1. Introduction
This Information Security Policy outlines the framework for protecting the confidentiality, integrity, and availability of Lenience UK Ltd's information assets. This policy applies to all employees, contractors, and third parties who have access to Lenience UK Ltd's information systems and data.
2. Scope
This policy covers all aspects of information security within Lenience UK Ltd, including:
Data Confidentiality: Protecting sensitive information from unauthorised disclosure.
Data Integrity: Ensuring the accuracy and completeness of information.
Data Availability: Ensuring that information is accessible when needed by authorised users.
System Security: Protecting information systems and networks from unauthorised access, use, disclosure, disruption, modification, or destruction.
Physical Security: Protecting physical facilities and equipment that house and support information systems.
Personnel Security: Ensuring that employees and other personnel are aware of and comply with security policies and procedures.
Business Continuity: Ensuring the continued operation of critical business functions during and after a disruptive event.
3. Information Security Responsibilities
Management:
Establish and maintain an Information Security Management System (ISMS).
Provide adequate resources for information security.
Ensure that information security risks are identified, assessed, and mitigated.
Promote a culture of security awareness among employees.
Employees:
Comply with all information security policies and procedures.
Protect their assigned passwords and access credentials.
Report any suspected security incidents promptly.
Use company resources responsibly and ethically.
Maintain the confidentiality of all company information.
4. Password Control
Password Complexity: Passwords must meet minimum complexity requirements (length, character types).
Regular Password Changes: Passwords must be changed regularly (every 90 days).
Password Storage: Passwords must be stored securely and encrypted.
Account Lockout: Accounts will be locked after multiple failed login attempts.
5. Personal Device Acceptable Use
BYOD Policy: Employees may use their personal devices for work purposes with appropriate security measures in place.
Data Separation: Personal and work data must be kept separate on personal devices.
Mobile Device Management (MDM): MDM software may be deployed on employee devices to enforce security policies.
Acceptable Use Guidelines: Employees must adhere to acceptable use guidelines for personal devices used for work.
6. Removable Media
Use Restrictions: The use of removable media (USB drives, external hard drives) may be restricted or subject to approval.
Data Sanitisation: Removable media used for work purposes must be properly sanitised before and after use.
Anti-Virus Scanning: Removable media must be scanned for viruses and malware before and after use.
7. Access Control
Least Privilege: Employees should only be granted access to the information and systems they need to perform their job duties.
Regular Access Reviews: Access rights should be reviewed and updated regularly.
Multi-Factor Authentication (MFA):
Google Authenticator: MFA will be implemented for critical systems and sensitive data using Google Authenticator.
Employees will be required to enrol their mobile devices with the Google Authenticator app.
Access to these systems will require the user to enter their username/password and then provide a time-based one-time code generated by the Google Authenticator app.
Other MFA Methods: Other MFA methods may be considered and implemented as needed, such as hardware tokens or biometric authentication.
8. Joiners, Leavers, and Movers
Onboarding: New employees must receive security awareness training and have their access rights properly provisioned.
Offboarding: Access rights for departing employees must be promptly revoked.
Internal Transfers: Access rights must be updated to reflect changes in employee roles and responsibilities.
9. Physical Security
Building Access Control: Access to company premises should be restricted and monitored.
Equipment Security: Company equipment should be properly secured and protected from theft or damage.
Data Centre Security: Data centres should be physically secured and monitored.
10. Anti-Malware and Malware Recovery
Anti-Malware Software: Anti-malware software must be installed and maintained on all company devices.
Regular Updates: Anti-malware software must be updated regularly with the latest virus definitions.
Incident Response Plan: A plan should be in place to respond to and recover from malware incidents.
11. Network Security
Network Segmentation: Networks should be segmented to minimise the impact of security breaches.
Firewalls: Firewalls should be deployed to control network traffic.
Intrusion Detection and Prevention Systems (IDPS): IDPS should be implemented to monitor network activity for malicious traffic.
Event Logging and Monitoring: Network activity should be logged and monitored for suspicious activity.
12. Security Awareness Training
Mandatory Training: All employees are required to complete initial and ongoing security awareness training.
Training Topics:
This policy
Password security best practices
Phishing and social engineering awareness
Data handling and protection
Safe use of company devices and personal devices for work
Identifying and reporting security incidents
Vulnerability reporting
Business continuity awareness
Regular Refresher Training: Annual refresher training will be conducted to reinforce security awareness and address emerging threats.
Phishing Simulations: Phishing simulations will be conducted regularly to test employee awareness and response to phishing attacks.
Training Documentation: Employees will be required to acknowledge their completion of security awareness training.
13. Vulnerability Management
Vulnerability Scanning: Regular vulnerability scans will be conducted on all systems and networks.
Vulnerability Assessment: Identified vulnerabilities will be assessed for risk and prioritised for remediation.
Remediation:
Action plans will be developed and implemented to address identified vulnerabilities.
Remediation efforts will be tracked and documented.
Reporting:
Vulnerabilities will be reported and tracked in a centralised vulnerability management system.
Regular reports on the status of vulnerability remediation will be generated and reviewed by management.
14. Incident Response
Incident Reporting: All security incidents must be reported promptly to the designated security contact.
Incident Response Plan: A documented incident response plan will be developed and regularly tested.
Incident Investigation: Incidents will be investigated thoroughly to determine the root cause and impact.
Incident Containment: Steps will be taken to contain the impact of the incident and prevent further damage.
Incident Recovery: Actions will be taken to recover from the incident and restore normal operations.
Post-Incident Review: After each incident, a post-incident review will be conducted to identify lessons learned and improve future incident response.
15. Business Continuity
Business Impact Analysis (BIA): A BIA will be conducted to identify critical business functions and their dependencies. This analysis will be updated annually.
Business Continuity Plan (BCP): A BCP will be developed and maintained to ensure the continued operation of critical business functions during and after a disruptive event.
The BCP will include:
Alternate Site Arrangements: Plans for relocating operations to alternate sites, such as hot sites, cold sites, or working from home.
Communication Plans: Procedures for communicating with employees, customers, and suppliers during and after a disruption.
Crisis Management Team: Designation and training of a crisis management team responsible for coordinating the response to a disruptive event.
Data Backup and Recovery: Procedures for backing up and recovering critical data.
Incident Response Procedures: Integration with the Incident Response Plan to ensure coordinated response to security incidents.
Disaster Recovery Plan (DRP): A DRP will be developed and maintained to enable the recovery of IT systems and data in the event of a disaster.
The DRP will include:
Data Backup and Recovery Procedures: Detailed procedures for backing up and restoring critical data from backups.
System Recovery Procedures: Procedures for restoring IT systems and applications to an operational state.
Testing and Maintenance: Regular testing and maintenance of backup and recovery systems.
Testing and Training:
The BCP and DRP will be tested annually through tabletop exercises, simulations, or partial system tests.
Employees will be trained on their roles and responsibilities in the event of a disruption.
Regular Reviews: The BCP and DRP will be reviewed and updated annually to reflect changes in business operations, technology, and the threat landscape.
16. Policy Enforcement
Monitoring and Auditing: Information security activities should be monitored and audited regularly.
Incident Reporting: Security incidents must be reported promptly to the appropriate personnel.
Disciplinary Action: Disciplinary action may be taken against employees who violate security policies.
17. Policy Review and Updates
This policy will be reviewed and updated annually to ensure its continued effectiveness.
18. Internal Portal
This policy will be made available to all employees through the company's internal portal.
19. Employee Acknowledgement
All employees are required to acknowledge their understanding of and agreement to this policy by signing this document upon commencement of employment and annually thereafter.