K1ICA_Information_Security_Policy v1

INFORMATION SECURITY POLICY

March 2024

INFORMATION AND SECURITY POLICY

The UK General Data Protection Regulation (UK GDPR) aims to protect the rights of individuals about whom data is obtained, stored, processed or supplied and requires that organisations take appropriate security measures against unauthorised access, alteration, disclosure or destruction of personal data.

K1 International Class Association (K1ICA) is dedicated to ensuring the security of all information that it holds and implements the highest standards of information security in order to achieve this. This document sets out the measures taken by the K1ICA to achieve this, including to:

Protect against potential breaches of confidentiality;

Ensure that all information assets and IT facilities are protected against damage, loss or misuse;

Support our Data Protection Policy in ensuring all Volunteers are aware of and comply with UK law and our own procedures applying to the processing of data; and

Increase awareness and understanding at the K1ICA of the requirements of information security and the responsibility of Volunteers to protect the confidentiality and integrity of the information that they handle.

INTRODUCTION

Information Security can be defined as the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.

Volunteers working on behalf of the K1ICA (Volunteers) are referred to the K1ICA’s Data Protection Policy, Data Breach Policy and Electronic Information and Communication Systems Policy for further information. These policies are also designed to protect personal data.

For the avoidance of doubt, the term ‘mobile devices’ used in this policy refers to any removable media or mobile device that can store data. This includes, but is not limited to, laptops, tablets, digital cameras, memory sticks and smartphones.

SCOPE

The information covered by this policy includes all written, spoken and electronic information held, used or transmitted by or on behalf of the K1ICA, in whatever media. This includes information held on computer systems, paper records, hand-held devices, and information transmitted orally.

This policy applies to all Volunteers, including temporary workers, other contractors, interns, directors and any and all third parties authorised to use the IT systems. All Volunteers are required to familiarise themselves with its content and comply with the provisions contained in it.

This policy does not form part of any individual’s terms and conditions of employment with the K1ICA and is not intended to have contractual effect. Changes to data protection legislation will be monitored and further amendments may be required to this policy in order to remain compliant with legal obligations.

GENERAL PRINCIPLES

All data stored on our IT Systems are to be classified appropriately (including, but not limited to, as personal data, sensitive personal data or confidential information). Further details on the categories of data can be found in the K1ICA’s Data Protection Policy and Record of Processing Activities. All data so classified must be handled appropriately in accordance with its classification.

Volunteers should discuss with the Class Chair the appropriate security arrangements for the type of information they access in the course of their work.

All data stored on our IT Systems and our paper records shall be available only to Volunteers with a legitimate need for access and shall be protected against unauthorised access and/or processing and against loss and/or corruption.

All IT Systems are to be installed, maintained, serviced, repaired, and upgraded by the Class Chair or by such third party/parties as the Class Chair may authorise. The responsibility for the security and integrity of all IT Systems and the data stored thereon (including, but not limited to, the security, integrity, and confidentiality of that data) lies with the Class Chair unless expressly stated otherwise.

All Volunteers have an obligation to report actual and potential data protection compliance failures to the Class Chair, who shall investigate the breach. Any breach which is either known or suspected to involve personal data or sensitive personal data shall be reported to the Class Chair.

PHYSICAL SECURITY AND PROCEDURES

Paper records and documents containing personal information, sensitive personal information, and confidential information shall, as far as possible, be positioned so that they cannot be viewed by people passing by, e.g., through windows. At the end of the working day, or when you leave your desk unoccupied, all paper documents shall be securely locked away to avoid unauthorised access.

Available storage rooms, locked cabinets, and other storage systems with locks shall be used to store paper records when not in use. If you do not feel you have the appropriate and/or sufficient storage available to you, you must inform the K1ICA Class Chair as soon as possible.

Paper documents containing confidential personal information should not be left on office and classroom desks, on Volunteers’ tables, or pinned to noticeboards where there is general access unless there is a legal reason to do so and/or relevant consents have been obtained. You should take particular care if documents have to be taken out of the K1ICA.

