Information Security Policy

Template modified from advice given in http://webarchive.nationalarchives.gov.uk/+/http://www.berr.gov.uk/files/file9981.pdf.

Our committee member responsible for Information Security is Kathryn Prevenzer, and the Information Security Manager is David Brown.

Objective

The purpose and objective of this policy is to protect CIGA’s information assets (note 1) from all threats, whether internal or external, deliberate or accidental, in order to ensure business continuity, minimise damage and maximise the success of our association.

Policy

  • The Committee have approved the Information Security Policy.
  • It is the Policy of CIGA to ensure that:
    • Information will be protected from a loss of: confidentiality (note 2), integrity (note 3), and availability (note 4).
    • Regulatory and legislative requirements will be met (note 5).
    • Business continuity plans will be produced, maintained and tested (note 6).
    • Information security training will be available to all people with access to our systems.
    • All breaches of information security, actual or suspected, will be reported to, and investigated by, the Information Security Manager.
  • Guidance and procedures will be produced to support this policy. These will include incident handling, information backup, system access, virus controls, passwords and encryption.
  • The role and responsibility of the designated Information Security Manager (note 7) is to manage information security and to provide advice and guidance on implementation of the Information Security Policy.
  • All CIGA people with access to Information Systems are directly responsible for implementing the Information Security Policy.
  • It is the responsibility of each CIGA person with access to Information Systems to adhere to the Information Security Policy.

Notes to policies

1. Information takes many forms and includes data printed or written on paper, stored electronically, transmitted by post or by electronic means, stored on tape or video, or spoken in conversation.
2. Confidentiality: ensuring that information is accessible only to authorised individuals.
3. Integrity: safeguarding the accuracy and completeness of information and processing methods.
4. Availability: ensuring that authorised users have access to relevant information when required.
5. This includes the requirements of legislation such as the Companies Act, the Data Protection Act, the Computer Misuse Act and the Copyright, Designs and Patents Act.
6. This will ensure that information and vital services are available to users whenever they need them.
7. For our association this is a part-time role for the nominated person.

The Policy will be reviewed by the CIGA Committee at least once a year.

This policy was agreed by the CIGA Committee on 14th January 2014.

Guidance and Procedures

Control of Physical Security:

As CIGA has no sites, buildings, computer rooms or equipment, and the information assets of the association are principally held online in suppliers’ databases during normal working, physical security for records is normally not applicable. Copies of data required for business continuity will be kept in encrypted form elsewhere (usually on a different online service), and under lock and key if held on physical media owned by CIGA. Similarly, any membership records held by officers or members at home will be kept under lock and key.

Controls on Access to Information:

Selected members of the association will be provided with usernames giving password-controlled access to the information that is relevant to them. Information held by CIGA includes:
  • membership information (names, email address, postal addresses and telephone numbers, and other relevant information).
  • names, email addresses and telephone numbers of people who have booked on walks offered over the internet.
  • administration facilities including access to the WordPress and Eventbrite pages, Google Docs and Dropbox used for sharing administration data.

Committee members and the technical support team will have password-controlled access to the platform services, and are required to follow the principles of the Information Security Policy. Access to all our platform services (except for the records used by officers for finance and membership purposes, which are maintained on spreadsheets and other software on home computers) is monitored by the suppliers, who maintain audit trails of who accessed what. Access to the records kept by officers on spreadsheets and other software is password protected, and a register of the people who hold those passwords is maintained.

Members will be provided with a list of members (names, email addresses and telephone numbers), compiled with the agreement of those members, so that colleagues can contact other members at short notice if a guide on a walk needs to be replaced. This list is to be kept secure and must not be provided to anyone outside the membership.

Business Continuity Plan

Our information assets are stored with suppliers who are well protected against disasters. Most of our association activities are not time critical. Most transactions are of a short-term nature and are duplicated (for example, every transaction is echoed in emails to guides). The worst-case disaster would be the death or removal of the main operations person. As a backup, a regular dump of information from each of the key resources will be made, encrypted and made available to selected committee members and the technical support team, so that the association could continue. The key or passphrase needed to decrypt these copies must be held by those same people, since an encrypted backup that only the main operations person can open would be of no use in the worst case described above.

Training Staff:

There are no directly employed staff. All members of the committee have agreed to the Information Security Policy and to these Guidelines and Procedures. Individual members of the association are briefed (through association meetings, emails from our secretary and guidance on the membership pages of our web site) on the responsibility they have as guides to maintain the principles of the Data Protection Act.

Detecting and investigating breaches of security when they occur:

The committee member appointed as Information Security Manager is responsible for investigating any actual or suspected breach of security, for reporting the results of the investigation to the committee of the association, and for implementing any resulting changes to policy and security procedures.