Introduction
Elev8 Training holds the Cyber Essentials kitemark for cyber security. As part of our ongoing commitment to maintaining a safe and secure work and learning environment for all, we have adopted key security principles that help to mitigate cyber security threats.
Aims & Objectives
The cyber security policy provides key information on the procedures that ensure the risk from cyber threats is minimised. It also links to the Safeguarding & Prevent policy and procedures, to help protect learners and staff from risks relating to cyber security.
Removable media policy
1. Where possible no sensitive information should be stored on a removable device.
2. Where this is not possible the removable media must be used with caution and approved by a senior manager prior to use.
3. All removable media must be scanned for viruses prior to use, and must be encrypted and password protected. It must be used in a secure manner and stored in a secure location when not in use, labelled with the user's name, date of use and purpose of use.
4. All removable media must be securely destroyed when no longer needed.
5. All removable media must be used in accordance with the company's acceptable use policy.
Information Incident Management Process
Objectives
The objectives of the incident management process are to ensure that standardised methods and procedures are used for the efficient and prompt response to, analysis, documentation, ongoing management and reporting of incidents.
Scope
Incident management includes any event which disrupts, or which could disrupt, service. This includes events reported directly by users (for example through Google Workspace), by any other stakeholder, or by another authority.
It also includes any incident relating to information that is or was held within the organisation's IT systems, including information outside the scope of GDPR.
Staff should use the cyber security reporting process to identify any incidents.
Timescales
Timescales must be agreed for all incidents by the leadership team according to their priority; this includes response and resolution targets. These should be stated within the incident action plan.
Major Incidents
A separate procedure, with shorter timescales and greater urgency, must be used for 'major' incidents. A definition of what constitutes a major incident must be agreed upon and ideally mapped onto the overall incident prioritisation scheme.
When necessary, management may engage a specialist to ensure that adequate resources and focus are provided to find a swift solution.
All affected stakeholders should be informed of the incident through management communication channels along with the response plan.
Incident Status Tracking
During its lifecycle an incident passes through different statuses; examples include:
New - an incident is submitted but is not assigned for resolution
Assigned - an incident is assigned for resolution
In process - the incident is in the process of being investigated for resolution
Resolved - a resolution has been put in place
Employer Responsibilities:
A whitelist of permitted software on devices used to access organisational data or cloud services is maintained and updated by the employer. This list will be circulated to all employees. It will also be checked by the responsible person(s) at least fortnightly, to ensure that any high-risk/critical updates for listed software are known about and can be installed by any individual using that software within 14 days of the update's release by its supplier.
An exhaustive list of any administrative level accounts used by individuals within the organisation will be produced and kept updated by the individual responsible for the creation and granting of such administrative accounts. This list will be checked at least annually.
Account creation - Accounts can only be created by the Business Development Manager and will be created in line with this policy.
Admin accounts and access rights can only be created by the Business Development Manager. Admin accounts require written authorisation from the Director prior to creation. Admin accounts and access rights are reviewed annually or when there is a significant event (e.g. a change of personnel or responsibilities).
Account deletion - Accounts will be removed by the Business Development Manager after the person has left and all required data has been recovered.
Employee Responsibilities:
Employees are required to consult the whitelist of permitted software provided by the employer and follow the requirements that it sets out. This involves removing any software that is not included in the list, and only installing/using software that is included in the list, on any and all devices that are used to access organisational data or cloud services.
Employees are required to remove any software that is not used on a day-to-day basis from devices that are used to access organisational data or cloud services; this includes software that is otherwise permitted by the software whitelist.
Employees are required to check that any and all operating systems (OSs) they use on devices that access organisational data have not passed their end-of-life date, and to only use devices and OSs that are still within this date.
Employees are required to cease the use of any device, hardware or software that is no longer supported by the supplier/developer via security updates or similar support.
Employees are required to ensure that any high-risk/critical updates to OSs in use on any device that accesses organisational data are installed within 14 days of their release by the supplier. This can be done either via auto-updates or manually.
Employees are required to disable auto-run options on all devices used to access organisational data or cloud services.
Employees are required to ensure that any device used to access organisational data or cloud services has some form of locking/unlocking mechanism for when it is not in use, such as a biometric (fingerprint/face scan), password or PIN.
Employees are required to use a minimum of 12 characters for all passwords on all accounts that are used to access organisational data or cloud services. Multi-factor authentication is also recommended for logins to cloud services wherever possible, and is required for logins to organisational cloud service accounts with administrative privileges. A PIN can be used in lieu of a longer password for unlocking the device itself if there is a separate login (with a full password meeting the above minimum length requirement) to access cloud services through a browser.
Employees are required to ensure that, wherever possible, brute force protection is enabled for any device or account logins that access organisational data or cloud services. This must be set to lock the device or account after no more than 10 unsuccessful login attempts.
Employees are required to use administrative accounts (whether device accounts or organisational cloud service accounts) only when necessary to perform administrative tasks, such as installing new software. Non-administrative accounts must be used on devices or cloud services when not performing tasks that require an administrative level of privilege.
If at any point a network device (such as a home router/boundary firewall) is provided by Elev8 to an employee, the employee must ensure that the password for the device meets the required minimum of 12 characters and is changed from the default password supplied with the device. An employee who has been provided with a boundary firewall must also ensure that the device is configured to block other services from being advertised to the internet.
If you think that you have given away your password, or that somebody who shouldn't have access to your account does, what should you do? Change your password immediately. Log out of your current sessions on all your devices. Contact your supervisor by email to report the incident and receive further instructions.
This policy has been reviewed and authorised by
Kieran England on 20/3/2022