Information Security Policy
The confidentiality, integrity and availability of information, in all its forms, are critical to the on-going functioning and good governance of Intelligent Sugar GmbH. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for Intelligent Sugar GmbH to recover.
This Information Security Policy (“Policy”) outlines Intelligent Sugar GmbH’s approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of Intelligent Sugar GmbH’s information systems.
Intelligent Sugar GmbH is involved in the food and healthcare sectors. It is committed to a robust implementation of information security management. The principles defined in this Policy will be applied to all of the physical and electronic information assets for which Intelligent Sugar GmbH is responsible.
Objectives
The objectives of this Policy are to:
- Provide a framework for establishing suitable levels of information security for all Intelligent Sugar GmbH information systems (including but not limited to all Cloud environments commissioned or run by Intelligent Sugar GmbH, computers, storage, mobile devices, networking equipment, software and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
- Make certain that users are aware of and comply with all current and relevant UK and EU legislation.
- Provide the principles by which a safe and secure information systems working environment can be established for staff and any other authorised users, including third party providers.
- Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the personal data that they handle.
- Protect Intelligent Sugar GmbH from liability or damage through the misuse of its IT facilities.
- Maintain personal data and other confidential information provided by suppliers at a level of security commensurate with its classification, including upholding any legal and contractual requirements around information security.
- Respond to changes in the context of the organisation as appropriate, initiating a cycle of continuous improvement.
Scope
This Policy is applicable to, and will be communicated to, all staff of Intelligent Sugar GmbH and third parties (including third party providers) who interact with information held by Intelligent Sugar GmbH and the information systems used to store and process it.
This includes, but is not limited to:
- Cloud systems developed or commissioned by Intelligent Sugar GmbH.
- Any systems or data attached to Intelligent Sugar GmbH data or telephone networks systems managed by Intelligent Sugar GmbH.
- Mobile devices used to connect to Intelligent Sugar GmbH networks or hold Intelligent Sugar GmbH data over which Intelligent Sugar GmbH holds the intellectual property rights.
- Data over which Intelligent Sugar GmbH is the data controller or data processor.
- Electronic communications sent from Intelligent Sugar GmbH.
The following information security principles provide overarching governance for the security and management of information at Intelligent Sugar GmbH:
- Information should be classified according to an appropriate level of confidentiality, integrity and availability (see Information Classification below) and in accordance with relevant legislative, regulatory and contractual requirements.
- Staff with particular responsibilities for information (see Responsibilities below) must ensure the classification of that information; must handle that information in accordance with its classification level; and must abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
- All users covered by the scope of this Policy must handle information appropriately and in accordance with its classification level.
- Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
- On this basis, access to information will be on the basis of least privilege and need to know.
- Information will be protected against unauthorized access and processing in accordance with its classification level.
- Breaches of this Policy must be reported to Intelligent Sugar GmbH’s Managing Director.
- Information security provision and the policies that guide it will be regularly reviewed, including through the use of annual internal audits and penetration testing.
Cloud Providers
Under the GDPR, a breach of personal data can lead to a fine of up to 4% of global turnover. Where Intelligent Sugar GmbH user Cloud services, Intelligent Sugar GmbH retains responsibility as the data controller for any data it puts into the service, and can consequently be fined for any data breach, even if this is the fault of the Cloud service provider. Intelligent Sugar GmbH will also bear the responsibility for contacting Information Commissioner’s Office concerning the breach, as well as any affected individual. It will also be exposed to any lawsuits for damages as a result of the breach. It is extremely important, as a consequence, that Intelligent Sugar GmbH is able to judge the appropriateness of a Cloud service provider’s information security provision. This leads to the following stipulations:
- Cloud services used to process personal data will be expected to have ISO27001 certification, with adherence to the standard considered the best way of a supplier proving that it has met the GDPR principle of privacy by design, and that it has considered information security throughout its service model.
- Any request for exceptions will be considered by the Managing Director.
Information Classification
The following table provides a summary of the information classification levels that have been adopted by Intelligent Sugar GmbH and which underpin the 8 principles of information security defined in this Policy.
These classification levels explicitly incorporate the GDPR’s definitions of Personal Data and Special Categories of Personal Data, as laid out in Intelligent Sugar GmbH’s Privacy Policy, and in the table below.
Security Level | Definition | Examples | Freedom of Information Act 2000 status |
1. Confidential |
Normally accessible only to specified members of Intelligent Sugar GmbH staff. Should be held in an encrypted state outside Intelligent Sugar GmbH’s systems; may have encryption at rest requirements from providers. |
·GDPR-defined Special Categories of personal data (racial/ethnic origin, political opinion, religious beliefs, trade union membership, physical/mental health condition, sexual life, criminal record) including as used as part of primary or secondary research data; ·patient-level observations; ·passwords;
·large aggregates of personally identifying data (>1000 records) |
Subject to significant scrutiny in relation to appropriate exemptions/ public interest and legal considerations. |
2. Restricted | Normally accessible only to specified members of Intelligent Sugar GmbH staff. |
·GDPR-defined Personal Data (information that identifies living individuals including home / work address, age, telephone number, schools attended, photographs);
·reserved Board business; |
Subject to significant scrutiny in relation to appropriate exemptions/ public interest and legal considerations. |
3. Internal Use | Normally accessible only to members of Intelligent Sugar GmbH staff |
·Internal correspondence,
·information held under license. |
Subject to scrutiny in relation to appropriate exemptions/ public interest and legal considerations. |
4. Public | Accessible to all members of the public |
·Annual accounts,
·minutes of statutory and other formal committees, ·pay scales etc. ·Information available on Intelligent Sugar GmbH website. |
Freely available on the website. |
Responsibilities of Intelligent Sugar Staff and Authorised Users
In the below “you” refers to any Intelligent Sugar member of staff or authorized user (including third party providers):
a) Equipment Security and Passwords
You, as a member of staff of Intelligent Sugar GmbH or authorised user (including third party providers) are responsible for the security of the equipment allocated to or used by you, and must not allow it to be used by anyone other than in accordance with this Policy. You should use passwords on all IT equipment, particularly items that you take out of the office. You should keep your passwords confidential and change them regularly.
