This policy is designed to be the overarching Information Security Policy for Higgs Boson Consultants LLP and is the primary policy under which all other technical and security policies reside.
The policy is designed to ensure that Higgs Boson Consultants LLP complies with all relevant compliance legislation in respect of information security. The policy will describe specific Higgs Boson Consultants LLP rules on information security and reference any subservient guidelines that will describe policy in more detail.
- Policy Statement
The purpose and objective of this Information Security Policy is to protect Higgs Boson Consultants LLP information assets from all threats, whether internal or external, deliberate or accidental. It also describes measures to ensure business continuity, minimise damage and maximise return on investment. Information will be protected from a loss of confidentiality, integrity and availability.
This policy is intended for all staff and any visitors using Higgs Boson Consultants LLP IT systems, data or any other information asset. For the purposes of this Policy the term “staff” will be taken to mean paid employees, volunteers, authorised associate members, honorary members and visitors to Higgs Boson Consultants LLP.
- Roles and Responsibilities
- The Higgs Boson Consultants LLP Board is the designated owner of the Information Security Policy
- The Policy is approved by the Managing Directors of Higgs Boson Consultants LLP
- The Data Protection Officer for Higgs Boson Consultants LLP is Technical Director, Dr Matthew Mills
- The Information Security Manager for Higgs Boson Consultants LLP is Technical Director, Dr Matthew Mills
- The Information Guardian for Higgs Boson Consultants LLP is the Technical Director, Dr Matthew Mills
- The Data Controller for Higgs Boson Consultants LLP is the Director, Dr Matthew Mills
Higgs Boson Consultants LLP is registered with The ICO, the UK’s independent body set up to uphold information rights:
- Security Number: CSN2050318
We will always supply copies of your data, free of charge, in a recognised open format should you require it.
We commit to the following five standards of data housekeeping:
- You can contact Higgs Boson Consultants LLP Ltd at any time, by phone, email, or in writing to request details of the data Higgs Boson Consultants LLP holds about you or your organisation
- You can make changes to, or delete, any of the data Higgs Boson Consultants LLP holds about you or your organisation at any time
- We will only store your data for as long as is necessary, and we will delete your data once our relationship ends, or retain it only for as long as is legally required
- We will always keep your data secure and maintain the highest security standards when managing and processing your data
- We will always document the way your data is updated, processed and controlled
- Information Security Policy Ownership and Responsibility
The roles and responsibilities of the designated Information Security Manager are to manage information security and to provide advice and guidance on implementation of the Information Security Policy. The Designated Owner of the Information Security Policy has direct responsibility for maintaining and reviewing the Information Security Policy.
It is the responsibility of all staff to implement the Information Security Policy within their area of responsibility.
- Audit and review
The Information Security Manager will be responsible for arranging and monitoring regular audits of all aspects of the Information Security Policy. The results of audits will be recorded and logged. Audits will be carried out no less than annually.
The Information Security Policy will be reviewed annually by the Information Security Manager and approved by the Higgs Boson Consultants LLP Board.
- Regulatory and Legislative Requirements
The Information Security Policy is designed to ensure that all regulatory and legislative requirements will be met. Annex A provides a list of all relevant legislation and guidance to which this Policy refers.
- Internet and Email Usage
All users of the Higgs Boson Consultants LLP network are required to be aware of the Higgs Boson Consultants LLP Policies and Business Guidelines available in the Higgs Boson Consultants LLP Knowledge base.
All Higgs Boson Consultants LLP staff and team members are expected to use IT resources in accordance with Policies and Business Guidelines available in the Higgs Boson Consultants LLP Knowledge base.
The use of email and the Internet within Higgs Boson Consultants LLP is overseen by the Information Security Manager. Every new member of staff will be required to meet with the Information Security Manager and have an IT induction before using Higgs Boson Consultants LLP systems.
All members of staff are expected to have read, understood and to adhere to this Policy. Breaches of any of the policy rules should be passed to the Information Security Manager.
- Authentication and Authorisation
All members of staff will be issued with email accounts on the domain @Higgs Boson Consultants LLP.ltd.uk. Staff may apply for a server account subject to approval by the Information Security Manager. Passwords and account details must not be shared or disclosed to any third party. Server accounts will only allow access to areas appropriate to the account holder’s job and responsibilities. Temporary visitors to Higgs Boson Consultants LLP will not be granted access to a server account. Physical access to the buildings and offices will only be allowed if accompanied by a member of the Higgs Boson Consultants LLP team.
