Information security policy

Executive Summary

Information management is an essential part of good IT governance, which in turn is a cornerstone in corporate governance. An integral part of the IT governance is information security, in particular pertaining to personal information. However, many organisations do not have a clear policy for information security management. The security policy provides a policy with information security objectives and strategy, and defines roles and responsibilities.

Core principles for information security management, as defined in ISO/IEC 27002, are adapted to the local situation for the following areas: Governing documents for Information Security Management are also defined. The foundation for this best practice is ISO/IEC 27001 and ISO/IEC 27002 which have been condensed into this manageable and applicable document.

The EU equivalents can be found in:

  • Directive 95/46/EC (Data Protection Directive)
  • Directive 2002/58/EC (the E-Privacy Directive)
  • Directive 2006/24/EC Article 5 (The Data Retention Directive)
  • Risk assessment
  • Organising information security
  • Asset management
  • Human resources security
  • Physical security
  • Communications and operations management
  • Access control
  • System development and maintenance
  • Information security incident management
  • Business continuity management
  • Compliance


This document is based on ISO/IEC 27001 and ISO/IEC 27002 and has been condensed to a manageable and applicable level (22 pages as opposed to the 108 pages of ISO/IEC 27002). The security policy should be signed by the manager of the institution, or whoever has the legal responsibility according to local legislation. The policy template has been used as a starting point in the process of developing a locally agreed security policy. Local involvement and ownership to the policy is a key to its success. In many ways the process itself is more important than the final document. In addition to the information security policy the institution needs a number of underlying documents detailing how the various aspects of the policy should be implemented.

1 Information security policy

1.1 Security goals React2 Limited is committed to safeguard the confidentiality, integrity and availability of all physical and electronic information assets of the institution to ensure that regulatory, operational and contractual requirements are fulfilled.

The overall goals for information security at React2 Limited are the following:

  • Ensure compliance with current laws, regulations and guidelines.
  • Comply with requirements for confidentiality, integrity and availability for React2 Limited's employees and other users.
  • Establish controls for protecting React2 Limited's information and information systems against theft, abuse and other forms of harm and loss.
  • Motivate administrators and employees to maintain the responsibility for, ownership of and knowledge about information security, in order to minimise the risk of security incidents.
  • Ensure that React2 Limited is capable of continuing their services even if major security incidents occur.
  • Ensure the protection of personal data (privacy).
  • Ensure the availability and reliability of the network infrastructure and the services supplied and operated by React2 Limited.
  • Comply with methods from international standards for information security, e.g. ISO/IEC 27001.
  • Ensure that external service providers comply with React2 Limited's information security needs and requirements.
  • Ensure flexibility and an acceptable level of security for accessing information systems from off site.

1.2 Security strategy

React2 Limited's current business strategy and framework for risk management are the guidelines for identifying, assessing, evaluating and controlling information related risks through establishing and maintaining the information security policy (this document). This complies with the DCB0129 Standard. It has been decided that information security is to be ensured by the policy for information security and a set of underlying and supplemental information. In order to secure operations at React2 Limited even after serious incidents, React2 Limited shall ensure the availability of continuity plans, backup procedures, defence against damaging code and malicious activities, system and information access control, incident management and reporting. The term information security is related to the following basic concepts:

  • Confidentiality: The property that information is not made available or disclosed to unauthorised individuals, entities, or processes.
  • Integrity: The property of safeguarding the accuracy and completeness of assets.
  • Availability: The property of being accessible and usable upon demand by an authorised entity. Some of the most critical aspects supporting React2 Limited's activities are availability and reliability for network, infrastructure and services. React2 Limited practises openness and principles of public disclosure, but will in certain situations prioritise confidentiality over availability and integrity. Every user of React2 Limited's information systems shall comply with this information security policy. Violation of this policy and of relevant security requirements will therefore constitute a breach of trust between the user and React2 Limited, and may have consequences for employment or contractual relationships.

