Information Security Policy
- To protect the information assets that Monicam Ltd t/a SCI handles, stores, exchanges, processes and has access to, and to ensure the ongoing maintenance of their confidentiality, integrity and availability.
- To ensure controls are implemented that provide protection for information assets and are proportionate to their value and the threats to which they are exposed.
- To ensure the organisation complies with all relevant legal, customer and other third-party requirements relating to information security.
- To continually improve the organisation’s Information Security Management System (ISMS) and its ability to withstand threats that could potentially compromise information security.
- This policy applies to all people, processes, services, technology and assets involved in the design, build, installation, commissioning, integration and maintenance of building management systems within the UK and Europe.
- It also applies to all employees or subcontractors of information security critical suppliers who access or process any of the organisation’s information assets.
- The organisation believes that despite the presence of threats to the security of such information, all security incidents are preventable.
- The Directors of Monicam Ltd t/a SCI are committed to achieving the objectives detailed in the policy through the following means:
  - The implementation and maintenance of an ISMS that is independently certified as compliant with ISO 27001:2017;
  - The systematic identification of security threats and the application of a risk assessment procedure that will identify and implement appropriate control measures;
  - Regular monitoring of security threats and the testing/auditing of the effectiveness of control measures;
  - The maintenance of a risk treatment plan that is focused on eliminating or reducing security threats;
  - The maintenance and regular testing of a Business Continuity Plan;
  - The clear definition of responsibilities for implementing the ISMS;
  - The provision of appropriate information, instruction and training so that all employees are aware of their responsibilities and legal duties, and can support the implementation of the ISMS;
  - The implementation and maintenance of the policies detailed in this policy.
- The appropriateness and effectiveness of this policy, and the means identified within it, for delivering the organisation’s commitments will be regularly reviewed by Top Management.
- The implementation of this policy and the supporting policies and procedures is fundamental to the success of the organisation’s business and must be supported by all employees and contractors who have an impact on information security as an integral part of their daily work.
- All information security incidents must be reported to the Managing Director. Violations of this policy may be subject to the organisation’s Disciplinary and Appeals Policy and Procedure.
- It is the responsibility of the Managing Director to ensure that this policy is implemented and that any resources required are made available.
- It is the responsibility of the Compliance Manager to monitor the effectiveness of this policy and report the results at management reviews.
- It is the responsibility of the Compliance Manager to create and maintain an Asset and Risk Assessment Register and to ensure all assets that need to be covered by this policy are identified.
- It is the responsibility of all employees and subcontractors, and employees and subcontractors of information security critical suppliers, to adhere to this policy and report to the Compliance Manager any issues they may be aware of that breach any of its contents.
- Anti-virus software: Software used to prevent, detect and remove malware. Anti-virus can also mean anti-malware and/or anti-spyware.
- Asset: Any physical entity that can affect the confidentiality, availability and integrity of the organisation’s information assets.
- Availability: The accessibility and usability of an information asset upon demand by an authorised entity.
- Automated decision making: Processing of information that results in decisions being made about Information Subjects without any review of the information being made by an individual.
- Beyond use: Controls placed on Personal Information that it is no longer necessary for Monicam Ltd (t/a SCI) to keep where it is not reasonably feasible to delete the information. These controls must comply with guidance from the Information Commissioner’s Office (see Information Commissioner’s Office Guidance on GDPR Compliance).
- Computer systems: A system of one or more computers and associated software, often with common storage, including servers, workstations, laptops, storage and networking equipment.
- Confidential information: Any type of information that has been specified by the organisation’s Information Classification, Labelling and Handling Policy as requiring protection through the application of cryptographic controls when it is stored or transferred electronically.
- Confidentiality: The restrictions placed on the access or disclosure of an information asset.
- Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of a set of Personal Information.
- Electronic communication facilities (ECF): Any asset that can be used to electronically transfer information.
- Electronic messages: The electronic transfer of information by means such as email, texts, blogs, message boards and instant messaging.
- Equipment: Any asset that can be used to electronically store and/or process information.
- High risk processing: Processing of Personal Information (in particular using new technologies) that is likely to result in a high risk to the rights and freedoms of Information Subjects (see Information Commissioner’s Office Guidance on GDPR Compliance).
- Identifiable Natural Person: A natural person who can be identified directly or indirectly, in particular with reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Information asset: Any information that has value to the organisation’s stakeholders and requires protection.
- Information processing facility (IPF): Any network of assets that can be used to electronically store, process or transmit information.
- Information security critical supplier (ISCS): Any supplier of goods or services that, as part of their scope of supply, will potentially have unsupervised access to any of the organisation’s premises, access to one or more of the organisation’s information assets, or provides software or hardware used in the organisation’s information processing facilities or electronic communication facilities.
- Information security incident: Any event that has a potentially negative impact on the confidentiality and/or integrity and/or availability of an information asset.
- Information subject: An Identifiable Natural Person who has Personal Information that Monicam Ltd (t/a SCI) is the Controller of or is a Processor of on behalf of a Controller.
- Integrity: The accuracy and completeness of an information asset.
- Mail server: A system based on software and hardware that sends, receives and stores electronic mail.
- Malware: Malicious software, such as viruses, trojans, worms, spyware, adware, macros, mail bombs and rootkits which are specifically designed to disrupt or damage a computer system.
- Mobile device: Laptop computers, tablet computers, smart telephones, mobile telephones and any other handheld or portable devices capable of processing or transmitting information.
- Operating facility: Any physical location containing assets owned by the organisation that the organisation controls, including buildings, offices, departments and locations affiliated with the organisation that are used to create, access, store or process any of the organisation’s information assets.
- Personal Information: Any information relating to an Identifiable Natural Person.
- Personal Information protection principles: Principles that shall be applied in relation to all Personal Information as laid down in the Data Protection Act 2018, the General Data Protection Regulation (EU 2016/679) and any subsequent amendments.
- Processor: A natural or legal person, public authority, agency or other body which processes Personal Information on behalf of a Controller.
- Remote users: Users accessing the organisation’s assets at locations other than its operating facilities, such as home offices, shared locations, hotels and where users are travelling, including standalone access and remote connections to the organisation’s information processing facilities.
- Restricted access: Any physical location where access is restricted to named personnel only.
- Software: All programs and operating information used by equipment, including those being developed in accordance with the customer’s requirements for the user.
- Supply of goods and services agreement: A legally binding contract between the organisation and a supplier for the supply of a defined scope of goods and services.
- Teleworker: Any person that undertakes teleworking on behalf of the organisation.
- Teleworking: The access, processing and storage of information assets at locations that are not under the control of the organisation.
- User: An individual or organisation that uses one or more of the organisation’s assets, including software once it is post-General Availability (GA).
- Visual aids: Any asset used to display information to the occupants of a room.
- All associated documents referred to in this policy are highlighted in bold and underlined.
- This policy and its supporting policies should be reviewed at least once a year or if significant changes occur that might affect its continuing suitability, adequacy and effectiveness.