The physical security of buildings and storage systems shall be reviewed on a regular basis. If you find the security to be insufficient, you must inform the Class Chair as soon as possible. Increased risks of vandalism and/or burglary shall be considered when assessing the level of security required.

The following measures are taken by the K1ICA to ensure physical security of the building/s and storage systems:

The K1ICA carries out regular checks of the buildings and storage systems to ensure they are maintained to a high standard.

The K1ICA has an electronic lock system to minimise the risk of unauthorised people entering the K1ICA premises.

Visitors should be recorded and accompanied at all times by a Volunteer and never be left alone in areas where they could have access to confidential information.

COMPUTERS AND I.T.

Responsibilities of the Class Chair

The Class Chair shall be responsible for the following:

a) ensuring that all IT Systems are assessed and deemed suitable for compliance with the K1ICA’s security requirements;

b) ensuring that IT Security standards within the K1ICA are effectively implemented and regularly reviewed, working in consultation with the K1ICA’s management, and reporting the outcome of such reviews to the K1ICA’s management;

c) ensuring that all Volunteers are kept aware of this policy and of all related legislation, regulations, and other relevant rules whether now or in the future in force, including, but not limited to, the UK GDPR and the Computer Misuse Act 1990.

Furthermore, the Class Chair shall be responsible for the following:

a) assisting all Volunteers in understanding and complying with this policy;

b) providing all Volunteers with appropriate support and training in IT Security matters and use of IT Systems;

c) ensuring that all Volunteers are granted levels of access to IT Systems that are appropriate for each member, taking into account their job role, responsibilities, and any special security requirements;

d) receiving and handling all reports relating to IT Security matters and taking appropriate action in response (including, in the event that any reports relate to personal data, informing the Data Protection Officer);

e) taking proactive action, where possible, to establish and implement IT security procedures and raise awareness among Volunteers;

f) monitoring all IT security within the K1ICA and taking all necessary action to implement this policy and any changes made to this policy in the future; and

g) ensuring that backups are taken of all data stored within the IT Systems at regular intervals and that such backups are stored at a suitable location offsite.

RESPONSIBILITIES – Volunteers

All Volunteers must comply with all relevant parts of this policy at all times when using the IT Systems.

Computers and other electronic devices should be locked when not in use to minimise accidental loss or disclosure.

You must immediately inform the Class Chair of any and all security concerns relating to the IT Systems which could lead or have led to a data breach as set out in the Data Breach Policy.

Any other technical problems (including, but not limited to, hardware failures and software errors) which may occur on the IT Systems shall be reported to the Class Chair immediately.

You are not permitted to install any software of your own without the approval of the Head of Operations. Any software belonging to you must be approved by the Class Chair and may only be installed where that installation poses no security risk to the IT Systems and where the installation would not breach any licence agreements to which that software may be subject.

Prior to installation of any software onto the IT Systems, you must obtain written permission from the Class Chair. This permission must clearly state which software you may install, and onto which computer(s) or device(s) it may be installed.

Prior to any usage of physical media (e.g., USB memory sticks or disks of any kind) for transferring files, you must make sure the physical media has been virus-scanned. Approval from the Head of Operations must be obtained prior to transferring files using cloud storage systems.

If you detect any virus this must be reported immediately to the Class Chair (this rule shall apply even where the anti-virus software automatically fixes the problem).

ACCESS SECURITY

All Volunteers are responsible for the security of the equipment allocated to or used by them and must not allow it to be used by anyone other than in accordance with this policy. The K1ICA has a secure firewall and anti-virus software in place. These prevent unauthorised access and protect the K1ICA’s network. The K1ICA also teaches individuals about e-safety to ensure everyone is aware of how to protect the K1ICA’s network and themselves.

All IT Systems (in particular mobile devices) shall be protected with a secure password or passcode, or such other form of secure log-in system as approved by the Class Chair. All passwords must, where the software, computer, or device allows:

a) be at least 6 characters long including both numbers and letters;

All mobile devices provided by the K1ICA shall be set to lock, sleep, or similar, after a period of inactivity, requiring a password, passcode, or other form of log-in to unlock, wake or similar. You may not alter this time period.

