ISO registration
6339
NewNet plc: Information Security Policy

Scope: The Information Security Management System applies to all aspects of the work of NewNet plc, an Internet Service Provider based at Cams Estate, Fareham, Hampshire. The ISMS includes NewNet's own servers and IP based network services including data centre spaces in Fareham (Delme Place, Carnac Lodge, West Barn, Walled Garden) and NewNet's space within London centres including Telehouse East, Telehouse North, Telecity Meridian Gate, Telecity Harbour Exchange, Telecity Sovereign House.

The ISMS includes the network connecting customer servers and services to the external Internet but does NOT include the hardware, content or operation and management of customer owned and managed servers, equipment and services unless these are specifically provided by NewNet. Customers hosting their own equipment within NewNet data centres remain fully responsible for the operation of their equipment, for the content stored within that equipment and for the security of their own systems and services.

Control objective: NewNet provides management direction and support for information security in accordance with business requirements and relevant laws and regulations.

The Board and management of NewNet plc, located at Carnac Lodge, Cams Estate, Fareham, Hampshire PO16 8UJ, which is an Internet Service Provider, are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout the company in order to preserve its competitive edge, cash-flow, profitability, legal, regulatory and contractual compliance and commercial image. Information and information security requirements will continue to be aligned with NewNet goals and the ISMS is intended to be an enabling mechanism for information sharing, for electronic operations, including e-commerce and for reducing information-related risks to acceptable levels.

NewNet's current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS. The risk assessment, Statement of Applicability and risk treatment plan identify how information-related risks are controlled. The Regulatory Affairs Manager is responsible for the management and maintenance of the risk treatment plan. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.

In particular, business continuity and contingency plans, data back up procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy. Control objectives for each of these areas are contained in the Manual and are supported by specific, documented policies and procedures.

All employees of NewNet plc [and certain external parties identified in the ISMS] are expected to comply with this policy and with the ISMS that implements this policy. All staff, and certain external parties, will receive appropriate training.

The ISMS is subject to continuous, systematic review and improvement. NewNet plc has established a management steering group/information security committee, chaired by the Managing Director and including the Regulatory Affairs Manager, Technical Consultant and other managers, to support the ISMS framework and to periodically review the security policy.

NewNet plc is committed to achieving certification of its ISMS to ISO27001:2005. This policy will be reviewed to respond to any changes in the risk assessment or risk treatment plan and at least annually.


In this policy, "information security" is defined as:

preserving
This means that management, all full time or part time staff, sub contractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches (in line with the policy and procedures identified in section 13 of the Manual) and to act in accordance with the requirements of the ISMS. The consequences of security policy violations are described in NewNet's disciplinary policy. All staff will receive information security awareness training and more specialized staff will receive appropriately specialized information security training.

the availability
This means that information and associated assets should be accessible to authorized users when required and therefore physically secure. The computer network [identified as part of the scoping work for section 1 of the Manual] must be resilient and NewNet must be able to detect and respond rapidly to incidents (such as viruses and other malware) that may threaten the continued availability of assets, systems and information. There must be appropriate business continuity plans. NewNet will have systems in place and regularly monitored and tested to provide continuity of power supply and network access and availability. NewNet will work to ensure access to and availability of services in excess of 99.5% (basic SLA) and will expect to normally exceed 99.97%.

confidentiality

This involves ensuring that information is only accessible to those authorized to access it and therefore preventing both deliberate and accidental unauthorized access to NewNet's information and its systems [including its network(s), website(s), extranet(s), and e-commerce systems].

and integrity

This involves safeguarding the accuracy and completeness of information and processing methods and therefore requires preventing deliberate or accidental, partial or complete, destruction, or unauthorized modification, of either physical assets or electronic data. There must be appropriate contingency [including for network(s), e-commerce system(s), web site(s), extranet(s)] and data back-up plans, and security incident reporting. NewNet must comply with all relevant data-related legislation in those jurisdictions within which it operates (United Kingdom).

of the physical (assets)

The physical assets of NewNet including but not limited to computer hardware, data cabling, telephone systems, filing systems and physical data files.

and information assets

The information assets include information printed or written on paper, transmitted by post or shown in films, or spoken in conversation, as well as information stored electronically on servers, web site(s), extranet(s), intranet(s), PCs, laptops, mobile phones and PDAs as well as on CD ROMs, floppy disks, USB sticks, back up tapes and any other digital or magnetic media, and information transmitted electronically by any means. In this context "data" also includes the sets of instructions that tell the system(s) how to manipulate information (i.e. the software: operating systems, applications, utilities, etc).

of NewNet plc

NewNet plc and such partners that are part of our integrated network and have signed up to our security policy and have accepted our ISMS.

The ISMS is the Information Security Management System, of which this policy, the information security manual ("the Manual") and other supporting and related documentation is a part, and which has been designed in accordance with the [specification contained in ISO27001:2005].

A SECURITY BREACH is any incident or activity that causes or may cause a break down in the availability, confidentiality or integrity of the physical or electronic information assets of NewNet.

This information security policy was approved by the NewNet Board on 24th October 2007 and is issued on a version controlled basis under the signature of the CEO.

NewNet are members of ISPA, AMS-IX, Nominet & RIPE
Copyright NewNet plc 2008