Skip to main content
DraftIndicative placeholder for the section owner — amend, replace, or confirm as the first definitive version.

Doc owner: TBD

Information Security Policy

Seeded from legacy Allied Information Security Policy. Content carried over for review. Some sections are out of date and need rewriting against ISO 27001:2022 and current Allied operations. The umbrella policy referenced here is Annex A.5.1 of ISO 27001.

Purpose

The purpose of this policy is to state the minimum security risk mitigation standards to which Allied and its people must adhere and to offer guidance to which they should adhere. These measures will keep Allied compliant with security accreditation standards (Cyber Essentials Plus etc). Correctly implemented, Allied security policy should protect Allied assets (particularly information). In turn, this will protect Allied's most valued commodity, its reputation and trustworthiness.

Scope

Applies to all Allied staff, contractors, third parties, systems, and information assets.

Key principles

  1. A leadership priority. Setting the conditions for effective security is a fundamental responsibility of the C-Suite. Good security practice flows from an engaged leadership team that constantly defines (and re-defines) what is important as well as what is urgent.
  2. Practical and common sense. Always consider the user. At worst security measures must not impede Allied business. At best, they should enable it. If procedures are cumbersome and/or deliver limited benefit, they should be reviewed.
  3. Appropriately accountable culture. Mistakes will happen, and human error is seldom the fault of a single person. Mitigating the consequences of security failures requires rapid, transparent and fulsome engagement by all parties to resolve them and to learn from them. People should feel incentivised to highlight, resolve and learn from security failures, rather than hiding them. Where mistakes and non-compliance are not malicious or blatantly negligent, Allied commits not to pursue individual employees with disciplinary or punitive administrative action for accidental breaches of security policy.
  4. Constructive challenge. Security should be a conscious part of project design and delivery, and must not become an unnecessary or unduly burdensome tick box exercise. Allied encourages and welcomes constructive challenge on the basis of security concern.
  5. Customer aligned. Allied's work requires that it maintains the trust and confidence of both its customers and partners. As such, where Allied's internal standards fall short of their partners' for a given issue, the higher standard should be adopted.
  6. Legal compliance. Security mechanisms must assure legal compliance (DPA 2018, GDPR etc). We must keep the data of our users, customers and employees safe and secure. See POL-ENT-006 Data Protection Policy for the GDPR principles and data subject rights.
  7. Assure CIAN.
    • Confidentiality. Information assets are only accessed by/accessible to people who should have access to it. Access to information must be based on a clear need to know. All new projects and repositories must be established as standalone shared drives with appropriate access permissions.
    • Integrity. Information assets remain in a fit state however they are processed. Backups must remain intact. Data must not undergo unexpected automated transformations. Confidence that no-one is inappropriately/dishonestly altering data is maintained.
    • Availability. Information assets should be available in a timely fashion for the people who legitimately have need of it.
    • Non-repudiation. The processing of information assets (alterations, sharing, deletion etc.) can be tied to specific individuals who will not reasonably be able to deny they were responsible for it.

Roles and responsibilities

CEO

  • Endorsing and mandating Allied security policy.
  • Ensuring challenge on security is effectively delivered throughout business operations.

Security Officer

  • Drafting and maintaining Allied security policy. Review at least annually.
  • Access and permissions management across Allied hardware, software and cloud resources. Review upon every change of staff/terms and conditions of employment, or annually, whichever is sooner.
  • Verifying that installed software packages used on Allied devices remain supported. Review quarterly.
  • Maintaining information and hardware asset registers. Review quarterly.
  • Monitoring wider industry best practice and implementing it into Allied policy.
  • Conducting security investigations on behalf of the C-Suite.
  • Deliver information security risk assessments, at least annually.
  • Actively monitor OS/firmware updates for security alerts.
  • Communicate details on required software updates and security patches via the #software-updates Slack channel.
  • Deliver information security training annually.
  • Audit. Annually deliver an audit to determine:
    • What our designated standards actually say, and whether we meet them.
    • Whether the processes we describe in this document are actually being carried out and whether they are achieving the desired effect.
    • Whether our records reflect the above.

Users

  • Maintain familiarity with and act in accordance with Allied information security policy. All Allied employees must attest that they have read Allied security policy at least once in any 12 month period.
  • Think security, challenge throughout. All employees should make a conscious effort to consider and mitigate security risk in all Allied business.
  • Highlight incidents early. Suspected and known security incidents should be highlighted to the Allied security officer as soon as practicably possible to enable speedy remediation.
  • Respond to guidance and direction from the Allied security officer. Posted via #security-business-continuity and #software-updates Slack channels.
  • Monitor apps and services for security alerts where the business-lead and disseminate this information as soon as is reasonably practical and always within 14 days.

Policy review

This policy will be reviewed and re-endorsed at least annually, following completion of an information security risk assessment. The Allied security officer will prompt all employees to review the policy within two weeks of its endorsement by the CEO.

Training

  • For new arrivals. New arrivals who cannot demonstrate awareness of cyber and wider security issues and principles will be required to complete a basic awareness course upon joining (NCSC certified training).
  • For established employees. In addition to reviewing this policy at least annually, all employees will conduct at least an hour of information security training, led by the security officer. Typically this training will comprise:
    • A security policy quiz, designed to confirm understanding of the policy.
    • A period of guided learning on a particular theme/topic.
    • A Q&A / feedback session to enable ideas and concerns to be shared.