Volunteers should be aware that if they fail to log off and leave their terminals unattended, they may be held responsible for another user’s activities on their terminal in breach of this policy, the K1ICA’s Data Protection Policy and/or the requirement for confidentiality in respect of certain information.

DATA SECURITY

Personal data sent over the K1ICA network will be encrypted or otherwise secured.

All Volunteers are prohibited from downloading, installing, or running software from external sources without obtaining prior authorisation from the Class Chair, who will consider bona fide requests for work purposes. Please note that this includes instant messaging programs, screen savers, photos, video clips, games, music files and opening any documents or communications from unknown origins. Where consent is given, all files and data should always be virus checked before they are downloaded onto the K1ICA’s systems.

You may connect your own devices (including, but not limited to, laptops, tablets, and smartphones) to the K1ICA’s Wi-Fi provided that you follow the Class Chair’s requirements and instructions governing this use. All usage of your own device(s) whilst connected to the K1ICA’s network or any other part of the IT Systems is subject to all relevant K1ICA Policies (including, but not limited to, this policy). The Class Chair may at any time request the immediate disconnection of any such devices without notice.

ELECTRONIC STORAGE OF DATA

All portable data, and in particular personal data, should be stored on encrypted drives using methods recommended by the Class Chair.

All data stored electronically on physical media, and in particular personal data, should be stored securely in a locked box, drawer, cabinet, or similar.

You should not store any personal data on any mobile device, whether such device belongs to the K1ICA or otherwise, without prior written approval of the Class Chair. You should delete data copied onto any of these devices as soon as possible and make sure it is stored on the K1ICA’s computer network in order for it to be backed up.

All electronic data must be securely backed up by the end of each working day.

HOME WORKING

You should not take confidential or other information home without the prior permission of the Class Chair, who must be satisfied that appropriate technical and practical measures are in place within your home to maintain the continued security and confidentiality of that information.

When you have been given permission to take confidential or other information home, you must ensure that:

a) the information is kept in a secure and locked environment where it cannot be accessed by family or visitors; and

b) all confidential material that requires disposal is shredded or, in the case of electronic material, securely destroyed as soon as any need for its retention has passed.

COMMUNICATIONS, TRANSFER, INTERNET, AND EMAIL USE

The K1ICA works to ensure that its systems protect pupils and Volunteers and that they are reviewed and improved regularly.

If Volunteers or pupils discover unsuitable sites or any material which would be unsuitable, this should be reported to the Class Chair.

Regular checks are made to ensure that filtering methods are appropriate, effective, and reasonable and that users access only appropriate material as far as possible. This is not always possible to guarantee and the K1ICA cannot accept liability for the material accessed or its consequences.

All personal information, and in particular sensitive personal information and confidential information, should be encrypted before being sent by email, or sent by tracked DX (document exchange) or recorded delivery. You may not send such information by fax unless you can be sure that it will not be inappropriately intercepted at the recipient fax machine.

Postal, DX, fax and email addresses and numbers should be checked and verified before you send information to them. In particular you should take extra care with email addresses where auto-complete features may have inserted incorrect addresses.

You should be careful about maintaining confidentiality when speaking in public places. You should make sure to mark confidential information ‘confidential’ and circulate this information only to those who need to know the information in the course of their work for the K1ICA.

Personal or confidential information should not be removed from the K1ICA without prior permission from the Class Chair except where the removal is temporary and necessary. When such permission is given, you must take all reasonable steps to ensure that the integrity and confidentiality of the information are maintained. You must ensure that the information is:

a) not transported in see-through or other unsecured bags or cases;

b) not read in public places (e.g., waiting rooms, cafes, trains, etc.); and

c) not left unattended or in any place where it is at risk (e.g., in car boots, cafes, etc.).

Version: 1.0

Author: IRD

Date written / approved: 14/3/2024

Approved by: Class Chair