Information Security/Data Protection Policy
1. Purpose
Information security is of paramount importance to Apple Transcription Ltd and therefore the organisation has sought to demonstrate this commitment through alignment with the ISO 27001:2017 standard. The Management Team has ensured that management commitment and required resources are allocated to make sure information security controls are implemented and an Information Security Management System (ISMS) established to minimise the risk to Apple Transcription Ltd and our partners, employees and stakeholders. Furthermore, the organisation will continually review and improve its approach to information security to ensure that it can effectively respond to the evolving landscape of threats which face the organisation.
In this policy, ‘Information Security’ is defined as:
Preserving
This means that management, all full time or part time Employees/Staff, sub-contractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security incidents or breaches and to act in accordance with the requirements of the ISMS. All Employees/Staff will receive information security awareness training and more specialised Employees/Staff will receive appropriately specialised information security training.
The Availability
This means that information and associated assets should be accessible to authorised users when required and therefore physically secure. The computer network must be resilient and Apple Transcription Ltd must be able to detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There must be appropriate Disaster Recovery (DR) and Business Continuity Management (BCM) Plans.
Confidentiality
This involves ensuring that information is only accessible to those authorised to access it and therefore to prevent both deliberate and accidental unauthorised access to Apple Transcription Ltd information and its IT systems.
And Integrity
This involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing deliberate or accidental, partial or complete, destruction or unauthorised modification, of either physical assets or electronic data. There must be appropriate contingency and data backup plans and security incident reporting. Apple Transcription Ltd must comply with all relevant data-related legislation in those jurisdictions within which it operates.
Of The Physical (Assets)
The physical assets of Apple Transcription Ltd including, but not limited to, computer hardware, data cabling, telephone systems, filing systems and physical data files.
And Information Assets
The information assets include information printed or written on paper, transmitted by post or shown in films, or spoken in conversation, as well as information stored electronically on servers, website(s), extranet(s), intranet(s), PCs, laptops, mobile phones and PDAs, as well as on CD ROMs, floppy disks, USB sticks, backup tapes and any other digital or magnetic media, and information transmitted electronically by any means. In this context, ‘data’ also includes the sets of instructions that tell the system(s) how to manipulate information (i.e. the software: operating systems, applications, utilities, etc).
Of Apple Transcription Ltd
Furthermore, Apple Transcription Ltd will establish and maintain the confidentiality, integrity and availability of information assets and systems, including computers, applications and networks, owned or operated by Apple Transcription Ltd by:
- Introducing a consistent approach to security training, ensuring that all members of staff fully understand their own responsibilities.
- Conducting risk assessment exercises and ensuring treatment plans are established for risks above the risk threshold.
- Creating and maintaining within the organisation a level of awareness of the need for Information Security as an integral part of day-to-day operations.
- Protecting information assets under the control of the organisation through the establishment of security controls outlined in the organisation’s statement of applicability.
- Allocating access rights on an “as needed” basis in line with the organisational access control policy.
- Managing security incidents in line with a formal incident management security procedure.
- Documenting and rehearsing business continuity procedures to ensure the availability of corporate data and services.
- Ensuring changes made throughout the organisation are managed to avoid adversely impacting organisational security.
- Ensuring that all members of staff are aware of and fully comply with the relevant contracts and legislation.
- Regularly reviewing risks and non-conformities and ensuring appropriate treatments and corrective actions are completed.
- Operating an annual management review meeting to review the effectiveness of the ISMS and ensure appropriate resources are committed to continually operate and improve the management system.
- Performing internal and external audits of the ISMS to validate that security controls are effective and improvements are made where required.
2. ISMS Scope
The Scope of Apple Transcription Ltd Information Security Management System covers all Apple Transcription Ltd people, processes and technical systems across all locations.
The policies apply to all forms of information assets and information systems belonging to Apple Transcription Ltd or held by Apple Transcription Ltd pertaining to its partners, employees and stakeholders. It also governs security controls applied by Apple Transcription Ltd to safeguard the connectivity of its support operations department to its customer’s remote data processing facilities and networks.
3. ISMS Objectives
ISMS Objectives are established, reviewed and tracked by the Apple Transcription Ltd Management Team as part of management review meetings. Objectives will be identified which align with the SMART Methodology and will be Specific, Measurable, Achievable, Relevant and Time-bound.
4. Risk Management
The Data Protection Officers are responsible for ensuring that risks are identified, evaluated, reviewed and treated in line with the Apple Transcription Ltd risk assessment methodology and the requirements of the ISO 27001:2017 standard.
5. Incident Management
The Apple Transcription Ltd ISMS System will act as the single point of contact for all security events and incidents. Security incidents will be managed in line with the incident management policy and the major incident procedure will be invoked where required. Where the security event is of a criminal nature, Apple Transcription Ltd will report the security incident to the relevant authorities.
6. Continual Improvement
The ISMS will be continually reviewed to ensure its effectiveness is maintained. This will include:
- An internal audit schedule to review the effectiveness of security controls and identified corrective actions.
- Identification of feedback and opportunities for improvement.
- An annual review of all policies and procedures within the ISMS.
7. Roles & Responsibilities
7.1. Overall Ownership of Information Security
Ultimate responsibility for Information Security rests with the Apple Transcription Ltd management team/Data Protection Officers, but on a day-to-day basis the Data Protection Officers shall be responsible for managing and implementing the policy and related procedures. Other day-to-day tasks of the DPO include:
- Reporting to other members of the Apple Transcription Ltd the state of IT security within the organisation.
- Maintaining a current copy of the Apple Transcription Ltd Information Security/Data Protection Policy (this document) and making it available to employees/staff, stakeholders and interested parties.
- Ensuring all staff are aware of their information security responsibilities and that awareness of information security issues is raised periodically.
- Scheduling internal and external audits to verify that the Apple Transcription Ltd ISMS meets the standards to achieve its objectives, and creating remediation plans where necessary.
7.2. Responsibilities of ALL Staff
All staff must be aware of the Apple Transcription Ltd Information Security Policy, Acceptable Use Policy and their legal responsibilities.
It is vital that all employees carefully read the section pertaining to their position. If anything is not clear or understood it is the employee’s responsibility to request clarification from their manager or the Directors. Failure to comply with this Information Security Policy constitutes a disciplinary matter in line with the Apple Transcription Ltd Disciplinary Procedures.
8. Further Information
If you require any additional information or have any queries regarding Apple Transcription Ltd Information Security Policy or related policies please contact the Directors on 0161 850 0595 or info@appletranscription.co.uk