Investigate Information Security Policy Summary

  1. Policy Purpose
  2. Operational Objectives
  3. Risk Management
  4. Roles and Responsibilities
  5. Portable Equipment Policy
  6. Data Management
  7. Policy and Procedure Management
  8. Coverage
  9. Referenced Policies and Procedures

1. Policy Purpose

The purpose of this policy, and of the associated policies and procedures in the company’s Information Security Management System (ISMS), is to protect information assets against all information security threats, whether internal or external, deliberate or accidental. The information assets concerned are those of:

  • Hooyu Ltd
  • Hooyu Ltd Customers
  • Hooyu Ltd Suppliers & Interested Parties

2. Operational Objectives

To deliver reliable online services where sensitive information generated internally, by end users, customer organisations, or data providers is secured from inappropriate access, modification, or removal.  To secure against misuse and corruption through risk and incident management while maintaining compliance with appropriate legal, regulatory, and contractual standards and obligations.  The Senior Management Team (COO, CTO, and departmental Directors), in conjunction with the CEO, commit to ensuring the company ISMS preserves the confidentiality, integrity, and availability of information throughout Hooyu Ltd’s operational systems and processes by:

  • Defining and monitoring information security objectives and metrics
  • Defining and labelling data sensitivity
  • Identifying, tracking and managing information security risk and events
  • Conducting regular management reviews of the achievement of objectives and targets
  • Performing audits of internal policies to maintain information security, proper risk assessment, and compliance with information security obligations
  • Maintaining information security standards certifications where management has determined they are required

It is the policy of Hooyu Ltd to ensure:

  • Information confidentiality is maintained as per legal, regulatory, and contractual obligations
  • Information integrity is protected by preventing unauthorised modification
  • Information availability is maintained for authorised users
  • Any vulnerabilities or breaches in information security are investigated, contained, remediated, and reported as required
  • Contractual, regulatory, and legislative requirements are monitored and complied with
  • Disaster Recovery and Business Continuity plans and other systems and processes critical to information security are implemented, maintained and tested at least annually
  • Information security training is given to all staff as appropriate to their role

3. Risk Management

Hooyu Ltd performs risk assessment to determine the value of information assets, the vulnerabilities they may carry, and the threats they may be exposed to. These risks are mitigated through effective treatment procedures, changes to systems and processes, and maintenance of an ISMS based on ISO/IEC 27001. As an aspect of that commitment, Hooyu Ltd maintains compliance with:

  • UK Data Protection Act 2018
  • UK Computer Misuse Act 1990
  • The EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR), which replaced Data Protection Directive 95/46/EC
  • Directive on Privacy and Electronic Communications (2002/58/EC)
  • Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
  • Financial Conduct Authority (FCA) rules and guidance
  • Markets in Financial Instruments Directive (MiFID)

And further to:

  • Maintain compliance with all customer, contractor, and supplier conditions relating to information security
  • Maintain compliance with Hooyu Ltd policies and procedures

4. Roles and Responsibilities

With Board support, Hooyu Ltd senior management has created, and regularly reviews, company policies to support and maintain the integrity of operational procedures, roles, and responsibilities. The Information Security and Compliance Team gives effect to these policies through the implementation and enforcement of company standards and procedures. All parties are required to follow those procedures in order to maintain the information security policy. All parties are responsible for reporting security incidents and risks, whether suspected or confirmed. Any attempt to jeopardise the information security of Hooyu Ltd or its affiliates will be subject to disciplinary and/or legal action as appropriate.

5. Portable Equipment Policy

Portable equipment must comply with the following requirements:

  • Portable data storage and portable devices with data storage capability must employ hardware-level storage encryption that is compliant with company cryptography policies
  • Sensitive/confidential data held on portable equipment must be disposed of as per company data disposal policies
  • Portable computers and mobile phones must run company approved anti-virus and configuration monitoring software
  • Portable computers and mobile phones must employ access controls in line with company account management and password policies
  • Portable equipment that impacts company continuity must be included in Business Continuity planning and testing
  • Portable equipment must comply with all company policies and procedures

6. Data Management

Company data controls require that all sensitive company data be encrypted in transit and at rest (when stored or archived). Sensitive company and third-party data must only be processed by systems, or transferred via channels, approved by senior management. Files containing sensitive information transmitted over email or other messaging services must be protected by encryption and a password that comply with company cryptography and password policies. The company Data Retention policy is based on, and compliant with, GDPR, together with the company’s other legislative, regulatory, and contractual obligations.

7. Policy and Procedure Management

This policy is reviewed by Senior Management annually, and as needed in response to changing business circumstances, to ensure it effectively supports and protects the business, our customers, suppliers, and other interested parties.

Management Reviews include:

  • The status of actions from previous management reviews
  • Changes in internal and external conditions that impact company risk and obligation landscape
  • The feedback on information security performance including relevant trends
  • Opportunities for continual improvement

8. Coverage

All Hooyu Ltd employees and suppliers working under a contract, who have exposure to information assets covered by the Hooyu Ltd Information Security Management System, are responsible for implementing this policy, and related policies and procedures, with the full support of Hooyu Ltd Management.

9. Referenced Policies and Procedures

The referenced policies and procedures summarised by this document are:

  • Annual Internal Compliance Audit Procedure
  • Annual Management Risk, Policy and Procedure Review
  • Business Continuity Plan
  • Clean Desk / Clear Screen Policy
  • Data Retention Policy
  • Disaster Recovery Plan
  • Email Phishing Avoidance
  • Employee Handbook Appendix A: IT Policy
  • Employee Handbook Appendix B: Information Security Policy Manual
  • Fraud Prevention Policy
  • Incident Management Procedure
  • Intellectual Property Policy
  • Policy and Procedure Document Requirements and Approval Process
  • Procedure Training Program Policy
  • Risk Assessment & Treatment Methodology
  • Risk Scoring Matrix
  • Remote Office Security Requirements
  • Starter, Leaver, and Change of Role policies and procedures