Last updated: October 2019
- To design, implement and manage an effective Information Security Management System (ISMS), which ensures that Management Dynamics’ information assets are properly protected at all times.
- To ensure the confidentiality, integrity and availability of Management Dynamics’ information assets, and supporting assets (including information systems) as defined within the Inventory of Assets.
- To ensure that vulnerabilities, threats and risks to information assets and supporting assets are identified, understood and assessed.
- To ensure that the Management Dynamics’ IT infrastructure uses relevant and effective security controls.
- To ensure that Management Dynamics’ employees, contractors, third party users and suppliers comply with this Information Security Policy, and other ISMS documentation, through the provision of effective information security training and awareness programmes.
- To ensure that Management Dynamics is able to maintain full compliance with all applicable legislation, regulations and contractual requirements.
- To ensure that Management Dynamics communicates its information security position to interested parties, as appropriate.
Policy Scope
Management Dynamics’ Information Security Policy shall include the following:
All information assets either owned by Management Dynamics or entrusted to Management Dynamics by a client under an agreement which specifically details Management Dynamics’ responsibility for that data, and including:
- Information assets held, processed or stored on Management Dynamics premises
- Information assets held, processed or stored at approved off-site premises
Supporting assets
All supporting assets, which by direct or indirect association are an integral part of ensuring the confidentiality, integrity or availability of the information assets described above, and including:
- Premises (including offices, storage facilities and recovery sites)
- Hardware (including servers, network infrastructure, laptop computers, desktop computers, storage infrastructure and mobile devices)
- Software (including operating systems and commercially available software applications)
- Management Dynamics personnel (including permanent, temporary, full-time and part-time employees, associates, contractors, third party users of information systems and suppliers)
Documentation and Records
All policies, processes, work instructions and records related to the management, use or control of the information assets and their supporting assets detailed above.
3. Policy Statements
Management Dynamics shall be committed to the protection of the information assets and supporting assets as defined within the Scope of this Policy.
To effectively deliver its ISMS, Management Dynamics shall:
Inventory of Assets
Define and maintain an Inventory of Assets, including all information assets and supporting assets as defined within Section 2.0 of this Policy. The Inventory of Assets shall detail a named owner for each asset, who shall understand their responsibility for the asset.
Ensure that all assets are protected so as to ensure their confidentiality, integrity and availability. Access to assets shall be restricted to the minimum required to undertake authorised business activities, and Management Dynamics has adopted the principle that “access is generally forbidden unless it has been specifically authorised”.
Access to Information and Systems
Ensure that access is granted only to bona-fide personnel, contractors, third party users and suppliers (if applicable), and only from Management Dynamics issued and controlled devices. Access shall be regularly reviewed and connections that are no longer required shall be removed immediately.
Business Continuity Management
Ensure that all systems implemented follow the “cloud first” strategy of the business, deploying only systems that are deployed with failover and remote access capabilities. There is to be no reliance on a single Management Dynamics or supplier for system availability.
Information Security Training
Ensure that information security training is mandatory for all employees, contractors, third party users and suppliers (if applicable), and that it details their individual responsibility to adhere to the requirements of the ISMS policies, processes and work instructions defined within Section 2.0 of this Policy.
Management, Monitoring and Review
Continually monitor, review and improve the ISMS by undertaking regular reviews, internal audits and other activities, and taking prompt corrective actions and implementing improvement opportunities in response to the findings of these activities.
Ensure that, at all times, its ISMS shall support compliance with the following UK legislation and regulations, including:
Data Protection Act 1998
The Data Protection Act 1998 requires every organisation that processes personal information to register with the Information Commissioner’s Office (ICO) and adhere to the Eight Data Protection Principles. All Management Dynamics personnel have received training on the Act.
This requirement extends to understanding and delivering activities related to the rights of data subjects, including subject access requests, right to be forgotten etc.
Freedom of Information Act 2000
As applicable to Management Dynamics’ public sector customers, Management Dynamics understands and acknowledges its responsibility to comply with properly authorised and issued FOI requests.
Human Rights Act 1998
Management Dynamics is fully committed to recognising the human rights of the individual, as detailed within the International Bill of Human Rights Act. The Company acknowledges that these apply to all countries, all cultures and in all situations, and even in situations where prevailing legislation or implementation does not provide for adequate protection of the human rights of an individual.
Computer Misuse Act 1990
The Computer Misuse Act is designed to protect computer systems against wilful attacks, unauthorised access and the theft of information. All Management Dynamics personnel have received training on the Act and their responsibilities and obligations for compliance.
