Information Security Management System
1. Purpose and scope of the ISMS
The FiguringOutData.com Information Security Management System (ISMS) is a systematic approach to managing our sensitive company information in order to protect it from unauthorised access, use, disclosure, or destruction.
Its scope includes:
- Introduction to the organisation – our purpose and the responsibilities of key stakeholders
- Physical security – our controls that protect physical assets and prevent unauthorised access to sensitive areas.
- Human resources security – our policies and procedures to ensure that employees and contractors understand their responsibilities and are trained on how to manage information securely.
- Information access control – our controls to ensure that access to sensitive information is limited to authorised personnel only.
- Network security – our controls to protect the organisation's IT infrastructure from unauthorised access, attack, and disruption.
- Incident management – our procedures for detecting, reporting, and responding to security incidents.
- Business continuity planning – our procedures for ensuring that critical business operations can continue in the event of a disruption.
2. Our organisation and key Stakeholders
FiguringOutData.com Ltd is an Information Services company that provides data related services and data analytics training to other commercial, public sector and 3rd sector organisations.
Our Directors and Employees are responsible for ensuring that the business operates in a sustainable manner, that all business information is kept confidential, and is available and reliable – and that all employment processes relating to Information Security are in place and kept up-to-date.
Our sub-contractors (who are used occasionally for specialist work) are responsible for ensuring all business information they are involved with is kept confidential, and is available and reliable, and that all relevant employment processes relating to Information Security Policies and Procedures are followed.
3. Risk Assessment
We have identified the major risks that are relevant to the services that we provide. These are listed in a document that is separate to this ISMS (Risks and Mitigating Actions document).
Within it, each risk identified is ranked according to its significance. Each is accompanied by an assessment of the associated consequence should the business remain exposed to the risk – plus a statement of the controls put in place that mitigate the risk as far as possible.
The document also outlines the process for scanning for further risks, and the subsequent steps to evaluate their significance and respond accordingly.
4. Policies and Procedures
Data Protection Policy
Policy brief & purpose
Our Company Data Protection Policy refers to our commitment to treat all information with the utmost care and confidentiality.
With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.
This policy refers to all parties (employees, clients, suppliers etc.) who provide any information to us.
Who is covered under the Data Protection Policy?
Any person who is involved with Figuringoutdata.com. Generally, our policy refers to anyone we collaborate with or who acts on our behalf and may need occasional access to data.
As part of our operations, we need to obtain and process information. This information can include any offline or online data that makes a person identifiable such as names, addresses.
Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply.
Our data will be:
- Accurate and kept up-to-date;
- Collected fairly and for lawful purposes only;
- Processed by the company within its legal and moral boundaries;
- Protected against any unauthorised or illegal access by internal or external parties.
Our data will not be:
- Communicated informally;
- Stored for more than a specified amount of time;
- Transferred to organisations, states or countries that do not have adequate data protection policies;
- Distributed to any party other than the ones agreed upon by the data's owner (exempting legitimate requests from law enforcement authorities).
In addition to ways of handling the data the company has direct obligations towards people to whom the data belongs. Specifically we must:
- Let people know which of their data is collected;
- Inform people about how we’ll process their data;
- Inform people about who has access to their information;
- Have provisions in cases of lost, corrupted or compromised data;
- Allow people to request that we modify, erase, reduce or correct data contained in our databases.
To exercise data protection we’re committed to:
- Restrict and monitor access to sensitive data;
- Develop transparent data collection procedures;
- Train employees in online privacy and security measures;
- Build secure networks to protect online data from cyberattacks;
- Establish clear procedures for reporting privacy breaches or data misuse;
- Include contract clauses or communicate statements on how we handle data;
- Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)
Acceptable Use Policy
The purpose of this policy is to outline the acceptable use of computer equipment at Figuringoutdata.com. These rules are in place to protect the employee and Figuringoutdata.com. Inappropriate use exposes Figuringoutdata.com to risks including virus attacks, compromise of network systems and services, and legal issues.
This policy applies to the use of information, electronic and computing devices, and network resources to conduct Figuringoutdata.com business or interact with internal networks and business systems, whether owned or leased by Figuringoutdata.com, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at Figuringoutdata.com and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with Figuringoutdata.com policies and standards, and local laws and regulation.
This policy applies to employees, contractors, consultants, temporaries, and other workers at Figuringoutdata.com, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Figuringoutdata.com.
General Use and Ownership
Figuringoutdata.com proprietary information stored on electronic and computing devices whether owned or leased by Figuringoutdata.com, the employee or a third party, remains the sole property of Figuringoutdata.com. You must ensure through legal or technical means that proprietary information is protected in accordance with the Data Protection Standard.
You have a responsibility to promptly report the theft, loss or unauthorised disclosure of Figuringoutdata.com proprietary information.
You may access, use or share Figuringoutdata.com proprietary information only to the extent it is authorised and necessary to fulfil your assigned job duties.
Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. Where no such guidelines exist, or if there is any uncertainty, employees should consult their supervisor or manager.
For security and network maintenance purposes, authorised individuals within Figuringoutdata.com may monitor equipment, systems and network traffic at any time, per Figuringoutdata.com’s Audit Policy.
Figuringoutdata.com reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
Security and Proprietary Information
System level and user level passwords must comply with the Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.
Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
The following activities are strictly prohibited, with no exceptions:
- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Figuringoutdata.com.
- Unauthorised copying of copyrighted material including, but not limited to, digitisation and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Figuringoutdata.com or the end user does not have an active licence.
- Accessing data, a server or an account for any purpose other than conducting Figuringoutdata.com business, even if you have authorised access, is prohibited.
- Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
- Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorised to access.
Email and Communication Activities
When using company resources to access and use the Internet, users must realise they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that “the opinions expressed are my own and not necessarily those of the company”.
The following email activities are prohibited:
- Sending unsolicited email messages, including "junk mail" or other advertising material, to individuals who did not specifically request such material (email spam).
- Use of unsolicited email originating from within Figuringoutdata.com's networks or other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by Figuringoutdata.com or connected via Figuringoutdata.com's network.
- Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Employees must also follow these anti-malware practices:
- Always run the corporate standard, supported anti-virus software.
- Never open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your Trash.
- Delete spam, chain and other junk email without forwarding it, in accordance with Figuringoutdata.com's Acceptable Use Policy.
- Never download files from unknown or suspicious sources.
- Avoid direct disk sharing with read/write access unless there is a clear business requirement to do so.
- Back up critical data and system configurations on a regular basis and store the backups in a safe place.
Data Breach policy
This policy mandates that any individual who suspects that a theft, breach or exposure of Figuringoutdata.com protected or sensitive data has occurred must immediately provide a description of what occurred to the Data Controller by phone or via e-mail to firstname.lastname@example.org.
The Data Controller will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred.
This policy applies to all who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personally identifiable information.
As soon as a theft, data breach or exposure containing Figuringoutdata.com protected or sensitive data is identified, the process of removing all access to that resource will begin.
The Data Controller will assemble a response team to handle the breach or exposure and determine the root cause: how the breach or exposure occurred, the types of data involved, and the number of internal/external individuals and/or organisations impacted.
The Data Controller will then decide how to communicate the breach to those directly affected.
Email policy
This policy covers appropriate use of any email sent from a Figuringoutdata.com email address and applies to all employees, vendors, and agents operating on behalf of Figuringoutdata.com.
All use of email must be consistent with Figuringoutdata.com policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.
Figuringoutdata.com email account should be used primarily for Figuringoutdata.com business-related purposes; personal communication is permitted on a limited basis, but non-Figuringoutdata.com related commercial uses are prohibited.
Figuringoutdata.com data contained within an email message or an attachment must be secured according to the Data Protection Standard.
Email should be retained only if it qualifies as a Figuringoutdata.com business record. Email is a Figuringoutdata.com business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.
The Figuringoutdata.com email system shall not be used for the creation or distribution of any disruptive or offensive messages. Employees who receive any emails with this content from any Figuringoutdata.com employee should report the matter to one of the Company Directors immediately.
Users are prohibited from automatically forwarding Figuringoutdata.com email to a third party email system. Individual messages which are forwarded by the user must not contain Figuringoutdata.com confidential or above information.
Using a reasonable amount of Figuringoutdata.com resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email.
Figuringoutdata.com employees shall have no expectation of privacy in anything they store, send or receive on the company’s email system.
Password construction policy
The purpose of these guidelines is to provide best practices for the creation of strong passwords.
This guideline applies to employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.
Statement of Guidelines
We recommend a minimum of 14 characters in your password. In addition, we highly encourage the use of passphrases, passwords made up of multiple words. Examples include “It’s time for vacation” or “block-curious-sunny-leaves”. Passphrases are both easy to remember and type, yet meet the strength requirements. Poor, or weak, passwords have the following characteristics:
- Contain eight characters or less.
- Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.
- Contain number patterns.
In addition, every work account should have a different, unique password. To enable users to maintain multiple passwords, we highly encourage the use of ‘password manager’ software that is authorised and provided by the organisation. Whenever possible, also enable the use of multi-factor authentication.
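The rules above can be checked mechanically before a password is accepted. The following is an added example, not a tool from the original document: it flags passwords shorter than 14 characters, passwords containing caller-supplied personal information, and number patterns such as 1111 or 1234 (the 4-digit window used for that test is an assumption), and it accepts the two passphrases quoted in the guideline.

```python
"""Check a candidate password against the construction guideline above.

Added illustration, not a tool from the original document. The rules are the
guideline's own (minimum of 14 characters, no personal information, no number
patterns); the 4-digit window used to detect number patterns and the
caller-supplied personal_info list are assumptions.
"""
import re

MIN_LENGTH = 14      # "We recommend a minimum of 14 characters"
PATTERN_RUN = 4      # assumed: 4 consecutive digits that repeat or step by 1
_DIGIT_RUNS = re.compile(r"\d{%d,}" % PATTERN_RUN)


def has_number_pattern(password: str) -> bool:
    """True if any run of PATTERN_RUN digits is constant (1111) or steps by +/-1 (1234, 9876)."""
    for match in _DIGIT_RUNS.finditer(password):
        digits = [int(c) for c in match.group()]
        for start in range(len(digits) - PATTERN_RUN + 1):
            window = digits[start:start + PATTERN_RUN]
            steps = {b - a for a, b in zip(window, window[1:])}
            if steps in ({0}, {1}, {-1}):
                return True
    return False


def check_password(password: str, personal_info: tuple = ()) -> list:
    """Return the guideline violations found; an empty list means the password is acceptable.

    personal_info holds strings the user must not embed (names, birth year,
    phone number, pet names, ...); matching is case-insensitive.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for item in personal_info:
        token = item.strip().lower()
        if len(token) >= 3 and token in lowered:
            problems.append(f"contains personal information ({item.strip()!r})")
    if has_number_pattern(password):
        problems.append("contains a number pattern")
    return problems


if __name__ == "__main__":
    # Constructed examples: the two passphrases quoted in the guideline pass;
    # a short password built on a pet's name and one with a number pattern do not.
    for candidate in ("It's time for vacation", "block-curious-sunny-leaves",
                      "Rover2024!", "Summer-is-here-1234"):
        verdict = check_password(candidate, personal_info=("Rover",)) or "OK"
        print(f"{candidate!r}: {verdict}")
```

A length floor plus a pattern heuristic is a coarse filter, not a strength measure; in practice it is paired with the password manager and multi-factor authentication the guideline already calls for, and commonly with a check against lists of known-breached passwords.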
Password security policy
The purpose of this policy is to establish a standard for creation of strong passwords and the protection of those passwords.
The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Figuringoutdata.com facility, has access to the Figuringoutdata.com network, or stores any non-public Figuringoutdata.com information.
All user-level and system-level passwords must conform to the Password Construction Guidelines.
Users must use a separate, unique password for each of their work related accounts. Users may not use any work related passwords for their own, personal accounts.
User accounts that have system-level privileges granted through group memberships or programs such as sudo must use a password for that system-level access that is unique from all other accounts held by the user. In addition, it is highly recommended that some form of multi-factor authentication is used for any privileged account.
Passwords should be changed at least every month.
Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential Figuringoutdata.com information.
Passwords may be stored only in “password managers” authorised by the organisation.
Do not use the “Remember Password” feature of applications (for example, web browsers).
Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.
Application developers must ensure that their programs contain the following security precautions:
- Applications must support authentication of individual users, not groups.
- Applications must not store passwords in clear text or in any easily reversible form.
- Applications must not transmit passwords in clear text over the network.
- Applications must provide for some sort of role management, such that one user can take over the functions of another without having to know the other’s password.
Multi-factor authentication is highly encouraged and should be used whenever possible, not only for work related accounts but personal accounts also.
Remote Access Policy
The purpose of this policy is to define rules and requirements for connecting to Figuringoutdata.com’s network from any host. These rules and requirements are designed to minimize the potential exposure to Figuringoutdata.com from damages which may result from unauthorised use of Figuringoutdata.com resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical Figuringoutdata.com internal systems, and fines or other financial liabilities incurred as a result of those losses.
This policy applies to all Figuringoutdata.com employees, contractors, vendors and agents with a Figuringoutdata.com-owned or personally-owned computer or workstation used to connect to the Figuringoutdata.com network. This policy applies to remote access connections used to do work on behalf of Figuringoutdata.com, including reading or sending email and viewing intranet web resources. This policy covers any and all technical implementations of remote access used to connect to Figuringoutdata.com networks.
It is the responsibility of Figuringoutdata.com employees, contractors, vendors and agents with remote access privileges to Figuringoutdata.com’s corporate network to ensure that their remote access connection is given the same consideration as the user’s on-site connection to Figuringoutdata.com.
General access to the Internet for recreational use through the Figuringoutdata.com network is strictly limited to Figuringoutdata.com employees, contractors, vendors and agents (hereafter referred to as “Authorised Users”). When accessing the Figuringoutdata.com network from a personal computer, Authorised Users are responsible for preventing access to any Figuringoutdata.com computer resources or data by non-Authorised Users. Performance of illegal activities through the Figuringoutdata.com network by any user (Authorised or otherwise) is prohibited. The Authorised User bears responsibility for and consequences of misuse of the Authorised User’s access. For further information and definitions, see the Acceptable Use Policy.
Authorised Users will not use Figuringoutdata.com networks to access the Internet for outside business interests.
Database access security policy
This policy states the requirements for securely storing and retrieving database usernames and passwords (i.e., database credentials) for use by a program that will access a database running on one of Figuringoutdata.com’s networks.
Software applications running on Figuringoutdata.com’s networks may require access to one of the many internal database servers. In order to access these databases, a program must authenticate to the database by presenting acceptable credentials. If the credentials are improperly stored, the credentials may be compromised leading to a compromise of the database.
This policy is directed at all system implementers and/or software engineers who may be coding applications that will access a production database server on the Figuringoutdata.com network.
In order to maintain the security of Figuringoutdata.com’s internal databases, access by software programs must be granted only after authentication with credentials. The credentials used for this authentication must not reside in the main, executing body of the program’s source code in clear text. Database credentials must not be stored in a location that can be accessed through a web server.
Database user names and passwords may be stored in a file separate from the executing body of the program’s code. This file must not be world readable or writeable.
Database credentials may reside on the database server. In this case, a hash value identifying the credentials may be stored in the executing body of the program's code.
Database credentials may be stored as part of an authentication server (i.e., an entitlement directory), such as an LDAP server used for user authentication. Database authentication may occur on behalf of a program as part of the user authentication process at the authentication server. In this case, there is no need for programmatic use of database credentials.
Database credentials must not reside in the document tree of a web server.
Passwords or pass phrases used to access a database must adhere to the Password Policy.
If stored in a file that is not source code, then database user names and passwords must be read from the file immediately prior to use. Immediately following database authentication, the memory containing the user name and password must be released or cleared.
The scope into which you may store database credentials must be physically separated from the other areas of your code, e.g., the credentials must be in a separate source file. The file that contains the credentials must contain no other code but the credentials (i.e., the user name and password) and any functions, routines, or methods that will be used to access the credentials.
For languages that execute from source code, the credentials’ source file must not reside in the same browseable or executable file directory tree in which the executing body of code resides.
Every program or every collection of programs implementing a single business function must have unique database credentials. Sharing of credentials between programs is not allowed.
Database passwords used by programs are system-level passwords as defined by the Password Policy.
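The file-based option above (a separate file that is not group- or world-readable, kept outside any web-served tree, read immediately before use and cleared afterwards) can be enforced by the program itself rather than left to convention. The following is an added example, not code from the original document; it assumes a POSIX host, a credentials file of key=value lines and the DOCUMENT_ROOTS list of web-served trees, and connect_fn stands in for the real database driver's connect call, which is not shown.

```python
"""Load database credentials from a separate file, enforcing the storage rules above.

Added illustration, not code from the original document. Assumptions: a POSIX
host (ownership and mode bits), a file of "key=value" lines, and the
DOCUMENT_ROOTS list; connect_fn is a placeholder for the real driver's
connect call.
"""
import os
import stat
from contextlib import contextmanager
from pathlib import Path

# Assumed web-served document trees; a credentials file must never live under them.
DOCUMENT_ROOTS = (Path("/var/www"), Path("/srv/http"))


class CredentialPolicyError(Exception):
    """The credentials file violates the storage policy; refuse to use it."""


def check_credential_file(path, document_roots=DOCUMENT_ROOTS) -> None:
    """Reject files that are web-browseable, not regular, not ours, or group/world accessible."""
    target = Path(path).resolve()                     # follow symlinks, judge the real file
    for root in document_roots:
        if Path(root).resolve() in target.parents:
            raise CredentialPolicyError(f"{target} is inside web document tree {root}")
    st = target.stat()
    if not stat.S_ISREG(st.st_mode):
        raise CredentialPolicyError(f"{target} is not a regular file")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise CredentialPolicyError(f"{target} is not owned by the running user")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialPolicyError(f"{target} is group/world accessible (mode {mode:04o})")


def _wipe(buf: bytearray) -> None:
    buf[:] = bytes(len(buf))                          # overwrite in place with zeros


def _parse(raw: bytearray) -> dict:
    """Split "key=value" lines into separate bytearrays so each can be wiped individually."""
    creds = {}
    for line in raw.split(b"\n"):
        if b"=" in line and not line.lstrip().startswith(b"#"):
            key, value = line.split(b"=", 1)
            creds[key.strip().decode("ascii")] = bytearray(value.strip())
    return creds


@contextmanager
def database_credentials(path, document_roots=DOCUMENT_ROOTS):
    """Read the credentials immediately before use and zero the buffers on exit.

    Caveat: Path.read_bytes() returns an immutable bytes object that cannot be
    zeroed; it is dropped at once so that copy is short-lived, but the wipe
    guarantee holds only for the bytearrays handed out here.
    """
    check_credential_file(path, document_roots)
    raw = bytearray(Path(path).read_bytes())
    creds = _parse(raw)
    _wipe(raw)
    try:
        yield creds
    finally:
        for buf in creds.values():
            _wipe(buf)
        creds.clear()


def connect_with_credentials(path, connect_fn, document_roots=DOCUMENT_ROOTS):
    """connect_fn(user, password) is the driver's connect call (placeholder).

    Most drivers want str, so decoded copies are created here; keep the call
    short so they are unreferenced as soon as the connection is established.
    """
    with database_credentials(path, document_roots) as creds:
        return connect_fn(creds["username"].decode(), creds["password"].decode())
```

The permission check is the one the policy states (not world-readable or writeable) tightened to the owner only, which is the usual reading of "separate file" for a single service account. Note that Python cannot scrub str objects, so the wiping is best-effort: it bounds how long the raw file content sits in memory, but the driver will hold its own copy for the life of the connection.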
Software Installation Policy
The purpose of this policy is to outline the requirements for installing software on Figuringoutdata.com computing devices, in order to minimise the risk of loss of program functionality, the exposure of sensitive information held within the Figuringoutdata.com computing network, the risk of introducing malware, and the legal exposure of running unlicensed software.
This policy applies to all Figuringoutdata.com employees, contractors, vendors and agents using Figuringoutdata.com-owned computing devices. It covers all computers, servers, smartphones, tablets and other computing devices operating within Figuringoutdata.com.
Software must be selected from an approved software list, maintained by Figuringoutdata.com, unless no selection on the list meets the requester’s need.
Figuringoutdata.com will obtain and track the licenses, test new software for conflict and compatibility, and perform the installation.
Web application security policy
The purpose of this policy is to define web application security assessments within Figuringoutdata.com. Web application assessments are performed to identify potential or realised weaknesses as a result of inadvertent mis-configuration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of Figuringoutdata.com services available both internally and externally as well as satisfy compliance with any relevant policies in place.
This policy covers all web application security assessments requested by any individual, group or department for the purposes of maintaining the security posture, compliance, risk management, and change control of technologies in use at Figuringoutdata.com.
All web application security assessments will be performed by delegated security personnel either employed or contracted by Figuringoutdata.com.
Web applications are subject to security assessments based on the following criteria:
- New or Major Application Release – will be subject to a full assessment prior to approval of the change control documentation and/or release into the live environment.
- Third Party or Acquired Web Application – will be subject to full assessment after which it will be bound to policy requirements.
- Point Releases – will be subject to an appropriate assessment level based on the risk of the changes in the application functionality and/or architecture.
- Patch Releases – will be subject to an appropriate assessment level based on the risk of the changes to the application functionality and/or architecture.
All security issues that are discovered during assessments must be mitigated based upon the following risk levels.
- High – Any high risk issue must be fixed immediately or other mitigation strategies must be put in place to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the live environment.
- Medium – Medium risk issues should be reviewed to determine what is required to mitigate and scheduled accordingly. Applications with medium risk issues may be taken off-line or denied release into the live environment based on the number of issues and if multiple issues increase the risk to an unacceptable level. Issues should be fixed in a patch/point release unless other mitigation strategies will limit exposure.
- Low – Issue should be reviewed to determine what is required to correct the issue and scheduled accordingly.
Backup and recovery policy
The purpose of this policy is to establish a standard practice for the backup and recovery of sensitive data in order to maintain business continuity in the face of a disaster event.
The scope of this policy includes all personnel who are responsible for the management of data secured in company databases.
In order to minimise the risk of data loss in the event of a disaster, all data relating to company operations and client services will be stored in Microsoft Azure using Azure SQL Managed Instance, given its built-in business continuity features (automated backups and point-in-time restore) that help to mitigate against various unplanned scenarios.
Each Managed Instance database will also be exported manually on a weekly basis to a 'bacpac' file, which will be stored in an Azure Storage account. This is the default backup frequency and applies unless more frequent backups are required. A bacpac is a logical export rather than a transactionally consistent snapshot, so the export should be taken while the database is not being written to, or from a copy of the database, to avoid producing an inconsistent file.
Recovery will therefore involve restoration of SQL databases using the built-in automated backups and point-in-time restore available through the managed instance. Should this be unavailable, restoration will involve rebuilding the relevant managed instance and importing the most recent manual bacpac export.
5. Implementation, monitoring and review of controls and mitigation measures
In the Risks and Mitigating Actions document referenced in Section 3 (separate to this ISMS) we outline the following:
- How our ongoing activities are reviewed for potential risk and how any action required is implemented and reviewed for effectiveness in order to establish a sustainable on-going offset and mitigation process.
- How measurement of our performance against our declared Information Security Objectives is undertaken.
- How we ensure that personnel have the necessary training, skills and equipment to effectively develop, maintain and follow Information Security Policies and Procedures.
- The scope of internal audits needed to review progress and assist in the improvement of processes and procedures.
- How objectives are reviewed at regular Management Review meetings.
- How Information Security Policies and Objectives are kept in line with the strategic direction of the company.
- How the management system underpinning our Information Security Policies and Procedures is integrated into the organisation's business processes.
- How the communication addressing the importance of our Information Security Policies and Procedures is managed.
- The approach to embedding a culture of continuous improvement in relation to strengthening Information Security – the practices involved and the measurement of outcomes.
6. Training and awareness
Training and awareness programs are held internally for all new employees and sub-contractors which address the importance of information security and their role in and responsibility for protecting company assets by adhering to our Information Security Policies and Procedures.
Three principal documents are maintained: this ISMS; the Risks and Mitigating Actions document, which contains all our policies and procedures relating to the risks associated with information management; and a log of incidents, tests, system updates, and password changes.
These documents are essential for training and education as well as for auditing, reporting, and demonstrating compliance with regulatory requirements.
We regularly review all our documents to ensure they remain effective and relevant to our needs. We consider whether there have been any changes in our risk profile, business environment, ways of operating, or in regulatory requirements – and whether they necessitate a change to any of our Information Security Policies and Procedures.
The date of the next document review is: 01/06/23.
7. On-going steps
At the time of drafting this document, FiguringOutData.com holds Cyber Essentials certification in relation to information security.
The next step is to apply for Cyber Essentials Plus and then ISO/IEC 27001 certification.