Information Security Policy

Introduction

Purpose
The confidentiality, integrity and availability of information, in all its forms, are critical to the ongoing functioning and good governance of Professional Advantage. Through client projects and client hosting within its cloud instances, Professional Advantage has access to confidential information. Failure to adequately secure that information would breach client confidentiality commitments and increase the risk of financial and reputational losses from which it may be difficult to recover.
This information security policy outlines Professional Advantage's approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of Clients' and the Company's information systems. Supporting policies, codes of practice, procedures and guidelines provide further detail.

Objectives
The objectives of this policy are to:

  1. Provide a framework for establishing suitable levels of information security for the company's information systems, including, but not limited to, all Cloud environments commissioned or run by Professional Advantage, computers, storage, mobile devices, networking equipment, software and data, and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
  2. Call out the dual responsibility of all staff and authorized users: for i) Client data and Confidential Information, and ii) Professional Advantage data.
  3. Make certain that Professional Advantage abides by its commitment to secure clients' confidential information.
  4. Ensure only authorized users have access to Client data and those users understand their responsibilities for protecting Client data.
  5. Make certain that users are aware of, and comply with, all current and relevant legislation.
  6. Provide the principles by which a safe and secure information systems working environment can be established for staff and any other authorized users.
  7. Ensure that all users understand their responsibilities for protecting the confidentiality and integrity of the data that they handle.
  8. Protect Professional Advantage from liability or damage through the misuse of its IT facilities.
  9. Maintain data and other confidential information provided by prospective clients, clients, vendors and partners at a level of security commensurate with its classification, including upholding any legal and contractual requirements around information security.
  10. Respond to changes in the context of the organization as appropriate, initiating a cycle of continuous improvement.

Scope

This policy is applicable to, and will regularly be communicated to, all staff, contractors and third parties who interact with information held by Professional Advantage and the information systems used to store and process it.


This includes, but is not limited to:

  • Cloud systems developed or commissioned by Professional Advantage;
  • any systems or data attached to Professional Advantage data or telephone networks;
  • systems managed by Professional Advantage;
  • sensor and edge devices used to connect to Professional Advantage networks or to hold Professional Advantage or Client data;
  • mobile devices used to connect to Professional Advantage networks or to hold Professional Advantage data;
  • data over which Professional Advantage holds the intellectual property rights;
  • data over which Professional Advantage is the data controller or data processor;
  • electronic communications sent from Professional Advantage.

Policy

Information Security Principles
The following information security principles provide overarching governance for the security and management of information for Professional Advantage.

  1. Information should be classified according to an appropriate level of confidentiality, integrity and availability (see Section Information Classification) and in accordance with relevant legislative, regulatory and contractual requirements (see Section Legal & Regulatory Obligations).
  2. Staff with responsibilities for information (see Section Responsibilities) must ensure that information is classified; must handle it in accordance with its classification level; and must abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
  3. All users covered by the scope of this policy (see Section Scope) must handle information appropriately and in accordance with its classification level.
  4. Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
  5. Access to information will therefore be granted on a least-privilege, need-to-know basis.
  6. Information will be protected against unauthorized access and processing in accordance with its classification level.
  7. Breaches of this policy must be reported (see Sections Compliance and Incident Handling).
  8. Information security provision and the policies that guide it will be regularly reviewed.
  9. Any explicit Information Security Management Systems (ISMSs) run by Professional Advantage will be appraised and adjusted through the principles of continuous improvement.
  10. If a user does not know which classification applies to information they handle, it is their responsibility to confirm the level with their direct manager or another appropriate officer.

Legal & Regulatory Obligations
Professional Advantage has a responsibility to abide by and adhere to all current legislation as well as a variety of regulatory and contractual requirements.


Professional Advantage operates in the USA, UK, EU, Philippines and Australia; staff operating in those jurisdictions must abide by the requirements applicable there.
Professional Advantage has contractual obligations to each Client to protect that Client's Confidential Information. Only staff who have been inducted and have signed current Confidential Information acknowledgements may access a Client's Confidential Information.

Information Classification
The following table provides a summary of the information classification levels that have been adopted by Professional Advantage and which underpin the principles of information security defined in this policy.


These classification levels explicitly incorporate the EU and UK General Data Protection Regulation (GDPR) definitions of Personal Data and Special Categories of Personal Data, as set out in the Data Protection Policy.


Detailed information on defining information classification levels and providing appropriate levels of security and access is provided below.

Security Level: Confidential
  • Definition: Normally accessible only to specified members of staff. Stored in password-protected systems with approved access lists.
  • Examples: Client Confidential Information as defined for each Client; Prospective Partner and Client Confidential Information as defined in individual signed NDAs; Client Project data, correspondence and planning documentation; Commercial-in-Confidence data; information held on the company's business management systems; GDPR-defined Special Categories of personal data (e.g. physical/mental health condition, criminal record).

Security Level: Restricted
  • Definition: Normally accessible only to specified members of staff.
  • Examples: Intellectual Property software plans and source code; GDPR-defined Personal Data (information that identifies living individuals, including home/work address, age, telephone number, schools attended, photographs).

