Information Security Policy
The Board and management of Thorncliffe Communications Ltd (“Thorncliffe”) are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout their organisation in order to preserve its competitive edge, cash-flow, profitability, legal, regulatory and contractual compliance and commercial image. Information and information security requirements will continue to be aligned with Thorncliffe’s goals, and the Information Security Management System (ISMS) is intended to be an enabling mechanism for information sharing, for electronic operations, and for reducing information-related risks to acceptable levels.
Thorncliffe’s current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS. The Risk Assessment, Statement of Applicability and Risk Treatment Plan identify how information-related risks are controlled. Deborah Paterson, our head of compliance, is responsible for the management and maintenance of the risk treatment plan. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.
In particular, business continuity and contingency plans, data backup procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy.
All colleagues of Thorncliffe and our third party suppliers are expected to comply with this policy and with the ISMS that implements this policy. All colleagues and relevant third party suppliers will receive and be required to provide appropriate training. The consequences of breaching the information security policy are set out in Thorncliffe’s disciplinary policy and in contracts and agreements with third parties.
The ISMS is subject to continuous, systematic review and improvement.
Thorncliffe has established a Board-level steering group, chaired by the MD and including the head of compliance and board members to support the ISMS framework and to periodically review the security policy.
Thorncliffe is committed to complying with the ISO27001 industry standard.
This policy will be reviewed to respond to any changes in the risk assessment or risk treatment plan and at least annually.
In this policy, ‘information security’ is defined as:
Preserving the availability, confidentiality, and integrity of the physical and information assets of Thorncliffe.
Preserving means that management, all full time or part time colleagues and third party suppliers have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches (in line with the policy and procedures identified in Section 16 of the Manual) and to act in accordance with the requirements of the ISMS. All colleagues will receive information security awareness training.
Availability means that information and associated assets should be accessible to authorised users when required and therefore physically secure. The computer network must be resilient and Thorncliffe must be able to detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There must be appropriate business continuity plans.
Confidentiality involves ensuring that information is only accessible to those authorised to access it, and therefore preventing both deliberate and accidental unauthorised access to Thorncliffe’s information, proprietary knowledge and its systems (including its IT network, websites, intranet, and e-commerce systems).
Integrity involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing deliberate or accidental, partial or complete, destruction or unauthorised modification of either physical assets or electronic data. There must be appropriate contingency plans (including for the IT network and websites), data backup plans and security incident reporting. Thorncliffe must comply with all relevant data-related legislation in those jurisdictions within which it operates (the UK).
The physical assets of Thorncliffe include, but are not limited to, computer hardware, data cabling, filing systems and physical data files.
The information assets include information printed or written on paper, transmitted by post or shown in films, or spoken in conversation, as well as information stored electronically on servers, websites, intranet, PCs, laptops, mobile phones and PDAs, as well as on CD ROMs, USB sticks, and any other digital or magnetic media, and information transmitted electronically by any means. In this context, ‘data’ also includes the sets of instructions that tell the systems how to manipulate information (i.e. the software: operating systems, applications, utilities, etc).
Thorncliffe and such partners that are part of our integrated network and have signed up to our security policy and have accepted our ISMS.
The ISMS is the Information Security Management System, of which this policy and other supporting and related documentation is a part, and which has been designed in accordance with the specification contained in ISO27001:2013.
A security breach is any incident or activity that causes, or may cause, a breakdown in the availability, confidentiality or integrity of the physical or electronic information assets of Thorncliffe.
Document Owner and Approval
The Head of Compliance is the owner of this document and is responsible for ensuring that this policy document is reviewed.
A current version of this document is available to all colleagues on the server. It does not contain confidential information and can be released to relevant external parties.
This information security policy was approved by the Board in February 2025. It will be reviewed in February 2027.
ISMS
- Our business objectives are to ensure we have adequate security controls in place designed to support the ISMS and an upfront clarification of these – across the business – is vital.
- Identifying information assets (such as electronic documents, hardware, software, paper and people) – our key information assets are as follows:
  - Employee data on Microsoft and in paper copy
  - Client data on Microsoft
  - Resident data in hard copy
  - Resident data on Nationbuilder
- We have secured organisational commitment – the project’s objectives need to be understood and endorsed throughout the organisation. Cross-functional organisational participation and management engagement are important.
- Developing an asset-based risk assessment and treatment plan – By prioritising information assets and correlating against potential threats, an idea of the perceived risks can be developed during the ISMS design process.
- Considering compliance requirements (legal/statutory/regulatory) and contractual agreements – External factors must be translated into the ISMS implementation’s design. Compliance requirements such as SOX (Sarbanes-Oxley) 404, HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard), GLBA (Gramm-Leach-Bliley Act), and DPA (Data Protection Act) are common these days and could become impossible to assimilate if not factored into the early stages of ISMS design.
- Engaging third parties/partners – Entities involved in business processes need to be advised, monitored and controlled as part of ISMS design and implementation stages. Too often, security control implementation can be delayed thanks to third party ignorance.