Last updated 11/08/2020
The Management of ITI, located at Rotherside Road, Eckington, Sheffield, S21 4HL, which specialises in software application development, support, project management, training, infrastructure design, supply, installation and integration are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout their organisation in order to preserve its competitive edge, cash-flow, profitability, legal, regulatory and contractual compliance and commercial image. Information and information security requirements will continue to be aligned with the Organisations goals and the Information Security Management System (ISMS) is intended to be an enabling mechanism for information sharing, for electronic operations, and for reducing information-related risks to acceptable levels.
ITI's current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS. The Risk Assessment, Statement of Applicability and Business Risk Management procedure identify how information-related risks are controlled. The designated Security Officer for ITI locations is responsible for the administration and mitigation of information-related risk. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.
In particular, business continuity and contingency plans, data backup procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy. Control objectives for each of these areas are contained in and are supported by specific documented policies and procedures.
ITI aims to achieve specific, defined information security objectives, which are developed in accordance with the business objectives, the context of the organisation, the results of risk assessments and the risk plan.
All Employees/Staff of ITI and certain external parties identified in the ISMS are expected to comply with this policy and with the ISMS that implements this policy. All Employees/Staff, and certain external parties, will receive appropriate training. The consequences of breaching the information security policy are set out in the disciplinary policy and in contracts and agreements with third parties.
The ISMS is subject to continual, systematic review and improvement.
ITI has established top level management steering group/Information Security Committee, chaired by the Directors and senior management to support the ISMS framework and to periodically review the security policy.
ITI is committed to securing and improving its existing practices for certification of its ISMS to ISO27001:2013; where necessary. This policy will be reviewed to respond to any changes in the risk assessment or risk plan at least annually.
In this policy, ‘information security’ is defined as:
This means that management, all full time or part time employees/staff, sub-contractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches and to act in accordance with the requirements of the ISMS. All employees/staff will receive information security awareness training and more specialised employees/staff will receive appropriately specialised information security training.
This means that information and associated assets should be accessible to authorised users when required. The computer network must be resilient and ITI must be able to detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There must be appropriate business continuity plans.
This involves ensuring that information is only accessible to those authorised to access it and therefore preventing both deliberate and accidental unauthorised access to ITI information and its systems.
This involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing deliberate or accidental, partial or complete, destruction or unauthorised modification, of either physical assets or electronic data. There must be appropriate contingency and data backup plans and security incident reporting. ITI must comply with all relevant data-related legislation in those jurisdictions within which it operates.
The physical assets of ITI including, but not limited to, computer hardware, data cabling, telephone systems, filing systems and physical data files.
The information assets include information printed or written on paper, transmitted by post or shown in films, or spoken in conversation, as well as information stored electronically on servers, website(s), extranet(s), intranet(s), PCs, laptops, mobile phones and PDAs, as well as on any digital or magnetic media, and information transmitted electronically by any means. In this context, ‘data’ also includes the sets of instructions that tell the system(s) how to manipulate information (i.e.: the software: operating systems, applications, utilities, etc).
ITI and such partners that are part of our integrated network and have signed up to our security policy and have accepted our ISMS.
The ISMS is the Information Security Management System, of which this policy and other supporting and related documentation is a part, and which has been designed in accordance with the specification contained in ISO 27001:2013.
A Security Breach is any incident or activity that causes, or may cause, a break down in the availability, confidentiality or integrity of the physical or electronic information assets of ITI.
Document Owner and Approval
The Quality & Safety Manager is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with the requirements of the ISMS.
A current version of this document is available to all members of staff on the corporate intranet. It does not contain confidential information and can be released to relevant external parties.
This Information Security Policy is issued on a version controlled basis under the signature of the Chief Executive Officer (CEO).