Information Security Policy

Last Updated: January 2023

Introduction

This Information Security Policy outlines the guidelines and procedures to be followed by all employees, contractors, and third-party vendors of HowTo.Marketing Ltd (referred to as “the Company”) to protect the confidentiality, integrity, and availability of information assets. It is essential that all individuals involved in the Company’s operations adhere to these policies to ensure the security of information resources. This policy is in compliance with the rules and regulations of the United Kingdom.

 

Data and Asset Management

2.1 Information Classification

2.1.1 All information assets shall be classified based on their sensitivity level into appropriate categories (e.g., confidential, internal, public), in accordance with the UK Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

2.1.2 Employees must ensure that classified information is handled in accordance with the assigned level of sensitivity and comply with the principles of data protection outlined in the UK Data Protection Act 2018 and GDPR.

2.2 Data Handling

2.2.1 Employees shall follow the data handling procedures specified in the Company’s Data Handling Policy, ensuring compliance with the UK Data Protection Act 2018 and GDPR.

2.2.2 Access to sensitive data should be granted on a need-to-know basis, and employees must protect the confidentiality and integrity of such data at all times.

2.3 Data Destruction

2.3.1 Data must be disposed of securely and in compliance with the UK Data Protection Act 2018 and GDPR.

2.3.2 Destruction methods should render the data irrecoverable and should be in line with established data destruction standards.

2.4 Data Retention

2.4.1 The Company shall maintain a data retention policy that defines the period for which data must be retained in accordance with the UK Data Protection Act 2018 and GDPR.

2.4.2 Employees must comply with the data retention policy and properly store data during the specified retention period, ensuring its availability and integrity.

 

Encryption

3.1 Encryption of Data in Transit

3.1.1 All data transmitted over public networks must be encrypted using approved encryption protocols, in compliance with the UK Electronic Communications Act 2000.

3.1.2 Use of secure communication channels (e.g., SSL/TLS) is mandatory for all sensitive information transmission to protect against interception and unauthorized access.

3.2 Encryption of Data at Rest

3.2.1 Sensitive information stored on company-owned devices or media must be encrypted using approved encryption methods, ensuring compliance with the UK Data Protection Act 2018 and GDPR.

 

Acceptable Use

4.1 Acceptable Use of Company Resources

4.1.1 Employees shall use Company resources, including networks, systems, and software, in compliance with the Company’s Acceptable Use Policy, which outlines the acceptable and prohibited activities.

4.1.2 Employees must not engage in any activities that violate UK laws and regulations or compromise the security of Company resources.

4.1.3 The use of company resources for personal gain or any unauthorized purposes is strictly prohibited.

4.2 Password Security

4.2.1 Employees must create strong passwords and keep them confidential.

4.2.2 Passwords must be changed regularly, and the reuse of passwords for multiple accounts is prohibited.

4.2.3 Multi-factor authentication should be implemented for accessing sensitive systems and applications.

 

Security Configuration Standards

5.1 Applications

5.1.1 Applications must be developed, configured, and maintained in accordance with secure coding practices and industry standards, such as the OWASP Top Ten Project.

5.1.2 Regular vulnerability assessments and penetration testing should be conducted on applications to identify and remediate potential security vulnerabilities.

5.2 Databases

5.2.1 Databases shall be configured securely, ensuring appropriate access controls, strong passwords, and regular patching.

5.2.2 Data stored in databases must be protected through appropriate access controls and encryption.

5.3 Networks

5.3.1 Network devices and infrastructure should be secured through the use of firewalls, intrusion detection and prevention systems, and regular security updates.

5.3.2 Wireless networks must be protected with strong encryption, such as Wi-Fi Protected Access 2 (WPA2) or higher.

5.4 Operating Systems

5.4.1 All operating systems used within the Company must be regularly updated with the latest security patches and updates.

5.4.2 Default configurations of operating systems must be hardened to minimize potential security vulnerabilities.

 

Identity and Access Management

6.1 User Accounts

6.1.1 User accounts must be created for authorized personnel only and should be promptly deactivated upon termination or change in employment status.

6.1.2 User access privileges must be granted based on the principle of least privilege (PoLP), ensuring that employees only have access to the resources required to perform their job functions.

6.2 User Authentication

6.2.1 Strong authentication mechanisms, such as passwords, biometrics, or smart cards, should be used to verify the identity of users.

6.2.2 Multi-factor authentication should be implemented for accessing sensitive systems and applications.

6.3 Privileged Access

6.3.1 Access to privileged accounts must be tightly controlled, and administrative privileges should only be granted on a need-to-know basis.

6.3.2 Privileged account activities must be logged and regularly monitored for unauthorized access or misuse.

 

Mobile Device Management

7.1 Mobile Device Policy

7.1.1 The Company shall establish a Mobile Device Policy that outlines the acceptable use of mobile devices, including smartphones, tablets, and laptops, ensuring compliance with the UK Data Protection Act 2018 and GDPR.

7.1.2 Mobile devices used for Company business must be protected with strong passwords, encrypted storage, and remote wipe capabilities.

7.2 Bring Your Own Device (BYOD)

7.2.1 The use of personal devices for Company business should be governed by a Bring Your Own Device Policy that establishes security requirements and safeguards to protect Company data.

