Information Security Policy

Purpose and Scope

Information plays a major role in supporting PMG's internal operational processes and activities undertaken on behalf of clients. The purpose of the policy is to provide a framework for protecting:
  • PMG's IT and information security infrastructure
  • Key data and information for both PMG and its clients
  • Those who have access to or who administer IT/IS facilities
  • Individuals who process or handle key data and information
This policy is designed to provide protection from internal and external security threats, whether deliberate or accidental, by:
  • Defining PMG's policy for the protection of the Confidentiality, Integrity and Availability of its key data and information assets
  • Establishing responsibilities for information security
  • Providing reference to documentation that comprises the Information Security Management System (ISMS).

1. Policy Statement

This document forms PMG's Information Security Policy. Its purpose is to provide the framework (a commitment of undertaking) for PMG to apply information security controls throughout the organisation.
Supporting policies containing detailed Information Security requirements have been developed in support of this overarching policy. Dependent upon the subject matter, supporting policies will apply either across the entire organisation or to specific groups or individuals within PMG, its clients and supply chain. All members of staff who have access to PMG's computers, information systems and key data assets, and all other parties who have been granted such access, are responsible for complying with the supporting policies that are applicable to them.

2. Background

This Information Security Policy has been developed in support of the requirement for PMG to have an Information Security Management System (ISMS).

3. Requirements for Policy

PMG has an obligation to its staff and clients to clearly define requirements for the use of its information technology infrastructure facilities and its information systems. This is so that users of these facilities do not unintentionally place themselves or PMG at risk of prosecution or of compromise or loss of sensitive data and information.
In addition, the bulk of information at PMG is not intended to be openly accessible and available for sharing outside of PMG, its clients or suppliers who are deemed necessary to complete the contracted works. As such most information has to be processed, handled and managed securely and with accountability and integrity.
Legislation and industry requirements are key drivers of this policy, but it is also derived from the criticality and sensitivity of certain information where loss of accuracy, completeness or availability could prevent PMG from functioning efficiently or where disclosure could damage PMG's or its client's reputation. Unless a policy is in place to stipulate control requirements for such information, there is an increased risk that security breaches will be suffered, potentially resulting in a wide range of adverse consequences.

4. Objective

Information Security controls are designed to protect PMG's members of staff, its clients and supply chain. These are in place to help ensure the preservation of confidentiality, integrity and availability of key data and information.
  • Confidentiality - Knowing that key data and information can be accessed only by those authorised to do so
  • Integrity - Knowing that key data and information is accurate and up-to-date, and has not been deliberately or inadvertently modified from a previously approved version
  • Availability - Knowing that the key data and information can always be accessed when appropriate.
PMG is committed to protecting its members of staff, its clients, its supply chain and its key data and information, and to deploying controls that minimise the impact of any security incidents.

5. Applicability

The Policy applies to the following categories of users:
  • All full-time, part-time and temporary staff employed by, or working for or on behalf of PMG
  • Workers, contractors and consultants working for or on behalf of PMG
  • External third-party suppliers to whom PMG's internal security requirements and/or client security requirements will be flowed down
  • All other individuals and groups who have been granted access to PMG's IS/IT systems and/or key data and information.
All managers are ultimately responsible for ensuring the policy is implemented within their respective departments and for overseeing compliance by users under their direction, control or supervision.
It is the personal responsibility of each person to whom the policy applies to adhere to its requirements.

6. Policy Detail

6.1 Organisational Security

    Information security governance will be implemented to ensure effective controls are in place throughout all operations of PMG.

6.2 Information Security Infrastructure

    An Information Security Infrastructure has been developed to support the policy.

6.3 Ownership and Maintenance of the Policy

    Ownership and maintenance of this policy is with PMG's IT Director.

6.4 Independent Review

    An independent review of the implementation of the policy and its supporting policies, their effectiveness and the degree of compliance with them, will be carried out periodically by bodies that have appropriate experience of providing information security assurance.

6.5 Security of External Party Access

    Access to PMG's information processing facilities by external parties will be controlled.

6.6 Identification of Risks from External Party Access

    External parties who require access to PMG's infrastructure and/or information will be bound by an NDA that defines PMG's security requirements. Prior to being granted access to any information, they will be required to sign an undertaking to adhere to the requirements of the External Party Connection Policy.

    Each agreement will also take into consideration client specific requirements for information security in the processing that PMG will undertake for that client. This will ensure that PMG will flow down any requirements to the external parties.

6.7 Risk Methodology

    A standard approach to risk is defined through the Risk Assessment Methodology Policy. This policy sets out how PMG will maintain risks within a central risk register, in which each risk is linked to the assets it applies to. Additionally, the policy sets out how PMG will use a standard approach to the identification of risks across the business.

