Information Security Policy
Dated: Aug 2023
1.0 Statement of Intent
Server Room Environments Ltd (The Company) recognises the importance of information security and complies with the regulations, legislation, standards and approved codes of practice relating to safe data management in the delivery of its products and services.
2.0 Responsibilities for this Policy
The Directors of Server Room Environments are ultimately responsible for this policy. It is the responsibility of the Information Management Systems (IMS) Manager to ensure that all employees are suitably trained in information security matters. This includes providing training as required and the maintenance of training records. This means ensuring that permanent and temporary team members and contractors are aware of:
- The information security policies applicable in their work areas.
- Their individual responsibilities for information security.
- How to access advice on information security matters.
- All team members and contractors shall comply with information security procedures including the maintenance of data confidentiality and data integrity. Failure to do so may result in disciplinary action, including dismissal.
- Team leaders shall be individually responsible for the security of their physical environments where information is processed or stored.
- Each member of the team shall be responsible for the operational security of the information systems they use.
- Each system user shall comply with the security requirements that are currently in force, and shall also ensure that the confidentiality, integrity, and availability of the information they use are maintained to the highest standard.
Where external parties require access to Company information systems, such access shall be granted only in compliance with all applicable security policies.
3.0 Scope and Aims
This policy applies to all Company information, information systems, networks, applications, locations and users, whether owned by the Company or supplied to it under contract, as well as any hardware such as laptops, mobile devices and tablets.
The aim of this policy is to set out the rules governing the secure management of Server Room Environments information assets by:
- Ensuring that all members of the team are aware of and fully comply with the relevant legislation as described in this policy.
- Creating and maintaining within the organisation a level of awareness of the need for information security as an integral part of the day to day business.
- Protecting information assets under the control of the organisation.
4.0 Commitments
It is the policy of the Company to comply fully with all relevant legal requirements and codes of practice, to carry out all measures reasonably practicable to meet, exceed or develop all necessary or desirable requirements, and to continually improve information security management, in particular through the formal management of:
- Office Firewalls and Gateways
- Secure Configuration
- Software Patching
- User Accounts
- Administrative Accounts
- Malware Protection
The policy is communicated to all employees, suppliers and contractors and is made available to the public.
Server Room Environments is committed to achieving this policy through the application of an Integrated Management System that embodies the requirements of ISO 9001:2015 and ISO 27001:2022. This involves the use of documented company processes, procedures and work instructions. It also means that training and development are provided to equip all staff with the skills and competencies necessary to deliver quality of service and product.
The Projects Director, supported by consultants to Server Room Environments, has specific responsibility for providing the necessary organisation and resources to implement this policy.
In order to promote a positive commitment to quality, the management team ensures that its Quality Policy and targets and objectives are cascaded throughout the Company and are clearly understood. Employees are supported in their learning and development and are encouraged to put forward suggestions for improving the business operations.
All employees at Server Room Environments understand that they have a responsibility to adhere to Processes and to seek to continually improve the efficiency and quality of the services they give to Clients.
Copies of our Roles, Responsibilities & Authorities, Processes, and ISO Certificates can be forwarded to interested parties on request.
5.0 Legislation
The Company is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the Company, who may be held personally accountable for any breaches of information security for which they are responsible. The Company shall comply with the following legislation and other legislation as appropriate:
- The Health and Safety at Work Act (1974)
- The Data Protection Act (2018)
- The Copyright, Designs and Patents Act (1988)
- The Computer Misuse Act (1990)
- Human Rights Act (1998)
- Regulation of Investigatory Powers Act (2000)
- Freedom of Information Act (2000)
- The Data Protection (Processing of Sensitive Personal Data) Order (2000)
The Directors are responsible for staying up to date with existing laws and legislation that apply to the Company, as well as new laws and regulations that may apply to the Company. The Directors are also responsible for communicating these requirements to team members and other stakeholders.
6.0 Policy Framework
6.1 Personnel Security
6.1.1 Contracts of Employment
- Team members’ security requirements shall be addressed at the recruitment stage, and all contracts of employment shall contain a confidentiality clause.
- Information security expectations of team members shall be included within appropriate job definitions.
- All access rights shall be removed immediately on termination of the contract.
- All associated accounts shall be deleted or disabled on termination of the contract.
- All company assets must be returned immediately upon termination of the contract.
