Union Street Information Security Policy
The board of Union Street Technologies, located at The Courtyard, 37 Sheen Road, Richmond, Surrey TW9 1AJ, is committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout its organisation. Union Street’s information security management systems (ISMS) are intended to be an enabling mechanism for information sharing, for electronic operations, and for reducing information-related risks to acceptable levels.
To safeguard the security of its data assets, as well as those of any third parties the company interacts with, Union Street continually reviews its Information Security Management Systems (ISMS) to ensure they are compliant with the ISO/IEC 27001 standard for information security management.
Union Street has voluntarily chosen to comply with the internationally recognised ISO/IEC 27001 standard. It provides a stable framework to help the company balance efficiency with security as it increases in size. By adhering to the standard’s rigorous set of requirements, Union Street has been able to establish a highly organised, risk-based methods of managing personnel, IT systems and processes in a way that ensures sensitive data is protected.
The scope of the Union Street ISMS covers the following areas:
- All home and office based workers directly employed by Union Street, including contractors who work directly for the company
- All departments within the company and all of its assets
- The Richmond office and the policies and procedures within the Union Street ISMS that affect home workers and those that otherwise may be working outside of the Richmond office
- All physical areas within the perimeter of the business, which is the outer gate and the containing walls
- Interfaces and dependencies between activities performed by the organisation, and those that are performed by other organisations
- All interested parties including any contractual, business, legal or regulatory requirements for Union Street, with the exception of any historical contracts that do not fully take account of the Union Street ISMS. In such cases the company will, on an ongoing basis, seek to update contracts as they renew (or earlier as decided by the business) so that they are in scope. Prior to renewal, these contracts shall not be considered in scope as there may be aspects that do not comply to Union Street’s ISMS, although Union Street will act in the spirit of the ISMS in regard to these
Union Street’s Risk Assessment, Statement of Applicability and Risk Treatment Plan identify how information-related risks are controlled. The SSO is responsible for the management and maintenance of the risk treatment plans. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks that would usually be identified on the risk register
The COO (accountable) shall, with the IT Manager (responsible), execute and maintain business continuity and contingency plans.
For Union Street data backup procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this Information Security Policy. All of these areas are covered in the Union Street ISMS and are supported by its policies and procedures.
Union Street’s security objectives are developed in accordance with the wider business objectives, the context of the organisation, the results of risk assessments and the risk treatment plans as well as continual improvement and necessary business change.
All Staff of Union Street are expected to comply with this Information Security Policy and with the ISMS that implements this policy. All Employees, will ordinarily receive appropriate training in the next available monthly training session after employment commences where unexpected absence does not prevent attendance. The consequences of breaching the information security policy are set out in the Organisation’s disciplinary policy (in accordance with point 7.2.3 from annex A of the ISO/IEC 27001 guidelines) and in contracts and agreements that are in scope with third parties.
The ISMS is subject to continuous, systematic review and improvement.
Union Street has established a Review Board, chaired by the SSO and including all key Top Management, which continually reassess Union Street’s ISMS and other ISMS related areas as required and agreed.
Union Street is committed to maintaining certification of its ISMS according to guidelines specified by the ISO/IEC 27001 standard in data security.
This Information Security Policy will be reviewed as required to respond to any changes in the risk assessment or risk treatment plan at least annually.
In this policy, ‘information security’ is defined as:
This means that management, all full time or part time employees/staff, sub-contractors, project consultants and any external parties are made aware of their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches (as per the controls from section 16 of Annex A and the supporting policies, processes and procedures for them) and to act in accordance with the requirements of the ISMS. All Employees/Staff will receive information security awareness training and more specialised Employees/Staff will receive appropriately specialised information security training.
This means that information and associated assets should be accessible to authorised users when required and not available to unauthorised individuals and therefore physically secure. The computer network is resilient and Union Street is able to respond to incidents according to agreed service levels (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There are appropriate business continuity plans in place for identified scenarios.
This involves ensuring that information is only accessible to those authorised to access it and therefore to preventing both deliberate and accidental unauthorised access to Union Street’s information and its systems (file servers, networks, data repositories, telephony systems, and websites).
This involves safeguarding the accuracy and completeness of information and processing methods and, therefore, requires reasonably reducing the chance of deliberate or accidental, partial or complete, destruction or unauthorised modification, of either physical assets or electronic data, taking account that the cost of implementing security controls should not outweigh the benefit of them to the business. There are appropriate contingency plans for all systems, data backup plans and security incident reporting. Union Street complies with all relevant data-related legislation in those jurisdictions within which it operates.
The physical assets of Union Street include, but are not limited to, computer hardware, data cabling, telephone systems, filing systems and physical data files.
Information assets include information printed or written on paper, transmitted by post or shown in films, or spoken in conversation, as well as information stored electronically on servers, website(s), extranet(s), intranet(s), PCs, laptops, mobile phones and PDAs, as well as on CD ROMs, floppy disks, USB sticks, backup tapes and any other digital or magnetic media, and information transmitted electronically by any means. In this context, ‘data’ also includes the sets of instructions that tell the system(s) how to manipulate information (i.e. the software: operating systems, applications, utilities, etc.).
The ISMS is the Information Security Management System, of which this Information Security Policy, the Information Security Manual and other supporting and related documentation is a part, and which has been designed in accordance with the specifications contained in ISO27001:2013.
A SECURITY BREACH is any incident or activity that causes, or may cause, a break down in the availability, confidentiality or integrity of the physical or electronic information assets of Union Street.