Information Security Statement

Updated January 2024

1. Introduction

esynergy’s board believes that it has an ethical, legal and professional duty to ensure that the information it holds is compliant with the principles of confidentiality, integrity and availability. We must ensure that the information we hold or are responsible for is safeguarded where necessary against inappropriate disclosure; is accurate, timely and attributable; and is only available to those who should be able to access it.


2. Scope

The Information Security Policy’s primary purpose is to ensure the security, integrity and availability of data and resources through effective IT security processes and procedures; to describe how security is implemented; to give guidance to staff whose actions can affect the confidentiality and integrity of the business, its data, systems and services; and to illustrate the overall commitment to security issues within our company.

This policy has the full support of the esynergy board of Directors, and all our staff are required to abide by it in the course of carrying out their work.


3. Objectives

The confidentiality, integrity and availability of information and data are critical to the ongoing functioning and success of esynergy. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult to recover.


The objectives of this policy are to:

  • Provide a framework for establishing suitable levels of information security for all company information systems (including but not limited to all Cloud environments commissioned or run by esynergy, computers, storage, mobile devices, networking equipment, software, and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
  • Make certain that users are aware of and comply with all current and relevant UK and EU legislation.
  • Provide the principles by which a safe and secure information systems working environment can be established for authorised users.
  • Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
  • Protect the company from liability or damage through the misuse of its IT facilities.


This policy is applicable to, and will be communicated to, all staff and other members of the company and third parties who interact with information held by esynergy and the information systems used to store and process it.


4. Information Security Principles

The following information security principles apply to the security and management of information at esynergy:

  • Information is classified according to an appropriate level of confidentiality, integrity and availability and in accordance with relevant legislative, regulatory and contractual requirements.
  • Staff with particular responsibilities for information must ensure they handle that information in accordance with its classification level; and must abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
  • All users must handle information appropriately and in accordance with its classification level.
  • Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
  • Information will be protected against unauthorised access and processing in accordance with its classification level.
  • Breaches of this policy must be reported to Senior Management and will be dealt with under our Disciplinary Procedures.
  • The information security policy will be regularly reviewed, including through annual internal audits and penetration testing.


5. Legal & Regulatory Obligations

esynergy recognises and is fully committed to its responsibility to abide by all current UK and EU legislation in regard to data protection, as well as a variety of regulatory and contractual requirements.


6. Information Classification

The following table provides a summary of the information classification levels that have been adopted by esynergy and which underpin the principles of information security defined in this policy. These classification levels explicitly incorporate the General Data Protection Regulation’s definitions of Personal Data and Special Categories of Personal Data.


Classification: Restricted
Definition: Normally accessible only to specified members of staff with specific access rights.
Example: GDPR-defined Personal Data (information that identifies living individuals, including ID proofs, home/work address, email address, telephone number); Financial and HR records; internal record management systems; legal or Board reports and minutes.

Classification: Internal Use
Definition: Normally accessible only to members of staff via login and password.
Example: Client contracts/correspondence; Associate CVs and information on our Salesforce database.

Classification: Public Access
Definition: Accessible externally on our website.
Example: Only general information about the company that is published on our website, and policies that we are required to make publicly available.


7. IT and Technology Support Team

All Information Technology support and management for esynergy is carried out by our IT Support Team and an independent contractor, Coviello Computer Services (CCS).

Coviello Computer Services is a company that has been working in the tech support field for over 30 years. CCS has supported and maintained esynergy’s systems since esynergy was set up in 2001.

The internal IT Support Team is on site and manages the day-to-day operations of esynergy.

For any support with IT-related issues, please email the team at helpdesk@esynergy.co.uk.


CCS supplies, installs and maintains all the IT infrastructure for esynergy and, as such, has a comprehensive knowledge of all aspects of esynergy’s systems and security. In collaboration with the IT Support Team, CCS tests the robustness of the assets and systems at regular intervals throughout the year. CCS believes in working on a prevention basis whenever possible, which means they operate a programme of testing and replacing assets and equipment at frequent intervals to avoid the risk of system failures or breaches.


