Thermeon recognises the importance of Information Security and the role it has to play in increasing confidence in the business amongst our customers, clients, staff and stakeholders. The ability to manage Information Security in an efficient, professional and co-ordinated manner is a primary objective of Thermeon’s directors and senior management team. Information is a key asset to the Thermeon business and the protection of the Confidentiality, Integrity and Availability of information is of paramount importance, which is why the Board of Directors personally sponsor and endorse this policy.

The security mission of Thermeon is to identify, assess, and appropriately mitigate vulnerabilities and threats to Thermeon information systems that can adversely impact the critical business assets of the organisation and result in the loss of critical information. This includes ensuring business continuity and minimising business damage by preventing, detecting and responding to information security incidents and managing information security risks.

This Information Security Policy provides the framework by which we manage Information Security, and is the cornerstone of Thermeon’s ongoing commitment to enhance and clarify our information security procedures. It has full support of the Board of Directors who require that all staff read it and abide by it in the course of their work.

This Information Security Policy applies to all Thermeon operations, supported IT and operational infrastructure, information assets, information systems and security management processes. All staff, contractors and third-parties using or accessing Thermeon Information processing facilities must comply with the requirements of this policy.

Thermeon is obliged to protect the data it owns, holds and processes from a legal, contractual and business perspective. Legally Thermeon is bound by the Data Protection Act 1998, Computer Misuse Act 1990 and the Copyright Designs and Patents Act 1988 amongst a variety of other legislation.

In addition customers expect Thermeon to implement formal steps to manage Information Security Risk and maintain high standards of Information Security.

Implementing a suitable Information Security management framework is central to the strategy both to improve control and efficiency but also to meet Thermeon’s many obligations.

Information Security Objectives Thermeon’s Board of Directors defines our Information Security Objectives as:

• Compliance with customer expectations
• Compliance with all relevant legislation and regulation
• Assurance that all data will be protected and remain confidential where appropriate
• Reduction in the number of security incidents
• Assurance that risks are managed to fall in line with organisational acceptable risk levels
• Assurance that all staff are suitably trained in the area of Information Security
• Assurance that all systems are adequately protected from hacking, viruses and malware
• Customer and client recognition that Information Security is treated seriously by the organisation

The following information security principles provide overarching governance for the security and management of information at Thermeon:

• Information should be classified according to an appropriate level of confidentiality, integrity, and availability. Such classifications must be in accordance with relevant legislative, regulatory and contractual obligations and requirements.
• Where cardholder data is held by our systems, Thermeon will be responsible for the storing and, where contractually agreed and paid to do so, the processing and transmitting of that data by our systems in accordance with Payment Card Industry Data Security Standards and to the extent by which we can impact the security of the customer’s cardholder data environment.
• Staff with responsibilities for information must;
  • ensure the classification of that information,
  • handle that information in accordance with its classification level,
  • abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
• All users covered by the scope of this policy must handle information appropriately and in accordance with its classification level.
• Information should be both secure and available to those with a legitimate need for access in accordance with its classification level. Access to information will be on the basis of least privilege and need to know.
• Information will be physically, logically, and technically protected against unauthorised access and processing in accordance with its classification level.
• Risks to information will be identified and assessed, and appropriate treatment plans will be designed and implemented.
• Breaches of this policy must be reported to the Security Officer at the soonest possible opportunity.
• Information security provision and the policies that guide it will be regularly reviewed, including through the use of annual internal audits and penetration testing.
• The approach to Information Security management will be appraised and adjusted through the principles of continuous improvement.

Ensure that the Senior Management Team have the support and resources required to fulfil their obligations in maintaining and improving Information Security.

Ensure that the Data Protection Officer is supported in their efforts to ensure compliance with the Data Protection Act 1998 and the EU’s General Data Protection Regulation.

The Board of Directors delegates the information security implementation and maintenance responsibility to the Senior Management Team.

