This information security policy is a key component of Green Text’s overall information security management. It incorporates Green Text’s handling of personal data, protection of that data, security of our systems, and staff procedures.
Green Text is committed to safeguarding your personal information. Whenever you provide such information, we are legally obliged to use the information in line with all laws concerning the protection of personal information, including, but not limited to, the Data Protection Act 1998 and the subsequent 2018 General Data Protection Requirement.
2. Objectives, Aim and Scope
The objectives of Green Text’s Information Security Policy are to preserve:
- Confidentiality – Access to data shall be confined to those with appropriate authority.
- Integrity – Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
- Availability – Information shall be available and delivered to the right person, at the time when it is needed.
2.2. Policy Aim
The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications, and networks owned or held by Green Text by:
- Ensuring that all members of staff are aware of, and fully comply with, the relevant legislation as described in this policy.
- Describing the principals of security and explaining how they shall be implemented in the organisation.
- Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.
- Protecting information assets under the control of the organisation.
This policy applies to all information, information systems, networks, applications, locations, and employees of Green Text, or supplied under contract to it.
3. Responsibilities for Information Security
Ultimate responsibility for information security rests with the senior management of Green Text, and, as Green Text is a relatively small organisation, on a day-to-day basis the senior management shall be responsible for managing and implementing the policy and related procedures.
All staff shall comply with information security procedures including the maintenance of data confidentiality and data integrity.
Each member of staff shall be responsible for the operational security of the information systems they use.
Green Text is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of Green Text, who may be held personally accountable for any breaches of information security for which they may be held responsible.
Green Text shall comply with the following legislation and other legislation as appropriate:
- Data Protection Act (1998)
- Data Protection (Processing of Sensitive Personal Data) Order 2000
- Copyright, Designs and Patents Act (1988)
- Computer Misuse Act (1990)
- Health and Safety at Work Act (1974)
- Human Rights Act (1998)
- Regulation of Investigatory Powers Act 2000
- Freedom of Information Act 2000
- 2018 General Data Protection Requirement
5. Policy Framework
5.1. Access controls
Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems or stored data.
5.2. Equipment security
In order to minimise loss of, or damage to, all assets and equipment shall be physically protected from threats and environmental hazards.
5.3. Information security events and weaknesses
All information security events and suspected weaknesses are to be noted. All information security events shall be investigated to establish their cause and impacts with a view to avoiding similar events.
5.4. Protection from malicious software
The organisation shall use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff are required to cooperate fully with this policy.
5.5. Monitoring system access and use
An audit trail of system access and data use by staff shall be maintained.
5.6. Business continuity and disaster recovery plans
The organisation shall ensure that business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.
Green Text will only collect information necessary to provide the Green Text service. This includes name and contact information for clients and partners, as well as appropriate financial information from clients.
Green Text will not pass any personal information to any third party at any time without your prior permission.
Green Text may contact you for the following reasons:
- In relation to the functioning of any service you have signed-up for in order to ensure that Green Text can deliver the services to you
- Where you have opted to receive further correspondence
- In relation to any content you have uploaded to your account
- For marketing purposes where you have specifically agreed to this
We will keep your information confidential except where disclosure is required by law (for example to government bodies and law enforcement agencies).
We will hold your personal information on our systems for no longer than is necessary for the service you have signed-up for. After this period, we will continue to hold relevant data for as long as it is required for tax and recording purposes. After the cancellation of any account, we will not use the data for any business or marketing purpose other than for tax and recording purposes.
Our approach, responsibilities, and commitment to your privacy are set out in our Privacy and Data Processing Policy.
7. ISO Accreditation
As part of our commitment to provide robust InfoSec standards Green Text has been awarded the following ISO certification by the British Standards Institution (BSI).
ISO 9001 Quality Management
ISO 27001 Information Security management
Our Information Security Policy has the full support of the senior management.
To ensure that this policy is properly implemented, Green Text regularly reviews its information security progress.