Information Technology Security
1.0 Policy Objectives
Juice Stored Energy operates a rolling programme of internal audits, in order to assess the performance and effectiveness of all of the Company’s Management Systems by determining whether:
each conforms to the documented requirements of applicable British or International Standards, and any applicable legislation or regulations
they continue to align with the Company’s goals and objectives
they are being properly managed, implemented and maintained
any identified corrective or preventive actions required are implemented
2.0 Policy Scope
Juice Stored Energy Information Security Management System (ISMS), and all related activities that are necessary to allow the Company to continue to conform to required standards, including all policies, processes, control objectives, controls and supporting records.
3.0 Policy Statements
The Company shall compile and communicate in advance a programme of internal audits, which shall include details of those audits which have been arranged to cover the activities, functions and processes detailed within the Scope of this Policy. The frequency of internal audits for each activity, function or process shall be determined by the organisation after full consideration of:
The activity’s level of criticality to the organisation
The documented results of previous internal audits
The existence of any known issues, incidents or operational challenges
Whether the activity is new and has not been subject to a previous internal audit
All software assets intended to be installed on Juice Stored Energy information systems shall be submitted to formal change management approval, and shall only be authorised if:
they have been fully and properly evaluated for information security vulnerabilities
they have received specific authorisation from the change management process for the installation
the company holds a valid software licence for the intended installation
they are to be installed strictly in accordance with the vendor’s software licence
the company has the ability to support the software with updates and security patches
Juice Stored Energy reserves the right to monitor and audit instances of installed software on Company assets and systems. Any attempts by users to prevent or interfere with such monitoring or audits will be subject to disciplinary action (see Section 3.1).
Juice Stored Energy shall not permit the connection of any external storage device, including external hard drives, USB memory sticks and memory cards, to any Juice Stored Energy system without prior permission from Senior Management issued against a valid business requirement. Dependent upon each individual request and the permission granted. Any such data shall be securely and permanently removed and the device cleansed to acceptable levels at the first available opportunity: simple file deletion shall not be acceptable for this purpose.
The Computer Misuse Act 1990 covers the offences of illegally accessing and using computer systems without authority, and also the unauthorised introduction of software into a computer system with the intention of either (a) affecting the normal operation of the computer system, or (b) interfering with any data or program stored or installed on the computer system. Users shall maintain awareness of the offences covered by this law.
3.1 Inventory of Assets
Define and maintain a comprehensive Inventory of Assets, including all information assets and supporting assets as defined within Section 2.0 of this Policy. The Inventory of Assets shall detail a named owner for each asset, who shall fully understand their responsibilities for the protection of the asset.
3.2 Access Control Policy
Ensure that all information assets, and their supporting assets, are protected so that their confidentiality, integrity and availability are maintained, and that access to them is restricted to the minimum required to undertake authorised business activities. Juice Stored Energy has adopted the principle that “access is forbidden unless it has been specifically and formally pre-authorised”.
3.3 Risk Assessment
Perform regular risk assessments on all information assets, and their supporting assets. The documented results of risk assessments shall be reviewed to understand the level of risk to information and supporting assets, and appropriate controls shall be implemented to address any unacceptable risks that have been identified. A Statement of Applicability (SoA) shall be produced to record which controls have been selected and the reasons for their selection, and the justification for any controls not selected.
3.4 Information Security Incidents
Provide a mechanism for the prompt identification, reporting, investigation and closure of information security incidents to Juice Stored Energy, in accordance and to fully analyze reported incidents to identify the root cause of issues and take advantage of any improvement opportunities which may have been identified.
3.5 Acceptable Use of “Mobile Devices”
Users of mobile devices issued by Juice Stored Energy, including laptops, mobile telephones and Personal Electronic Devices (PEDs), shall at all times comply with the issued documented requirements detailing how they are to be accessed, used, stored and protected. Such devices shall be protected by passwords. Any actual or suspected loss, theft or misuse shall be promptly reported as an Information Security Incident.
Information on mobile devices, including laptops, mobile telephones and Personal Electronic Devices (PEDs), shall be kept to an absolute minimum to ensure that, in the event of loss, theft, misuse or damage, the exposure and liability have been kept to an absolute minimum.