Information Security Policy
Purpose, Scope, and UsersThe purpose of this policy is to define the function, direction, principles, and basic rules for CEQUENS’s information security management.
The scope of this policy is outlining CEQUENS's methodology for information security management. It provides the guiding framework, principles, and responsibilities necessary to safeguard the security of the CEQUENS information systems. Supporting policies, codes of practice, procedures, and guidelines provide further details to the entire Information Security Management System, as defined in the ISMS Scope Document as per ISO/IEC 27001:2013, ISO/IEC 27017:2015, and ISO/IEC 27018:2019
The users of this policy are all employees of CEQUENS, as well as relevant external parties.
- ISO/IEC 27001 standard, clauses 5.2 and 5.3
- ISO/IEC 27018 standard
- ISO/IEC 27017 standard
- EU GDPR, article 26
- ISMS Scope Document
- Risk Assessment and Risk Treatment Methodology
- Statement of Applicability
- List of Legal, Regulatory, and Contractual Obligations
- Data Breach Response and Notification Procedure
Definitions and Acronyms
|ISMS||Information Security Management System|
|EU GDPR||European Union General Data Protection Regulation|
|CEO||Chief Executive Officer|
|MIS||Management Information System|
|DPO||Data Protection Officer|
|ISAB||Information Security Advisory Board|
|CISO||Chief Information Security Officer|
Involved StakeholdersWe reserve the right at any time to modify or discontinue the Service (or any part or content thereof) without notice at any time.
- MIS Department
o MIS Manager
o Cloud Security Lead
- Operational Excellence Department
o Operational Excellence Sr. Lead
o Operational Excellence Sr. Specialist
- All CEQUENS Employees
Information Security PolicyThe following information security principles provide overarching governance for the security and management of information at CEQUENS.
- Information should be classified according to an appropriate level of confidentiality, integrity, and availability and by relevant legislative, regulatory, and contractual requirements.
- Staff with particular responsibilities regarding information must ensure the classification of that information; must be handled in accordance with its classification level; and must abide by any contractual requirements, policies, procedures, or systems for meeting those responsibilities.
- All users covered by the scope of this policy must handle information appropriately and by its classification level.
- Information should be both secure and available to those with a legitimate need for access by its classification level. On this basis, access to information will be by least privilege and need to know.
- Information will be protected against unauthorized access and processing by its classification level.
- Breaches of this policy must be reported.
- Information security provision and the policies that guide it will be annually reviewed through the use of internal audits and penetration testing.
- Any explicit Information Security Management Systems (ISMSs) run within CEQUENS will be appraised and adjusted through the principles of continuous improvement.
This policy applies to, and will be communicated to, all staff and third parties who interact with information held by CEQUENS and the information systems used to store and process said information, including but not limited to:
- Cloud systems developed or commissioned by CEQUENS
- Any systems or data attached to the CEQUENS data or telephone networks
- Systems managed by CEQUENS
- Mobile devices used to connect to CEQUENS networks or hold CEQUENS data
- Data over which CEQUENS holds the intellectual property rights
- Data over which CEQUENS is the data controller or data processor
- Electronic communications sent from the CEQUENS.
Basic Information Security TerminologyConfidentiality – characteristic of the information by which it is available only to authorized persons or systems.
Integrity – characteristic of the information by which it is changed only by authorized persons or systems in an allowed way.
Availability – characteristic of the information by which it can be accessed by authorized persons when it is needed.
Information Security – preservation of confidentiality, integrity, and availability of information.
Information Security Management System – part of overall management processes that take care of planning, implementing, maintaining, reviewing, and improving information security.
Data Protection Officer – a responsible person for all data security related matters and is referred to as DPO, which is a role given to the Information Security Advisory Board (ISAB).
Information Security Objectives
- CEQUENS should ensure Information Security availability, confidentiality, and integrity.
- It is critical to the ongoing functioning and good governance of CEQUENS's information to ensure that all users understand their responsibilities for protecting the confidentiality and integrity of the data that they handle.
- Any failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for CEQUENS to recover.
- CEQUENS is committed to a robust implementation of Information Security Management as well as to ensure the appropriate availability of its data.
- CEQUENS is committed to preserving the confidentiality, integrity, and availability of documentation and data supplied by, generated by, and held on behalf of third parties under the carrying out of work agreed by contract by the requirements of data security standards.
- A framework should be established with suitable levels of information security for all CEQUENS information systems (including but not limited to all cloud environments commissioned or run by CEQUENS, computers, storage, mobile devices, networking equipment, software, and data) and to mitigate the risks associated with the theft, loss, misuse, damage, or abuse of these systems.
