Equin Limited

Information Security Policy

Classification: Public

Section 1

Purpose & Scope

The purpose of this policy is to set out the information security policies that apply to the company to protect the confidentiality, integrity, and availability of data.

Scope

All employees and third-party users.

Section 2

Policy

Information security is managed based on risk, legal and regulatory requirements, and business needs.

Section 2.1

Statement of Commitment

As a company, information processing is fundamental to our success, and the protection and security of that information is a board-level priority. Whether it is employee information or customer information, we take our obligations under the GDPR and Data Protection Act 2018 seriously. We have provided the resources to develop, implement and continually improve the information security management appropriate to our business.

Section 2.2

Introduction

Information security protects the information that is entrusted to us. Getting information security wrong can have significant adverse impacts on our employees, our customers, our reputation, and our finances. By having an effective information security management system, we can:

  • Provide assurances for our legal, regulatory, and contractual obligations
  • Ensure the right people have the right access to the right data at the right time
  • Provide protection of personal data as defined by the GDPR
  • Be good data citizens and custodians

Section 2.3

Definitions

Information security is defined as preserving:

  • Confidentiality: Access to information is limited to those with appropriate authority
  • Integrity: Information is complete and accurate
  • Availability: Information is available when it is needed

The right people with the right access – to the right data – at the right time.

Section 2.4

Objectives

To ensure the confidentiality, integrity and availability of company information, including all personal data as defined by the GDPR, based on good risk management, legal, regulatory and contractual obligations, and business need.

To provide the resources required to develop, implement, and continually improve the information security management system.

To effectively manage third party suppliers who process, store, or transmit information to reduce and manage information security risks.

To implement a culture of information security and data protection through effective training and awareness.

Section 3

Policy Framework

The information security management system is built upon an information security policy framework. In conjunction with this policy, the following policies make up the policy framework:

  • Acceptable Use Policy
  • Access Control Policy
  • Backup Policy
  • Business Continuity Policy
  • Clear Desk and Clear Screen Policy
  • Data Protection Policy
  • Data Retention Policy
  • Information Classification and Handling Policy
  • Information Security Awareness and Training Policy
  • Information Transfer Policy
  • Malware and Antivirus Policy
  • Risk Management Policy
  • Third Party Supplier Security Policy

Section 4

Roles and Responsibilities

Information security is everyone's responsibility: everyone must understand and adhere to the policies, follow processes and report suspected or actual breaches. Responsibility for the running of the information security management system lies with the IT & Security Manager, working alongside the Information Security Management team.

Section 5

Monitoring

Compliance with the policies and procedures of the information security management system is monitored by the Information Security Management team on a periodic basis.

Section 6

Legal and Regulatory Obligations

The company takes its legal and regulatory obligations seriously and these requirements are recorded in the document Legal and Contractual Requirements Register.

Section 7

Training and Awareness

Policies are made readily and easily available to all employees and third-party users. A training and communication plan is in place to communicate the policies, processes, and concepts of information security. Training needs are identified, and relevant training requirements are captured in the document Competency Matrix.