Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted electronically or sent by post, shown on films, or spoken in conversation. Whatever form information takes, and whatever means are used to share or store it, it shall always be appropriately protected.
Information security is characterised here as the preservation of:
1. Confidentiality: ensuring that information is accessible only to those authorised to have access;
2. Integrity: safeguarding the accuracy and completeness of information and processing methods;
3. Availability: ensuring that authorised users have access to information and associated assets when required.
Dubit shall comply with all legal, regulatory and contractual requirements. Compliance with these requirements introduces further concepts:
1. Compliance (with laws and regulations): all necessary steps must be taken to remain aware of and address all legal, regulatory and contractual requirements pertaining to information assets.
2. Auditability: information must be retained on all information security significant events to preserve a record of activities to provide future accountability.
3. Accountability: individual accountability and responsibility for information security must be clearly and consistently defined and acknowledged.
Employees and third parties should be made aware of their roles and responsibilities to ensure the protection of information:
1. Awareness: all employees and third parties, including but not limited to information owners and information security practitioners, must be aware of the need for security at Dubit and what they can do to enhance security.
Information security is achieved by implementing a suitable set of controls or safeguards, which could be in the form of policies, practices, procedures, organisational structures and software. These controls need to be established to ensure that the specific security objectives of Dubit are met.
It is Dubit’s policy to develop, implement and maintain an Information Security Management System that is aligned to Dubit’s measurable objectives:
• Provides assurance within the company and to our customers and suppliers that the confidentiality, integrity, and availability of their information will be maintained appropriately.
• Manages information security risks to all company and customer assets by basing information security decisions and investments on risk assessment of relevant assets, considering confidentiality, integrity and availability.
• Applies appropriate control to maintain the security of information security assets.
• Considers business and legal or regulatory requirements and contractual security obligations.
• Protects the company’s ongoing ability to meet contracted commitments through appropriate business continuity planning.
• Maintains awareness of all employees so they can identify and fulfil contractual, legislative and company specific security management responsibilities.
• Deals effectively with security incidents to minimise the business impact.
• Ensures commitment to continual improvement.
Dubit has set the following measurable objectives for 2024 to be worked on by the company and reviewed for success at regular intervals, with outcomes fed back to the management team:
Ensure compliant and secure data retention practices:
Establish and adhere to structured retention policies, minimising data storage durations to necessary periods, and implementing robust controls to safeguard sensitive information throughout its lifecycle.
Improve Security Awareness:
Regularly train all employees on security best practices and integrate security competency into performance reviews.
Strengthen Access Controls:
Enhance authentication and access controls to protect sensitive information from unauthorised access.
Robust supplier onboarding process:
Ensure the process for selecting and onboarding new suppliers focuses on data security.
Improve supplier management:
Ensure the supplier management procedure is compliant with the standard and ensures the confidentiality, integrity and availability of Dubit data.
This policy is supported by the following:
• A company-wide Information Security Management System that is working towards being fully compliant and independently certified to the ISO/IEC 27001:2022 Standard for Information Security Management Systems.
• An Information Security Risk Assessment Process that assesses the business harm likely to result from a security failure and the realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities to business assets, and controls currently implemented.
• Setting and regular review of achievement of information security objectives.
• Defined access control policy and process to prevent unauthorised access to Dubit’s information in order to protect it from unauthorised disclosure, deletion or modification.
• Data classification and exchange guidance within the Electronic Devices and Internet Policy and Documents and Records Management Policy, including compliance with regulations under the Data Protection Act 2018 to protect client, partner, supplier, our own and personal employee information which is not in the public domain.
• Development and maintenance of an appropriate Business Continuity Plan to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.
• Information security awareness guidance for all company employees.
• An ISMS Committee, the purpose of which is to oversee Dubit’s ISMS development, implementation and continuous improvement. It aims to ensure the confidentiality, integrity and availability of information assets while also meeting regulatory and legal requirements. Roles in the committee include IT Security Manager, Risk Manager, Compliance Officer and Chairperson.
• Implementation of incident management and escalation procedures for reporting and investigation of security incidents for ISMS management review and action.
• A management team that supports the continuous review and improvement of the company ISMS.
• A development team that considers data security throughout the development lifecycle, supported by policies and processes such as the Cryptographic Controls Policy and the Secure Development Policy.
This Information Security Policy is communicated to all person(s) working for or on behalf of Dubit (as part of induction training) and is available to all employees in the HiComply system. It is reviewed as or when there are key changes (e.g. in customer, legislative, operational requirements etc.) and annually as a minimum by the management team, who recommend amendments and updates to the policy as part of the Review and continuous service improvement process.
Signed: Matthew Warneford, CEO
This is the first version of this Security Policy and was released on 05 September 2024.