Security Policy
Objective
Our Cyber Security Policy aims to safeguard company information assets against internal and external threats, ensure business continuity, reduce risk, and support growth. This policy is guided by IASME Cyber Assurance principles as we work towards certification, ensuring alignment with UK GDPR and the Data Protection Act 2018. (A control sheet version of this document is available upon request).
Governance and Responsibilities
We integrate cyber security into operational systems and regularly review security measures to adapt to evolving risks, industry standards, and regulations.
Risk Management
We proactively monitor risks like unauthorised access, phishing, malware, and data breaches. Regular risk assessments are conducted quarterly using a simple checklist approach to identify new risks and update security controls accordingly.
Access Control
System access is restricted based on the principle of least privilege. Multi-factor authentication (MFA) and strong password policies are enforced.
Secure Systems and Devices
All systems and devices meet industry security standards, receive timely updates, and are protected by tools like Huntress and IronScales to mitigate threats.
Network and Cloud Security
We use secure platforms with encryption and authentication controls. Our LMS platform operates on a best-practice AWS infrastructure, leveraging built-in security features such as encryption, access control, and continuous monitoring to ensure data integrity and system resilience.
LMS Platform Security
Our LMS platform is hosted on AWS, following best practice infrastructure standards for security and performance. We use AWS security features such as Identity and Access Management (IAM), and automated backups. The platform is protected by robust access controls, data encryption, and regular software updates. User access is managed based on roles and permissions, with multi-factor authentication implemented for administrative accounts. Security testing and monitoring are conducted to identify and address potential vulnerabilities. Backup and recovery processes are in place to ensure data integrity and business continuity.
Data Protection and Compliance
We comply with UK GDPR, enforce strict data access controls, use encryption, and securely delete unnecessary data.
Business Continuity
Critical data is backed up regularly to enable swift restoration in case of incidents, minimising operational disruptions.
Supplier and Third-Party Security
We collaborate with trusted partners (e.g., Microsoft, AWS) and enforce strict controls when third parties access our systems.
Incident Response
A structured incident response plan ensures effective management of cybersecurity incidents. The plan involves:
- Identification: Detect potential security incidents through monitoring tools and user reports.
- Containment: Isolate affected systems to prevent further damage.
- Eradication: Remove the root cause of the incident, such as malware or unauthorised access.
- Recovery: Restore systems and data from secure backups, ensuring integrity and security.
- Lessons Learned: Conduct a post-incident review to identify improvements and update security protocols.
- Notification: Where applicable, notify clients and regulatory bodies in line with compliance requirements.
Training and Awareness
We provide regular training on emerging threats, security best practices, and data protection to keep staff informed and vigilant.
Continuous Improvement
This policy is reviewed annually and adapted as needed to maintain compliance with industry best practices and our goal of achieving IASME Cyber Assurance certification.
Cyber Security Control Sheet
Control Area | Control Description | Responsible Party | Frequency | Status |
Access Control | Enforce least privilege, MFA, and password policies | CEO | Ongoing | Active |
Systems and Device Security | Apply security patches and updates, monitor endpoints | Cyber Security Partner | Weekly | Active |
Network and Cloud Security | Use encryption, and monitor AWS infrastructure | Development Team | Continuous | Active |
LMS Platform Security | Implement IAM, VPC, and backup procedures on AWS | Development Team | Monthly | Active |
Data Protection | Comply with GDPR, manage data securely | CEO | Quarterly | Active |
Business Continuity | Perform regular data backups and test recovery plans | CEO | Quarterly | Active |
Supplier Security Assurance | Review third-party access and security compliance | CEO | Annually | Active |
Incident Response | Maintain incident response plan | CEO | Bi-Annually | Active |
Training and Awareness | Provide security training and awareness to all staff | CEO | Quarterly | Active |
Policy Review and Improvement | Review cyber policy and update based on best practices | CEO | Annually | Scheduled |