Dean Turnbull, CSO, React2 Ltd, 14/07/2023

2 Roles and areas of responsibility

The administration has the overall responsibility for managing React2 Limited's values in an effective and satisfactory manner according to current laws, requirements and contracts.

The CSO has the overall responsibility for information security at React2 Limited, including information security regarding personnel and IT security.

2.1.1 Owner of the security policy The CSO is the owner of the security policy (this document). The CSO is also the CSO (Chief Security Officer). All policy changes must be approved and signed by the CSO.

2.1.2 Chief Security Officer (CSO) The Chief Security Officer (CSO) holds the primary responsibility for ensuring the information security at React2 Limited. Mr Dean Turnbull currently has this role.

2.1.3 System owner The system owner, in consultation with the IT department, is responsible for purchasing requirements, development and maintenance of information and related information systems. All systems and all types of information must have a defined owner. The system owner must define which users or user groups are allowed access to the information and what authorized use of this information consists of.

2.1.4 System administrator System administrators are persons administering React2 Limited's information systems and the information entrusted to the Company by other parties. Each type of information and system may have one or more dedicated system administrators. These are responsible for protecting the information, including implementing systems for access control to safeguard confidentiality, and carry out backup procedures to ensure that critical information is not lost. They will further implement, run and maintain the security systems in accordance with the security policy. Each system must have one or more system administrators. This shall be documented.

2.1.5 Users Employees are responsible for getting acquainted and complying with React2 Limited's IT regulations. Questions regarding the administration of various types of information should be posed to the system owner of the relevant information, or to the system administrator.

2.1.6 Consultants and contractual partners Contractual partners and contracted consultants must sign a confidentiality agreement prior to accessing sensitive information. The System owner is responsible for ensuring that this is implemented.

3 Principles for information security at React2 Limited.

3.1 Risk assessment and management

3.1.1 React2 Limited's approach to security should be based on risk assessments.

3.1.2 React2 Limited should continuously assess the risk and evaluate the need for protective measures. Measures must be evaluated based on React2 Limited's role as a limited company and with regards to efficiency, cost and practical feasibility.

3.1.3 An overall risk assessment of the information systems should be performed annually.

3.1.4 Risk assessments must identify, quantify and prioritise the risks according to relevant criteria for acceptable risks.

3.1.5 Risk assessments are to be carried out when implementing changes impacting information security. Recognized methods of assessing risks should be employed, such as ISO/IEC 27005.

3.1.6 The CSO is responsible for ensuring that the risk management processes at React2 Limited are coordinated in accordance with the policy.

3.1.7 The system owners are responsible for ensuring that risk assessments within their area of responsibility are implemented in accordance with the policy.

3.1.8 Risk management is to be carried out according to criteria approved by the management at React2 Limited.

3.1.9 Risk assessments must be approved by the management at React2 Limited and/or the system owners.

3.1.10 If a risk assessment reveals unacceptable risks, measures must be implemented to reduce the risk to an acceptable level.

3.2 Information security policy

3.2.1 The CSO shall ensure that the information security policy, as well as guidelines and standards, are utilised and acted upon.

3.2.2 The CSO must ensure the availability of sufficient training and information material for all users, in order to enable the users to protect React2 Limited's data and information systems.

3.2.3 The security policy shall be reviewed and updated annually or when necessary, in accordance with principles described in ISO/IEC 27001.

3.2.4 All important changes to React2 Limited's activities, and other external changes related to the threat level, should result in a revision of the policy and the guidelines relevant to the information security.

3.3 Security organisation

3.3.1 Security organisation React2 Limited

Security responsibility is distributed as follows:

  • The CSO is primarily responsible for the security and is the controller according to the 95/46/EC, Article 2 (d), IT systems and infrastructure, information security, executive responsibility for information security according to the Personal Data Act and is the controller on a daily basis of the personal information of the employees, research related personal information, quality work (while the operational responsibility is delegated according to the management structure).
  • React2 Limited's information security will be revised on a regular basis, through internal control and at need, with assistance from an external IT auditor.
  • React2 Limited will review and recommend information security policy and accompanying documentation and general distribution of responsibility.
  • React2 Limited will monitor substantial changes of threats against the information assets of the organisation.
  • Review and monitor reported security incidents.
  • Authorise initiatives to strengthen information security.

