THESAURUS SOFTWARE LTD.

Internal Information & IT Security Policy

Introduction

This policy has been created in line with increased awareness of the process of protecting information.

The Company’s information must be protected from risks that jeopardise its availability, integrity and confidentiality. To reduce the Company’s exposure to risk it is necessary for all staff to be aware of their roles and responsibilities in using the Company’s information and information technology resources.

The term information should be broadly understood to mean both electronic and paper-based information that is used or created in the course of serving our clients or managing our business. It also refers to the IT systems used to create, process, transmit and store the information itself.

This policy should also be read in conjunction with the Data Protection Policy, Email, Internet and Telecommunications Policy and Social Media Policy.

Failure to comply with this policy will likely lead to disciplinary action up to and including dismissal.

Access

Access to sensitive data and the Company’s network is granted on a “need to know” basis.

  • Remote Access: employees may remotely access Company logins using Company hardware only. Software programs used in the day-to-day running of our business should not be accessed through unknown hardware.
  • Physical Access to our premises is monitored in the following ways:
    • Services personnel and outside contractors (i.e. cleaners) are not permitted to enter the premises out of office hours unless they have prior approval. 
    • CCTV recording is in place.

Data Destruction

Each employee who has access to sensitive data is responsible for:

  • The secure deletion of electronic documents containing sensitive data
  • Shredding and disposal of paper documents that contain sensitive data. Confidential information including customer data should not be left available on desks.

Customer files

Employees are required to comply with Company reminders to delete any customer backups on their PC as well as their download folders. It is strictly prohibited for customer backups and information to be held indefinitely on an employee’s PC.

The IT department has a secure process in place for the destruction of electronic technology.

Passwords

On joining the Company, employees will be provided with PC and email passwords. Employees are required to change their password as soon as possible and once a year thereafter.

Longer passwords are recommended: the longer the password, the better. When creating a password, a recommended website is: https://passwordsgenerator.net.

Employee Responsibilities

Employees must adhere to the following:

  • to access only data that they have authority to access and only for authorised purposes;
  • not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation;
  • to keep data secure by complying with rules on access to premises and computer access, including password protection, and on secure file storage and destruction;
  • not to leave printed documents containing confidential and personal data unattended on their desk or in public spaces such as a meeting room or wastebasket;
  • to exercise caution when sending confidential information to intended parties;
  • not to remove confidential or personal data, or devices containing, or that can be used to access, confidential or personal data, from the Company’s premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device;
  • to shred and dispose of personal data securely when finished processing;
  • to ask a line manager for help if unsure about data protection, or if they would like to suggest improvements to how personal data is processed within the Company; and
  • to report all suspected breaches to a line manager immediately so that proper investigations can be undertaken and necessary follow-up steps put in place.