Information Security Policy
1.1 St Philip's Books recognises that information and the associated processes, systems and networks are valuable assets and that the management of personal data has important implications for individuals. Through its security policies, procedures and structures, St Philip's Books will facilitate the secure and uninterrupted flow of information, both within St Philip's Books and in external communications. The policies outlined below are intended to support information security measures throughout St Philip's Books.
This policy is based on recommendations contained in British Standard 7799 - A Code of Practice for Information Security Management.
2.1 For the purposes of this document, information security is defined as the preservation of: confidentiality: protecting information from unauthorised access and disclosure; integrity: safeguarding the accuracy and completeness of information and processing methods; and availability: ensuring that information and associated services are available to authorised users when required.
2.2 Information exists in many forms. It may be printed or written on paper, stored electronically, transmitted by post or using electronic means, shown on films, or spoken in conversation. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations.
3. Protection of Personal Data
St Philip's Books holds and processes information on behalf of customers who utilise St Philip's Books's hosting services which may come under the remit of the Data Protection Act. When handling such information, St Philip's Books, and all staff or others who process or use any personal information, must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act). Responsibilities under the 1998 Act are set out in the Data Protection Policy.
4. Information Security Responsibilities
4.1 St Philip's Books believes that information security is the responsibility of all members of staff. Every person handling information or using St Philip's Books's information systems is expected to observe the information security policies and procedures, both during and, where appropriate, after his or her time at St Philip's Books.
4.2 This Policy is the responsibility of the directors who will undertake supervision of the Policy. This policy may be supplemented by more detailed interpretation for specific sites, systems and services (see appendix for a list of the relevant policies and regulations). Implementation of information security policy is managed through the directors and other designated personnel with security responsibilities in specified areas of St Philip's Books.
5. Information Security Education and Training
St Philip's Books recognises the need for all staff to be aware of information security threats and concerns, and to be equipped to support the security policy in the course of their normal work. The directors shall implement a training programme for users and shall provide information and further training in information security matters to answer particular requirements.
6. Compliance with Legal and Contractual Requirements
6.1 St Philip's Books IT facilities must only be used for authorised purposes. St Philip's Books may from time to time monitor or investigate usage of IT facilities and any person found using IT facilities or systems for unauthorised purposes, or without authorised access, may be subject to disciplinary, and where appropriate, legal proceedings.
6.2 St Philip's Books shall only permit the inspection and monitoring of operational logs by computer operations personnel and system administrators. Disclosure of information from such logs, to officers of the law or to support disciplinary proceedings, shall only occur (i) when required by and consistent with law; (ii) when there is reason to believe that a violation of law has taken place; or (iii) when there are compelling circumstances.
6.3 In general, the privacy of users' files will be respected but St Philip's Books reserves the right to examine systems, directories, files and their contents, to ensure compliance with the law and with our policies and regulations, and to determine which records are essential for St Philip's Books to function administratively or to meet its commercial obligations. Except in emergency circumstances, authorisation for access must be obtained from a Director, and shall be limited to the least perusal of contents and the least action necessary to resolve the situation.
6.4 To ensure that all software and licensed products used within St Philip's Books comply with the Copyright, Designs and Patents Act 1988 and subsequent Acts (see appendix), St Philip's Books will carry out checks from time to time to ensure that only authorised products are being used, and will keep a record of the results of those audits. Unauthorised copying of software or use of unauthorised products by staff or students may be grounds for disciplinary, and where appropriate, legal proceedings.
6.5 St Philip's Books will maintain detection and prevention controls to protect against malicious software and unauthorised external access to networks and systems. All users of St Philip's Books computers, including laptops, shall comply with best practice in order to ensure that up-to-date virus protection is maintained on their machines.
7. Retention and Disposal of Information
7.1 All staff have a responsibility to consider security when disposing of information in the course of their work.
8.1 All staff and other users should immediately report, by email using our enquiry form, any observed or suspected security incidents where a breach of St Philip's Books's security policies has occurred, and any security weaknesses in, or threats to, systems or services.
8.2 Software malfunctions should be reported to a Director.
9. Business Continuity
St Philip's Books will implement, and regularly update, a business continuity management process to counteract interruptions to normal commercial activity and to protect critical processes from the effects of failures or damage to vital services or facilities.