CCS provides esynergy with a team consisting of three remote workers, two of whom can be on site within 4 hours if necessary. The CCS team is augmented by our internal IT Support Team, who are employed full time at the esynergy offices to carry out daily IT tasks in collaboration with CCS. The IT Support Team is required to complete regular relevant training courses to ensure their continued professional development and enhance their effectiveness in supporting esynergy to the level required.


8. Access to Data and Controls Functionality

8.1. Secure Log-on Procedures

Access to esynergy computer systems requires an MFA logon authentication process that includes a unique user ID and password and a separate device.

The following logon features are in place:

  • System/application identifiers are not displayed until the logon procedure has been successfully completed.
  • No indication is given of which part of the logon information is incorrect.
  • The system records the date and time of successful logons and logoffs linked to workstation identity.
  • The password being entered is not displayed in clear text.
  • Passwords are not transmitted in clear text over the network.
  • Systems enforce password changes at various intervals.
  • Whenever possible, access to systems and devices is controlled by biometrics: fingerprint, facial or iris recognition, or a combination of two.
  • Any remote access is IP restricted.


8.2. Identifying and Authenticating Users

To facilitate and operate effective access control and audit functions, the following controls are in place:

  • All users of an information asset can be uniquely identified.
  • Where group identities are used, a record of those users with access to the group is securely held and regularly reviewed.


8.3. Password Management

The following criteria are in place:

  • Complex passwords are enforced. They must be a minimum of 8 characters long and must include at least three of the following character types to be accepted by the systems: upper case, lower case, numerals and special characters.
  • Periodic password changes are enforced.
  • Repetition of past passwords is not allowed.
  • Passwords are not displayed on the screen when being entered.
  • Passwords are stored separately from the application system data.
  • Passwords are transmitted in encrypted formats.
  • Where any password has been compromised it is reported to IT as soon as practicable, and all accounts or apps associated with that password are then reset.


8.4. System Utilities

System utilities are only accessible via Administrative accounts. Administrative accounts are top-level access accounts that can override standard controls and protocols. Administrator accounts are only set up when absolutely necessary, and access to system utilities via these accounts is strictly confined to the IT Support Team and Leadership Team.

The set-up of new Administrative accounts has to be approved by the Leadership Team prior to being processed by the IT Support Team. Any Administrative accounts that are no longer essential are deleted.


8.5. User Access Management

Effective access management is essential to prevent unauthorised access, loss or corruption of data, the introduction of malicious or unauthorised code, and the abuse of access rights. esynergy’s file storage and records management databases are structured to ensure that access is restricted on a ‘need to know’ basis, dependent on the seniority or specific job function of the individual. Further to this, folders are structured so that they are only visible on the network to those individuals with the authorisation to access them.


8.6. User Registration

esynergy requires all users to be set up by the IT Support Team, and strong user registration processes are in place. The level of access rights granted to a new user must be authorised by a senior manager and confirmed to the IT Support Team in writing.

Training documentation and webinars are an integral part of the user registration process.

Prior to accessing the systems for the first time all new users are provided with copies of esynergy’s Data Protection Policies and Security Policies and must acknowledge electronically that they accept their rights and responsibilities under these policies and will adhere to esynergy’s acceptable terms of use as part of the registration process.

A procedure is in place for temporarily suspending user accounts. Any user can be blocked from accessing the systems within minutes of the IT Support Team being notified of such a requirement. This procedure would apply where an individual has lost their log-on credentials, is suspected of misusing the system, or is on long-term sick leave or leave of absence.


8.7. User De-registration

A user de-registration process is in place. Where an individual no longer needs any access to the system, for whatever reason, their access can be permanently removed within minutes of the IT Support Team being notified of such a requirement. All passwords are changed and all login access is blocked. Phones are wiped of all esynergy data, remotely if necessary; remote access from any other device is revoked; email is redirected to an approved member of staff; and any group memberships are removed. Then all licences are removed.


8.8. Privilege Management

System and database administrators have special access rights that allow them to view and correct system data as part of a system’s maintenance or potentially to amend data that other users have entered in error. These rights are restricted to a very small number of approved staff who have Administrative accounts.


