This policy applies to the confidentiality and availability of information in all formats, including manual records and electronic data. The following sections outline novi.digital Ltd’s approach to information security.
Purpose
- Provide a framework for establishing suitable levels of information security for all of novi.digital Ltd’s information systems and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
- To make certain that users are aware of and comply with all current and relevant UK and EU legislation.
- Provide the principles by which a safe and secure information systems working environment can be established for employees, clients and any other authorised users.
- Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
- To protect novi.digital Ltd from liability or damage through the misuse of its information.
- Maintain data and other confidential information provided by clients at a level of security appropriate, including upholding any legal and contractual requirements around information security.
- Respond to changes in the context of the organisation as appropriate, initiating a cycle of continuous improvement.
Key Principles
The following key principles provide overarching governance for the security and management of information at novi.digital Ltd.
- Information should be classified according to an appropriate level of confidentiality, integrity and in accordance with relevant legislative, regulatory and contractual requirements.
- Employees with particular responsibilities for information must ensure the classification of that information is handled in accordance with its classification level and must abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
- All employees and clients covered by this policy must handle information appropriately and in accordance with its classification level.
- Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
- On this basis, access to information will be on the basis of least privilege and need to know.
- Information will be protected against unauthorised access and processing in accordance with its classification level.
- Breaches of this policy must be reported to the appropriate body.
- Information security provision and the policies that guide it will be regularly reviewed, on a 6-monthly basis.
Roles & Responsibilities
Employees:
All employees of novi.digital Ltd will be users of novi.digital Ltd’s information. This carries with it the responsibility to abide by this policy and its principles and relevant legislation and procedures. No individual should be able to access information to which they do not have a legitimate access right and no individual should knowingly contravene this policy, nor allow others to do so.
Data Controllers:
Many members of novi.digital Ltd will have specific responsibilities for preserving the confidentiality, integrity and availability of information. These include:
- Managing Director
- Responsible for approving this information security policy.
- Operations Manager
- Responsible for ensuring that all employees of novi.digital Ltd adhere to this policy and ensure that the provision of novi.digital Ltd’s service is consistent with the demands of this policy.
- Process Manager
- Responsible for the security of information produced, provided or held in the course of carrying out novi.digital Ltd’s activities. This includes ensuring that data is appropriately stored, that the risks to data are appropriately understood and either mitigated or explicitly accepted, that the correct access rights have been put in place, with data only accessible to the right people, and ensuring there are appropriate backup, retention, disaster recovery and disposal mechanisms in place.
- Responsible for the advising on and recommending information security policies to the Managing Director, assessing information security risks, identifying and implementing controls to risks.
Legal & Regulatory Requirements
Novi.digital Ltd has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements.
Related policies will detail other applicable legislative requirements or provide further detail on the requirements arising from the legislation summarised below.
Security Measures
A number of security measures have been implemented at novi.digital Ltd in order to protect sensitive information. The following list outlines these measures:
- Making regular backups of files whether these files are digital or paper files.
- All digital files and backups are stored on Dropbox.
- Paper file backups are stored offsite or in a fireproof safe.
- Ensuring all devices are protected from viruses using anti-virus software.
- Ensuring access to passwords and sensitive data is restricted.
- KeePass is used in order to safely store all passwords.
- Two-step verification is used wherever possible.
- Ensuring important documents are stored safely in a locked filing cabinet.
- Based on a secure facility with an on-site security team and CCTV.
- Allowing only authorised employees into certain areas.
- Entry to these areas are controlled by means of magnetic swipe cards.
- Ensuring all devices are password protected and logged off/turned off when not in use.
- Keys to each room are locked in a secure cabinet.
Our ‘Working from Home Policy’ outlines further security measures that have been put in place to protect novi.digital Ltd’s data.
Incident Handling
If an employee at novi.digital Ltd is aware of a breach of any data then they must report it to the management team at [email protected] or via a pre-arranged face-to-face meeting.
Review & Development
This policy shall be reviewed and updated regularly to ensure that it remains appropriate in accordance with any relevant changes to the law, company policies or contractual requirements.
The Process Manager will determine the appropriate levels of security measures applied to all new information systems.
Most households have an unsolved Rubiks Cube but you can esily solve it learning a few algorithms.