Information Security Policy

lifetask.co.uk

PURPOSE
The Company recognises that information is a valuable business asset and is committed to protecting information from unauthorised access, disclosure, alteration, loss, misuse, or destruction.
This Policy establishes the framework for maintaining the confidentiality, integrity, and availability of information assets.
The objectives of this Policy are to:
• Protect client, candidate, employee, and learner information.
• Ensure compliance with legal and regulatory obligations.
• Reduce cyber security risks.
• Protect business continuity.
• Promote secure working practices.

LEGAL AND REGULATORY FRAMEWORK
This Policy supports compliance with:
• UK GDPR
• Data Protection Act 2018
• Privacy and Electronic Communications Regulations (PECR)
• Computer Misuse Act 1990
• Human Rights Act 1998
• Employment Agencies and Employment Businesses Regulations
• Relevant contractual obligations

SCOPE
This Policy applies to:
• Directors
• Employees
• Temporary workers
• Consultants
• Contractors
• Agency staff
• Third-party service providers
The Policy applies to:
• Electronic information
• Physical records
• Cloud systems
• Recruitment databases
• Training platforms
• Mobile devices
• Company networks

INFORMATION SECURITY PRINCIPLES
The Company shall protect information through:

Confidentiality
Information shall only be accessible to authorised individuals.

Integrity
Information shall remain accurate, complete, and protected from unauthorised modification.

Availability
Information shall remain accessible when required for business operations.

Accountability
Users are accountable for information accessed and processed.

INFORMATION CLASSIFICATION
Information shall be classified according to sensitivity.

Public
Information approved for public release.

Internal
Information intended for internal business use only.

Confidential
Information that could harm the Company or individuals if disclosed.

Examples:
• Client information
• Candidate records
• Payroll records
• Contracts

Restricted
Highly sensitive information requiring enhanced protection.

Examples:
• Special Category Data
• Financial records
• Security credentials
• Investigation records

USER RESPONSIBILITIES
All personnel shall:
• Protect information assets.
• Follow security procedures.
• Maintain confidentiality.
• Use systems responsibly.
• Report security incidents immediately.

Users must not:
• Share passwords.
• Circumvent security controls.
• Access information without authorisation.
• Install unauthorised software.
• Use Company systems for unlawful purposes.

ACCESS CONTROL
Access to systems and information shall be granted on a need-to-know basis.
Access rights shall:
• Be approved by management.
• Match job responsibilities.
• Be reviewed periodically.
• Be removed upon termination of employment or engagement.

PASSWORD SECURITY
Users shall:
• Create strong passwords.
• Keep passwords confidential.
• Avoid password reuse.
• Change passwords when compromised.

Passwords must never be:
• Shared with colleagues.
• Written in unsecured locations.
• Sent via unsecured communication channels.
Where available, multi-factor authentication shall be enabled.

EMAIL SECURITY
Users shall exercise caution when using email.
Requirements include:
• Verifying recipients before sending.
• Avoiding suspicious links and attachments.
• Protecting confidential information.
• Reporting phishing attempts immediately.
Company email accounts shall only be used for authorised business purposes.

INTERNET AND ACCEPTABLE USE
Company internet access is provided for legitimate business purposes.
Users shall not:
• Access unlawful content.
• Download unauthorised software.
• Circumvent security controls.
• Engage in activities that may damage Company systems.
Limited personal use may be permitted provided it does not interfere with business operations.

MOBILE DEVICES
Company and authorised personal devices used for business purposes shall:
• Be password protected.
• Use encryption where possible.
• Have up-to-date software.
• Be secured when unattended.
Lost or stolen devices must be reported immediately.

REMOTE WORKING
Personnel working remotely must:
• Use secure internet connections.
• Protect confidential information.
• Avoid discussing sensitive matters in public places.
• Lock screens when unattended.
• Follow Company cyber security requirements.

CLOUD SERVICES
Only approved cloud services may be used for Company business.
The Company shall ensure:
• Appropriate contractual safeguards.
• Secure authentication.
• Controlled access permissions.
• Regular security reviews.

PHYSICAL SECURITY
The Company shall implement:
• Secure office access controls.
• Visitor management procedures.
• Locked storage facilities.
• Secure disposal arrangements.
Personnel shall ensure confidential documents are not left unattended.

DATA BACKUP
Critical business information shall be backed up regularly.
Backups shall:
• Be tested periodically.
• Be securely stored.
• Support business continuity requirements.

THIRD-PARTY SECURITY
Suppliers and service providers with access to Company information shall be subject to:
• Due diligence assessments.
• Confidentiality obligations.
• Security requirements.
• Contractual controls.

INFORMATION SECURITY INCIDENTS
An information security incident may include:
• Data breaches.
• Hacking attempts.
• Malware infections.
• Loss of devices.
• Unauthorised disclosure.
• System failures.
All incidents must be reported immediately.
Management shall investigate and implement corrective actions.

BUSINESS CONTINUITY
The Company shall maintain procedures to ensure critical operations can continue during disruptions.
These may include:
• Backup systems.
• Alternative communication arrangements.
• Disaster recovery measures.

TRAINING AND AWARENESS
All personnel shall receive information security training covering:
• Password security.
• Phishing awareness.
• Data protection.
• Incident reporting.
• Safe remote working practices.
Training records shall be maintained.

MONITORING
The Company reserves the right to monitor:
• System usage.
• Email usage.
• Network activity.
• Security events.
Monitoring shall be conducted lawfully and proportionately.

NON-COMPLIANCE
Failure to comply with this Policy may result in:
• Disciplinary action.
• Termination of engagement.
• Legal action.
• Regulatory reporting.

RELATED DOCUMENTS
• Privacy Notice
• Data Protection Policy
• Cookies Policy
• Data Retention Policy
• Employee Handbook
• Business Continuity Plan
• Incident Management Procedure

POLICY REVIEW
This Policy shall be reviewed annually or sooner where required by:
• Legislative changes
• Regulatory guidance
• Security incidents
• Organisational changes