- All required resources should always be available to manage such systems.
- Continuous improvement of an ISMS should be undertaken by Plan Do Check Act (PDCA) principles.
- A safe and secure information system working environment can be established for staff and any other authorized users.
- Protect CEQUENS from liability or damage through the misuse of its IT facilities.
- Maintain research data and other confidential information provided by suppliers at a level of security commensurate with its classification, including upholding any legal and contractual requirements around information security.
- Respond to changes in the context of the organization as appropriate, initiating a cycle of continuous improvement.
Information Security Principles and ClassificationThese principles should be applied to all the physical and electronic information assets for which CEQUENS is responsible.
The following table provides a summary of the information classification levels that have been adopted by CEQUENS and which underpin the principles of information security defined in this policy.
These classification levels explicitly incorporate the General Data Protection Regulation's definitions of Clients Data and Special Categories of Clients Data, as laid out in CEQUENS’s Data Protection Policy, and are designed to cover both primary and secondary research data.
Detailed information on defining information classification levels and providing appropriate levels of security and access is provided in the Data Classification Standard. Information on proper encryption techniques for securing confidential data can be found in the CEQUENS Encryption Policy.
|CONFIDENTIAL [C4]||Normally accessible only to specified members of the CEQUENS staff. Should be held in an encrypted state outside CEQUENS systems; may have encryption-at-rest requirements from providers.||GDPR-defined Special Categories of Client Data. Data (>1000 records) including elements such as name or telephone number.||Subject to significant scrutiny about appropriate exemptions, public interest, and legal considerations.|
|RESTRICTED [C3]||Normally accessible only to specified members of the CEQUENS staff.||GDPR-defined Client Data: reserved committee business, draft reports, papers, minutes, systems, etc.||Subject to significant scrutiny about appropriate exemptions, public interest, and legal considerations.|
|INTERNAL USE ONLY [C2]||Normally accessible only to members of the CEQUENS staff.||Internal correspondence, final working group papers and minutes, committee papers, information held under license, etc.||Subject to significant scrutiny about appropriate exemptions, public interest, and legal considerations.|
|PUBLIC USE [C1]||Accessible to all members of the public.||Annual accounts, minutes of statutory and other formal pay scales, etc.||Freely available on CEQUENS’s website or through the CEQUENS publication scheme.|
Information Security Requirements and ControlsThis policy and the entire Information Security Management System must be compliant with legal and regulatory requirements relevant to CEQUENS in the field of information security and personal data protection, as well as with contractual obligations.
Therefore, CEQUENS has a responsibility to abide by and adhere to all current legislation as well as a variety of regulatory and contractual requirements. Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation.
Information Security Compliance, Policy Awareness, and Disciplinary Procedures
- Any security breach of CEQUENS’s information systems could lead to the possible loss of confidentiality, integrity, and availability of personal or other confidential data stored on these information systems.
- The loss or breach of privacy of clients' data is an infringement of the General Data Protection Regulation, contravenes CEQUENS’s Data Protection Policy, and may result in a criminal or civil action against CEQUENS.
- The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties, or criminal or civil action against CEQUENS. Therefore, it is crucial that all users of CEQUENS’s information systems adhere to the Information Security Policy and its supporting policies.
- All current staff and other authorized users will be informed of the existence of this policy and the availability of supporting policies, codes of practice, and guidelines.
- Any security breach will be handled by all relevant CEQUENS policies, including the Conditions of Use of IT facilities at CEQUENS and the appropriate disciplinary policies.
Information Security Supporting Policies, Code of Practice, Procedures, and GuidelinesSupporting policies have been developed to strengthen and reinforce this policy statement. These, along with associated codes of practice, procedures and guidelines are published together and are available on CEQUENS’s website.
All staff and any third parties authorized to access CEQUENS’s network or computing facilities are required to familiarize themselves with these supporting documents and to adhere to them in the working environment.
Information Security Incident HandlingIf a member of CEQUENS is aware of an information security incident, then they must report it to the Information Management and Technology Service Desk at https://misservicedesk.cequens.com/
Breaches of customer data will be reported to the Information Commissioner's Office by CEQUENS’s Data Protection Officer.
Information Security Review and DevelopmentThis policy and its subsidiaries shall be reviewed by the Information Security Advisory Board (ISAB) and regularly updated to ensure that they remain appropriate in light of any relevant changes to the law, organizational policies, or contractual obligations.
Additional regulations may be created to cover specific areas.
ISAB comprises representatives from all relevant parts of the organization.
