. Arrangements with Controllers

Where Priority undertakes processing on behalf of a Controller:

A Personal Information Processing Agreement (or an equivalent agreement) will be implemented with any Processors;

No processing of information provided by the Controller will be undertaken without an explicit instruction from them.

6.13. Arrangements with Processors

Where Priority uses a supplier to undertake processing on its behalf:

A Personal Information Processing Agreement (or an equivalent agreement) will be implemented with any Processors;

A Personal Information Processor Assessment will be completed to assess whether they can provide sufficient guarantees to implement appropriate control measures that will ensure the processing they undertake complies with the DPA 2018 and the GDPR and protects the rights and freedoms of the Information Subjects whose information they process on behalf of Priority.

An audit of a supplier’s compliance with the DPA 2018 and the GDPR will be undertaken where:

The information obtained from a Personal Information Processor Assessment raises doubts as to the adequacy of the guarantees provided by a Processor; or

The supplier is undertaking High Risk Processing; or

A Personal Information Breach occurs that has a significant impact on the confidentiality, integrity or availability of any Personal Information and, following an investigation of the root cause of the incident, the controls and processes employed by the supplier are identified as having been a contributing factor.

The audit will be completed using a Personal Information Processing Compliance Assessment Form.

6.14. High Risk Processing

A data impact assessment must be completed for any High Risk Processing of Personal Information that Priority is a Controller of before any such processing is started.

The results of the data impact assessment must be recorded in the Personal Information Processing Register.

If a data impact assessment indicates that the processing would result in a high risk to the rights and freedoms of the Information Subjects whose Personal Information is being processed, then the Data Protection Team must consult with the Information Commissioner’s Office before any processing is started.

6.15. Personal Information Breaches

In the event of a Security Incident that compromises the confidentiality, integrity or availability of any Personal Information, actions shall be taken and records maintained in accordance with the Security Incident Management Procedure.

7. Policy Review

This policy shall be reviewed at least annually or if significant changes occur that might affect its continuing suitability, adequacy and effectiveness.

8. Policy Authorisation

Signed on behalf of Priority:

Position: Managing Director Date: 18th May 2018


Information Security Policy

PMD POL 02: Format Issue 1 (06.18)

1.0. Policy objective

1.1. To protect the information assets that Priority handles, stores, exchanges, processes and has access to, and to ensure the ongoing maintenance of their confidentiality, integrity and availability.

1.2. To ensure controls are implemented that provide protection for information assets and are proportionate to their value and the threats to which they are exposed.

1.3. To ensure the organisation complies with all relevant legal, customer and other third-party requirements relating to information security.

1.4. To continually improve the organisation’s Integrated Environmental and Information Security Management System (IMS) and its ability to withstand threats that could potentially compromise information security.

2.0. Scope

2.1. This policy and its sub-policies apply to all people, processes, services, technology and assets detailed in the Scope. It also applies to all employees or subcontractors of information security critical suppliers who access or process any of the organisation’s information assets.

3.0. Core policy

3.1. The organisation believes that despite the presence of threats to the security of such information, all security incidents are preventable.

3.2. The organisation is committed to achieving the objectives detailed in the policy through the following means:

The implementation and maintenance of an ISMS that is independently certified as compliant with ISO 27001:2013;

The systematic identification of security threats and the application of a risk assessment procedure that will identify and implement appropriate control measures;

Regular monitoring of security threats and the testing/auditing of the effectiveness of control measures;

The maintenance of a risk treatment plan that is focused on eliminating or reducing security threats;

The maintenance and regular testing of a Business Continuity Plan;

The clear definition of responsibilities for implementing the ISMS;

The provision of appropriate information, instruction and training so that all employees are aware of their responsibilities and legal duties, and can support the implementation of the ISMS;

The implementation and maintenance of the sub-policies detailed in this policy.

3.3. The appropriateness and effectiveness of this policy, and the means identified within it, for delivering the organisation’s commitments will be regularly reviewed by Top Management.

3.4. The implementation of this policy and the supporting sub-policies and procedures is fundamental to the success of the organisation’s business and must be supported by all employees and contractors who have an impact on information security as an integral part of their daily work.

3.5. All information security incidents must be reported to the Data Protection Team. Violations of this policy may be subject to the company’s Disciplinary Procedure, available in the Staff Handbook.

4.0. Policy Review

4.1. This policy and its sub-policies should be reviewed at least annually or if significant changes occur that might affect its continuing suitability, adequacy and effectiveness.