6.1.2 Intellectual Property Rights
The Company shall ensure that all software, applications, and operating systems are properly licensed in accordance with the publisher’s recommendations.
6.1.3 Asset Management
Company devices include any computer, laptop, tablet, or mobile phone that can access company data. It is Company policy to ensure that these devices comply with the following criteria:
- Have anti-malware installed.
- Not be jailbroken.
- Only run operating systems and firmware from well-known and approved suppliers who provide regular security updates across all operating platforms.
- Only run software packages and Apps from well-known and approved suppliers and official applications stores that provide regular security updates.
- All installed software and Apps are reviewed periodically, with obsolete or unused software deleted or disabled.
Devices and their installed software are reviewed periodically and compared to the Approved App and Software List (IMSFMS023).
6.2 Antivirus and Malware Protection
All computing devices connected to the company information systems are installed with antivirus software. This includes desktop computers, laptops and servers which shall be protected by Webroot anti-virus software.
Mobile phones and tablets shall not connect to Company-hosted information sources except via a third-party Cloud arrangement where the Company is satisfied as to the information security arrangements of the third party e.g. Google and Microsoft. Internet browsing shall be protected by Webshield (a function within Webroot).
6.3 Access Management, Administrator and User Accounts
- Only authorised personnel who have a justified and approved business need shall be given administrator access to restricted areas containing information systems or stored data.
- User accounts are reviewed periodically (employee start, exit, and at least annually) to check if they are required.
- Access to information shall be restricted to authorised users who have a bona fide business need to access the information.
- Team members can only access laptops, computers and servers including applications they contain, by entering a unique username and password.
- Team members shall only have admin privileges if they have a bona fide case. The IMS Manager shall have final review on whether someone should be granted administrator privileges.
- Administrator accounts shall not be used for accessing emails or for web browsing.
- Administrator accounts shall be regularly reviewed by the IMS Manager to assess if the individuals still have a business need for privileged access.
- Two-factor authentication shall be enabled for all administrator accounts on all systems, applications and machines where feasible.
- The boundary between the business systems and the Internet or other non-trusted networks is protected by a firewall, configured to meet the threat landscape, and regularly monitored by the IT supplier and network maintenance provider.
- All administrative accounts must have a strong password.
For new network devices, the default passwords are changed and managed by our IT supplier and network maintenance provider. The IT supplier provides confirmation of this change before usage.
Administrator accounts are only provided for performing specific tasks such as installing new software or changing configuration settings.
Administrator accounts are only provided to be used for temporary periods and not for permanent use during daily non-administrative tasks. For example, an employee has two accounts: one for daily tasks and one for administrative tasks.
Only authorised personnel who have a justified and approved business need shall be given administrator access to restricted areas containing information systems or stored data. This is reviewed during on-boarding and is related to the job description and business needs.
A list of accounts is maintained with the permission status – user and administrative.
The Company regularly reviews administrative and user accounts usage and privileges to ensure that they are aligned to the job description, roles and activities of employees.
6.4 Software Patching
Operating system software patching is set for automatic download and installation. Application software updates will be set for either automatic or manual download and installation. The IMS Manager is responsible for monitoring operating system and software supplier websites and information portals for update information, and for ensuring that critical updates are applied within 14 days of release.
6.5 Externally Accessible Services
The Company periodically reviews externally accessible services from internet routers and hardware firewalls to ensure unnecessary services are disabled. Internet routers and hardware firewall devices are set to block all other services from being advertised to the internet when first configured and are periodically reviewed. Internet routers are configured with remote access disabled when installed and are periodically reviewed.
6.6 Tablet and Mobile Applications
Users are only authorised to download Apps from the official App Stores for the company Apple iOS and Microsoft Windows devices. The Approved App and Software List (IMSFMS023) defines applications that are approved for download to tablet and mobile devices. Company tablet and mobile devices are reviewed and audited periodically to ensure that only approved Apps are present.
6.7 Cyber Essentials
Server Room Environments shall comply with the requirements of Cyber Essentials certification. For this it is important to ensure that Server Room Environments has adequate controls in place to maintain the standard and that these are reviewed on a regular basis.
7.0 Further Information
Further information and advice on this policy can be obtained from the IMS Manager. Comments and suggestions to improve security are always welcome.
This policy is reviewed annually by the directors and management team or sooner if appropriate.
For other policies see our Integrated Management System page.
Ref: IMS-5.2-Information Security Policy