Copyright, Designs and Patents Act 1988
The Copyright, Designs and Patents Act 1988, is the current UK copyright law. It gives the creators of literary, dramatic, musical and artistic works the right to control the ways in which their material may be used. Management Dynamics understands its responsibilities under this Act for protecting the development of its own intellectual property, as well as observing the rights of others.
Companies Act 1985
The Companies Act of 1985 is an important part of UK company law that governs various aspects of the registration and management of companies. Since the act is a consolidation of several other pieces of legislation it also covers the responsibilities and duties of secretaries and directors. Management Dynamics understands and acknowledges its responsibility to comply with the Act.
Regulation of Investigatory Powers Act 2000
As applicable to Management Dynamics’ public sector customers, Management Dynamics understands and acknowledges its responsibility to comply with properly authorised and issued RIPA requests.
Electronic Communications Act 2000
The Electronic Communications Act is designed to make provision to facilitate the use of electronic communications and electronic data storage; to make provision about the modification of licences granted under section 7 of the Telecommunications Act 1984; and for connected purposes. Management Dynamics understands and acknowledges its responsibility to comply with the Act.
Health & Safety at Work Act 1974
Under the Health & Safety at Work Act 1974, and the Management of Health & Safety at Work Regulations 1999, Management Dynamics acknowledges its responsibility to ensure the health, safety and welfare of employees (permanent or contractors) during their work activities, and to identify and resolve (as far as is possible) any risks that have been identified as a result of those activities. Management Dynamics also acknowledges its responsibility for the health and safety of any other authorised persons on Management Dynamics’ premises, including clients, suppliers, partners and any other visitors.
4. ISMS Responsibilities
Employees, Contractors, Third Party Users and Suppliers
Within Management Dynamics, all employees, contractors, third party users and suppliers (if applicable) shall understand their role in ensuring the security of information assets as detailed in Section 3.0.
There are, however, additional responsibilities defined in order that the ISMS shall operate efficiently and in accordance with the requirements of the current ISO27001 standard.
These are detailed below.
The Directors shall be responsible for the following activities within the Management Dynamics ISMS:
- Agreeing the business need for this ISMS, and communicating their commitment to it
- Reviewing and signing off this Information Security Policy
- Assigning appropriate resources necessary to operate the ISMS effectively
- Overseeing any disciplinary action resulting from security breaches
Compliance Manager
The Compliance Manager shall have overall responsibility for the Management Dynamics ISMS, and shall be responsible for the daily operation of the ISMS, including:
- Ensuring an appropriate structure of ISMS policies, processes and work instructions
- Ensuring that appropriate records are created and maintained for all ISMS activities
- Arranging a programme of risk assessments, risk treatments and internal audits
- The preparation of the Statement of Applicability
- The provision of a user training and awareness programme for employees
Technical Management Team (Operations Managers/Director of Platform & Programmes)
The Technical Management Team, collectively, shall be responsible for:
- Overall management and functionality of Management Dynamics’ operational environments
- The provision of a user training and awareness programme for contractors, third party users and associates
- The management of security arrangements for suppliers under their control
- The design and review of technical security controls, including Management Dynamics networks
Designated Asset Owners shall be responsible for:
- Undertaking risk assessments of their asset(s), including the identification of controls and assessing their effectiveness
- Addressing any unacceptable risks
- Assisting in the investigation, resolution and closure of any information security incident which directly or indirectly affects the security of their asset(s)
- Contributing to the Acceptable Use Policy (BCD-POL-008), specifically for the use of their asset(s)
- If appropriate, the management of security arrangements for suppliers under their control
Following risk assessment activities, specific personnel may be assigned “Risk Owners”, and shall have responsibility for:
- Understanding all risks which have been assessed as being unacceptable to the Company
- Evaluating the effectiveness of risk treatment options which have been undertaken
- Signing off (normally by CEO) residual risks which have been accepted by the Company
Policy Communication and Compliance
All Management Dynamics personnel shall comply with the requirements of this Policy. The Management Dynamics information security training programme shall advise all Management Dynamics personnel of the key requirements of this Policy. Any breach of this Policy shall be treated as serious misconduct and shall be considered for disciplinary action to be taken against the individual(s) concerned.
This Policy shall be communicated (under NDA, if applicable) to those Management Dynamics partners, suppliers or clients who have a need to understand its contents so as to ensure their compliance with this Policy.
5. Document Control
This policy should be reviewed annually, as a minimum, or if amendments are required to address a change in Management Dynamics business activities which affect the management or operation of the Management Dynamics Information Security Management System.