Information Security Policy


This Information Security Policy is a key component of Bad Rhino Limited’s overall information security management framework.

Data and information systems are vital to the business. Incidents involving loss of confidentiality, integrity or availability of information can be costly. Serious incidents, which may include failure to comply with information legislation, can also damage the business's reputation.

1. Objective, Aim and Scope

  • 1.1. Objectives

    The objectives of the Bad Rhino Limited Information Security Policy are:

    • Confidentiality – Access to data shall be confined to those with appropriate authority, and data shall be protected from unauthorised access.
    • Integrity – Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
    • Risk Management – Appropriate measures shall be taken to manage risks to the availability of information and risks of its unauthorised disclosure.
    • Compliance – Compliance with laws, regulations and the terms of contracts shall be ensured.

    *Failure to comply with the Bad Rhino Limited Information Security Policy may lead to disciplinary action.

  • 1.2. Policy Aim

    The aim of this policy is to establish and maintain the security of individuals’ information, information systems, applications and networks owned or held by Bad Rhino Limited by:

    • Ensuring all members of staff are aware of, and fully comply with, the relevant legislation as described in this and other policies.
    • Explaining the principles of security and how they shall be implemented in the organisation.
    • Ensuring all members of staff fully understand their own responsibilities towards a consistent approach to security.
    • Creating and maintaining awareness of the need for information security as an integral part of the day-to-day business.
    • Protecting information assets.
  • 1.3. Scope

    • This policy applies to all information, information systems, networks, applications, locations and users of Bad Rhino Limited, or supplied under contract to it.

2. Responsibilities for Information Security

  • 2.1. Ultimate responsibility for information security rests with the Bad Rhino Board of Directors, who shall be responsible for managing and overseeing the implementation of the policy and related procedures.
  • 2.2. Line Managers are responsible for ensuring that their permanent and temporary staff and contractors are aware of:
    • The areas of the Information Security Policy that are applicable in their department
    • Their personal responsibilities for information security
    • Where to find, and how to access, advice on information security matters
  • 2.3. All staff shall comply with information security procedures, including the maintenance of data confidentiality and integrity.
  • 2.4. The Information Security Policy shall be maintained, reviewed annually and updated as required.
  • 2.5. Line Managers shall be responsible for the security of the physical environments in their departments where information is accessed, processed or stored.
  • 2.6. Each member of staff shall be responsible for the operational security of the information systems they use.
  • 2.7. Each system user shall comply with the security requirements currently in force, and shall also ensure that the confidentiality, integrity and availability of the information they use is maintained to the highest standard.
  • 2.8. Contracts with external contractors that allow access to the organisation’s information systems shall be in place before access is allowed. These contracts shall require the staff and sub-contractors of the external organisation to comply with all appropriate security policies.

3. Legislation

  • 3.1. Bad Rhino Limited is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation is devolved to employees and agents, who may be held personally accountable for any breaches of information security for which they are responsible.

4. Policy Framework

  • 4.1. Management of Security
    • Responsibility for Information Security shall reside with the Board of Directors.
    • Department Managers are responsible for implementing, monitoring, documenting and communicating security requirements within their teams.
  • 4.2. Information Security Awareness Training
    • Information security awareness training shall be included in the staff induction process.
    • Staff awareness will be reviewed, refreshed, and updated as necessary.
  • 4.3. Contracts of Employment
    • All contracts of employment shall contain a confidentiality clause.
    • Information security expectations of staff shall be included within the employee handbook, and on induction.
  • 4.4. Security Control of Assets
    • Each IT asset (i.e. hardware, software or application) shall have a named person who is responsible for the information security of that asset.
  • 4.5. Access Controls
    • Only authorised personnel who have a justified business need shall be given authorisation to access restricted areas containing information systems or stored data.
  • 4.6. Computer Access Control
    • Access to computer facilities shall be restricted to authorised users who have a business need to use the facilities.
  • 4.7. Application Access Control
    • Access to data, system utilities and program source libraries shall be controlled and restricted to those authorised users who have a legitimate business need e.g. systems or database administrators.
  • 4.8. Equipment Security
    • In order to minimise loss of, or damage to, all assets, equipment shall be physically protected from threats and environmental hazards.
  • 4.9. Computer and Network Procedures
    • Management of computers and networks shall be controlled through standard documented procedures that have been authorised by the board.
  • 4.10. Information Risk Assessment
    • Risk assessment and management requires the identification and quantification of information security risks in terms of the value of the asset, the severity of impact and the likelihood of occurrence.
      Once identified, information security risks shall be recorded on a central business risk register and action plans devised to manage those risks effectively. The risk register and all associated actions shall be reviewed regularly. Any implemented information security arrangements shall also be reviewed regularly. These reviews shall help identify areas of continuing good practice and possible weakness, as well as new risks that may have arisen since the last review was completed.
  • 4.11. Information Security Events and Weakness
    • All information security events and suspected weaknesses shall be reported. These shall be investigated to establish their cause and impact, with a view to preventing similar events in future.
  • 4.12. Protection from Malicious Software
    • Bad Rhino shall use management procedures and technical countermeasures to protect itself against the threat of malicious software. Users shall not install software on the organisation’s property without permission from the IT Manager or a Director.
  • 4.13. User Media
    • Removable media of all types that contain software or data from external sources, or that have been used on external equipment, require the approval of the IT Manager or a Director before they may be used on Bad Rhino systems. Such media must also be fully checked for malicious software before being used on the organisation’s equipment.
  • 4.14. Monitoring System Access and Use
    • An audit trail of system access and data use by all staff shall be maintained.
    • Bad Rhino regularly audits compliance with this and other policies. In addition, it reserves the right to monitor activity where it suspects that there has been a breach of policy. The Regulation of Investigatory Powers Act 2000, and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 made under it, permit monitoring and recording of employees’ electronic communications (including telephone communications) for the following reasons:
      • To establish the existence of facts
      • Detection and investigation of any unauthorised use of the system
      • Prevention and detection of crime
      • To ascertain or demonstrate standards which are achieved or ought to be achieved by persons using the system (quality control and training)
      • National Security Interests
      • Compliance with regulatory practices or procedures
      • Ensuring the effective systems operation.

      Any monitoring shall be undertaken in accordance with the above legislation and the Human Rights Act 1998.

  • 4.15. Accreditation of Information Systems
    • Bad Rhino will ensure that all new information systems, applications and networks include a security plan and are approved by the Board before they commence operation.
  • 4.16. System Change Control
    • Changes to information systems, applications or networks shall be reviewed and approved by the IT Manager and the Board.
  • 4.17. Intellectual Property Rights
    • Bad Rhino will ensure that all information products are properly licensed and approved. Users shall not install software on the organisation’s property without permission from the IT Manager or a Director.
  • 4.18. Business Continuity and Disaster Recovery Plans
    • The organisation shall ensure that business impact assessment, business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.
  • 4.19. Reporting
    • The IT Manager shall keep the Board informed of the information security status of the organisation by means of regular reports.