SECURITY OBJECTIVES (ISO 27001)
As with any good Management System, Policies and Objectives are fundamental for ensuring that all business activities and associated functions are performed around these commitments. We here at Data Mail Solutions Ltd (incorporating data mail solutions) are proud of our business achievements and the standards we operate against, and will ensure that these Security Objectives are complied with and reviewed for effectiveness.
The following Security Objectives have been established and the Company’s commitment to these will be made available to all staff, contractors, clients and other interested parties:
• To identify and regularly assess security threats to business operations and manage associated risks.
• Define and implement specific controls and procedures to ensure confidentiality, availability and integrity of all forms of business and personal data.
• Develop and maintain effective Security Management processes to mitigate or minimise identified risks by the use of proactive and cost-effective measures and procedures.
• Protect all Company assets, including personnel, corporate reputation, business information and systems, physical property and key business processes, from harm.
• Record, analyse and investigate all reported security incidents and irregularities to develop improvements to prevent their recurrence.
• Consider security in all aspects of business operations and planning.
• Expect a positive commitment to security by all levels of Management and Staff and provide sufficient resources relative to assessed risks.
• Conduct security operations in compliance with Data Mail Solutions Ltd’s business principles, national legal requirements and international standards. Where practical we will improve on the performance standards specified.
• Produce and test response, contingency and business interruption plans to cover all foreseeable events to minimise the impact of any incident or emergency and train personnel in their effective and efficient implementation.
• Introduce and maintain active programmes to develop security awareness and responsibility among all employees and contractors.
• Ensure compliance with our ISMS policy (refer to 5.2 in the ISMS Policy Manual) through a process of education, training, review and audit.
INFORMATION SECURITY MANAGEMENT POLICY (ISO 27001)
Data Mail Solutions Ltd is fully committed to ensuring that all Information Security business operations and processes are performed against customer contractual requirements, appropriate industry guidelines and applicable legislation. This Information Security Management System (ISMS) Policy has been developed against the specified requirements of BS ISO/IEC 27001 and (where applicable) Cheque & Credit Clearing Company (C&CCC) Standard 55. It applies to all current, improved and new processes that relate to data security (electronic or hard copy format). The Company’s published ISMS Objectives define these commitments.
The Company is also committed to educating all staff with regard to this policy and their associated responsibilities to adhere to it. Responsibility will also be delegated to ensure that each area is assessed in terms of risk and, where appropriate, additional security measures are considered and in place.
The Company is fully committed to ensuring that, at all stages of the process, all Customer information, materials and property, whether physical or intellectual, are held in a secure and protected manner. All staff are made aware of the importance of associated controls to prevent theft, compromise or unauthorised use.
Risk assessments are carried out and appropriate security measures, including physical elements, have been put in place to ensure that access to Company property (including intellectual property which the Company holds) is restricted to employees and authorised third-party personnel only.
An ISMS Policy Manual, with relevant supportive documentation (i.e. work instructions and procedures), has been developed in order to define all associated activities that the Company will be responsible for. Documentation will include, but not be restricted to, inventories of databases, software, hardware, services and utilities.
Information stored, physical assets and processing systems to be protected will be recorded and continually monitored for changes. The Group Managing Director is delegated the responsibility for assets and their classification, as appropriate, in order to identify their risk in terms of loss, destruction, theft or exposure to unauthorised individuals, and takes reasonable measures to protect them.
The cost of security measures to protect assets should be appropriate to the value of the assets, the risk of security threats and the impact of security failure on the business or its customers.
Information systems are protected against a range of threats, from both inside and outside the premises, posed by unauthorised individuals who may or may not work for the Company gaining access to systems and causing loss, destruction or theft of information. Methods for determining permissions/accesses will be documented, regularly assessed and monitored, as appropriate.
Procedures for access controls will follow stringent security/complexity requirements.
Transactions identified as high risk are recorded to provide a full audit trail.
All changes made that affect the policies and operations of the ISMS will be communicated to all parties affected by the change and other parties who may need to be made aware of the changes.
The change management process will include risk assessment review and appropriate follow-up actions/activity. Reasonable measures to monitor external environmental changes will be made to assess the effects of changes on the Company’s security systems, processes and procedures. The impact of changes relating to the ISMS, both internal and in the external environment, must be itemised as a discussion topic at regular Management Review/Team Meetings.
Suppliers/Contractors used will be evaluated in line with the Company’s Management practices to ensure compliance with ISMS Codes of practice.
Security requirements will be explicitly stated and formally agreed when information processing work and the subsequent responsibility for it are outsourced to a third party. Data Mail Solutions Ltd is fully committed to the continual improvement of the ISMS.