It shall oversee the creation of information security and subsidiary policies.
The MIS Manager will determine the appropriate levels of security measures applied to all new information systems.
Information Security Roles and ResponsibilitiesCEQUENS has clearly defined and allocated all information security responsibilities. Data controllers and members of CEQUENS will have specific or overarching responsibilities for preserving the confidentiality, integrity, and availability of information.
The authority of these individuals is documented in their job descriptions. Other responsibilities are identified as necessary throughout the ISMS and documented policies. Authorization levels are clearly defined and documented and enforce the segregation of duties.
All CEQUENS MembersAll members of CEQUENS, CEQUENS associates, agency staff working for CEQUENS, third parties, and collaborators on CEQUENS projects will be users of CEQUENS’s information. This carries with it the responsibility to abide by this policy and its principles and relevant legislation, supporting policies, procedures, and guidelines.
No individual should be able to access information to which they do not have a legitimate access right. Notwithstanding systems in place to prevent this, no individual should knowingly contravene this policy nor allow others to do so.
Principal Investigators / Project AdministratorsResponsible for the security of information produced, provided, or held in the course of carrying out research, consultancy, or knowledge transfer activities.
This includes ensuring that data is appropriately stored, risks to data are appropriately understood and either mitigated or explicitly accepted, correct access rights have been put in place with data only accessible to the right people, and ensuring there are appropriate backup, retention, disaster recovery, and disposal mechanisms in place.
Heads of Departments, Divisions, and CentersResponsible for the information systems (e.g., HR, Registry, Finance) both manual and electronic that support CEQUENS’s work. Responsibilities as above (for Principal Investigators / Project administrators).
Departmental Managers / Line ManagersResponsible for a specific area of CEQUENS’s work, including all the supporting information and documentation that may include working documents, contracts, or staff information.
Records Manager / Data Protection OfficerResponsible for CEQUENS’s Data Protection Policy, data protection, and records retention issues. Breach reporting to CIO.
CEQUENS MIS TeamResponsible for ensuring that the provision of CEQUENS IT infrastructure is consistent with the demands of this policy and current good practices.
- The MIS Manager is responsible for ensuring that information security and IT staff have specific information security responsibilities and that these are detailed in their job descriptions.
- The MIS Manager is responsible for ensuring that all users sign Non-disclosure agreements (NDAs) before they are allowed to access organizational information assets. These NDAs contain specific information security responsibilities.
Head of SecurityResponsible for physical aspects of security and will provide specialist advice throughout the CEQUENS network on physical security issues.
Information Security Advisory Board [ISAB]
- Responsible for advising on and recommending information security policies to the Information Technology Committee, assessing information security risks, and identifying and implementing controls for risks.
- Responsibilities for specific information security procedures are clearly defined throughout the ISMS and are documented in individual job descriptions.
- The ISAB is responsible for ensuring that CEQUENS has standard job descriptions for all roles, which contains defined security roles and responsibilities, and that these apply to all users of organizational information assets.
- The ISAB, who has lead responsibility in the management team for information security, is responsible for the development, implementation, and maintenance of the ISMS.
- The ISAB is responsible for approving information security policies.
- Responsible also for subsequent information security policies and will provide specialist advice throughout CEQUENS on information security issues.
SuppliersAll CEQUENS suppliers will abide by CEQUENS’s Information Security Policy, or otherwise be able to demonstrate corporate security policies providing equivalent assurance, which includes:
- When accessing or processing CEQUENS assets, whether on-site or remotely.
- ·When subcontracting to other suppliers.
Under the GDPR, a breach of clients' data can lead to a fine of up to 4% of global turnover. Where CEQUENS uses cloud services, CEQUENS is responsible, as the data controller for any data it puts into the service, and can consequently be fined for any data breach, even if this is the fault of the cloud service provider.
CEQUENS will be responsible for contacting the Information Commissioner's office concerning the breach, as well as any affected individual. It will also be exposed to any lawsuits for damages resulting from the breach. It is imperative, consequently, that CEQUENS can judge the appropriateness of a cloud service provider's information security provision. This leads to the following stipulations:
- All providers of cloud services to CEQUENS must respond to CEQUENS’s Cloud Assurance Questionnaire before a service being commissioned, for CEQUENS to understand the provider's information security provision.
- Cloud services used to process clients' data will be expected to have ISO 27001 certification, with adherence to the standard considered the best way for a supplier to prove that it has met the GDPR principle of privacy by design and that it has considered information security throughout its service model.
- Any request for exceptions will be considered by the ISAB.