Information Security & Information Risk Management Policy
Introduction
This policy outlines OKS Group Limited’s approach to safeguarding information assets and managing associated risks. It ensures compliance with relevant UK laws, standards, and best practices, including the General Data Protection Regulation (GDPR), the Data Protection Act 2018, and ISO 27001, to protect the confidentiality, integrity, and availability of data handled by the company. This policy applies to all employees, contractors, third-party vendors, and stakeholders who access, process, or manage information related to OKS Group Limited’s operations, clients, and employees within the United Kingdom.
1. Objectives
- Ensure the security and protection of all information assets.
- Identify and mitigate risks associated with information handling and storage.
- Comply with legal, regulatory, and contractual obligations regarding information security in the UK.
- Foster a culture of security awareness within the organization.
2. Roles and Responsibilities
- Information Security Officer (ISO) and/or Legal Compliance Department: Responsible for implementing and maintaining this policy, overseeing risk management processes, and ensuring compliance with UK laws and regulations.
- Employees: Required to follow security policies and procedures, report incidents, and complete mandatory training.
- Third-Party Vendors: Must adhere to agreed-upon security standards and contractual obligations.
3. Information Security Principles
3.1. Confidentiality
- Restrict access to information to authorized personnel only.
- Implement role-based access controls and ensure data is shared on a need-to-know basis.
3.2. Integrity
- Protect information from unauthorized alteration or destruction.
- Use robust change management practices for systems and data.
3.3. Availability
- Ensure that information is accessible to authorized users when needed.
- Implement redundancy, backup, and disaster recovery measures.
4. Risk Management Framework
4.1. Risk Assessment
- Conduct regular risk assessments to identify threats, vulnerabilities, and potential impacts to information assets.
- Prioritize risks based on their likelihood and impact.
4.2. Risk Mitigation
- Implement controls to address identified risks, such as firewalls, encryption, multi-factor authentication, and physical security measures.
- Regularly review and update controls to ensure effectiveness.
4.3. Monitoring and Review
- Continuously monitor systems and networks for suspicious activity.
- Conduct periodic internal and external audits to evaluate the security posture.
5. Data Protection and Compliance
- Comply with GDPR and the UK’s Data Protection Act 2018 requirements, including data subject rights, data minimization, and lawful processing.
- Maintain a Data Processing Agreement (DPA) with all third-party data processors.
- Regularly review data protection practices to ensure ongoing compliance.
6. Incident Management
6.1. Reporting and Response
- All security incidents, including data breaches, must be reported immediately to the ISO or to our Legal Compliance Department.
- Activate the Incident Response Plan (IRP) to contain, assess, and resolve incidents promptly.
6.2. Notification
- Notify affected parties and the Information Commissioner’s Office (ICO) or Legal Compliance Department as required by UK law in the event of a data breach.
7. Security Awareness and Training
- Provide mandatory information security training for all employees.
- Conduct regular awareness campaigns to reinforce best practices.
8. Third-Party Security Management
- Evaluate third-party vendors’ security measures before engaging in partnerships.
- Include information security requirements in vendor contracts.
- Regularly review and audit third-party compliance with contractual obligations.
9. Physical and Environmental Security
- Restrict physical access to sensitive areas to authorized personnel only.
- Ensure that servers, storage devices, and other critical infrastructure are protected from environmental hazards.
10. Policy Review and Updates
- This policy will be reviewed annually or in response to significant changes in the legal or regulatory environment in the UK.
- Updates will be communicated to all relevant stakeholders.
Acknowledgment & Contact for Policy Queries
For any questions or clarifications regarding this policy, please contact the Information Security Officer or our Legal Compliance Department at legal@oksgroup.co.uk.
All employees and stakeholders must acknowledge their understanding and agreement to comply with this policy. Failure to adhere to the policy may result in disciplinary action, up to and including termination.
Last Updated: January 2025