Information Security Policy
Updated - 29/11/2023
General Notices
This policy applies to all users of any and all IT resources provided by and administered by EnsiliTech, as well as associated persons of EnsiliTech, including staff members, contractors, directors, and anyone else carrying out business for the company. For the remainder of this policy, the term ‘User(s)’ means any of the aforementioned associated persons.
This policy applies to all systems used to store, process, or transmit Company information, including but not limited to computers, servers, laptops, mobile devices, networks, databases, cloud services, and any other IT infrastructure owned, operated, or used by the Company.
The continued confidentiality, integrity and availability of information systems underpin the operations of the Company. A failure to secure information systems would jeopardise the ability of the Company to fulfil its mission and have greater long-term impact through the consequential risk of financial or reputational loss.
This Information Security Policy provides the guiding principles and responsibilities of all members of the Company required to safeguard its information systems. Other supporting Company policies, procedures and guidelines will give greater detail on specific subject areas.
The executive and IT teams will lead the Company's commitment to deliver a successful implementation of information security management, but this will only be possible if all members of the Company community are aware of and carry out their own personal responsibilities.
Purpose of Policy
The intention of this policy is to:
Protect the information systems managed by the Company from security threats and mitigate risks that cannot be directly countered, ensuring the confidentiality, integrity, and availability of Company data.
Ensure that all Users are aware of and able to comply with relevant UK and EU legislation related to information security, data protection, and privacy.
Educate and empower all users to understand their personal responsibilities in protecting the confidentiality and integrity of the data they access, and to comply with this policy and other supporting policies.
Safeguard the reputation and business of the Company by ensuring its ability to meet its legal obligations and to protect it from liability or damage through misuse of its IT facilities, including data breaches or unauthorised access.
Promote a culture of continuous improvement in information security by conducting timely reviews of policies and procedures in response to feedback, changes in legislation, emerging threats, and other factors, in order to enhance ongoing security measures and practices.
Awareness and Communication
All authorised users will be provided with information about this policy and supporting policies and guidelines when their account is issued. Updates to guidance will be communicated through the Company's internal website and will be highlighted at major points of interaction with systems, as deemed appropriate for the change. This may include email notifications, system alerts, or other forms of communication to ensure that users are aware of any updates or changes to the information security policies and guidelines. It is the responsibility of all users to regularly review and comply with the most current version of the policies and guidelines to maintain a secure information environment at Ensilicated Technologies Ltd.
Information Security Principles
The following principles provide a framework for the security and management of the Company’s information and information systems.
Information Classification: All information should be classified in accordance with the Information Classification Framework, as well as any legislative, regulatory, or contractual requirements that may increase the sensitivity of the information and its security requirements.
Data Stewardship: Data Stewards are responsible for writing and maintaining business definitions and for helping to develop quality checks to ensure the data is fit for purpose. For research-related work, they should ensure their data is classified and, in partnership with Data Custodians, that the information is treated in line with its classification level, with appropriate procedures and systems in place to cater for this. Where personal data are stored, appropriate consent for storage and processing must be gathered and recorded.
Proper Handling of Information: All individuals covered by the scope of this policy must handle information appropriately in accordance with its classification level, relevant laws, regulations, and policies.
Need-to-Know Principle: Information should only be made available to those individuals who have a legitimate need for access in order to perform their job duties or responsibilities. Access to information should be granted based on role-based permissions and least privilege principles.
Unauthorised Access Protection: Information should be protected against unauthorised access and processing. This includes implementing appropriate technical, administrative, and physical safeguards such as strong authentication, access controls, and audit trails to prevent unauthorised access or data breaches.
Data Loss Prevention: Measures should be in place to protect information against loss and corruption. This may include regular data backups, redundant storage, and disaster recovery plans to ensure business continuity in case of data loss or system failure.
Secure Disposal of Information: Information should be disposed of securely and in a timely manner, in accordance with the appropriate measures based on its classification level. This may include shredding, secure deletion, or other approved methods for disposal of information in compliance with relevant data protection regulations.
Breach Reporting: Any breaches of this policy must be reported by anyone who becomes aware of the breach in a timely manner, following the Company's established incident reporting procedures. Reporting breaches promptly allows for timely investigation, containment, and mitigation of potential security incidents.
IT security awareness training: Relevant training will be in place to assist staff in their day-to-day handling of information.
By adhering to these principles, the Company aims to ensure the confidentiality, integrity, and availability of its information assets and maintain a secure information environment.
Legal and Regulatory Obligations
Ensilicated Technologies Ltd. and its staff/users/members must adhere to all current UK legislation as well as regulatory and contractual requirements. The Company provides policy statements and guidance for staff in relation to compliance with relevant legislation to help prevent breaches of the Company’s legal obligations. However, individuals are ultimately responsible for ensuring that they do not breach legal requirements.
Users of the Company’s online or network services, and anyone using or processing Information Assets, are individually responsible for their activity and must be aware of the relevant legal requirements when using such services.
Information Classification
An Information Classification Framework (ICF) defining classification levels should be established as part of the Information Security Principles. The ICF includes definitions from the Data Protection Policy.
Category – Highly Restricted
Description
Highly confidential information whose inappropriate disclosure would be likely to cause serious damage or distress to individuals and/or constitute unfair/unlawful processing of “sensitive personal data” under the Data Protection Act; and/or seriously damage the Company’s interests and reputation; and/or significantly threaten the security/safety of the Company and its staff/students.
