Information Security & Data Protection Policy

Introduction
 
The information systems used by Bedel Mobility Solutions represent a considerable investment and are valuable assets to the company. The assets comprise equipment, software and data, essential to the effective and continuing operation of the company.
 
Much of the data is of a confidential nature, and it is necessary for all information systems to be protected against any events, accidental or malicious, which may put at risk the activities of the company or the investment in information.
 
 
Policy Statement
 
The purpose of this policy is to bring to the attention of all staff the need to improve and maintain security of information systems, and to advise managers of the approach being adopted to achieve the appropriate level of security and the importance of ensuring the confidentiality of personal and sensitive data.
 
 
Purpose
 
The purpose of information systems security is to ensure an appropriate level of:
 

Confidentiality
 
Information is obtained, held and disclosed lawfully and data access is confined to those with specified authority to view and/or change the data.
 
Integrity
 
All system assets are operating according to specification and the accuracy of data is maintained.
 

Availability
 
Systems and data are available when required, and the output from them is delivered to the user who needs it, when it is needed.
 
 
Passwords and Access Control
 
Each individual is responsible for keeping their own password secure, and must ensure it is neither disclosed to nor used by anyone else, under any circumstances. Staff must only access systems using their own login and password.  All staff are accountable for any activity carried out under their login and password, and this is audited.
 
 
Management and Access
 
Information security is discussed at recruitment stage for all staff, and a confidentiality clause is included in contracts of employment.
 
 
Risk Analysis
 
In order to make the best use of resources, it is important to ensure that each information system is secured to a level appropriate to the measure of risk associated with it. A risk assessment is carried out regularly by Maestro for our information systems, and measures are put in place to ensure each system is secured to an appropriate level.
 
 
Computer Operations
 
Responsibilities and procedures for the management and operation of all computers and networks are established, documented and supported by appropriate operating instructions. 
Procedures include: back-up, media control, event logging, monitoring, protection from theft, damage and unauthorised access, and capacity planning.
 
 
Business Continuity Planning
 
There is a process to develop and maintain appropriate plans for the speedy restoration of all critical IT systems.  Systems have threats and vulnerabilities assessed to determine how critical they are to the company.  Individual teams have procedures in place to maintain essential services in the event of IT system failure.
 

Personal Computers
 
Precautions are taken to prevent and detect computer viruses. Maestro will provide advice and support on virus control.
 
If sensitive information is present on the PC, then additional security software should be installed where the PC is taken off site or is not in a secure area.
 

Personal Use
 
Personal use of IT equipment is permitted providing that it is done with line management approval, it is not in support of a business, it does not use excessive system resources and it is done in the employee's own time. Consumables must be paid for.
 

Awareness
 
Managers are responsible for ensuring that all staff are aware of, and adhere to, this policy.