Act as the Data Protection Officer under the registration with the Information Commissioner.

Information Security is part of the Thermeon culture and as such all staff, contractors and third parties have a responsibility for maintaining the security of Thermeon Information Assets, as directed by this Information Security Policy, and any associated policies.

Fundamental to the management of Information Security is the management of risk. Thermeon captures and aligns business risk, including Information Security risk, to its business strategies. Thermeon’s risk management approach involves managers from across the organisation.

On an annual basis Thermeon will undertake a threat assessment to identify the groups or individuals who/which may compromise the Confidentiality, Integrity and Availability of Thermeon Information Assets. This assessment will be undertaken under the direction of the board and will be updated annually, when an incident occurs or if Thermeon becomes aware of information which would suggest that the threat landscape has changed during the previous twelve months. The information from the threat assessment will be used when assessing risks.

All Thermeon information assets will be identified and risk assessed in line with the Thermeon Information Security Risk Assessment Methodology as approved by the Thermeon board.

All identified risks will be reviewed by appropriate senior managers who will also take the responsibility for developing suitable risk treatment plans, addressing security weaknesses, approving security policies and managing security improvements.

In order to ensure that the management of Information Security risks is effective, Thermeon will maintain information on key performance metrics which will be presented at senior management team, and board, meetings as a measure of progress. These metrics give a general picture of security and ensure the objectives are being met. In order to measure the objectives the following metrics have been agreed:

• Number of Security Incidents by Category, including corrective actions
• Risk assessment status reports e.g. number and severity of risks
• Risk treatment status reports e.g. progress on treating identified risks
• Number of staff subject to training and numbers outstanding
• Vulnerability assessment results – Number of vulnerabilities
• Service outage time
• Results of audit activity
• Progress of security projects including key milestones
  These metrics are reviewed at each Senior Management Team meeting. Where suitable progress is not being made in these areas the Senior Management Team will task an appropriate member to investigate the root cause and then define and agree suitable actions.

Thermeon’s Information Security policies and process will be subject to a management review on a annual basis to ensure continued effectiveness and appropriateness. The review will examine the progress made in terms of identifying and addressing Information Security. A management review may occur before this annual cycle in light of security incidents, changes to business processes or contractual requirements.

The Information Security policies and framework will be subject to an internal audit on an annual basis in order to identify and manage any deficiencies in the framework. Any deficiencies will be quickly investigated by the Senior Management Team with clear action plans introduced to correct the issues.

If any person becomes aware of an information security incident affecting, or likely to affect, Thermeon’s information systems, then they must report it without undue delay to the Operations Director or Commercial Director through any or all possible means (telephone, email etc)

Breaches of personal data will be reported to the Information Commissioner’s Office by the Data Protection Officer following the Personal Data Breach Notification Process.

This Policy and any supporting information security policies and procedures will be enforced by the Senior Management Team. Non-compliance will be escalated via the formal reporting channels. Any employee found to have violated any Information Security policy may be subject to disciplinary action, up to and including termination of employment.

This Policy and relevant supporting information security policies will be communicated and made available to all Thermeon information system users, and are available in Thermeon’s document management in google drive.

There are no exceptions to this policy.

The Data Protection Act controls how personal information is used by organisations, businesses or the government. It provides the following eight ‘data protection principles’ to ensure information is;

• used fairly and lawfully
• used for limited, specifically stated purposes
• used in a way that is adequate, relevant and not excessive
• accurate
• kept for no longer than is absolutely necessary
• handled according to people’s data protection rights
• kept safe and secure
• not transferred outside the European Economic Area without adequate protection
  Sensitive information, such as; ethnic background, political opinions, religious beliefs, health, sexual health, criminal records, are subject to stronger legal protection.

The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect implementation of the GDPR. The GDPR reinforces and extends data subjects’ rights as laid out in the Data Protection Act 1998, and provides additional stipulations around accountability and governance, breach notification and transfer of data. It also extends the maximum penalties liable due to a data breach, from £500,000 to 4% global turnover.