    The policy also sets out the criteria for accepting risks and acceptable levels of risk. This is based on a score of 1-16 with 1 being the lowest and 16 the highest risk.

    The risk methodology also sets out how PMG will manage and treat any risks that are identified. Risk reviews are ultimately owned by the IT Director who will report these to PMG's Board. Reviews will be undertaken at least annually.

6.8 Asset Classification

    Information assets will be categorised and recorded to enable appropriate management and control.

6.9 Inventory of Assets

    Inventories of information assets, including hardware, software and key data will be developed and maintained in accordance with the Asset Management Policy.

    The asset register will be a managed document controlled by the IT Head of Technical Services.

6.10 Protection of Key Data and Information

    Key data and information will be classified, protectively marked and handled and managed in accordance with the Information Classification & Protection Policy.

6.11 Personnel Security

    Controls will be put in place by PMG that will minimise the risks of human error, theft, fraud or malicious misuse of any of PMG's facilities.

6.12 Security in Job Descriptions

    Security roles and responsibilities will be included in job descriptions where appropriate to the role. These will include any specific responsibilities for the protection of particular assets, or for the execution of particular processes or activities such as data protection.

6.13 Personnel Screening Policy

    PMG's HR Team is responsible for conducting and maintaining the security vetting of all staff. Pre-employment controls are in place to mitigate client reputational and security damage. Employees must provide supporting documentation such as proof of identity, address details, nationality and entitlement to undertake work, previous employment history, and professional references. They may also be subject to Disclosure and Barring Service (DBS) and credit checks for appropriate roles, where there is access to personally identifiable data or there is a contractual requirement for staff to undergo enhanced screening. The company will also verify any professional body memberships and qualifications.

6.14 Confidentiality Undertaking

    All members of staff are reminded of their obligation to protect confidential information in accordance with PMG's standard terms and conditions of employment.

6.15 Employee Responsibilities

    Employees will be informed of their information security responsibilities during induction training, and these will be reiterated on PMG's intranet in accordance with the Information Security Training Awareness Policy.

6.16 Information Security Education and Training

    Information security awareness training and/or instruction will be made available to all staff. The Information Security Training Awareness Policy will identify where such training is mandatory. Additionally, roles that specifically manage key data and information will be identified.

    Contractors and external parties, such as visiting clients, will be made aware of their responsibilities through various information security awareness documents and publications.

6.17 Suspected Security Weaknesses

    Any person covered by the ISMS who uses, or is involved in the administration of, any of PMG's facilities will not attempt to prove any suspected or perceived security weakness, as doing so could cause system or process failure.

    Where there may be a requirement to prove a weakness then a written exemption will be documented and approved by the IT Director prior to any action being undertaken.

6.18 Reporting Security Incidents

    All actual, near miss and suspected security incidents are to be reported in accordance with the Information Security Incident Reporting Policy.

6.19 Network Isolation and Reconnection

    Any computer that is perceived to be placing the integrity of PMG's network at risk may be disconnected from network access in accordance with the Information Security Incident Reporting Policy. Subsequent reinstatement will only be permitted once the device concerned has been cleaned and has been passed by the IT Service Desk for reconnection.

6.20 Security Incident Management

    Events that are regarded as being 'security incidents' are defined, and processes have been implemented to investigate, control, manage and review such events in accordance with the Information Security Incident Reporting Policy, with a view to preventing recurrence.

    All departments are required to follow the Information Security Incident Reporting Policy.

6.21 Physical and Environmental Security

    Controls have been implemented as appropriate to prevent unauthorised access to, interference with, or damage to, information assets.

6.22 Physical Security

    Computer systems and networks are protected by suitable physical, technical, procedural and environmental security controls in accordance with the Physical Security Policy.

    File servers and machines that hold or process high criticality, high sensitivity or high availability data are located in physically secured areas.

    Access to facilities that hold or process high criticality, high sensitivity or high availability data (as defined within the Information Classification & Protection Policy) is controlled.

6.23 Office Security

    Key Information is protected in accordance with the Information Classification & Protection Policy.

    Laptop computers and remote equipment are protected in accordance with the Mobile & Remote Working Policy.

6.24 Communications and Operations Management

    Controls have been implemented to enable the correct and secure operation of information processing facilities.

6.25 Documented Operating Procedures

    Design, build and configuration documentation will be produced in respect of system platforms. Sensitive documentation will be held securely, with access restricted to staff on a need-to-know basis.

    IT operating procedures shall be documented and maintained.

