IT Security Policy
(Information, Communication & Technology (ICT))
This ICT Security Policy (‘policy’) relates to:
- all information, systems, networks, applications (ICT Systems); and
- employees, contractors, volunteers and other authorised individuals (‘employees’) associated with Sir Charles Burrell t/a Knepp Castle Estate, Knepp Farm Partnership, Knepp Castle Home Farm, Edward Burrell t/a Knepp Estate B, Knepp Wildland Safaris, Knepp Energy Ltd, Brookhouse Knepp Ltd, Nancy Burrell, Knepp 1983 Settlement and Knepp 1987 Settlement (‘Knepp’).
The purpose of this policy is to enable and maintain effective security and confidentiality of information processed or stored by Knepp. This shall be achieved by:
- Ensuring that all employees are aware of and shall comply with the General Data Protection Regulation (GDPR) and Knepp’s GDPR policy;
- Describing the principles of information security management and describing how they shall be implemented within Knepp;
- Assisting Knepp employees to identify and implement information security as an integral part of their day-to-day role; and
- Safeguarding information relating to employees and clients under the control of Knepp.
For the purposes of this policy, security of information means:
- Confidentiality – access to information shall be restricted to those Knepp employees and relevant others with agreed authority to view it;
- Integrity – records shall be complete and accurate, with all filing and management systems operating correctly; and
- Availability – information shall be readily available and delivered when it is needed.
3. Responsibilities For Information Security
- Managers shall be responsible for ensuring that both permanent and temporary employees including volunteers and contractors are aware of:
– The information security policies applicable to their work areas;
– The Knepp ICT Acceptable Use policy;
– Their personal responsibilities for information security; and
– Who to ask or approach for further advice on information security matters.
- All employees shall abide by the security and GDPR procedures of Knepp. This shall include the maintenance of client records whilst ensuring that their confidentiality and integrity are not breached. Failure to do so may result in disciplinary action.
- This policy document shall be owned, maintained, reviewed and updated by the Estate Administrator. The review shall take place annually and its results shall be made known to the Estate Manager.
- Knepp employees shall be responsible for the security of their immediate working environments, their passwords and the information systems they use (e.g. workstations, laptops, PDAs etc.);
- Any contract with a third party organisation that allows access to the information systems of Knepp shall be in place before access is granted. Such contracts shall require the employees and sub-contractors of the external organisation to comply with all the security policies and guidance required by Knepp.
Knepp shall undertake to ensure:
- Contracts of Employment – information security requirements are addressed at the recruitment stage, all contracts of employment contain a confidentiality clause, and information security responsibilities are included within job descriptions.
- Access Controls – to areas containing information systems are restricted and controlled to ensure that only those authorised can access information.
- Equipment Security – is effective in order to minimise loss or damage to Knepp. All information assets and equipment shall, where possible, be physically protected from security threats and environmental hazards (e.g. locked cabinets, fireproof if possible, and the limitation of risks in the surrounding work area).
- Information Risk Assessment – a regular assessment of the working environment shall be conducted to identify potential risks to the security of Knepp’s information. Where risks are identified, they shall be recorded and, where possible, mitigating action taken.
- Security Incidents and Weaknesses – are to be recorded and reported to the Estate Administrator, so that they can be investigated to establish their cause, their impact and their effect on Knepp, its clients and stakeholders.
- Protection from Malicious Software – shall be provided through the use of commercial-strength anti-virus/anti-malware software. Where there is an internet connection, an appropriate firewall shall be installed and managed.
- Secure Communications – should be in place to ensure that all correspondence, video conferencing, email, telephone messages and transfer of client records are conducted in a secure and confidential manner.
- Payment Card Industry Data Security Standard (PCI DSS) – to comply with the PCI DSS when processing payment (credit/debit) cards.
- Records management – to retain certain information, whether held in hard copy or electronically, for legally defined periods. Such information must be appropriately safeguarded and not destroyed prior to the defined minimum retention period, while remaining accessible to those who require access and are authorised to access that information. In accordance with the Data Protection Act, personal data should not be retained for longer than it is required for the purposes for which it was collected.
- Business Continuity and Disaster Recovery Plans – are in place so that, in the event of a disruption to the information services of Knepp, the relevant business contingency plans can be activated until the affected services are restored.