8.9. User Password Management

Password creation, distribution and use is strictly controlled. Users are issued with guidance on password confidentiality, storage and what to do if they forget a password. The guidance also includes instructions for reporting suspected password/identity misuse. The open recording of passwords on Post-it notes or similar is strictly forbidden.


8.10. Review of User Access Rights

All system user access rights are regularly reviewed. The review is used to ensure users remain active and their access rights are allocated correctly.


8.11. Unattended User Equipment and Data

A ‘clear desk and screen’ standard has been adopted across the office to ensure that data is protected from unauthorised access. Users must lock their workstations whenever they leave them unattended during the day, through the use of a lock screen or password-protected screensaver.


8.12. Data Backup and Recovery

All esynergy system data is backed up regularly and stored securely to protect it from unauthorised access or mechanical or environmental threats. Backups include the following:

  • Office 365 email, OneDrive and SharePoint for all users are backed up daily using Acronis Cloud Backup.
  • A Salesforce backup is taken weekly and downloaded onto SharePoint for offsite backup as above.
  • Finance and accounting systems are backed up daily and the data stored locally and in SharePoint.
  • Local workstations are configured so that a network drive is set as the default for the storage of data, rather than a local folder on the computer itself.
  • A quarterly test and restore is carried out for all backup systems to ensure effectiveness and security.


8.13. Preventing Disruptions to Information Processing

esynergy utilises virtual services to store its data and systems. A physical DNS/DHCP server is located on site in secure Comms rooms. Access requires door codes, and access to the codes is strictly controlled.

In addition to the above:

  • The server is protected by an independent UPS.
  • Switches and routers are protected by UPS.
  • Two duplicate firewalls are used to route data through an independent leased line.
  • Access to the firewalls is restricted by IP to approved, experienced support engineers.


9. Business Continuity and Disaster Recovery Management

Business continuity is a core component of risk management and emergency planning. Its purpose is to counteract or minimise interruptions to esynergy’s business activities from the effects of a disaster that causes a major failure or disruption to its systems (e.g. data, data processing, facilities and communications).

In the case of severe disasters (fire, flood, explosion etc.) it may not be possible to operate systems from their normal locations. In such circumstances esynergy’s Disaster Recovery procedures would include the following:

For minor disasters where the building is still in use:

  • CCS will work together with the IT Support Team to resolve all issues.
  • CCS will access the site through IP-restricted remote access methods to make repairs or modifications to the systems as necessary to ensure continuity of work for staff on site.
  • If required, a representative of CCS can be on site within 4 hours to assist the IT Support Team with whatever tasks are required.


For major disasters where the building is not accessible:

  • All esynergy staff will work from home using laptops while a temporary office is organised.
  • All general work-related data is stored on SharePoint, Salesforce and HubSpot and can be accessed by secure login and password from esynergy-issued laptops.
  • Back Office and Accounts work-related data is stored remotely in Intacct, HiBob and SharePoint.
  • All email is available through Office 365 with secure logon and password.
  • All staff will communicate via mobile phone, encrypted WhatsApp or Slack channels, and internal email.

Further information can be found in esynergy’s ‘Disaster Recovery and Business Continuity Policy’.


9.1. Testing and Review

The Business Continuity and Disaster Recovery Plan is regularly tested through simulation exercises with the plan being refined or updated where necessary.


9.2. Staff Awareness

Relevant information is communicated to all staff to ensure that they are fully aware of the Business Continuity and Disaster Recovery plans and the service-specific procedures which affect them, and of their specific role in the recovery process. Testing and training are conducted regularly to ensure that staff know what to do if business continuity plans are activated.


10. Prevention and Detection of Malicious and Unauthorised Code

Software and computerised information systems are vulnerable to the introduction and spread of malicious code, such as computer viruses, network worms, Trojan horses, logic bombs and spyware.

esynergy makes all users aware of the dangers of unauthorised or malicious code and the need to protect the integrity of esynergy’s systems.


10.1. Safeguards

esynergy utilises Zyxel USG firewalls as the first line of defence. All anti-virus and anti-spam software is regularly run and updated, and IDP signature checks are carried out. All system databases are updated automatically every hour.

