INFORMATION SECURITY POLICY
Document Control – Reference: ISMS DOC 5.2
The Board of Directors and Management of eTech Solutions Limited, located at Fore 2, 2 Huskisson Way, Solihull, B90 4SS, which produces Software operating in the Energy and Lending Sectors, aimed at mobile workforce management, the assessment journey and post production supporting services, are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout their organisation in order to preserve its competitive edge, cash-flow, profitability, legal, regulatory and contractual compliance and commercial image.
More specifically in scope
All eTech processes, locations and premises where information assets, hosting and back-up are accommodated.
This includes eTech offices on Huskisson Way, Solihull and UK Data Centres.
This means that eTech will be responsible for, and its Information Security Management System (ISMS) will include:
- The provision of software designed for handheld devices and desktop applications to ensure data captured and transferred has appropriate technical and organisational safeguards in place.
- The storage and processing of data within eTech Data Centres.
- The secure transfer of data to external parties; and the destruction and archive of data.
eTech Solutions Limited has a defined procedure for the management review of the information security policies, and this includes continual improvement, and assessing policy changes that might be necessary in response to significant changes in the organisational environment, business circumstances, legal conditions, technical environment or requirements of interested parties such as Government, Local authority bodies, suppliers, customers and employees.
Information and information security requirements will continue to be aligned with eTech Solutions Limited’s goals and the ISMS is intended to be an enabling mechanism for information sharing, for electronic operations (not including e-commerce) and for reducing information-related risks to acceptable levels.
eTech Solutions Limited’s current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS. The Risk Assessment, Statement of Applicability and Risk Treatment Plan identify how information-related risks are controlled. A Compliance Manager is responsible for the management and maintenance of the risk treatment plan. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.
In particular, business continuity and contingency plans, data backup procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy. Control objectives for each of these areas are contained in the Information Security Manual and are supported by specific documented policies and procedures.
All staff of eTech Solutions Limited and certain interested parties identified in the ISMS are expected to comply with this policy and with the ISMS that implements this policy. All staff, and certain external parties, will receive appropriate training. The consequences of breaching the information security policy are set out in the Organization’s disciplinary policy and in contracts and agreements with third parties.
The ISMS is subject to continuous, systematic review and improvement.
eTech Solutions Limited has established an Information Security Committee, chaired by the Compliance Manager and including members of the Senior Leadership Team, to support the ISMS framework and to periodically review the security policy.
eTech Solutions Limited is committed to ISO27001 and having its ISMS certified to the 2013 Standard.
This policy will be reviewed to respond to any changes in the risk assessment or risk treatment plan and at least annually.
In this policy, ‘information security’ is defined as:
This means that management, all full time or part time staff, sub-contractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches (in line with the policy and procedures identified in Section 16 of the Manual) and to act in accordance with the requirements of the ISMS. All staff will receive information security awareness training and more specialised staff will receive appropriately specialised information security training.
This means that information and associated assets should be accessible to authorised users when required and therefore physically secure. The computer network must be resilient and eTech Solutions Limited must be able to detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There must be appropriate business continuity plans.
Ensuring that information is only accessible to those authorised to access it and therefore preventing both deliberate and accidental unauthorised access to eTech Solutions Limited’s information and proprietary knowledge and its systems including its network(s) and website.
This involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing deliberate or accidental, partial or complete, destruction or unauthorised modification of either physical assets or electronic data. There must be appropriate contingency, including for network(s) and website, and data backup plans and security incident reporting. eTech Solutions Limited must comply with all relevant data-related legislation in those jurisdictions within which it operates.
“of the physical (assets)”
The physical assets of eTech Solutions Limited including, but not limited to, computer hardware, data cabling, telephone systems, filing systems and physical data files.
“and information assets”
The information assets include information printed or written on paper, transmitted by post or shown in films, or spoken in conversation, as well as information stored electronically on servers, website(s), extranet(s), intranet(s), PCs, laptops, mobile phones and PDAs, as well as on CD ROMs, floppy disks, USB sticks, backup tapes and any other digital or magnetic media, and information transmitted electronically by any means. In this context, ‘data’ also includes the sets of instructions that tell the system(s) how to manipulate information (i.e. the software: operating systems, applications and utilities).
“of eTech Solutions Limited.”
eTech Solutions Limited and such partners that are part of our integrated network and have signed up to our security policy and have accepted our ISMS.
The ISMS is the Information Security Management System, of which this policy, the Information Security Manual (‘the Manual’) and other supporting and related documentation is a part, and which has been designed in accordance with the specification contained in ISO27001:2013.
A SECURITY BREACH is any incident or activity that causes, or may cause, a breakdown in the availability, confidentiality or integrity of the physical or electronic information assets of eTech Solutions Limited.
Document Owner and Approval
The Compliance Manager is the owner of this document and is responsible for ensuring that this policy document is reviewed in line with the requirements of Clause 5.1.2 in the Manual.
A current version of this document is available to all members of staff on the eTech Intranet. It has been classified as Public and can be released to relevant external parties.
This information security policy was approved by the Board of Directors and is issued on a version controlled and approval basis under the signature of a director. All history is maintained within the ISMS as described in MSS_DOC_7.5.3.