5.0. Policy Authorisation

Signed on behalf of Priority: Paul Butcher
Position: Managing Director
Date: June 2018 

6.0. Sub-policy index

7.0. Responsibilities

8.0. Definitions

9.0. Associated documents

10.0. Acceptable Use of Assets Policy

11.0. Access Control Policy

12.0. Backup Policy

13.0. Clear Desk and Clear Screen Policy

14.0. Communication Policy

15.0. Cryptographic Controls Policy

16.0. Information Classification, Labelling and Handling Policy

17.0. Mobile Devices Policy

18.0. Physical and Environmental Security Policy

19.0. Protection from Malware Policy

20.0. Suppliers Policy

21.0. Teleworking Policy

22.0. Use of Software Policy


7.0. Responsibilities

7.1. It is the responsibility of the MD to ensure that this policy is implemented and that any resources required are made available.

7.2. It is the responsibility of the IS Manager to monitor the effectiveness of this policy and report the results at management reviews.

7.3. It is the responsibility of the IS Manager to create and maintain an Asset and Risk Assessment Register and to ensure all assets that need to be covered by this policy are identified.

7.4. It is the responsibility of all employees and subcontractors, and of the employees and subcontractors of information security critical suppliers, to adhere to this policy and to report to the Data Protection Team any issues they may be aware of that breach any of its contents.

8.0. Definitions

8.1. Anti-virus software: Software used to prevent, detect and remove malware. Anti-virus can also mean anti-malware and/or anti-spyware.

8.2. Asset: Any physical entity that can affect the confidentiality, availability and integrity of the organisation’s information assets.

8.3. Availability: The accessibility and usability of an information asset upon demand by an authorised entity.

8.4. Computer systems: A system of one or more computers and associated software, often with common storage, including servers, workstations, laptops, storage and networking equipment.

8.5. Confidential information: Any type of information that has been specified by the organisation’s Information Classification, Labelling and Handling Policy as requiring protection through the application of cryptographic controls when it is stored or transferred electronically.

8.6. Confidentiality: The restrictions placed on the access or disclosure of an information asset.

8.7. Data protection principles: Principles that shall be applied in relation to all personal information as laid down in the Data Protection Act 1998 and any subsequent amendments.

8.8. Electronic communication facilities (ECF): Any asset that can be used to electronically transfer information.

8.9. Electronic messages: The electronic transfer of information by means such as email, texts, blogs, message boards and instant messaging.

8.10. Equipment: Any asset that can be used to electronically store and/or process information.

8.11. Information asset: Any information that has value to the organisation’s stakeholders and requires protection.

8.12. Information processing facility (IPF): Any network of assets that can be used to electronically store, process or transmit information.

8.13. Information security critical supplier (ISCS): Any supplier of goods or services that, as part of their scope of supply, will potentially have unsupervised access to any of the organisation’s premises, have access to one or more of the organisation’s information assets, or provide software or hardware used in the organisation’s information processing facilities or electronic communication facilities.

8.14. Integrity: The accuracy and completeness of an information asset.

8.15. Mail server: A system based on software and hardware that sends, receives and stores electronic mail.

8.16. Malware: Malicious software, such as viruses, trojans, worms, spyware, adware, macros, mail bombs and rootkits which are specifically designed to disrupt or damage a computer system.

8.17. Mobile device: Laptop computers, tablet computers, smart telephones, mobile telephones and any other handheld or portable devices capable of processing or transmitting information.

8.18. Operating facility: Any physical location containing assets owned by the organisation that the organisation controls, including buildings, offices, departments and locations affiliated with the organisation that are used to create, access, store or process any of the organisation’s information assets.

8.19. Personal information: Information that relates to a living individual who can be identified from the information, or from other information which is in the possession, or is likely to come into the possession, of the organisation.

8.20. Remote users: Users accessing the organisation’s assets at locations other than its operating facilities, such as home offices, shared locations, hotels and where users are travelling, including standalone access and remote connections to the organisation’s information processing facilities.

8.21. Restricted access: Any physical location where access is restricted to named personnel only.

8.22. Security incident: Any event that has a potentially negative impact on the confidentiality and/or integrity and/or availability of an information asset.

8.23. Software: All programs and operating information used by equipment, including those being developed in accordance with the customer’s requirements for the user.

8.24. Supply of goods and services agreement: A legally binding contract between the organisation and a supplier for the supply of a defined scope of goods and services.

8.25. Teleworker: Any person that undertakes teleworking on behalf of the organisation.

8.26. Teleworking: The access, processing and storage of information assets at locations that are not under the control of the organisation.

8.27. User: An individual or organisation that uses one or more of the organisation’s assets, including software once it is post-General Availability (GA).

