SECURITY POLICY

1.Introduction

Cooper Parry and its group companies (“CP”) recognise that information is an important business asset of significant value to CP. The confidentiality, integrity and availability of information held by CP needs to be rigorously protected from threats that could disrupt business continuity.

This policy has been written to provide a mechanism to establish procedures to protect against security threats and minimise the impact of security incidents.

This policy outlines the standards you must adhere to when using our systems.

The Risk and Compliance Partner has approved this policy and has overall responsibility for this policy, including keeping it under review.

It is the responsibility of each individual handling any information for or on behalf of CP to ensure that you adhere to the principles described in this policy. Breach of this policy may be dealt with under our disciplinary procedure (where applicable) and/or may amount to a material breach of a supply contract. You should therefore read it carefully and make sure that you understand and comply with it.

This policy does not form part of any employee’s contract of employment, and we may amend it at any time.

2.Contact

If you have any questions regarding this policy or need to make a report or notification in accordance with its requirements, please use the following details:

Simon Atkins
Risk and Compliance Partner
simona@cooperparry.com
07817 974008

Michelle McDonald
Risk and Compliance Manager
michelle.mcdonald@cooperparry.com
07471 218625

Stewart Etches
Information Technology Director
stewarte@cooperparry.com
07706 341309

Matt Bell
Cyber Security Manager
mattb@cooperparry.com
07989 405913

3.Who does this policy apply to?

This policy applies to all employees, officers, consultants, self-employed contractors, casual workers, volunteers and interns. It also applies to anyone else who at any time has access to our IT and communications systems.

4. Equipment security

You are responsible for the security of the equipment allocated to you and any other equipment used by you in the course of your employment. You should use passwords on all IT equipment and take particular care when taking any equipment outside of the office.

You should keep your passwords confidential and change them when prompted to do so every 90 days.

You must not use another individual’s username, password or any other login credentials and should not allow any other individual to login using your credentials.

If you are aware from your desk, you should lock your computer. You should log out and ensure your computer is fully shut down at the end of each working day.

5.Systems and Data security

You should not delete, destroy or modify existing systems or programs unless authorised by the Tech Support Team.

You must not download or install software from external sources without the prior consent of the Tech Support Team.

You must not attach any device or equipment including mobile phones, tablet computers, USB storage devices or any other removable media to our systems without the prior consent of the Tech Support Team.

You should exercise particular caution when opening unsolicited emails from unknown sources. If an email looks suspicious you should immediately report it to the Tech Support Team. Do not reply to it, open any attachments or click any links in it.

Inform the Tech Support Team immediately if you suspect your computer may have a virus.

6.Email use

You should ensure that any emails to clients and other third parties include our standard email signature.

You must not send abusive, obscene, derogatory, discriminatory, harassing or otherwise inappropriate emails.

Consider using password protection and any other appropriate safeguards when sending any particularly sensitive or confidential information.

Do not use your own personal email account to send or receive emails for the purpose of our business.

7.Internet use

You should not access any web page or download any image or other file from the internet which could be regarded as illegal, offensive, discriminatory, immoral or otherwise inappropriate.

We may block or restrict access to certain websites at any time, at our discretion.

8.Cyber Incidents

You should immediately report any actual or suspected information security incident to Michelle McDonald and should not engage in your own investigation unless authorised to do so.

9.Personal data breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This could be as a result of a breach of cyber security (see above), such as a hack or virus, or it could be as a result of a breach of physical security such as a loss or theft of a mobile device or paper records. Some examples include:

(a) leaving a mobile device on a train

(b) destruction of the only copy of a document

(c)sending an email or attachment to the wrong recipient

If you suspect a data breach may have occurred, then you must contact Michelle McDonald immediately.

We may need to report the matter to the Information Commissioner’s Office within 72 hours of discovery of the breach. This is why it is important that all potential data breaches are reported internally to Michelle McDonald immediately. Anyone who fails to report a data breach could face disciplinary action.

You should not communicate with the press and shall treat all actual or potential data breaches as confidential unless otherwise instructed in writing by Michelle McDonald.

For further information, please refer to our Data Breach Notification Policy, which is available upon request.

10.Confidential Information

Confidential information includes any information that is marked or otherwise identified as confidential, or information that would otherwise be considered by a reasonable person to be confidential in the context and circumstances in which it is known or used.

You must treat all confidential information as strictly confidential both during employment and after your employment ends. This includes:

(a) not accessing or using any confidential information to which you have not been provided access or authorisation to use

(b) not disclosing, publishing, communicating or otherwise making available confidential information to anyone who does not have the authority to know and use the confidential information, except as required to properly perform your role

(c) if you do need to share confidential information with a third party, you must ensure the third party enters into a confidentiality agreement

(d) not removing confidential information from the workplace unless specifically approved by your line manager or business contact (for suppliers)

(e) not discussing confidential information in public

(f) returning any confidential information in your possession on termination of your employment

(g) if you do inadvertently disclose any confidential information, you should inform Michelle McDonald immediately

If you are unsure whether information should be kept confidential check with your line manager / job manager or business contact (for suppliers).

11. Monitoring

Our systems enable us to monitor telephone, email, internet and other communications. For business reasons, and in order to carry out our legal obligations as an employer, your use of our systems may be continually monitored.

We reserve the right to retrieve the contents of email messages or to check internet usage as reasonably necessary in the interests of the business to:

(a) monitor compliance with this policy

(b) assist with investigating any allegations of wrongdoing

(c) comply with any legal obligation

12. Prohibited use of our systems

Misuse or excessive personal use of our systems or inappropriate internet use will be dealt with under our disciplinary procedure and/or may amount to a material breach of a supply contract. Misuse of the internet in certain circumstances may also be a criminal offence.

Creating, viewing, accessing, transmitting or downloading any of the following material will usually amount to gross misconduct:

(a) pornographic material

(b) offensive, obscene or criminal material or material which is likely to cause embarrassment to us or to our clients

(c) a false and defamatory statement about any person or organisation

(d) material which is discriminatory, offensive, derogatory or may cause embarrassment to others

(e) confidential information about us, our business, or any of our employees or clients (unless such use is authorised in the proper performance of your duties)

(f) unauthorised software

(g) music or video files or other material in breach of copyright

This is a non-exhaustive list. Any such action will be treated seriously and is likely to result in summary dismissal.

13. Other policies

To ensure that the confidentiality, integrity and availability of information held by the company is protected, you must also comply with any other policies relating to information security which are provided to you at any time.