6.26 Segregation of Duties

    Access to critical systems and key data and information will only be granted on a need-to-know basis.

    Segregation of duties between the operations and development environments shall be maintained for critical systems.

    Permanent and full access to live operating environments is restricted to staff whose role requires it.

6.27 Capacity Planning

    Appropriate processes and procedures have been implemented in respect of capacity planning and alerting for critical systems as defined in the Information Classification & Protection Policy.

6.28 System Changes

    All changes to live critical systems will follow a pre-defined change management process, to ensure that activities are undertaken in accordance with the stringent change control process set out in the Change Control Policy.

6.29 Security Assurance Testing

    Critical systems, as defined by the Information Classification & Protection Policy, will be subjected to periodic security assurance testing to ensure that systems remain secure.

6.30 Controls against Malicious Software

    Controls have been implemented to check for malicious or fraudulent code being introduced. Bespoke source code written by external parties, contractors and staff will be subjected to security scrutiny through code reviews before being installed on any system.

6.31 Virus Protection

    An Information Security Virus Protection Policy has been implemented to prevent the introduction and transmission of computer viruses and malware both within and from outside of PMG's networks. This extends to managing and containing viruses and malware should preventative measures fail.

6.32 Security Patches, Fixes and Workarounds

    The IT Help Desk is responsible for the day-to-day management of systems to ensure that security patches, fixes and workarounds are applied in accordance with the Security Patching Policy.

6.33 Data Storage

    Data on systems is managed in accordance with the Storage, Backup and Encryption Policy and subject to client and legislative requirements.

6.34 System, Application and Data Backup

    All critical systems, applications and key data are backed up in accordance with the Storage, Backup and Encryption Policy.

6.35 Archiving

    All archive material is held, managed and stored in accordance with the contractual and regulatory requirements of PMG.

6.36 Network Management

    Controls have been implemented to achieve, maintain and control access to computer networks, including wireless LANs, in accordance with the Access Control and Account Management Policy.

6.37 Handling and Storage

    Media containing key data will be marked and handled in accordance with the Information Classification & Protection Policy and managed in accordance with the Storage, Backup & Encryption Policy.

6.38 Disposal

    Removable media containing data will be reused or disposed of through controlled and secure means when no longer required, in accordance with the Information Classification & Protection Policy.

    Procedures have been implemented in accordance with the Information Classification & Protection Policy for the secure disposal of storage media containing data when these are no longer required.

    Where custody of equipment containing data is to be relinquished, procedures have been implemented in accordance with the Information Classification & Protection Policy to securely delete such data first.

    Redundant computer equipment will be disposed of in accordance with the Waste Electrical and Electronic (WEEE) Regulations and through secure and auditable means.

6.39 Software Usage and Control

    Software will be used, managed and controlled in accordance with business requirements and the Use of Company Systems Policy.

    All software upgrades and in-house systems development for systems will be appropriately controlled and tested through a managed process before live implementation, as defined in the Information Classification & Protection Policy.

6.40 Internet Usage

    Activities involving Internet usage, for example e-mail transmission and web site access, are governed by the Use of Company Systems Policy.

6.41 Cloud Technology

    Boundaries for businesses now extend beyond the sites owned and operated by a business. Increasingly, PMG is making use of cloud technologies to provide competitive advantages in the marketplace. Cloud technologies invariably mean that PMG's data will be hosted in data centres not owned and controlled by PMG. Appropriate levels of security and control are applied to ensure that PMG's data is secure and cannot be compromised.

    The usage of cloud technology will be controlled by the Cloud Technology Requisition Policy, Cloud Technology User Policy and an approved list of cloud technologies. The IT Director must assess and approve any cloud technology before becoming operational within PMG.

6.42 User Responsibilities

    Users who access PMG's computer systems and/or networks must do so in accordance with the Use of Computer Systems Policy.

6.43 User Access Management and Administration

    Users are only authorised to access PMG's facilities in accordance with the specific privileges they have been granted under the Access Control & User Account Management Policy.

6.44 Remote Access

    Controls have been implemented to manage and control remote access to PMG's facilities and data in accordance with the Mobile & Remote Working Policy.

6.45 Privilege Management

    The allocation and use of system privileges on each computer platform is restricted and controlled in accordance with the Access Control & User Account Management Policy.

6.46 Password Management

    The allocation and management of passwords and passphrases is controlled in accordance with the Secret Password Usage and Control Policy.

6.47 Passwords

    Users are required to follow good security practices in the selection, use and management of their secret authentications and to keep them confidential in accordance with the Secret Password Usage and Control Policy.