7.2.2 Mobile device management tools should be utilized to enforce security configurations and remotely manage personal devices accessing Company resources.

 

Network Security

8.1 Firewall and Intrusion Detection/Prevention Systems

8.1.1 Firewalls and intrusion detection/prevention systems should be implemented to monitor and protect the Company’s network from unauthorized access and malicious activities.

8.1.2 Firewall rules should be regularly reviewed and updated to reflect changes in the network infrastructure and security requirements.

8.2 Wireless Network Security

8.2.1 Wireless networks must be secured with strong encryption, such as WPA2 or higher, and use strong, unique passwords.

8.2.2 Wireless access points should be regularly updated with the latest security patches and configurations.

 

Change Management

9.1 Change Control Process

9.1.1 The Company shall establish a change control process to ensure that changes to systems, applications, or configurations are implemented in a controlled and secure manner.

9.1.2 Changes must be reviewed, approved, and tested before deployment, with appropriate rollback procedures in place.

9.2 Change Documentation

9.2.1 All changes must be documented, including the reason for the change, the individuals responsible, and the date of implementation.

9.2.2 Documentation should be maintained to facilitate audits and support incident response and recovery efforts.

 

Vulnerability Management

10.1 Vulnerability Scanning and Patch Management

10.1.1 Regular vulnerability scanning should be conducted on systems, applications, and network infrastructure to identify and remediate potential vulnerabilities.

10.1.2 Patch management procedures must be established to promptly apply security patches and updates to mitigate known vulnerabilities.

10.2 Security Updates

10.2.1 All software, operating systems, and firmware should be regularly updated with the latest security patches and updates.

10.2.2 Procedures must be in place to test patches before deployment to ensure compatibility and minimize potential disruptions.

 

Endpoint Protection

12.1 Anti-Malware Protection

12.1.1 All endpoint devices (e.g., desktops, laptops, mobile devices) must have anti-malware software installed and regularly updated.

12.1.2 Scanning for malware and potentially unwanted programs should be performed on a regular basis.

12.2 Device Encryption

12.2.1 Endpoint devices that store or access sensitive information must have disk encryption enabled to protect data in case of loss or theft.

12.2.2 Encryption keys for endpoint devices must be managed securely.

 

Physical Security

15.1 Access Controls

15.1.1 Physical access to Company premises, server rooms, and other sensitive areas should be restricted to authorized personnel only.

15.1.2 Access controls, such as access cards, biometric systems, or security guards, should be implemented to protect physical assets.

15.2 Equipment Protection

15.2.1 IT equipment, including servers, workstations, and storage devices, should be physically secured to prevent theft, damage, or unauthorized access.

15.2.2 Portable devices, such as laptops and mobile devices, must be protected with cable locks or stored securely when not in use.

 

Incident Response

16.1 Incident Reporting

16.1.1 All employees, contractors, and third-party vendors have a duty to report any suspected or actual security incidents promptly to the designated incident response team.

16.1.2 Incident reporting procedures should be communicated to all employees and clearly define the reporting channels and contact information.

16.2 Incident Response Plan

16.2.1 The Company shall maintain an Incident Response Plan that outlines the steps to be taken in the event of a security incident, including containment, investigation, and recovery.

16.2.2 The plan should be regularly tested and updated to ensure its effectiveness and compliance with legal and regulatory requirements.

 

Business Continuity/Disaster Response

17.1 Business Impact Analysis

17.1.1 The Company shall conduct a business impact analysis to identify critical business functions, dependencies, and recovery time objectives.

17.1.2 The analysis will be used to develop a business continuity plan to mitigate risks and ensure the timely resumption of business operations in the event of a disruption.

17.2 Backup and Recovery

17.2.1 Regular backups of critical data and systems should be performed and tested to ensure the integrity and availability of data.

17.2.2 Backup media should be securely stored and protected against unauthorized access or damage.

 

Third-Party Management

18.1 Vendor Risk Assessment

18.1.1 The Company shall assess the security posture of third-party vendors before engaging their services, especially those with access to sensitive information.

18.1.2 Contracts with third-party vendors should include security clauses and require compliance with the Company’s security policies and applicable laws and regulations.

18.2 Ongoing Vendor Management

18.2.1 Regular reviews of third-party vendors’ security controls and practices should be conducted to ensure ongoing compliance with security requirements.

18.2.2 Vendors should be held accountable for promptly addressing any identified security vulnerabilities or incidents.

 

Policy Compliance

19.1 Compliance Monitoring

19.1.1 The Company shall periodically assess compliance with this Information Security Policy through audits, reviews, and security assessments.

19.1.2 Non-compliance with the policy may result in disciplinary action, including termination of employment or contractual relationships.

19.2 Policy Review

19.2.1 This Information Security Policy shall be reviewed and updated on an annual basis or when significant changes in laws, regulations, or business operations occur.

19.2.2 Employees shall be notified of any changes or updates to the policy and provided with appropriate training and guidance.

By accepting employment or engagement with HowTo.Marketing Ltd, all employees, contractors, and third-party vendors agree to abide by this Information Security Policy and its associated procedures. Violations of this policy may result in disciplinary action, legal consequences, or termination of employment or contractual relationships.