Sophos Anti-Virus software is loaded on all users’ computers/laptops to defend against malicious or mobile code on individual devices and is controlled by CCS and esynergy’s IT Support Team using the Sophos Central console. New viruses are being produced daily, so the anti-virus software is checked for updates hourly, with any new updates being rolled out to all esynergy users whenever they are available. These updates are automatic.

Staff are regularly reminded about the danger of phishing attacks or similar and given training with examples and advice on determining how to spot a phishing attack. Staff are encouraged to share phishing attack examples with the IT Support team, so all new threats are recognised and managed as quickly as possible.

Quarterly phishing testing emails are sent to all internal staff and any potential compromises require the user to go through phishing training.  These test emails are sent through Ironscales.


10.2. Software Management Systems

esynergy’s computers/laptops have controls in place to prevent the downloading of particular types of files that could contain threats. Any suspicious incoming messages are caught in our filters and can only be released into our systems once scanned and approved by a member of the IT Support Team. No new software can be accessed from or introduced into our systems unless it has been reviewed and cleared by the IT Support Team and authorised by an esynergy Director, and any authorised software can only be installed by the IT Support Team.


11. Compliance, Policy Awareness and Disciplinary Procedures

Any security breach of esynergy’s information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on the information systems. The loss or breach of confidentiality of personal data is an infringement of the General Data Protection Regulation, contravenes esynergy’s Data Protection Policy, and may result in legal action against us.

The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against esynergy. Therefore, it is crucial that all users of the company’s information systems adhere to the Information Security Policy and supporting policies.

All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.

Any security breach will be handled in accordance with all relevant Data Protection policies and esynergy’s disciplinary procedures.


11.1. Incident Handling

If a member of the company is aware of an information security breach, they must report it to the IT Support Team at helpdesk@esynergy.co.uk.

Breaches of personal data will be reported to the Information Commissioner’s Office by esynergy’s GDPR Team.


11.2. Supporting Policies

Supporting policies have been developed that support and enhance this policy. These are available on esynergy SharePoint and in HiBob. All staff and any third parties authorised to access esynergy’s network or computing facilities are required to familiarise themselves with these supporting documents and to adhere to them in the working environment.


11.3. Review and Development

This policy shall be reviewed and updated regularly to ensure that it remains appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.


12. Responsibilities

12.1. All Staff

All members of esynergy staff, third parties and collaborators on esynergy projects will be users of information. This carries with it the responsibility to abide by this policy and its principles, relevant legislation and supporting policies. No individual should be able to access information to which they do not have a legitimate access right. Notwithstanding the systems in place to prevent this, no individual should knowingly contravene this policy, nor allow others to do so.


12.2. Data Controllers

Many members of staff will have specific or overarching responsibilities for preserving the confidentiality, integrity and availability of information. These include:


  • Senior Information Risk Owners (SIRO) – Senior Management Team.

Responsible for reporting on Information Security and Management to the Leadership Team. The SIRO acts as advocate to the CEO and will collaborate with other company officers in regard to managing security risks.


  • Data Protection Officer (DPO) – Currently Head of Contracts and Compliance.

Responsible for esynergy’s Data Protection Policy, data protection and records retention issues, and breach reporting to the ICO. The Data Protection Officer is responsible for ensuring critical business systems meet all the information security and risk management standards.


  • Heads of Departments

Responsible for the information systems (e.g. Finance/Operations/Administration/Sales/Marketing), both manual and electronic, that support esynergy’s work. Heads of Departments are responsible for ensuring that staff in their teams meet the information security standards required by esynergy and for briefing the SIRO on any issues or concerns.


13. Related Policies

  • Data Privacy and Retention Notice
  • Data Protection Policy
  • Internet and Social Media Policy
  • Acceptable Use - Electronic Equipment and Communications Policy
  • Email Usage Policy
  • Disaster Recovery and Business Continuity
  • Bring Your Own Device Policy


This policy has been approved by the Board and will be reviewed biannually to ensure the Company continues to promote and maintain the highest standards.

January 2024