3.4 Classification and control of assets

3.4.1 "Assets" include both information assets and physical assets.

3.4.2 Information and infrastructure should be classified according to security level and access control.

3.4.3 Information as mentioned in item should be classified as one of three categories for confidentiality: Sensitive Information of a sensitive variety where unauthorised access (including internally) may lead to considerable damage for individuals, React2 Limited or their interests. [Sensitive information is here synonymous with being kept from public access or sensitive personal information as defined by the UK Data Protections Act 1998] This type of information must be secured in "red" zones, see chapter 3.6. Internal Information which may harm React2 Limited or be inappropriate for a third party to gain knowledge of. The System owner decides who may access and how to implement that access.

###Open Information

Other information is open.

3.4.4 React2 Limited shall carry out risk analyses in order to classify information based on how critical it is for operations (criticality).

3.4.5 Routines for classification of information and risk analysis must be developed.

3.4.6 Users administrating information on behalf of React2 Limited should treat said information according to classification.

3.4.7 Sensitive documents should be clearly marked.

3.4.8 Classification of equipment according to criticality will be discussed in chapter

3.4.9 A plan for electronic storage of essential documentation should be developed.

3.4.10 Information that is vital for operations should be accessible independent of which systems the information was created or processed in.

3.5 Information security in connection with users of React2 Limited's services

3.5.1 Prior to employment Security responsibility and roles for employees and contractors should be described. A background check is to be carried out of all appointees to positions according to relevant laws and regulations. A confidentiality agreement should be signed by employees, contractors or others who may gain access to sensitive and/or internal information. IT regulations should be accepted for all employment contracts and for system access for third parties.

3.5.2 During employment The IT regulations refer to React2 Limited's information security requirements and the users' responsibility for complying with these regulations. The IT regulations should be reviewed regularly with all users and with all new hires. All employees and third party users should receive adequate training and updating regarding the Information security policy and procedures. The training requirements may vary. Breaches of the Information security policy and accompanying guidelines will normally result in sanctions. [Refer to the relevant laws and valid regulations at React2 Limited.] React2 Limited's information, information systems and other assets should only be utilised for their intended purpose. Necessary private usage is permitted. Private IT equipment in React2 Limited's infrastructure may only be connected where explicitly permitted. All other uses must be approved in advance by the IT department. Use of React2 Limited's IT infrastructure for personal commercial activities is under no circumstances permitted.

3.5.3 Termination or change of employment The responsibility for termination or change of employment should be clearly defined in a separate routine with relevant circulation forms. React2 Limited's assets should be handed in at the conclusion of the need for the use of these assets. React2 Limited should change or terminate access rights at termination or change of employment. Notification on employment termination or change should be carried out through the procedures defined in the personnel system.

3.6 Information security regarding physical conditions

3.6.1 Security areas IT equipment and information that require protection should be placed in secure physical areas. Secure areas should have suitable access control to ensure that only authorised personnel have access. The following zones should be utilised:

Security level Area Security

Green Areas: No access restrictions

  • Public areas.
  • No access control during ordinary office hours.
  • Internal and sensitive information should not be printed out in this zone.

Yellow Areas: where internal information may be found during office hours.

  • Offices, meeting rooms, some archives, some technical rooms like labs, printer rooms.
  • All printouts should be protected.
  • Access control: Key card

Red Restricted Areas: requiring special authorization.