Examples
Sensitive personal data relating to identifiable living individuals
Individual’s bank details
Large aggregates (>1000 records) of personal data such as personal contact details
Non-public information that facilitates protection of individuals’ safety or security of key functions and assets e.g. network passwords and access codes for higher risk areas
Category – Restricted
Description
Confidential information whose inappropriate disclosure would be likely to cause a negative impact on individuals and/or constitute unfair/unlawful processing of “personal data” under the Data Protection Act; and/or damage the Company’s commercial interests, and/or have some negative impact on the Company’s reputation.
Examples
Personal data relating to identifiable living individuals
Staff contact details
Research data or information or IP with commercial value/obligation
Category – Internal Use
Description
Information not considered to be public, which should be shared only internally but would not cause substantive damage to the Company and/or individuals if disclosed.
Examples
Non-confidential internal correspondence, e.g. routine administration such as meeting room and catering arrangements
Final working group papers and minutes
Internal policies and procedures
Compliance and Incident Notification
Compliance with the information security policy at Ensilicated Technologies Ltd. is imperative for all users of information systems. Any breach of information security is a serious matter that may result in the loss of confidentiality, integrity, or availability of personal or other confidential data. Such breaches could lead to criminal or civil action against the Company, as well as potential business loss and financial penalties.
In the event of an actual or suspected breach of this policy, it must be immediately reported to the executive team or the IT Security Manager in accordance with the incident investigation procedure. All reported security incidents will be thoroughly investigated, and appropriate actions will be taken in line with this policy, the Acceptable Use Policy, Company disciplinary policy, and relevant laws and regulations.
If the breach involves personal data, the Data Protection team must be promptly notified in accordance with the Company's Data Protection Policy.
Compliance with this policy should also be incorporated as a contractual requirement with any third party that may have access to Company systems or data.
By promptly reporting and addressing breaches, and ensuring compliance with this policy, the Company aims to safeguard its information assets, protect against potential legal and financial risks, and maintain a secure information environment for the benefit of all users.
Responsibilities
Individuals
Individuals must adhere to the Acceptable Use Policy and follow relevant supporting procedures and guidance. An individual should only access systems and information they have a legitimate right to and not knowingly attempt to gain illegitimate access to other information. Individuals must not aid or allow access for other individuals in attempts to gain illegitimate access to data. In particular, individuals should adhere to the information security ‘dos and don'ts’ outlined below.
Do use a strong password and change it if you think it may have been compromised
Don’t give your password to anyone
Do report any loss or suspected loss of data
Don’t reuse your Company password for any other account
Do be on your guard for fake emails or phone calls requesting confidential information – report anything suspicious
Don’t open suspicious documents or links
Do keep software up to date and use antivirus on all possible devices
Don’t undermine the security of Company systems
Do be mindful of risks using public Wi-Fi or computers
Don’t provide access to Company information or systems
Do ensure Company data is stored on Company systems
Don’t copy confidential Company information without permission
Do password protect and encrypt your personally owned devices
Don’t leave your computers or phones unlocked
Data Protection Officer (DPO)
In accordance with the GDPR, the Company has appointed a Data Protection Officer to carry out the DPO role as defined in the legislation. The DPO is responsible for providing advice and assistance on all matters relating to data protection, including drafting data protection statements for forms and questionnaires, advising on requests for access to personal data, responding to queries on data protection issues, and overseeing the Company's data protection compliance.
Information Asset Owner
Information Asset Owners are responsible for ensuring their information assets are identified, included on the Company Information Asset Register and compliant with this policy and relevant data protection legislation.
Data Stewards
The responsibilities of a Data Steward are to:
Understand the full breadth of the information they are responsible for, classify it in line with the Information Security Principles, and comply with the Research Data policy.
Ensure that Data Custodians who maintain information systems holding or processing their data are aware of any additional safeguards required to protect that data above and beyond normal user data.
Data Custodians
Data custodians are responsible for the information systems that hold data and are typically systems administrators. In addition to their individual responsibilities they must:
Ensure that the physical and network security of systems is maintained.
Ensure that the systems they maintain are suitably configured, maintained and developed.
Ensure that the data are appropriately stored and backed up.
Ensure that appropriate access controls are in place to meet the requirements of Data Stewards.
Understand and document risks, take suitable steps to mitigate them, and ensure that these risks are understood by Information Asset Owners.
Document operational procedures and responsibilities of staff.
Publish procedures for users of the systems to allow secure access and usage.
Ensure that systems are compliant with legal and other contractual requirements.
Executive Team
The Executive Team is responsible for the Information Security Policy and will provide specialist advice to the Company, in particular to Data Custodians and Data Stewards. The Executive Team will advise on appropriate security measures for any new types of information systems that are introduced, so that it is clear how the policy applies to them.
Internal Audit
Internal Audit will ensure that suitable reviews take place of the processes of Data Custodians and the classifications.
Definitions
Company - Ensilicated Technologies Ltd.
Staff – Any person currently employed by the Company or engaged on a contract of service. This includes full-time, part-time, remote workers, casual workers, directors, contractors, founders, and representatives.
Visitor / User(s) – An individual, other than Staff, who uses the Company IT Systems in any way.
Company IT Systems – any of the Company’s IT facilities, including email, connection from premises to the Internet and other networks, and all computers, laptops, other mobile devices, and any other related software and hardware.
Information Asset Owner - These will be individuals in the Company who hold the responsibility for ensuring that IT assets in their particular area are processed and shared in line with the Information Management Policy Framework.
Data Steward - Subject matter experts who are responsible for business definitions and the quality of data sets within a data domain (e.g. defining terms such as “applicant,” or “course” in the student registry domain). For research related work, the most senior EnsiliTech staff member associated with a research project is the Data Steward for that project and is ultimately responsible for research data management.
Data Custodian - Data Custodians are responsible for the safe custody, transport, storage of the data and implementation of business rules. Examples are systems administrators and executive team members.