- Location Security
All external doors to Higgs Boson Consultants LLP working locations will be security locked at ALL times. Internal offices must be locked independently when not in use and offices that are involved in processing sensitive data will be subject to greater security processes, which will be detailed in individual project policy. Staff will be issued with USB cards and keys that are appropriate to their level of work. Staff are responsible for their keys and USB cards and to notify the Higgs Boson Consultants LLP admin team immediately in the event of loss. Staff must not share or give keys and USB cards to any third parties.
- Network and Systems IT Security
The Higgs Boson Consultants LLP Information Security Manager audits and monitors the Higgs Boson Consultants LLP systems and has access to the administration systems. Full details of the structure, operation and responsibilities for the network and computer systems are contained in the Higgs Boson Consultants LLP Business Guidelines.
The Higgs Boson Consultants LLP Board will be responsible for authorising the System Level Security Policy and the Information Security Manager is responsible for ensuring that the systems are risk assessed, audited and tested.
- Computers, Software and Hardware
Control measures for Higgs Boson Consultants LLP hardware and software are defined in the Higgs Boson Consultants LLP Business Guidelines. All staff are expected to have read and understood the Higgs Boson Consultants LLP IT Security Policy. Managers will ensure that their staff are adhering to the Higgs Boson Consultants LLP IT Security Policy. Any breaches will be reported in the first instance to the Information Security Manager.
- Information Handling
All staff are required to understand and adhere to the Higgs Boson Consultants LLP confidentiality agreement when they commence employment. A copy of this agreement will be given to staff at the induction meeting. Staff are expected to comply with this agreement at ALL times.
The confidentiality agreement is enforceable in respect of both electronic and hard copy data files. Staff are expected at ALL times to observe due diligence and care when handling and processing ANY data.
All staff are required, during the course of their employment, to have taken part in self-guided training in relation to the Data Protection Act 1998.
All projects will be subjected to a formal risk assessment which will include information and data handling.
Higgs Boson Consultants LLP provides cross cut shredders for the secure disposal of any hard-copy work that requires disposal.
- Application Development and Validation
Any new software application should where practical be subject to validation and control. Proper risk assessment should be employed on all projects that are developing new applications.
- Back-up and Archiving
All data must be archived appropriately when they are no longer required within Higgs Boson Consultants LLP.
Hard-copy data must be boxed, recorded and removed to offsite secure storage. The security level of offsite archive storage must be the subject of a risk assessment which takes into account the nature of the data to be stored.
Electronic data must not be archived unless all identifiers have been removed. Identifier data, if kept, must be encrypted. The nature and security to be used on the archive data will be the subject of a risk assessment and be of an appropriate level.
Back-up of all Electronic data is detailed in full in the Higgs Boson Consultants LLP Business Guidelines.
- Exceptional Projects
Each project undertaken by Higgs Boson Consultants LLP will be subject to a full risk assessment both prior to start up and reviewed during the operation of the project. All Higgs Boson Consultants LLP projects will be subject to the level of Security as detailed in the Higgs Boson Consultants LLP Business Guidelines unless it is deemed upon risk analysis that the project requires a greater level of security.
Any Higgs Boson Consultants LLP project that is deemed to be “exceptional” will require a separate security policy and provision made to ensure that the data are secured appropriately. The Information Security Manager will be responsible for ensuring that the project specific security policy will be written, implemented, reviewed and tested.
Higgs Boson Consultants LLP staff must ensure that all projects are risk assessed and any exceptional requirements are notified to the Information Security Manager.
Encryption will not be used on standard electronic storage unless a risk assessment highlights the need. If required, cryptographic controls will be compliant with the current international standards.
Staff wishing to take work away from Higgs Boson Consultants LLP, for example taking a lecture to a conference, will be required to store their work on an encrypted USB memory storage device.
No data of a sensitive nature and no personally identifiable data will be removed from Higgs Boson Consultants LLP systems under any circumstances.
- Remote access and Home Working
Higgs Boson Consultants LLP staff are allowed to access non-sensitive data from approved locations. There is no remote access to any of the drives that store sensitive data. Any member of staff wishing to work from home must fulfil the requirements supplied by the Information Security Manager.
- Disaster Recovery and Business Continuity
Higgs Boson Consultants LLP has a disaster recovery plan and a supporting risk assessment in place; business continuity planning forms part of that plan. The plan will be reviewed annually.
Regulation and Governance: This policy was written with reference to the following:
- The Computer Misuse Act (1990)
- The Data Protection Act (1998)
- The General Data Protection Regulation (GDPR) (EU) (2016)
- The Regulation of Investigatory Powers Act (2000)
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations (2000)
- The Freedom of Information Act (2000)