8.28. Visual aids: Any asset used to display information to the occupants of a room.

9.0. Associated documents

9.1. All associated documents referred to in this policy are highlighted in bold and underlined.

10.0. Acceptable Use of Assets Policy

10.1. This sub-policy specifies the controls that need to be applied to:

Authorise the use of any asset owned by, or under the control of, the organisation; and

Minimise the risks to information security arising from the misuse or unauthorised use of the organisation’s assets.

10.2. Use of electronic communication facilities (ECFs)

All users of ECFs must be authorised to do so in accordance with the organisation’s Access Control Policy.

Users must only use assets to access and transfer information for which they have been authorised in accordance with the Access Control Policy and the Information Classification, Labelling and Handling Policy.

Users must apply extreme caution when opening email attachments received from unknown senders. If in doubt, please ask a member of the Data Protection Team for advice.

Users must not:

o Disclose user IDs and personal passwords which give access to the organisation’s information assets unless authorised by the MD;
o Allow any third party to access the organisation’s ECFs;
o Use any access method other than the method provided to them by the organisation;
o Deliberately cause damage to any of the organisation’s ECFs, including maliciously deleting, corrupting or restricting access to the data contained therein;
o Deliberately introduce viruses or other harmful sources of malware into the organisation’s ECFs;
o Deliberately access external sources that are not authorised and not related to the organisation’s activities;
o Knowingly access, download or store materials from the internet that are illegal, immoral, unethical or deemed to be indecent or gross in nature;
o Send unsolicited, unauthorised or illegal materials to any internal or external recipient;
o Install, modify, delete or remove software in a way that contravenes the Use of Software Policy;
o Download any electronic files whose size exceeds any guidance provided by the Data Protection Team;
o Assist or create a potential security breach or disruption to the organisation’s ECFs in any way;
o Use any ECFs for any personal reasons, other than those authorised by the organisation.

Any user supplied equipment must be approved by the Data Protection Team for connection to any of the organisation’s ECFs.

The organisation reserves the right to monitor the use of all ECFs.

11.0. Access Control Policy

11.1. This sub-policy specifies the access controls that need to be applied to all information assets that contain information held by the organisation.

11.2. Access to the information assets, operating facilities and information processing facilities

Access to information assets, operating facilities and information processing facilities must only be provided to individuals who need it to complete tasks specified in their Job Description or as instructed by a Company Director.

All user access must be attributed to an identifiable person.

All unsupervised access to information assets, operating facilities and information processing facilities must be authorised by the person specified in, and recorded on, the Access Control Register.

The Data Protection Team is responsible for:

o Ensuring no single person can access, modify or use the organisation’s assets without authorisation or detection;
o Authorising and recording the use of any software that might be capable of overriding this sub-policy;
o Authorising and recording access to any software source codes;
o Authorising and recording individual user access to information processing facilities, electronic communication facilities, mobile devices, operating facilities and restricted access areas using an Asset and Access Control Review Form;
o Ensuring that individuals who enable and disable access to an organisation asset do not have access to any software that monitors the use of the asset;
o Ensuring that the access control for specific assets and information processing facilities meets the security requirements of each information asset owner;
o Regularly reviewing the logs of system administrator access and actions.

11.3. Control of access to information processing facilities

Managers/Directors are responsible for:

o Arranging access with the Data Protection Team as part of the induction of new starters, and as part of any role changes within the organisation;
o Arranging the removal of access by notifying the Data Protection Team of leavers from the organisation and as part of any role changes;
o Ensuring access to any asset is not provided to an individual who has not received formal training in the Information Security Policy;
o Ensuring individual access privileges are reviewed upon a change of role or change in responsibilities;
o Recording the status of each user’s access privileges in the Access Control Register;
o Ensuring redundant user access IDs are not issued to other users;
o Ensuring the immediate removal of all access rights of a user on termination of their Employment Contract or Supply of Goods and Services Agreement, or in the event of a security incident that relates to their access rights.

The Data Protection Team is responsible for:

o Responding in a timely manner to requests for the activation and deactivation of user account access made to them by the managers;
o Configuring and reviewing user access to the organisation’s assets and information processing facilities as specified in the Access Control Register;
o Removing any expired or unused accounts;
o Testing that deactivated, deleted and removed accounts are no longer accessible;
o Implementing access control systems and mechanisms for the organisation’s assets and information processing facilities as directed by the Data Protection Team;
o Logging and monitoring all access to the organisation’s assets & information processing facilities and providing access logs where requested to do so;
o Ensuring that access log files cannot be edited or deleted.