Security Level: Internal Use
  • Definition: Normally accessible only to members of staff.
  • Examples: Internal correspondence, internal social discussions, general company documentation sites; vendor information held under license.

Security Level: Public
  • Definition: Accessible to all members of the public.
  • Examples: Published accounts; information available on the Professional Advantage website.

Suppliers
All Professional Advantage suppliers must abide by Professional Advantage's Information Security Policy, or otherwise be able to demonstrate corporate security policies providing equivalent assurance. This includes:

  • when accessing or processing Professional Advantage assets, whether on site or remotely; or
  • when subcontracting to other suppliers.

Cloud Providers
Under the UK and EU GDPR, a personal data breach can lead to a fine of up to 4% of global annual turnover. Where Professional Advantage uses Cloud services, it retains responsibility as the data controller for any data it puts into the service, and can consequently be fined for a data breach even if the breach is the fault of the Cloud service provider. Professional Advantage also bears responsibility for notifying the UK Information Commissioner's Office or the relevant EU supervisory authority of the breach (without undue delay and, where feasible, within 72 hours of becoming aware of it) and for notifying any affected individuals where required. It is also exposed to any lawsuits for damages resulting from the breach. It is extremely important, therefore, that Professional Advantage is able to judge the adequacy of a Cloud service provider's information security provision.

Cloud services used to process personal data are expected to hold ISO/IEC 27001 certification. Certification demonstrates that the supplier operates an independently audited information security management system and has considered information security throughout its service model; it supports, but does not by itself prove, compliance with the GDPR principle of data protection by design and by default.

Any request for an exception to this requirement will be considered by the CEO.

Compliance, Policy Awareness and Disciplinary Procedures
Any security breach of Professional Advantage's information systems could lead to the loss of confidentiality, integrity or availability of personal or other confidential data stored on those systems. The loss or breach of confidentiality of personal data may constitute an infringement of the General Data Protection Regulation, contravenes Professional Advantage's Data Protection Policy, and may result in criminal or civil action against Professional Advantage.


The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against Professional Advantage. Therefore it is crucial that all users of the Company's information systems adhere to the Information Security Policy and its supporting policies as well as the Information Classification Standards.


All current staff and other authorized users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines, and will be required to acknowledge their understanding of this policy each quarter.


Any security breach will be reported to the CEO and handled in accordance with all relevant policies, including the Electronic Communication and Information Technology Use Policy.

Incident Handling
If a staff member or approved contractor is aware of an information security incident, then they must report it to the Information Management and Technology Service Desk at PAHelpdesk@pa.com.au.


Breaches of personal data will be reported to the UK Information Commissioner's Office or the relevant EU supervisory authority by Professional Advantage's Data Protection Officer.

Supporting Policies, Codes of Practice, Procedures and Guidelines
Supporting policies have been developed to strengthen and reinforce this policy statement. These, along with associated codes of practice, procedures and guidelines are published together and are available on the company’s internal site.


All staff and any third parties authorized to access Professional Advantage’s network or computing facilities are required to familiarize themselves with these supporting documents and to adhere to them in the working environment.


Additional regulations may be created to cover specific areas.

Review and Development
The heads of Services, Development and Hosting/Managed Services shall oversee the creation of information security and subsidiary policies.

The Information Security Manager will determine the appropriate levels of security measures applied to all new information systems.

Responsibilities
Staff and approved third parties at Professional Advantage
All staff members of Professional Advantage, agency staff working for Professional Advantage and third parties will be users of Professional Advantage and client information. This carries with it the responsibility to abide by this policy and its principles, relevant legislation, and the supporting policies, procedures and guidance. No individual should be able to access information to which they do not have a legitimate access right. Notwithstanding the systems in place to prevent this, no individual should knowingly contravene this policy, nor allow others to do so. To report policy contraventions, see Section Incident Handling.

Data Controllers
Many members of Professional Advantage will have specific or overarching responsibilities for preserving the confidentiality, integrity and availability of information. These include:

  • Project Managers - Responsible for the security of information produced, provided or held in the course of a project. This includes ensuring that data is appropriately stored; that the risks to data are understood and either mitigated or explicitly accepted; that the correct access rights are in place, with data accessible only to the right people; and that appropriate backup, retention, disaster recovery and disposal mechanisms exist.
  • Heads of Departments - Responsible for the information systems (e.g. HR, Registry, Finance), both manual and electronic, that support Professional Advantage. Responsibilities as for Project Managers above.
  • Departmental Managers - Responsible for a specific area of Professional Advantage's work, including all the supporting information and documentation, which may include working documents, contracts and staff information.

Records Manager / Data Protection Officer
Responsible for Professional Advantage's Data Protection Policy, data protection and records retention issues, and for reporting breaches to the CEO.

IT Team
Responsible for ensuring that the provision of Professional Advantage's IT infrastructure is consistent with the demands of this policy and current good practice.


Information Security Manager
Responsible for this and subsequent information security policies and will provide advice on information security issues.