The GDPR requires organisations to maintain an Information Asset Register, to ensure where personal data is voluntarily gathered people are required to explicitly opt in, and can also easily opt out. It requires data breaches to be reported to the Information Commissioner’s Office within 72hrs of controllers becoming aware of their existence.

Defines offences in relation to the misuse of computers as;

1. Unauthorised access to computer material.
2. Unauthorised access with intent to commit or facilitate commission of further offences.
3. Unauthorised modification of computer material.

The Freedom of Information Act 2000 (FOIA2000) is a general right of public access to all types of recorded information held by public authorities in order to promote a culture of openness and accountability.

The Copyright, Designs and Patents Act 1988, is the current UK copyright law. It gives the creators of literary, dramatic, musical and artistic works the right to control the ways in which their material may be used. The rights cover: Broadcast and public performance, copying, adapting, issuing, renting and lending copies to the public. In many cases, the creator will also have the right to be identified as the author and to object to distortions of his work.

The Regulation of Investigatory Powers Act 2000 regulates the powers of public bodies to carry out surveillance and investigation. It covers the interception and use of communications data and can be invoked in the cases of national security, and for the purposes of detecting crime, preventing disorder, public safety and protecting public health.

Defamation is a false accusation of an offence or a malicious misrepresentation of someone’s words or actions. The defamation laws exist to protect a person or an organisation’s reputation from harm. The use of Social Media within organisations has highlighted this legislation many times.

The law makes it an offence to publish, whether for gain or not, any content whose effect will tend to “deprave and corrupt" those likely to read, see or hear the matter contained or embodied in it. This could include images of extreme sexual activity such as bestiality, necrophilia, rape or torture.

The Protection of Children Act 1978 prevents the exploitation of children by making indecent photographs of them and penalises the distribution and showing of such indecent photographs. Organisations must take appropriate steps to prevent such illegal activities by their workers using their digital systems and networks.

The definition of ‘photographs’ include data stored on a computer disc or by other electronic means which is capable of conversion into an image. It is an offence for a person to distribute or show such indecent photographs; or to possess such indecent photographs, with a view to their being distributed or shown.

Section 160 of the Criminal Justice Act 1988 made the simple possession of indecent photographs of children an offence. Making an indecent image of a child is a serious arrest able offence carrying a maximum sentence of 10 years imprisonment. NB: The term “make" includes downloading images from the Internet and storing or printing them out.

The Terrorism Act 2006 makes it an offence to write, publish or circulate any material that could be seen by any one or more of the persons to whom it has or may become available, as a direct or indirect encouragement or other inducement to the commission, preparation or instigation of acts of terrorism.

It also prohibits the writing, publication or circulation of information which is likely to be useful to any one or more persons in the commission or preparation of terrorist acts or is in a form or context in which it is likely to be understood by any one or more of those persons as being wholly or mainly for the purpose of being so useful.

In addition, it prohibits the glorification of the commission or preparation (whether in the past, in the future or generally) of terrorist acts or such offences; and the suggestion that what is being glorified is being glorified as conduct that should be emulated in existing circumstances.

Appropriate legislation being reviewed for insertion into this policy

Appropriate legislation being reviewed for insertion into this policy

Appropriate legislation being reviewed for insertion into this policy

1. PCI-DSS

Below are some of the policies or processes that will serve to fulfill the requirements of this Information Security Policy. This list to be reviewed and maintained annually.

• Information Classification (and Control) Policy
• Access Control Policy
• Operational Security Policy
• Password Policy
• Incident Management Policy
• Physical Security Policy
• Human Resources Policy
• Third-party Access Policy
• Third-party Management (Procurement) Policy
• Business Continuity Management Policy/Plan
• Personal Data Breach Notification Process.
• Information Security Risk Assessment Methodology