BOSH Ltd.
INFORMATION SECURITY POLICY
The aim of this Information Security Policy is to ensure that BOSH as an organisation takes all reasonable measures necessary in the protection of the personal data that it stores for the purposes of running its business and in doing so conforms to the Data Protection Act and the Freedom of Information Act.
BOSH stores information related to its staff, customers and their children in order to carry out its responsibilities and duties as a diligent childcare provider. This may include confidential information about individuals and that which is protectively marked.
Information is a valuable asset. Business continuity is dependent on its integrity and continued availability. Therefore, steps have been taken to protect information assets from unauthorised use, modification, disclosure or destruction, whether accidental or intentional.
BOSH is committed to the secure use of information and information technology systems in order to protect the availability, integrity and confidentiality of the information under its control. BOSH undertakes to have in place procedures to protect the information under its control.
BOSH will use a risk based approach when assessing and understanding the risks and will use physical, personnel, technical and procedural means to achieve appropriate security measures. BOSH will take into account developments in technology and the costs of implementation in order to achieve a level of security appropriate to the nature of the information and the harm which may result from a security breach.
BOSH staff are subject to a duty to keep confidential information that is provided to BOSH to carry out its functions under the Data Protection Act and Freedom of Information Act, and may only disclose it with lawful authority. BOSH will provide guidance and training for staff to enable them to understand and carry out their responsibilities in respect of information security. BOSH will assess the integrity and identity of its staff before they are employed, as part of its standard vetting procedures. BOSH will monitor staff compliance with their obligations with respect to security.
Information Security Operating Procedures
BOSH has defined the following guidelines and principles relating to Information Security which must be adhered to by all BOSH staff:
- Staff roles and privileges allowing access to sensitive information are strictly controlled and managed in order to minimise access to unnecessary data;
- All of our sensitive information is stored in a database on our website server – this is regularly backed up and is secured through the required use of password and memorable word protected user accounts;
- Access to personal data on our website is controlled by password and memorable word protected accounts. Only Play Managers have access to the personal details of all customers, using their own dedicated and audited account, which is protected via a password and a memorable word;
- No personal data relating to customers, their children, or staff are stored on individual BOSH computers or external media (such as memory keys) – all data are held either on the website database or, occasionally and only temporarily, on encrypted media;
- BOSH computer equipment is regularly patched with the latest security updates;
- On the disposal of redundant computer equipment, all confidential and sensitive data is rigorously deleted;
- All BOSH computer equipment has anti-virus software and firewall software, both in place and regularly updated;
- All staff are warned about the insecurity of email and told not to send information of a personal nature via email.
This Policy will be reviewed on a regular basis to ensure that at the very minimum the organisation is following relevant legislation.
Reviewed May 2014