Arbworks Tree Services
This policy applies to all information, information systems, networks, applications, locations and users of Arbworks Ltd, and to all parties under contract to it.
1. Responsibilities for Information Security
1.1 Ultimate responsibility for information security rests with the Director.
1.2 All staff shall comply with information security procedures including the maintenance of data confidentiality and data integrity. Failure to do so may result in disciplinary action.
1.3 The Information Security Policy shall be maintained, reviewed and updated by the Director. This review shall take place annually.
1.4 Each member of staff shall be responsible for the operational security of the information systems they use.
1.5 Each system user shall comply with the security requirements that are currently in force, and shall also ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.
1.6 Contracts with external sub-contractors that allow access to the organisation’s information systems shall be in operation before access is allowed. These contracts shall ensure that the contractors shall comply with all appropriate security policies.
2. Compliance with Legislation
2.1 Arbworks Ltd is obliged to abide by all relevant UK legislation.
The requirement to comply with this legislation shall be devolved to employees and agents of the company, who may be held personally accountable for any breach of information security for which they are responsible. Arbworks Ltd shall comply with the following legislation and other legislation as appropriate:
The Data Protection Act 1998
The Data Protection (Processing of Sensitive Personal Data) Order 2000
The Copyright, Designs and Patents Act 1988
The Computer Misuse Act 1990
The Health and Safety at Work etc. Act 1974
The Human Rights Act 1998
The Regulation of Investigatory Powers Act 2000
The Freedom of Information Act 2000
The Health and Social Care Act 2001
3. Information Security Awareness Training
Information security awareness training shall be included in the staff induction process.
An ongoing awareness programme shall be established and maintained to ensure that staff awareness is refreshed and updated as necessary.
4. Access Controls
Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems or stored data.
5. Equipment Security
In order to minimise loss of, or damage to, all assets, equipment shall be physically protected from threats and environmental hazards.
6. Information Risk Assessment
Once identified, information security risks shall be managed on a formal basis. They shall be recorded within a baseline risk register and action plans shall be put in place to effectively manage those risks. The risk register and all associated actions shall be reviewed at regular intervals. Any implemented information security arrangements shall also be a regularly reviewed feature of the Company’s risk management programme. These reviews shall help identify areas of continuing best practice and possible weakness, as well as potential risks that may have arisen since the last review was completed.
7. Protection from Malicious Software
The Company shall use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to co-operate fully with this policy. Users shall not install software on the organisation's property without permission from the Director. Users breaching this requirement may be subject to disciplinary action.
8. User media
Removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the Director before they may be used on the Company's systems. Such media must also be fully scanned for malicious software before being used on the Company's equipment. Users breaching this requirement may be subject to disciplinary action.
9. Monitoring System Access and Use
An audit trail of system access and data use by staff shall be maintained and reviewed on a regular basis.
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, made under the Regulation of Investigatory Powers Act 2000, permit monitoring and recording of employees' electronic communications (including telephone communications) for the following reasons:
Establishing the existence of facts
Investigating or detecting unauthorised use of the system
Preventing or detecting crime
Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system (quality control and training)
In the interest of national security
Ascertaining compliance with regulatory or self-regulatory practices or procedures
Ensuring the effective operation of the system
Any monitoring will be undertaken in accordance with the above Regulations, the Regulation of Investigatory Powers Act 2000 and the Human Rights Act 1998.
10. System Change Control
Changes to information systems, applications or networks shall be reviewed and approved by the Director before they are implemented.
11. Intellectual Property Rights
The Company shall ensure that all information products are properly licensed and approved by the Director. Users shall not install software on the organisation’s property without permission from the Director. Users breaching this requirement may be subject to disciplinary action.
12. Business Continuity and Disaster Recovery Plans
The Company shall ensure that business impact assessments, business continuity plans and disaster recovery plans are produced for all mission-critical information, applications, systems and networks.