  • Computer rooms, server rooms, archives, etc. containing sensitive information.
  • All printouts should be protected.
  • Access control: Key card and access key Zones should be marked on construction drawings or explicitly described in a separate document. The IT security manager is responsible for approving physical access to technical computer rooms. The Physical security manager is responsible for the approval of physical access to areas other than technical computer rooms. All of React2 Limited's buildings should be secured according to their classification by using adequate security systems. See table above. Security managers for the various areas of responsibility should ensure that work performed by third parties in secure zones is suitably monitored and documented. All personnel should be able to be identified when present in yellow or red zones. Red zones should be properly secured against damage caused by fire, water, explosions, vibrations, etc. All external doors and windows must be closed and locked at the end of the work day. Access cards may be supplied to workmen, technicians and others after proper identification [and a signed confidentiality agreement]. Anyone receiving visitors in the yellow zone is responsible for the supervision of their visitors. Visitors in the red zone must be signed in and out, and must carry visible guest cards or personal access cards. Visitors in the red zone must be escorted [or monitored, e.g. with cameras].

3.6.2 Securing equipment IT equipment classified as "high" (see chapter must be protected against environmental threats (fires, flooding, temperature variations, etc.). Classification of equipment should be based on risk assessments. Information classified as "sensitive" must not be stored on portable computer equipment (e.g. laptops, cell phones, memory sticks, etc.). If it is necessary to store this information on portable equipment, the information must be password protected and encrypted in compliance with guidelines from the IT department. During travel, portable computer equipment should be treated as carry-on luggage. Areas classified as "red" must be secured with suitable fire extinguishing equipment with appropriate alarms. Fire drills shall be carried out on a regular basis.

3.7 IT communications and operations management

3.7.1 Operational procedures and areas of responsibility Purchase and installation of IT equipment must be approved by the IT department. Purchase and installation of software for IT equipment must be approved by the IT department. The IT department should ensure documentation of the IT systems according to React2 Limited's standards. Changes in IT systems should only be implemented if well-founded from a business and security standpoint. The IT department should have emergency procedures in order to minimise the effect of unsuccessful changes to the IT systems. Operational procedures should be documented. Documentation must be updated following all substantial changes. Before a new IT system is put in production, plans and risk assessments should be in place to avoid errors. Additionally, routines for monitoring and managing unforeseen problems should be in place. Duties and responsibilities should be separated in a manner reducing the possibility of unauthorised or unforeseen abuse of React2 Limited's assets. Development, testing and maintenance should be separated from operations in order to reduce the risk of unauthorised access or changes, and in order to reduce the risk of error conditions.

3.7.2 Third party services All contracts regarding outsourced IT systems should include

  • information security requirements, including confidentiality, integrity and availability,
  • a description of the agreed security level,
  • requirements for reporting security incidents from third parties,
  • a description of how React2 Limited may ensure that third parties are fulfilling their contracts,
  • a description of React2 Limited 's right to audit third parties.

3.7.3 System planning and acceptance Requirements for information security must be taken into consideration when designing, testing, implementing and upgrading IT systems, as well as during system changes. Routines must be developed for change management and system development/maintenance. IT systems must be dimensioned according to capacity requirements. The load should be monitored in order to apply upgrades and adjustments in a timely manner. This is especially important for business-critical systems.

3.7.4 Protection against malicious code Computer equipment must be safeguarded against viruses and other malicious code. This is the responsibility of the IT security manager.

3.7.5 Backup The IT department is responsible for carrying out regular backups and restore of these backups, as well as data storage on React2 Limited's IT systems according to their classification. Backups should be stored externally or in a separate, suitably protected zone.

3.7.6 Network administration The IT department has the overall responsibility for protecting React2 Limited's internal network. There should be an inventory containing all equipment connected to React2 Limited's wired networks. All access to React2 Limited's networks should be logged.

3.7.7 Management of storage media There should be procedures in place for the management of removable storage media.

Implementation is the responsibility of each employee. Storage media should be disposed of securely and safely when no longer required, using formal procedures.

3.7.8 Exchange of information Procedures and controls should be established for protecting exchange of information with third parties and information transfer. Third party suppliers must comply with these procedures. React2 Limited has the right to access personal e-mail and other personal data stored on React2 Limited's computer networks [according to the Data Protection Act,1998]

3.7.9 Use of encryption Storage and transfer of sensitive information (see class model in chapter 3.11) should be encrypted or otherwise protected.