6.48 Unattended User Equipment

    Users of IT/IS facilities are responsible for safeguarding data by ensuring that computing devices are locked or not left logged on when unattended, and that portable equipment in their custody is not exposed to opportunistic theft. Laptops and other portable devices should be placed in lockable containers when they are not being used for extended periods of time, for example overnight.

    Where available, password protected screen locks and automatic logout mechanisms are used on computing devices to prevent individual accounts being used by persons other than the account holders, but not on cluster computers that are shared by multiple users.

6.49 Network Access Control

    The use of networked services, connectivity to PMG's network and the use of information systems connected to PMG's network are controlled in accordance with the Access Control & User Account Management Policy.

6.50 Operating System and Application Access Control

    Access to systems' operating systems and applications is controlled in accordance with the Access Control & User Account Management Policy.

    Access to system utilities software is restricted to authorised people only.

6.51 Monitoring System Access and Use

    Access to and use of systems is monitored in accordance with the Systems Usage Logging and Audit Policy.

6.52 Systems Development and Maintenance

    Controls will be implemented to ensure that security requirements are considered when developing changes to existing information systems and prior to introducing new ones.

6.53 Use of Cryptography

    System administration and account management secret authentications should be encrypted where possible.

    Dependent on the nature of the data being stored and on contractual and regulatory requirements, PMG will store data in an encrypted format wherever possible.

6.54 Security in Test and Development Processes

    Test and development systems will be appropriately isolated from live critical systems at all times.

6.55 Business Continuity Management

    Controls have been implemented to counteract disruptions to PMG's information processing facilities and to protect critical systems from the effects of major failures and disruption.

6.56 Data Storage

    Ideally, data is held on a network resource so that it is backed up through a routine managed process. Where this is not possible, provision is made for regular and frequent backups to be taken in accordance with the Information Classification & Protection Policy and the Storage, Backup and Encryption Policy.

6.57 Backup Media

    A controlled and fully auditable process for the handling, transportation, storage and retrieval of backup media containing data has been implemented.

6.58 Continuity Strategy

    A Business Continuity Plan has been developed, and will continue to be maintained, to ensure the availability of services in the event of unexpected disruption.

    Testing of this plan will be undertaken and documented, ensuring that the plan is kept aligned with a changing business and operational environment.

6.59 Compliance

    Controls have been implemented to avoid contravention of legislation, regulatory and contractual obligations and security policy.

6.60 Compliance with Legal Requirements

    Legislation that has a bearing on information processing and management will be identified, and controls will be implemented to ensure compliance. The Legal and Regulatory Compliance Policy sets this out.

    A legal register of applicable legislation is maintained and periodic reviews undertaken. PMG will engage with external expertise to help ensure compliance.

    Details of all legal requirements applicable to PMG are maintained as part of the legal register. External experts will be utilised by PMG to ensure that legal requirements are maintained with changing legislation and regulatory requirements.

6.61 Review of Security Policy

    The Policy is subject to review annually, and in the event of any major change in circumstances, to ensure that its controls remain effective.

    Any changes to the policy will be reviewed by the Security Working Group (SWG) and must be approved by the SWG before being accepted.

6.62 Compliance with Security Policy

    Compliance with the policy is mandatory. Failure to comply with policy requirements, outside the process for exemption authorisation, will be viewed as a breach of security. Any such event may be the subject of investigation and possible further action in accordance with PMG's procedures.

    PMG's Board will ensure that the Information Security policy is adhered to within their departments. All parts of PMG will be subject to review to ensure compliance with the policy.

6.63 Exemptions

    In certain circumstances, it may not be practical for some users or functional departments to rigorously adhere to specific areas of the policy. Where there are justifiable reasons why a particular policy requirement cannot be implemented, a specific policy exemption must be requested and approved by the SWG.

    Any exemption requirement will be fully documented and presented to the SWG for review. Any associated risks will be documented according to the Risk Assessment Methodology Policy, with a note that these risks have been accepted under an exemption.

    All exemptions must be signed off by the IT Director following review and this will be documented.

    No processes or procedures that require an exemption will be put into operation until an exemption has been granted.

7. Consequences for Breach of Policy

Any breach of this policy may cause reputational damage or significant inconvenience to the company, resulting in the use of valuable corporate resources to rectify any ensuing problems. Violations of this policy, or any other abuse of our IT systems, may be treated as gross misconduct and appropriate disciplinary action taken in line with PMG's Disciplinary Action Policy. Depending on the seriousness of the offence, this could take the form of immediate dismissal, particularly if it involves real or threatened damage to the company's reputation, damage to our IT systems and property, or a criminal offence.