Any password rules and user security controls implemented must satisfy the following criteria:

o Passwords must be at least eight characters in length;
o Passwords must be a combination of lower case, upper case, numbers and where possible, special characters;
o Passwords must automatically expire every ;
o Historic passwords cannot be repeated;
o Users must be asked to change their passwords on initial access or if access needs to be re-established for any reason;
o Passwords must be obscured on any access point that displays them, typically marked with an asterisk;
o Password files or data must be stored in encrypted secure areas and encrypted whilst transferred;
o All displays must have a timeout of five minutes or less where the user is prompted to enter a password to access the system.

11.4. Access to remote users

All users must adhere to the Physical and Environmental Protection Policy, Mobile Devices Policy and Acceptable Use of Assets Policy when using the organisation’s assets in remote locations.

Remote access to the organisation’s network and information processing facilities must:

o Only be provided to authorised users;
o Only be used with approved assets, in accordance with the Acceptable Use of Assets Policy, Teleworking Policy and Mobile Devices Policy;
o Be set to timeout after of inactivity;

11.5. Access to the organisation’s operating facilities

Access to the organisation’s operating facilities must be authorised by the Data Protection Team.

Access to the organisation’s operating facilities will be processed and granted by the Data Protection Team.

Access controls must be implemented at all the organisation’s operating facilities and must be:

o Appropriate and proportionate to the area under control;
o Updated at set intervals to prevent the transfer of access methods to unauthorised persons and third parties;
o Monitored and logged for security purposes.

All employees are responsible for:

o Strictly adhering to the access controls for each location;
o Not tailgating or allowing tailgating through any secure access door;
o Not forcibly opening doors and other access controls;
o Not deliberately holding open a controlled access door by wedging, latching or placing an item against it;
o Promptly reporting any problems relating to access controls to the Data Protection Team;
o Accompanying visitors that are in their care at all times, and not allowing them to enter any unauthorised location;
o Immediately reporting to a member of the Data Protection Team and challenging, if confident and safe to do so, any person who is suspected of being in an area that they are not authorised to be in.

Authorisation must be granted by a member of the Data Protection Team to keep open a controlled access door for longer than the time required for an individual to enter or exit the area.

11.6. Visitors and suppliers

All visitors must:

o Sign in at reception;

o Be accompanied by a member of the organisation’s staff at all times;

o Not attempt to access any of the organisation’s assets and information processing facilities or view any of the organisation’s information without authorisation to do so.

All suppliers working on the premises must:

o Sign in at reception;

o Be managed and approved in accordance with the Suppliers Policy;

o Not access areas other than those identified as appropriate to perform the contracted tasks;

o Not access or view any information that has not been provided as part of the contracted task.

12.0. Backup Policy

12.1. This sub-policy specifies the controls that need to be applied to ensure that copies of all software and information assets stored using electronic media, are taken and held so that the risk to their confidentiality, availability and integrity is minimised.

12.2. Electronic files

Backup copies of all electronic files that contain information assets, including previous versions, must be made daily, stored offsite and retained for two days, using two tapes alternately.

All backup copies of electronic files must be encrypted in accordance with the Use of Cryptographic Controls Policy and as specified in the Electronic Data Backup Register.

All users must ensure that all electronic files are stored on the organisation’s information processing facilities.

Backups must be made in accordance with the Information Classification, Labelling and Handling Policy.

12.3. Storage of backups

The backup copies are stored in a remote location, at a sufficient distance to escape any damage from a disaster at the main site.

The backup information is given an appropriate level of physical and environmental protection consistent with the standards applied at the main site.

Any third parties used to store and maintain backups comply with the Suppliers Policy.

12.4. Testing of backups

Backups of software and electronic files, and media used to store them, must be tested at least annually in accordance with the Business Continuity Plan and the Electronic Data Backup Register.

13.0. Clear Desk and Clear Screen Policy

13.1. This sub-policy specifies the controls that need to be applied to minimise the risks to information security arising from unauthorised access to the organisation’s information assets located on desks, visual aids and display screens.

13.2. Paper assets, visual aids and portable storage media

Information assets held on paper or portable storage media must be stored in cabinets and/or drawers, in accordance with the Information Classification, Labelling and Handling Policy, when not in immediate use and whenever the room they are being used in is vacated unless the room is vacated in accordance with the Fire Evacuation Procedure.

All information assets stored on visual aids should be removed from display immediately after use and before vacating the room in which they are held.

13.3. Display screens

Equipment that utilises display screens must have a screensaver enabled with password protection that activates automatically after five minutes of inactivity.

Users of equipment that utilises display screens must enable a screensaver whenever they leave the room in which they are held.

13.4. Reproduction devices (printers, photocopiers and scanners)

Media used, or created using reproduction devices, must be removed from them immediately after use.

14.0. Communication Policy

14.1. This sub-policy specifies the rules that must be applied with regards to internal and external communications relevant to the IMS and in accordance with the Communication Procedure.

