Information Security Policy
This is a Controlled Document
In line with Vaxa's governance framework, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.

| Version | Effective | Reviewed | Next review due |
|---|---|---|---|
| 1.1.1 | 2024-09-24 | 2024-09-24 | 2025-09-24 |
Purpose
This policy outlines Vaxa’s overarching approach to information security management and signposts to specific sub-policies within our framework.
Scope
The Information Security Policy applies to:
- All organisational and customer information, regardless of format.
- All individuals associated with Vaxa, including temporary workers and external contractors.
Roles & Responsibilities
Who is responsible for doing what. This should refer to departments or roles instead of specific individuals.
| Role | Responsibility |
|---|---|
| [Role] | [Responsibility] |
Policy Statements, Standard, or Procedure
Related ISMS Policies
To ensure comprehensive information security management, Vaxa has opted to establish several detailed policies that support and complement this Information Security Policy.
Employees, contractors, and other stakeholders are required to familiarise themselves with these policies and adhere to their guidelines.
The related policies include:
| Policy | Description |
|---|---|
| Privacy Policy | Outlines how Vaxa collects, uses, discloses, and manages personal and sensitive information. |
| Acceptable Use Policy | Describes the acceptable use of Vaxa’s information systems and resources. |
| Personnel Screening Policy | Details the procedures for screening personnel before employment/engagement. |
| Access Control Policy | Describes the requirements for granting access to Vaxa’s information systems and resources. |
| BYOD Policy | Describes the requirements for using personal devices to access Vaxa’s information systems and resources. |
| Data Classification Policy | Details measures and practices to classify data in compliance with relevant regulations and our risk tolerance, so that appropriate protections can be applied. |
| Data Retention Policy | Sets out the principles for retaining and disposing of data in a secure and compliant manner. |
| Mobile Device Policy | Describes the requirements for using mobile devices to access Vaxa’s information systems and resources. |
| Password Policy | Describes the requirements for creating and managing passwords. |
| Patching Policy | Describes the requirements for keeping Vaxa’s information systems and resources up-to-date with security patches. |
| Secure Development Policy | Outlines best practices for developing and maintaining secure software applications. |
| Supplier Security Policy | Establishes security requirements for engaging and managing third-party suppliers. |
| Asset Management Policy | Details procedures for managing information assets throughout their lifecycle. |
| Cloud Security Policy | Provides guidelines for the secure use and management of cloud services. |
| Remote Working Policy | Specifies security measures and practices for employees working remotely. |
| Backup Policy | Outlines procedures and guidelines for data backup to ensure data availability and integrity. |
Information Security Objectives
- The ISG working group sets annual objectives, which are reviewed quarterly.
- Objectives are available in the Handbook.
Training and Awareness
- All staff and contractors must undergo security training to support their roles. The training must align with their job roles and the data they handle.
- Induction for new employees includes mandatory security awareness.
- Staff will be given regular training updates to maintain awareness of changing security threats.
Physical Security
- Staff will keep their security access passes secure and report any that are lost.
- Use physical restrictions such as keys or preferably swipe cards to manage access to restricted areas and equipment.
- Always ensure visitors are accompanied on site.
Oral Communications
Use caution when communicating confidential information in public areas due to the risks of being overheard.
Third-Party Security
- All third parties processing data on behalf of the organisation will undergo a risk assessment.
- All third parties handling internal or confidential information must sign confidentiality agreements.
- The organisation’s security policies will be communicated to third parties and contractually obligated as required.
Refer to our related third-party security policies:
- Supplier Security Policy: provides guidance on expectations around the approach to third-party security, with particular emphasis on personal data protection.
Personnel Screening
Personnel will undergo background checks before being employed. See the Personnel Screening Policy for more information.
Exceptions
Define how exceptions to the controlled document will be tracked.
Compliance & Monitoring
Define how compliance with the controlled document will be monitored and what checks will be performed (where applicable).
References
Procedure documents should map back to a governing policy or standard, and may relate to one or more procedures or other uncontrolled documentation. Policy documents may relate to an internal or external framework or legal requirement.