You must only log on to Intelligent Sugar GmbH systems using your own username and password. You must not use another person’s username and password or allow anyone within Intelligent Sugar GmbH to log on using your username and password.
If you are away from your desk for longer than a few minutes, you should log out or lock your computer. You must log out and shut down your computer at the end of each working day.
b) Systems and Data Security
You should not delete, destroy or modify existing systems, programs, information or data (except as authorised in the proper performance of your duties).
You must not download or install software from external sources without authorisation from senior management. Downloading unauthorised software may interfere with Intelligent Sugar GmbH systems and may introduce viruses or other malware.
Emails can be used in legal proceedings and that even deleted emails may remain on the system and be capable of being retrieved. You must not send abusive, obscene, discriminatory, racist, harassing, derogatory, defamatory, pornographic or otherwise inappropriate emails.
You should not:
- Send or forward private emails at work which you would not want a third party to read;
- Send or forward chain mail, junk mail, or gossip;
- Contribute to system congestion by sending trivial messages or unnecessarily copying or forwarding emails to others who do not have a real need to receive them; or
- Send messages from another person’s email address (unless authorised) or under an assumed name.
Do not use your own personal email account to send or receive email for the purposes of our business. Only use the email account we have provided for you.
Internet access is provided primarily for business purposes. Occasional personal use may be permitted.
Intelligent Sugar GmbH permits the incidental use of our systems to send personal email, browse the internet and make personal telephone calls subject to certain conditions. Personal use is a privilege and not a right. It must not be overused or abused. We may withdraw permission for it at any time or restrict access at our discretion.
Personal use must meet the following conditions:
- Personal emails should be labelled “personal” in the subject header;
- It must not affect your work or interfere with the business;
- It must not commit us to any marginal costs; and
- It must comply with our policies.
You should not access any web page or download any image or other file from the internet which could be regarded as illegal, offensive, in bad taste or immoral. Even web content that is legal in the UK may be in sufficient bad taste to fall within this prohibition. As a general rule, if any person (whether intended to view the page or not) might be offended by the contents of a page, or if the fact that our software has accessed the page or file might be a source of embarrassment if made public, then viewing it will be a breach of this Policy.
Creating, viewing, accessing, transmitting or downloading any of the following material will usually amount to gross misconduct (this list is not exhaustive):
- Pornographic material (that is, writing, pictures, films and video clips of a sexually explicit or arousing nature);
- Offensive, obscene, or criminal material or material which is liable to cause embarrassment to us or to our clients;
- A false and defamatory statement about any person or organisation;
- Material which is discriminatory, offensive, derogatory or may cause embarrassment to others (including material which breaches Intelligent Sugar GmbH’s Privacy Policy);
- Confidential information about us or any of our staff or clients (except as authorised in the proper performance of your duties);
- Unauthorised software;
- Any other statement which is likely to create any criminal or civil liability (for you or us); or
- Music or video files or other material in breach of copyright.
We may block or restrict access to some websites at our discretion.
d) Monitoring
Intelligent Sugar GmbH monitors all emails passing through our system for viruses. You should exercise particular caution when opening unsolicited emails from unknown sources. If an email looks suspicious do not reply to it, open any attachments or click any links in it.
Intelligent Sugar GmbH’s systems enable us to monitor telephone, email, voicemail, internet and other communications. For business reasons, and in order to carry out legal obligations in our role as an employer, your use of our systems including the telephone and computer systems (including any personal use) may be monitored by automated software.
Intelligent Sugar GmbH reserves the right to retrieve the contents of email messages or check internet usage (including pages visited and searches made) as reasonably necessary in the interests of the business, including for the following purposes (this list is not exhaustive):
- Intelligent Sugar GmbH reserves the right to retrieve the contents of email messages or check internet usage (including pages visited and searches made) as reasonably necessary in the interests of the business, including for the following purposes (this list is not exhaustive):
- To find lost messages or to retrieve messages lost due to computer failure;
- To assist in the investigation of alleged wrongdoing; or
- To comply with any legal obligation.
e) Technical and Security Measures
Some of the security procedures we use to protect your and customers’ privacy are:
- We require both a personal Username (log-in name) and a Password in order for users to access their personal data.
- We use firewalls to protect information held in our servers.
- We back-up our systems to protect the integrity of personal data.
Compliance, Policy Awareness and Disciplinary Procedures
Any security breach of Intelligent Sugar GmbH’s information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems. The loss or breach of confidentiality of personal data is an infringement of the GDPR, contravenes Intelligent Sugar GmbH’s Privacy Policy and may result in criminal or civil action against Intelligent Sugar GmbH.
The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against Intelligent Sugar GmbH. Therefore, it is crucial that all users of Intelligent Sugar GmbH’s information systems adhere to this Information Security Policy and its supporting policies.
All current staff and other authorized users (including providers) will be informed of the existence of this Policy and the availability of supporting policies, codes of practice and guidelines.
Any security breach will be handled in accordance with all relevant Intelligent Sugar GmbH policies.
Incident Handling
If a member of staff of Intelligent Sugar GmbH and authorized user (including providers) is aware of an information security incident then they must report it to Managing Director at: info@intelligentsugar.info.
Breaches of personal data will be reported to the Information Commissioner’s Office by the Managing Director.