See Science Ltd: Information Security Policy

June 2023

1. Aim of this Information Security Policy

The aim of this Information Security Policy is to provide clarity about what is expected of See Science Ltd team members when it comes to data security and use of company systems and applications.

It should enable them to understand how they can maintain the security of both data and applications.

The policy provides clear guidelines on:

  • The use of company-issued devices
  • The use of personal devices
  • Email security
  • Creating and storing passwords
  • Transferring data.

2. Data held on See Science Ltd devices and systems

The following policy is designed to be appropriate to protect the types of data held on See Science Ltd devices and systems.

See Science Ltd devices and systems are only used to store the following types of information.

2.1 Personal information

  • The names, email addresses and job roles of people who have requested information from See Science Ltd and have given their consent may be acquired and held (see See Science's Privacy Policy for more details).
  • Other personal information, including home addresses, any type of financial information or other information that could be considered to be confidential, is never stored on See Science Ltd devices and systems.

2.2 Organisation information

  • Only information about organisations which is readily accessible in the public domain is held on See Science Ltd devices and systems.
  • Other information about organisations, including financial information or any other data that could be considered to be confidential, is never stored on See Science Ltd devices and systems.

3. Device security

3.1 Company devices

It is vital that all team members maintain the security of devices provided by See Science.

  • All devices must be protected with an adequate password (see 5. Password management below).
  • Effective anti-virus software must be installed and kept up to date.
  • All other software must be kept up to date with the latest software releases and patches.
  • Devices must be locked/secured when not in use or unattended.
  • Company-owned devices must not be removed from See Science premises without prior management-level approval.
  • If company devices are removed from the business premises, the Data and IT Controller must be notified immediately if the device is lost or stolen, so that appropriate action can be taken.
  • Third-party applications must not be installed on company-owned devices without management-level approval.
  • The personal use of company-owned devices is only permitted for pre-approved purposes and to access pre-approved websites and social media.

3.2 Personal devices

Whenever personal devices are used for work purposes or to access work information, users must follow this guidance:

  • The personal device must be protected with an adequate password (see 5. Password management below).
  • The personal device must have effective anti-virus software installed and kept up to date.
  • All other software must be kept up to date with the latest software releases and patches.
  • Personal devices must be secured and not left unattended at any time.

4. Email security

To avoid cyber-attacks via email such as phishing, See Science team members must always follow these email security guidelines:

  • The legitimacy of all emails must be established – is the email actually from who it claims to be?
  • Attention should be given to errors in grammar or spelling in emails – these are often an indicator that the email is not authentic.
  • Emails with 'clickbait' titles must not be opened.
  • All emails which cannot be confirmed as legitimate should be deleted or quarantined (effective anti-virus software may be able to perform this function in the background).
  • Team members must not open any attachments or click on any links included in emails which cannot be verified as authentic.
  • Any concerns that the integrity of company systems may have been compromised via a suspicious email must be reported as soon as possible to the Data and IT Controller.

5. Password management

Passwords are the first line of defence in IT security. If hackers or unauthorised users are able to guess or discover passwords this can give them access to the entire IT infrastructure.

See Science team members must follow these guidelines for the creation and use of passwords:

  • Passwords must be a minimum of 8 characters in length.
  • Common passwords or one-word passwords (eg password, abcdefgh, 987654, admin etc) must not be used.
  • Passwords must not be written down.
  • If the business has implemented a password management tool, such as 1Password, team members must make use of this to create and store random, secure passwords.
  • See Science passwords must not be reused for non-work-related purposes.
  • Multi-factor authentication should be used wherever this is provided.
  • Passwords must not be shared with another team member.
  • If possible, each team member should have an individual account for company applications or systems that they use.

6. Secure data transfer

See Science Ltd does not store any data that could be considered as confidential or valuable (see above). However, the following guidelines apply in any possible future situation where a team member may need to securely transfer data.

This is important not only from an IT perspective but also in order to fulfil See Science's data protection duties under GDPR.

  • Confidential data should only be transferred to other employees or third parties when absolutely necessary.
  • Before sending confidential data, the recipient's details must be verified and it must be confirmed that the receiving devices and systems have sufficient security measures in place.
  • All transfers of confidential data must be authorised at management level.
  • Before initiating any transfer of confidential data the sender must ensure that the correct form of encryption is used for the data transfer (if this is specified) and that the correct transfer method is used (if this is specified).
  • All data transfers must be carried out in accordance with GDPR and any confidentiality agreements which may be in place.

7. Complaints or queries about this policy

You can make a complaint to us at enquiries@see-science.co.uk if you think this policy is incorrect or fails to address IT issues that are relevant to See Science Ltd. We also welcome any suggestions for improving our procedures.

8. Data and IT Controller: identity and contact details

The Data and IT Controller at See Science Ltd and the person responsible for administering this policy is Cerian Angharad.

Cerian Angharad
See Science Ltd
8 St Andrew's Crescent
Cardiff CF10 3DD

02920 344727

cerian.angharad@see-science.co.uk

www.see-science.co.uk

www.gweld-gwyddoniaeth.co.uk