3.7.10 Electronic exchange of information Information exchanged across public networks in connection with e-commerce, should be protected against fraud, contractual discrepancies, unauthorised access and changes. The IT department should ensure that publicly accessible information, e.g. on React2 Limited's web services, is adequately protected against unauthorised access.

3.7.11 Monitoring of system access and usage Access and use of IT systems should be logged and monitored in order to detect unauthorised information processing activities. Usage and decisions should be traceable to a specific entity, e.g. a person or a specific system. The IT department should register substantial disruptions and irregularities of system operations, along with potential causes of the errors. Capacity, uptime and quality of the IT systems and networks should be sufficiently monitored in order to ensure reliable operation and availability. The IT department should log security incidents for all essential systems. The IT department should ensure that system clocks are synchronised to the correct time.

3.8 Access control

3.8.1 Business requirements Written guidelines for access control and passwords based on business and security requirements should be in place. Guidelines should be re-evaluated on a regular basis. Guidelines should contain password requirements (frequency of change, minimum length, character types which may/must be utilised, etc.) and regulate password storage.

3.8.2 User administration and responsibility Users accessing systems must be authenticated according to guidelines. Users should have unique combinations of usernames and passwords. Users are responsible for any usage of their usernames and passwords. Users should keep their passwords confidential and not disclose them unless explicitly authorised by the CSO.

3.8.3 Access control/Authorization Access to information systems should be authorised by immediate superiors in accordance with the system owner directives. This includes access rights, including accompanying privileges. Authorizations should only be granted on a "need to know" basis, and regulated according to role. The immediate superior should alert the system administrator about granting access and changes in accordance with the directives from the system owner. Roles and responsibilities with accompanying access rights should be described based on the following classifications.

  • Internal (several roles)
  • External (several roles)
  • Employee
  • Public
  • Others

3.8.4 Network access control The CSO is responsible for ensuring that network access is granted in accordance with access policy. Users should only have access to the services they are authorised for. The access to privileged accounts and sensitive areas should be restricted. Users should be prevented from accessing unauthorised information.

3.8.5 Mobile equipment and remote workplaces Remote access to React2 Limited's computer equipment and services is only permitted if the security policy has been read and understood and the IT regulations signed. Remote access to React2 Limited's network may only take place through security solutions approved by the IT department. Mobile units should be protected using adequate security measures. Information classified as sensitive must be encrypted if stored on portable media, such as memory sticks, PDAs, DVDs and cell phones. [The use of cryptography may be subject to local legislation.]

3.9 Information systems acquisition, development and maintenance

3.9.1 Security requirements for information systems Definitions of operational requirements for new systems or enhancements to existing systems must contain security requirements.

3.9.2 Cryptographic controls Guidelines for administration and use of encryption for protecting information should be in place.

3.9.3 Security of system files All changes to production environments should comply with existing routines. The implementation of changes to the production environment should be controlled by formal procedures for change management, in order to minimise the risk of damaged information or information systems.

3.9.4 Security in development and maintenance Systems developed for or by React2 Limited must satisfy definite security requirements, including data verification, securing the code before being put in production, and use of encryption. All software should be thoroughly tested and formally accepted by the system owner and the IT department before being transferred to the production environment.

3.9.5 Risk assessment Prior to new systems classified as “high”, or substantial changes in systems classified as “high” (see Table 1: System classification) are put in production, a risk assessment must be carried out.

3.10 Information security incident management

3.10.1 Responsibility for reporting All breaches of security, along with the use of information systems contrary to routines, should be treated as incidents. All employees are responsible for reporting breaches and possible breaches of security. Incidents should be reported to management or directly to the CSO.

3.10.2 Measurements Routines are to be developed for incident management and reporting. The routines should contain measures for preventing repetition as well as measures for minimising the damage. The CSO should ensure that routines are in place for defining the cost of security incidents.