14.2. Communication with third parties

Any enquiries received from third parties relating to information security or the organisation’s IMS must be immediately referred to the MD or, in their absence, a member of the Data Protection Team.

Any information exchanged with third parties must be done in accordance with the Information Classification, Labelling and Handling Policy and the Information Classification, Labelling and Handling Rules.

Supply of information about the organisation’s IMS, including policies, procedures and specific control measures employed must be approved by a member of the Data Protection Team.

14.3. Employee briefings

The IMS Officer will deliver a briefing to all employees on information security matters at least once a year, or if any significant issues arise or decisions are made that have consequences for employees.

Employees will be encouraged to raise any concerns they have relating to information security matters at employee briefings.

15.0. Cryptographic Controls Policy

15.1. This sub-policy specifies the cryptographic controls that must be applied to confidential information.

General principles

The organisation’s computer systems and information processing facilities must be appropriately protected to prevent unauthorised access by applying a level of encryption to sensitive or critical information which is proportionate to the level of business risk.

All confidential information transferred outside of the organisation must be encrypted prior to transfer.

All removable media, including memory sticks, must be encrypted.

Mobile device hard drives must be encrypted.

Mobile devices must be protected by passwords or PIN codes or biometrics.

Emails must be encrypted whenever confidential information is contained or attached.

Attachments to emails must be encrypted whenever confidential information is contained.

15.2. Encryption of data in transit

Confidential information in transit must always be encrypted. Data which is already in the public domain, or would be of no adverse significance if it were to be so, may be sent unencrypted.

15.3. Encryption for information transferred outside the UK

Regulatory controls for any country outside the UK to which data is exported should be checked to ensure that cryptographic legislation will not be contravened. The company does not send any data outside the UK at present.

15.4. Avoiding adverse impacts from encryption

Encryption keys will be stored such that all information encrypted by the organisation can be decrypted if required. At present the company holds no such information.

Access to encryption keys must be controlled as per the Access Control Policy.

The persons with access to encryption keys must be recorded in the Access Control Register.

16.0. Information Classification, Labelling and Handling Policy 

16.1. This sub-policy specifies the labelling, storage, copying and distribution controls that need to be applied to all information assets that are processed and stored by the organisation.

16.2. Classification

It is the responsibility of the MD to maintain the Information Classification, Labelling and Handling Rules to ensure that:

Information assets can be easily classified and that classification considers their value, criticality, legal requirements and sensitivity to unauthorised disclosure or modification;

The rules can be applied practically by all information asset owners, employees and third parties with whom the organisation exchanges or provides access to information assets.

16.3. Labelling

Upon creation or receipt from a third party, all information assets must be labelled in accordance with the Information Classification, Labelling and Handling Rules.

Whenever an information asset is modified, consideration must be given as to whether the labelling applied to it should be changed.

16.4. Copying

The copying of all information assets should be avoided wherever possible. Where copying is necessary (e.g. to comply with the Backup Policy), copying must be done in accordance with the Information Classification, Labelling and Handling Rules.

16.5. Distribution

Information assets should only be distributed:

To comply with client requirements;

To comply with legal requirements;

On a need to know basis.

Where distribution is necessary, it must be done in accordance with Information Classification, Labelling and Handling Rules.

16.6. Destruction

Destruction of an information asset must be done in accordance with the Control of Documented Information Procedure.

17.0. Mobile Devices Policy

17.1. This sub-policy specifies the controls that need to be applied to:

Control the use of any mobile devices owned by, or under the control of, the organisation; and

Minimise the risks to information security arising from the misuse or unauthorised use of mobile devices.

17.2. Issuing of mobile devices

The issue of any mobile device to a user must be authorised by the Data Protection Team and recorded on the Mobile Telephone Numbers List.

All users must sign and return a Mobile Device User Agreement.

17.3. Use of mobile devices

All users of mobile devices must comply with the Acceptable Use of Assets Policy, Clear Desk and Clear Screen Policy, Backup Policy, Teleworking Policy and the Use of Software Policy.

Mobile devices must only be used in connection with authorised business use.

A mobile device must only be used by the user to whom it was supplied. Users must not allow a mobile device issued to them to be used by any other individuals including other employees, suppliers, friends, associates or relatives.

In an emergency situation, a user may allow an individual to make a supervised call from a mobile or smart telephone.

Users must immediately notify the Data Protection Team if a mobile device is known or suspected to be lost or stolen.

Mobile devices must not be used or stored in environments or areas where there is a reasonable risk of them becoming damaged by impact, water ingress, extreme temperatures or electromagnetic fields.

When not in use, mobile devices must be retained in a secure environment. This may include a lockable store cupboard with controlled access, or lockable metal cabinets.

When mobile devices are taken away from buildings controlled by the organisation, users must ensure that they take adequate precautions at all times to protect the equipment against theft or accidental damage.

When transporting mobile devices, care should be taken not to draw attention to their existence to minimise the likelihood of street crime.

Mobile devices should only be transported in the bags or cases with which they were supplied. Replacement bags or cases must only be obtained from the Data Protection Team.

Mobile devices must be carried as hand luggage when travelling.

Mobile devices must not be left unattended at any time in a vehicle or public place.

Mobile devices must always be protected from unauthorised use by an access password in accordance with the Access Control Policy.

Mobile devices must not be used to store passwords, safe/door combinations, or classified, sensitive or proprietary information.

Mobile devices must not be used to transfer information via wireless networks that have not been approved by the Data Protection Team.

17.4. Return of mobile devices

Upon request by the Data Protection Team, termination of contract or change of role, a user must return any mobile devices they have been issued with to the Data Protection Team.

All mobile devices must be returned to the Data Protection Team and recorded on the Mobile Telephone Numbers List.

All users must complete their Mobile Device User Agreement upon return.

18.0. Physical and Environmental Security Policy

18.1. This sub-policy specifies the controls that need to be applied to all operating facilities and assets located at them to:

Protect the organisation’s assets from physical and environmental threats; and

Reduce the risk of damage, loss and theft to the organisation’s assets; and

Reduce the risk of unauthorised access to the organisation’s operating facilities.

18.2. Physical protection of operating facilities

Using appropriate methods, all the organisation’s operating facilities must be secured at all times to prevent unauthorised access.

All operating facilities must be protected by an intruder alarm system that is remotely monitored by .

All external windows and doors must be kept shut and locked at all times unless authorised by the Data Protection Team.

18.3. Environmental protection of operating facilities

All the environmental vulnerabilities and controls associated with the organisation’s operating facilities are identified in the Asset and Risk Assessment Register.

All relevant operating facilities are protected by suitable fire alarm systems and have a fire evacuation procedure in place.

All systems identified as being vulnerable to power outages should be protected by uninterruptible power supplies (UPS), such as a generator or battery backup, as follows:

Generators must have the capability to meet the requirements of the Business Continuity Plan;

Battery backup must be able to provide at least 30 minutes of uptime to the systems utilising their power.

All systems that need to be maintained in a temperature controlled environment must be suitably located where air conditioning facilities are available that are:

Implemented with monitoring/backup to pro-actively alert/failsafe in the event of failure;

Adequately maintained to ensure reliability.

18.4. Protection of assets at operating facilities

All network servers must be placed in locations designated as restricted access in the Access Control Policy.

All cable/wiring locations must be appropriately secured to prevent interception of data and damage to the network infrastructure.

All hard copy files must be stored in cabinets in accordance with the Clear Desk and Clear Screen Policy and the Information Classification, Labelling and Handling Policy.

All assets must be maintained in accordance with manufacturers’ and suppliers’ recommendations or as identified from an Improvement Log. Maintenance requirements and their status will be recorded in the Equipment and Maintenance Register.

All areas designated as restricted access in the Access Control Policy must be clearly signposted at all entrance points to them. Entrances to these areas must be physically controlled at all times to prevent access by non-authorised personnel.

19.0. Protection from Malware Policy

19.1. This sub-policy specifies the controls that need to be applied to all computer systems and the mobile devices that can connect to the organisation’s information processing facilities to protect them against malware threats from sources such as viruses and spyware applications.

19.2. Installation of anti-virus software on computer systems and mobile devices

It is the responsibility of the Data Protection Team to ensure that effective anti-virus software is installed and appropriately updated on all computer systems and mobile devices that have access to the organisation’s information processing facilities and store and transmit information assets, regardless of whether the organisation actively manages and maintains them.

Computer systems and mobile devices must not be used or handed over to a user unless they have up-to-date and operational anti-virus software installed.

All anti-virus software installed must have real-time scanning protection to files and applications running on the computer system or mobile device. The scanning must automatically assess the threat posed by any electronic files or software code downloaded onto a computer system or mobile device.

All anti-virus software must be configured to ensure it can detect, remove and protect against all known types of malware.

All anti-virus software must be configured to automatically start on device power-up and to continuously run for the duration that the computer system or mobile device is powered.

All anti-virus software must be configured to run automatic updates provided by the anti-virus software supplier.

All anti-virus software must be configured to conduct periodic scans of the computer system or mobile device on which it is installed.

All anti-virus software must be configured to generate log files, and to store these log files either locally on the computer system or mobile device or centrally on an organisation-wide anti-virus server (if applicable). All logs must be kept for a minimum of .

19.3. Installation of anti-virus software on mail servers

Mail servers must have either an external or an internal anti-virus scanning application that scans all mail destined to and from the server. Local anti-virus scanning may be disabled during any backup or system downtime periods if an external anti-virus application still scans inbound emails during this period.

19.4. Other processes, systems and tools to deter malware

All computer systems and mobile devices must run the organisation’s approved operating system at its latest supported version with all relevant updates and patches installed.

Web filtering must be implemented to reduce the potential access to websites that may contain malicious code.

Web browsers must be configured to reduce the possibility of issues arising from mobile code.

19.5. Requirements of users

Any activity intended to create and/or distribute malware on an information processing facility, computer system or mobile device is strictly prohibited.

All users must not in any way interfere with the anti-virus software installed on any computer system or mobile device.

All users must immediately report any issues, or suspected issues relating to malware and any anti-virus warnings and alerts communicated to them from a computer system or mobile device.

All users must check the authenticity of attachments/software to be installed from internet sources.

Users must not install applications that arrive on unsolicited media.

Users must seek advice from the Data Protection Team if their computer system or mobile device requests them to install or update software such as Java and ActiveX.

20.0. Suppliers Policy

20.1. This sub-policy specifies the controls that need to be applied to all suppliers who can compromise the security of the organisation’s information assets.

20.2. This sub-policy does not apply to services supplied by individuals under the terms of an Employment Contract issued by the organisation.

20.3. Information security critical suppliers (ISCS)

The use of all ISCS must be approved by the MD. This approval must be completed and recorded in accordance with the Improvement Procedure.

Up-to-date records relating to the status of information about ISCS security controls, certifications and key personnel must be maintained in the Approved Suppliers Register.

All information security risks identified that relate to the use of ISCS must be assessed and recorded in the Asset and Risk Assessment Register in accordance with the Information Asset and Risk Management Procedure.

ISCSs must not deliver goods or services that are not covered within the scope of a current Supply of Goods and Services Agreement. The current Supply of Goods and Services Agreement must include the following information:

o The scope of goods and services supplied by the ISCS covered by the agreement;

o The obligations of the ISCS to protect the organisation’s information assets in respect of availability, integrity and confidentiality;

o The obligations of the ISCS to comply with the organisation’s Information Security Policy and relevant processes, policies and procedures in its ISMS, including acknowledgement of documents supplied by the organisation;

o The minimum information security controls implemented and maintained by the ISCS to protect the organisation’s information assets and the arrangements for monitoring their effectiveness;

o The arrangements for reporting and managing security incidents, as per the Security Incident Management Procedure;

o The arrangements for managing changes to any assets, as per the Change Control Procedure;

o The contact names of the persons employed by the organisation and ISCS with responsibility for information security;

o The defect resolution and conflict resolution processes.

The information security controls detailed above should include the following considerations:

Subcontracting of the supply of goods and services by the ISCS to third parties;

Access control to the organisation’s assets by ISCS employees and subcontractors;

Resilience, recovery and contingency arrangements to ensure the availability of any assets including any data processing facilities provided by the ISCS and/or the organisation;

Accuracy and completeness controls to ensure the integrity of the assets, information or information processing equipment/facilities provided by the ISCS and/or the organisation;

Processes and/or procedures for transferring information and/or information processing facilities between the ISCS, the organisation and other third parties;

Screening checks undertaken on ISCS employees and subcontractors;

Awareness training for ISCS employees and subcontractors;

Any legal and regulatory requirements, including data protection, intellectual property rights and copyright, and a description of how it will be ensured that they are met;

ISCS obligation to periodically deliver an independent report on the effectiveness of controls.

It is the responsibility of the to create and maintain an Approved Suppliers Register.

It is the responsibility of the to ensure that all suppliers are provided with up-to-date copies of the organisation’s policies and procedures that are relevant to them.

It is the responsibility of the to ensure that the information security controls specified in the Supply of Goods and Services Agreement are audited at a frequency of not less than once every 12 months by a qualified auditor in accordance with the Supplier Audit Procedure.

20.4. Other suppliers

21.0. Teleworking Policy

21.1. This sub-policy specifies the controls that need to be applied to teleworking to minimise the risks to information security arising from the access, processing and storage of information assets at locations that are not under the control of the organisation.

21.2. Teleworking authorisation

All teleworking must be approved by .

The scope of a teleworker’s teleworking must be defined to include:

Authorised locations for teleworking, e.g. home, hotels, travelling etc.;

Equipment and electronic communication facilities to be used;

Access controls to the organisation’s information processing facilities;

Any specific controls to be applied, e.g. use of equipment by other individuals.

21.3. Accessing the organisation’s information processing facilities from teleworking locations

Teleworkers must comply with the Access Control Policy, Acceptable Use of Assets Policy, Mobile Devices Policy and the Protection from Malware Policy when connecting to the organisation’s information processing facilities whilst teleworking.

Remote access to the organisation’s information processing facilities will be authorised by the MD.

Remote access to the organisation’s information processing facilities will be .

21.4. Organisation-provided equipment for teleworking

Where equipment is provided to the teleworker for teleworking, the teleworker must comply with the Acceptable Use of Assets Policy, Mobile Devices Policy and Use of Software Policy.

21.5. Use of teleworker-owned equipment for teleworking

Teleworkers are permitted to use their own equipment in accordance with the Access Control Policy provided:

The equipment is approved for use by the MD;

The equipment is only used in accordance with the approved scope of their teleworking and Section 16.2 of this sub-policy;

The equipment is not set to automatically connect to wireless networks;

Information assets are not saved locally on the equipment and are only accessed and saved on the organisation’s information processing facilities;

All equipment used has the current version of its operating system installed, defined as a version for which security updates continue to be produced and made available for the equipment;

All equipment has anti-virus software installed that meets the requirements of the Protection from Malware Policy;

All equipment has comprehensive password protection implemented for account access, application access and screensavers;

All equipment is configured to “auto lock” after an inactivity period of 5 minutes.

The teleworker is responsible for ensuring the equipment is not accessed by any unauthorised person while the equipment is being used for work purposes.

Teleworkers must take extra care when using any equipment for teleworking to protect it from theft and damage.

The teleworker must report any loss or theft of any equipment that has been used for teleworking to the .

The teleworker must notify the of the disposal of any equipment and be willing to pass, by mutual agreement, the equipment to the for the purpose of removing any of the organisation’s information assets that may still reside on it.

Information Security Policy

PMD POL 02: Format Issue 1 (06.18)

22.0. Use of Software Policy

22.1. This sub-policy specifies the controls that need to be applied covering the use and installation of software on any assets owned by or under the control of the organisation to minimise risks to information security arising from the misuse of software or the use of unauthorised or illegally obtained software.

Use of software

Software must only be used in connection with authorised business use.

Users of software must be authorised to do so in accordance with the Access Control Policy.

Users must not make copies of any software provided by the organisation without the express written consent of the software publisher and the organisation.

22.2. Installation of software

Installation of software onto an asset must be authorised by the Data Protection Team and must be done in accordance with the Change Control Procedure and Backup Policy.

Users must not install, or in any way make use of, software from sources other than those provided by the organisation unless authorised to do so by the Data Protection Team.

Any software installed must carry a valid license that covers the scope of use.

Environmental Policy

PMD POL 01: Format Issue 1 (06.18)

Priority Newstrade Mailing & Digital Print is a professional and environmentally conscious organisation, which acknowledges the impact that our operations may potentially have on the environment. The clear objective of the Company is to minimise any impact on the environment by:

Preventing pollution, reducing waste and ensuring that wherever practical, measures are implemented to protect and preserve natural habitats, flora and fauna;

Considering the effects that our operations may have on the local community;

Taking action to eliminate or reduce, as far as practicable, any potentially adverse environmental impacts;

Promoting environmental awareness amongst our suppliers, contractors and partners by implementation of operational procedures;

Seeking to work in partnership with the community by behaving in a considerate and socially responsible manner;

Ensuring effective and expedient incident control, investigation and reporting.

Management and supervisory staff have responsibilities for the implementation of the policy and must ensure that environmental issues are given adequate consideration in the planning and day-to-day supervision of all work.

The Company will fully comply with the duties placed upon it within the requirements of Statutory Legislation, whilst at all times complying with, as a matter of best practice, the requirements and duties set out within Approved Guidance as issued by the Environment Agency and other organisations.

All employees and sub-contractors are expected to co-operate and assist in the implementation of this policy, whilst ensuring that their own works, so far as is reasonably practicable, are carried out without risk to themselves, others or the environment. This includes co-operating with management on any environment related matter.

The Company will take all practical steps to ensure that potential hazards and risks to the environment are identified and that suitable and effective prevention and control measures are implemented. All employees will be provided with the necessary resources, equipment, information, instruction and training to fulfil the requirements of this policy.

The Directors have overall responsibility for all environmental matters. The operation of this policy and the associated procedures will be monitored and reviewed on a regular basis to ensure that they remain current and applicable to our activities.

Policy Authorisation

Signed on behalf of Priority:

Position: Managing Director Date: 18th May 2018

COOKIES POLICY