Information Security Policy
1.0 DOCUMENT CONTROL
1.1 DOCUMENT DETAILS
Title: Information Security Policy
Type: Policy
Effective Date: 05/06/2017
Revision Period: Annual
Author: Craig Moores / Function: Consultant
Owner: Melissa Wallbank / Function: Managing Director
Reviewed/authorised by: Andrew Wilson, Carolyne Vale, Phil Hindmarch / Function: Directors
1.2 CHANGE HISTORY
Version | Date | Revision Description |
---|---|---|
9.0 | 21/08/2024 | Annual review |
8.0 | 21/08/2023 | Annual review |
7.0 | 22/06/2022 | Annual review |
6.0 | 17/06/2021 | Annual review |
5.0 | 18/06/2020 | Annual review |
4.0 | 20/06/2019 | Annual review |
3.0 | 06/06/2018 | Annual review |
2.0 | 05/06/2017 | Annual review |
1.0 | 03/06/2016 | Final draft |
0.1 | 14/01/2016 | Initial draft |
1.3 RELATED DOCUMENTS

This Policy is supported by our data protection policy.

1.4 COMMUNICATION, REVIEW AND MAINTENANCE
This Policy is communicated to all staff as part of their induction and as part of the annual refresher programme. The Policy is held on the HO filing system. Staff shall be informed of any changes to the Policy by their line manager. This Policy shall be made available to relevant interested parties as required.
This Policy shall be reviewed annually by the Policy Owner to ensure it remains fit for purpose, and at other times as dictated by operational needs.

1.5 REFERENCES

- ISO/IEC 27000:2013 Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO 27000)
- BS ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements (ISO 27001)
- BS ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls (ISO 27002)
- Payment Card Industry Data Security Standard (PCI DSS) v4.0 dated April 2024

2.0 DOCUMENT PURPOSE

To define the policy requirements for information security within Wilson Vale.

3.0 SCOPE

Information takes many forms. The scope of this Information Security Policy includes, but is not limited to:

- All information processed by Wilson Vale in pursuit of its operational activities, regardless of whether it is processed electronically or in paper form, including but not limited to:
  - External customer products, materials, information and reports
  - Operational documents, plans, and minutes
  - Financial and compliance records
  - Employee records
- All information processing facilities used in support of Wilson Vale’s operational activities to store, process or transmit information
- All external organisations that provide services to Wilson Vale in respect of information processing facilities.

This Policy applies to all staff at all locations, including those storing, transmitting or processing information within Wilson Vale’s cardholder data environment.

4.0 DEFINITIONS

Information Security protects the following three attributes of Wilson Vale’s information:

- Confidentiality – Ensuring that information is not made available or disclosed to unauthorised individuals, entities, or processes
- Integrity – Protecting the accuracy and completeness of information and information processing assets
- Availability – Ensuring information is accessible and usable upon demand by an authorised entity.

Other definitions applicable to this Policy:

Information Asset – Any information and information processing assets of value to Wilson Vale.
Information Owner – An individual accountable for the information asset.
Information Processing Facilities – Any information processing system, service or infrastructure, or the physical locations housing them.
Cardholder Data Environment – The physical or IT environment within which cardholder data is stored, processed or transmitted.
Staff – Permanent or fixed-term staff working for Wilson Vale.
Manager – Any Wilson Vale employee with a defined supervisory or management role.
Third Party – All external parties, including existing or potential customers, suppliers/contractors, agency staff, regulators and any other authorised visitor to Wilson Vale’s premises.

5.0 RISKS

Loss of confidentiality, integrity or availability of Wilson Vale’s information, its systems or the places where its information is stored or processed may result in legal, regulatory or contractual breaches, and in financial or reputational loss to the company and/or its customers.

6.0 RESPONSIBILITIES

Managers must provide staff and applicable third parties with education and training to support adherence to this Policy and other supporting information security policies.

Staff must comply with this Policy.

Third Parties must comply with the applicable provisions of this Policy as directed by Wilson Vale Management.

7.0 POLICY

This Policy establishes the necessary policies and an organisational structure that will:

- Ensure Wilson Vale’s information, systems and infrastructure are appropriately protected, preserving the confidentiality of information, its integrity (completeness and accuracy), and the availability of the information and of the systems and places where it is stored and processed, in line with business requirements
- Ensure Wilson Vale’s information security related legal and regulatory requirements are met, including the management and maintenance of compliance with the Payment Card Industry Data Security Standard (PCI DSS)
- Ensure that Wilson Vale meets its customers’ contractual information security obligations and provides assurance of its capability and capacity to manage information security adequately and meet its customers’ needs.

Compliance with this Policy is necessary to limit business damage by preventing information security incidents and minimising the impact of those that do occur.

7.1 INFORMATION SECURITY

It is the policy of Wilson Vale to ensure that:

- Information security supports Wilson Vale’s business objectives
- Wilson Vale’s information security responsibilities are defined and communicated
- Information security related policies, processes and procedures are in place to identify information security risks and reduce them to an acceptable level, protecting Wilson Vale’s systems and infrastructure and meeting the information security requirements of interested parties, including the company’s customers
- The confidentiality, integrity and availability of Wilson Vale’s information, and of the places where that information is stored, handled and processed, are maintained
- Information security objectives are established for relevant functions
- In the event of a disruption, Wilson Vale can continue to deliver an acceptable level of service for its critical activities to its interested parties
- Appropriate information security measures are included in contracts with third parties, where possible.

7.2 INFORMATION SECURITY COMPLIANCE MANAGEMENT

Activities related to the use of Wilson Vale’s information, including the systems and places where it is stored and processed, shall be monitored to ensure that Wilson Vale’s requirements for confidentiality, integrity, and availability are maintained. Staff or third parties with access to Wilson Vale’s information, systems or premises are responsible for reporting any suspicious activity, security breaches or security violations to their manager, a Wilson Vale Director or another authorised Wilson Vale contact.

Wilson Vale’s Directors may authorise deviation from the company’s information security related policies only when:

- A cost/benefit analysis of the available compliance options and of the risks of not complying has been performed and documented
- The analysis indicates that compliance would have a significant and unacceptable business impact
- Risk acceptance has been formally approved
- Wilson Vale remains compliant with legal and regulatory requirements.

7.3 INFORMATION SECURITY RISK ACCEPTANCE

Wilson Vale’s Directors must formally accept responsibility for all identified information security risks when deviating from the company’s information security related policies. Information security risk acceptances must, in advance, be:

- Documented by the relevant Wilson Vale Manager
- Filed with, and approved by, Management

7.4 SECURITY AWARENESS AND TRAINING

Staff with access to Wilson Vale’s information, systems and the places where information is processed shall be educated on their security responsibilities. Education shall be provided at induction so that new employees understand their responsibilities in respect of the protection of information and of the places where information is processed and stored.

Staff shall be provided with annual information security education and supporting reference materials, as required by PCI DSS. Directors must ensure the provision of refresher courses and other related materials to regularly remind staff of their obligations with respect to security.