3.10.3 Collection of evidence The IT security manager should be familiar with simple routines for collecting evidence.

3.11 Continuity planning

3.11.1 Continuity plan A plan for continuity and contingencies covering critical and essential information systems and infrastructure should exist. The continuity plan(s) should be based on risk assessments focusing on operational risks. The continuity plan(s) should be consistent withReact2 Limited's overall contingencies and plans. The continuity plan(s) should be tested on a regular basis to ensure adequacy, and to ensure that management and employees understand the implementation. Production systems and other systems classified as "high" should have backup solutions.

System classification:

  • Level 3 – High: the system may be unavailable for up to 8 hours
  • Level 2 – Medium: the system may be unavailable for up to 24 hours
  • Level 1 – Low: the system may be unavailable for up to 3 days

3.12 Compliance

3.12.1 Compliance with legal requirements React2 Limited must comply with current laws, as well as other external guidelines, such as (but not limited to):

List of relevant national legislation, e.g.:

  • Act relating to the working environment, working hours and employment protection, etc.
  • Regulations relating to systematic health, environmental and safety activities in enterprises
  • Act relating to the processing of personal data
  • Act relating to civil servants, etc.
  • Act relating to annual accounts, etc.
  • Act relating to limited companies
  • Act relating to the right of access to documents held by public authorities and public undertakings
  • Act relating to electronic signature
  • Act relating to archives
  • Regulations relating to fire preventing measures and supervision Other relevant references
  • Collective agreements

3.12.2 Safeguarding personal information according to the legal requirements Insert relevant statements for your organisation according to e.g. 95/46/EC and 2002/58/EC.

3.12.3 Compliance with security policy All employees must comply with the Information security policy and guidelines. Enforcement is the responsibility of line management. Employees must comply with IT regulations. Employees should be aware that evidence from security incidents will be stored and may be handed over to law enforcement agencies following court orders.

3.12.4 Controls and audits Audits should be planned and arranged with the involved parties in order to minimise the risk of disturbing the activities of React2 Limited.

4 Governing documents for safety work

4.1 Purpose of governing documents Governing documents for information security should contribute to a balanced level of measures with regards to the risks and requirements related to React2 Limited. Documented requirements and guidelines should exist for information security based on up-to-date risk assessments. Systems and infrastructure should be covered by best practices for information security.

4.2 Document structure React2 Limited has organised a document structure describing their security architecture in three levels. The structure for governing documents for information security work is as follows:

Level 1: Security policy defining goals, purposes, responsibility and overall requirements. Additionally, it gives an overview over established governing documents regarding information security and why it is important. This is the governing documentation.

Level 2: Overall guidelines and principles for information security. This defines what must be done in order to comply with the established policy. React2 Limited has adopted the OECD Guidelines of Information Systems and Networks 2002. This is governing documentation.

Level 3: Standards and procedures for information security. Contains details for how these guidelines and principles (level 2) should be implemented. This is implementation and control documentation.


Internal references

The CSO is responsible for:

  • IT regulations at React2 Limited
  • Strategy plan at React2 Limited
  • Quality assurance system React2 Limited
  • IT strategy at React2 Limited
  • Risk assessments
  • Personnel policy
  • Guidelines for the disposal of IT equipment
  • Confidentiality agreement
  • Role description CSO
  • Other relevant IT related documents

External references

[ISO27001] ISO 27001: 2005. Information security – Security techniques – Information security management systems – Requirements.

[ISO27002] ISO/IEC 27002: 2005 Information security – Security techniques – Code of practice for information security management.

[ISO27005] ISO/IEC 27005: 2008 Information security – Security techniques – Information security risk-management.

[OECD] OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security.

[BPD107] Power Supply Requirements for ICT Rooms. Best Practice Document.

[BPD108] Ventilation and Cooling Requirements for ICT Rooms. Best Practice Document.

© Original version UNINETT 2010 | ©TERENA 2010. All rights reserved

© React2 Ltd 2023 | 20 Standalane View | Peebles | EH45 8LS| E: