Template modified from advice given in http://webarchive.nationalarchives.gov.uk/+/http://www.berr.gov.uk/files/file9981.pdf.
Our committee member responsible for Information Security is Kathryn Prevenzer, and the Information Security Manager is David Brown.
Objective
The purpose and objective of this policy is to protect CIGA’s information assets (note 1) from all threats, whether internal or external, deliberate or accidental, to ensure business continuity, minimise damage and maximise the success of our association.
Policy
- The Committee have approved the Information Security Policy.
- It is the Policy of CIGA to ensure that:
- Information will be protected from a loss of: confidentiality (note 2), integrity (note 3), and availability (note 4).
- Regulatory and legislative requirements will be met (note 5).
- Business continuity plans will be produced, maintained and tested (note 6).
- Information security training will be available to all people with access to our systems.
- All breaches of information security, actual or suspected, will be reported to, and investigated by, the Information Security Manager.
- Guidance and procedures will be produced to support this policy. These will include incident handling, information backup, system access, virus controls, passwords and encryption.
- The role and responsibility of the designated Information Security Manager (note 7) is to manage information security and to provide advice and guidance on implementation of the Information Security Policy.
- All CIGA people with access to Information Systems are directly responsible for implementing the Information Security Policy.
- It is the responsibility of each CIGA person with access to Information Systems to adhere to the Information Security Policy.
Notes to policies
The Policy will be reviewed by the CIGA Committee, at least once a year.
This policy was agreed by the CIGA Committee on 14th January 2014.
Guidance and Procedures
Control of Physical Security:
Controls on Access to Information:
- Membership information (names, email addresses, postal addresses, telephone numbers and other relevant information).
- Names, email addresses and telephone numbers of people who have booked on walks offered over the internet.
- Administration facilities, including access to the WordPress and Eventbrite pages, and to the Google Docs and Dropbox accounts used for sharing administration data.
Committee members and the technical support team will have password-controlled access to the platform services, and will be required to follow the principles of the Information Security Policy. Access to all our platform services (except for the records used by officers for finance and membership purposes, which are maintained on spreadsheets and other software on home computers) is monitored by the suppliers, who maintain audit trails of who accessed what. Access to the records kept by officers on spreadsheets and other software is password protected, and a register of the people who hold those passwords is maintained.
Our members will be provided, with the agreement of the members concerned, with a list of members (including their names, email addresses and telephone numbers) so that colleagues can contact other members at short notice if a guide on a walk needs to be replaced by a colleague. This information is to be kept secure and must not be provided to anyone outside the membership.