IT Policy
I needed a password eight characters long so I picked Snow White and the Seven Dwarves
Purpose
This IT Security Policy (“Policy”) outlines Amberside Accounting Ltd.’s (the “Company”) approach to safeguarding client data and maintaining the confidentiality, integrity, and availability of its information technology systems. This Policy applies to all employees, contractors, consultants, and other personnel who use the Company’s IT systems to process, store or transmit data.
This Policy is reviewed annually and on a periodic basis, and additionally after any significant IT event or whenever changes to procedures are being considered.
Policy Statement
The Company is committed to protecting its clients’ confidential data and maintaining the integrity and availability of its IT systems. To achieve this, the Company will implement and maintain appropriate technical, administrative, and physical controls to safeguard client data and comply with all relevant regulations and standards.
Information Security Objectives
The Company’s information security objectives are as follows:
- Ensure the confidentiality, integrity, and availability of all client data stored and processed by the Company.
- Prevent unauthorised access to client data by implementing appropriate authentication and access control measures.
- Maintain the availability of IT systems to ensure that client data is accessible to authorised personnel at all times.
- Protect the Company’s IT systems from unauthorised access, disclosure, alteration, or destruction by implementing appropriate technical controls.
- Comply with all relevant regulations and standards, including but not limited to the General Data Protection Regulation (GDPR), the Data Protection Act (DPA), and the ISO 27001 standard.
Acceptable Use Policy
All personnel who use the Company’s IT systems must do so in a responsible and professional manner, with due regard to the confidentiality, integrity, and availability of Company information and IT systems. The following guidelines must be observed:
- Internet and Email Use – The Company’s internet and email systems are provided for business purposes. Limited personal use is permitted but must not interfere with business operations or consume excessive bandwidth or storage space. All emails must be professional and courteous, and users must not send spam, phishing emails, or emails containing malicious software.
- Social Media Use – The Company’s social media accounts must be used for business purposes only. Employees must not post anything that could harm the Company’s reputation or violate Company policies or regulations. Personal social media use must not interfere with work or violate any laws or regulations.
- Personal Device Usage – Employees may use their personal devices to access Company information and systems only if authorised and in compliance with the Remote Access Policy and the Mobile Device Management Policy.
Password Policy
All users of the Company’s IT systems must use strong passwords to access Company information and systems. The following guidelines must be observed:
- Password Creation – Passwords must be at least 12 characters long and contain a combination of uppercase and lowercase letters, numbers, and special characters.
- Password Management – Users must not share passwords with others, write them down, or store them in an unsecured location. Passwords must be changed at least every 90 days, or more frequently if required by the IT Manager.
- Password Reset – Users who forget their passwords must follow the Company’s password reset procedures and validate their identity before a new password is issued.
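The following is an added example, not a tool belonging to the Company or to this Policy, showing how the Password Creation and Password Management rules above can be enforced in code: a complexity check for the 12-character, four-character-class rule, and a rotation check for the 90-day limit. The set of "special characters" is not defined by the Policy; the code assumes ASCII punctuation. The sample passwords, including the epigraph at the top of this page, are constructed inputs.

```python
import string
from datetime import date, timedelta

# Rules as written in the Password Policy.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
# Assumption: the Policy does not define "special characters"; ASCII punctuation is used here.
SPECIAL = set(string.punctuation)


def check_complexity(password: str) -> list[str]:
    """Return the list of Password Creation rules the password fails.

    An empty list means the password complies with every rule.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIAL for c in password):
        failures.append("no special character")
    return failures


def rotation_due(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the Policy's rotation period.

    Exactly max_age_days old is still within "at least every 90 days".
    """
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed samples: the page's epigraph and two made-up passwords.
    for candidate in ("Snow White and the Seven Dwarves", "short1!A", "Tr0ub4dor&3!!"):
        result = check_complexity(candidate)
        print(f"{candidate!r}: {'compliant' if not result else ', '.join(result)}")
    # A password last changed on 1 January 2024 is overdue by 1 April 2024 (91 days).
    print("rotation due:", rotation_due(date(2024, 1, 1), date(2024, 4, 1)))
```

The epigraph fails only the digit and special-character rules; its length is not the problem, which is why a length-only check is a weaker control than the four-class rule the Policy states.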
Remote Access Policy
This remote access policy applies to all employees, contractors, and third-party vendors who require remote access to the Company’s systems and data. The purpose of this policy is to ensure the security and confidentiality of Company data when accessed remotely.
- Approval and Authorisation: Remote access to Company systems and data must be approved by management and authorised based on the employee’s job role and business requirements. Employees must request remote access through the designated IT channels and follow the Company’s access procedures.
- Device and Connection Requirements: Remote access must be made using Company-issued devices or personal devices that comply with the Company’s Bring Your Own Device (BYOD) policy. Personal devices must be approved by the IT department and meet the Company’s security standards, including up-to-date anti-virus software, firewalls, and encryption. All remote access must be made through secure and encrypted connections, such as Virtual Private Networks (VPNs), to ensure the confidentiality of Company data.
- Multi-factor Authentication: All remote access must be secured with multi-factor authentication (MFA) to prevent unauthorised access. MFA methods can include the use of a smart card, token, or biometric identifier in addition to a username and password.
- Security Requirements: All remote access must comply with the Company’s security policies and procedures, including password policies, data encryption, and access control. Employees must not share their login credentials or store them in an unsecured location. All data transferred between the remote device and the Company’s systems must be encrypted.
- Monitoring and Auditing: All remote access sessions will be monitored and audited by the IT department to detect any suspicious activity or security breaches. Employees must not attempt to bypass the monitoring or auditing systems or tamper with any security controls.
- Termination of Remote Access: Remote access to Company systems and data will be terminated when an employee’s job role changes, when they leave the Company, or when their remote access privileges are revoked. Employees must immediately report any lost or stolen devices or any suspected security breaches involving remote access.
- Compliance: Employees must comply with this remote access policy and any other Company security policies and procedures. Failure to comply may result in disciplinary action, including termination of employment, and legal consequences.
Roles and Responsibilities
All personnel who use the Company’s IT systems have a responsibility to safeguard client data and maintain the confidentiality, integrity, and availability of the IT systems. However, the following roles have specific responsibilities:
- The IT Manager/Chief Information Security Officer is responsible for the implementation and maintenance of the Company’s IT security controls, including access control, encryption, anti-virus protection, intrusion detection and prevention systems, and network security.
- All employees and contractors are responsible for following the Company’s IT security policies and procedures, including password management, data backup and recovery, and reporting security incidents.
- The HR Manager is responsible for ensuring that all new employees and contractors receive appropriate IT security training and that all personnel are aware of their responsibilities under this Policy.
IT Security Controls
The Company will implement the following technical and administrative controls to safeguard client data and maintain the confidentiality, integrity, and availability of its IT systems:
- Access Control – The Company will implement appropriate access control measures to prevent unauthorised access to client data, including password management, two-factor authentication, and role-based access control where feasible.
- Encryption – The Company will encrypt all sensitive data in transit and at rest using industry-standard encryption algorithms.
- Anti-virus Protection – The Company will implement and maintain anti-virus protection software to detect and remove malicious software.
- Intrusion Detection and Prevention – The Company will implement and maintain intrusion detection and prevention systems to monitor network traffic and detect and prevent unauthorised access to the IT systems.
- Network Security – The Company will implement and maintain appropriate network security controls to protect the IT systems from unauthorised access, including firewalls, virtual private networks (VPNs), and network segmentation.
- Data Backup and Recovery – The Company will implement and maintain appropriate data backup and recovery procedures to ensure the availability of client data in the event of a disaster or system failure.
Incident Management
The Company will maintain an incident management process to detect, respond to, and recover from IT security incidents. The process will include the following steps:
- Reporting – All personnel who detect or suspect an IT security incident must report it to the IT Manager or the Company’s incident management team.
- Investigation – The IT Manager or the incident management team will investigate the incident to determine its cause and scope.
- Containment – The IT Manager or the incident management team will take appropriate measures to contain the incident and prevent further damage or unauthorised access.
Incident Report Plan
This incident report plan applies to all employees, contractors, and third-party vendors of the chartered accountancy practice. The purpose of this plan is to ensure that any security incidents are promptly detected, contained, and reported to the appropriate authorities.
1. Incident Reporting:
All employees must report any suspected or actual security incidents to the designated IT security personnel immediately. Incidents can include but are not limited to:
- Unauthorized access to company data or systems
- Malware or virus infections
- Theft or loss of company devices containing sensitive data
- Phishing attempts or social engineering attacks
- Denial of service (DoS) or distributed denial of service (DDoS) attacks
2. Incident Response:
Upon receiving an incident report, the IT security personnel will take the following steps:
- Contain the incident to prevent further damage or spread of the incident.
- Document the incident with as much detail as possible, including the date and time of the incident, the devices or systems affected, and the type of incident.
- Assess the impact of the incident, including the severity and the extent of the damage.
- Notify the relevant parties, including management, affected employees, and external stakeholders (such as clients, regulators, or law enforcement) as required.
- Investigate the incident to identify the root cause and implement remedial actions.
- Restore the affected systems and data to their previous state or implement alternative solutions if necessary.
3. Post-Incident Review:
After the incident has been resolved, the IT security personnel will conduct a post-incident review to identify any gaps in the security protocols and improve the company's security posture. The review will include the following steps:
- Analyze the incident data to identify any recurring patterns or trends.
- Review the effectiveness of the company's security policies and procedures.
- Implement any necessary changes or improvements to prevent similar incidents from occurring in the future.
- Communicate the findings and recommendations to the relevant parties, including management, employees, and external stakeholders.
4. Compliance:
All employees must comply with this incident report plan and any other company security policies and procedures. Failure to comply may result in disciplinary action, including termination of employment, and legal consequences.
Data Retention and Disposal Policy
This data retention and disposal policy applies to all employees, contractors, and third-party vendors of the chartered accountancy practice. The purpose of this policy is to ensure that company data is properly stored, retained, and destroyed when it is no longer needed.
1. Data Retention:
All company data must be stored in compliance with the relevant laws, regulations, and industry standards. The retention periods for different types of data will be defined as follows:
- Financial records: 6 years from the end of the financial year to which the records relate.
- Client information: 6 years after the end of the client relationship, or longer if required by law or contractual obligations.
- Employee records: 6 years after the end of employment, or longer if required by law or contractual obligations.
2. Data Disposal:
All company data that is no longer required must be disposed of securely to prevent unauthorized access, disclosure, or loss. The data disposal procedures will include the following steps:
- Identify the data that is no longer required based on the retention periods and business requirements.
- Determine the appropriate disposal method, which may include secure deletion, shredding, or physical destruction.
- Ensure that the data is disposed of securely, using approved methods and tools.
- Document the disposal process, including the date and method of disposal and the name of the authorized person who carried out the disposal.
3. Compliance:
All employees must comply with this data retention and disposal policy and any other company security policies and procedures. Failure to comply may result in disciplinary action, including termination of employment, and legal consequences.
Mobile Device Management Policy
This mobile device management policy applies to all employees, contractors, and third-party vendors of the chartered accountancy practice who use mobile devices to access company systems and data. The purpose of this policy is to ensure that company data is secure when accessed through mobile devices.
1. Device Requirements:
All mobile devices used to access company systems and data must meet the following requirements:
- Devices must be approved by the IT department.
- Devices must be password-protected and configured with encryption and remote wipe capabilities.
- Devices must have up-to-date anti-virus and anti-malware software.
- Devices must be updated regularly with the latest software and security patches.
2. Access Control:
Mobile device access to company systems and data must be controlled and monitored to prevent unauthorized access. The access control procedures will include the following steps:
- Employees must use their unique login credentials to access company systems and data.
- Access levels will be granted based on the employee's job role and business requirements.
- The IT department will monitor and audit mobile device access to detect any suspicious activity or security breaches.
3. Data Protection:
All company data accessed through mobile devices must be protected to prevent unauthorized access, disclosure, or loss. The data protection procedures will include the following steps:
- Employees must not store company data on their personal devices unless approved by the IT department.
- Company data must be encrypted when stored or transmitted through mobile devices.
- Employees must report any lost or stolen devices containing company data immediately to the IT department.
4. Compliance:
All employees must comply with this mobile device management policy and any other company security policies and procedures. Failure to comply may result in disciplinary action, including termination of employment, and legal consequences.
Business Continuity Plan
This business continuity plan applies to all employees, contractors, and third-party vendors of the chartered accountancy practice. The purpose of this plan is to ensure that essential business functions can continue in the event of a disaster or disruption.
1. Business Impact Analysis: The chartered accountancy practice will conduct a business impact analysis (BIA) to identify critical business processes and systems, define recovery time objectives (RTOs) and recovery point objectives (RPOs), and assess the potential impacts of various disruptions.
2. Risk Management: The chartered accountancy practice will implement risk management measures to mitigate the impact of potential disruptions. The risk management measures may include:
• Regular backups of critical data and systems.
• Redundant systems and equipment to ensure availability and resilience.
• Alternative work locations for employees to continue essential business functions.
3. Communication and Coordination: The chartered accountancy practice will establish communication and coordination protocols to ensure that all stakeholders are informed and involved in the business continuity plan. The communication and coordination protocols may include:
• Notification procedures for employees, clients, vendors, and regulators.
• Contact information for key personnel and stakeholders.
• Procedures for remote access to company systems and data.
4. Activation and Testing: The chartered accountancy practice will activate and test the business continuity plan regularly to ensure that it is effective and up-to-date. The activation and testing procedures may include:
• Simulated exercises and scenarios to test the plan's effectiveness.
• Regular reviews and updates to the plan to reflect changes in business requirements and technology.
• Evaluation of the plan's effectiveness and identification of areas for improvement.
5. Compliance: All employees must comply with this business continuity plan and any other company security policies and procedures. Failure to comply may result in disciplinary action, including termination of employment, and legal consequences.
Training and Awareness Policy
This training and awareness policy applies to all employees, contractors, and third-party vendors of the chartered accountancy practice. The purpose of this policy is to ensure that employees are aware of their security responsibilities and trained on the security protocols and procedures.
1. Mandatory Training: All employees must complete mandatory security training and awareness sessions regularly. The training will cover the following topics:
• Password management and data protection.
• Phishing and social engineering attacks.
• Mobile device security and remote access.
• Incident reporting and response procedures.
• Compliance with relevant laws, regulations, and industry standards.
2. Incident Reporting: All employees must report any suspected or actual security incidents to the designated IT security personnel immediately. The incident reporting procedures will include the following steps:
• Employees must be trained on how to identify security incidents and how to report them.
• The IT security personnel will investigate the incident and follow the necessary procedures to contain and mitigate the impact.
• Employees must not attempt to investigate or resolve security incidents on their own without authorization.
3. Compliance: All employees must comply with this training and awareness policy and any other company security policies and procedures. Failure to comply may result in disciplinary action, including termination of employment, and legal consequences.
Third Party Access Policy
This third-party access policy applies to all employees, contractors, and third-party vendors of the chartered accountancy practice who require access to the company's systems and data. The purpose of this policy is to ensure that third-party vendors, contractors, and partners comply with the company's security standards and policies.
1. Third Party Access Approval:
Third-party access to the company's systems and data must be approved by management and authorized based on the vendor's business requirements and the company's security standards. The approval procedures will include the following steps:
- Vendors must sign agreements that include security and data protection requirements.
- Vendors must undergo security assessments to ensure compliance with the company's security policies and procedures.
- Vendors must follow the company's security protocols and procedures when accessing the company's systems and data.
- Third-party access will be limited to the necessary access level to perform their job functions.
2. Monitoring and Auditing:
All third-party access to the company's systems and data will be monitored and audited by the IT department to detect any suspicious activity or security breaches. The monitoring and auditing procedures will include the following steps:
- The IT department will monitor and audit third-party access to detect any suspicious activity or security breaches.
- The IT department will assess the effectiveness of the monitoring and auditing systems and implement any necessary changes or improvements.
- The IT department will document and report any security incidents involving third-party access to the company's systems and data.
3. Compliance:
All employees, contractors, and third-party vendors must comply with this third-party access policy and any other company security policies and procedures. Failure to comply may result in disciplinary action, including termination of employment, and legal consequences.