SP03 Supplier Information Security and Acceptable Use Policy
ExamWorks UK
Document Control
Document History:
| Date | Version | Summary of Changes |
| 01/09/2021 | 0.1 | Drafted with Compliance based off original EWIS-only doc |
| 01/09/2021 | 1.0 | Finalized version post approvals |
| 01/10/2022 | 1.1 | Minor additions and refresh |
| 05/04/2023 | 1.2 | Change to owner and approvers from operational management to SB. Amendment to restrict usage to EWUK systems for only EWUK purposes. Change of references to Company to Group. Inclusion of RTBF requests in section 13 and change to title. Addition of data retention and seeking guidance in section 14. |
| 23/07/2024 | 1.3 | Refresh for 2024 |
| 23/04/2025 | 1.4 | Refresh for 2025 |
| 29/10/2025 | 1.5 | Minor additions and refresh |
Approvals: This document requires the following approvals:
| Name | Title | Date of Approval |
| Group Head of Security and DPO | Version 1.5 | October 2025 |
Frequency of review required: annual, and on an ad hoc basis.
1. Introduction
This policy provides you with a summary of the way the Group expects you to work with regards to the acceptable use and protection of Group information, alongside the security and usage of your personal devices. You are required to ensure that you have adequate procedures in place to demonstrate your conformance to all applicable Privacy Regulation.
This policy should be considered as an addendum to your contractual terms with the Group. You are required to adhere to this policy and any other information security policies that may be communicated to you from time to time.
2. Definitions
| Group | Throughout this document, the term ‘Group’ is used. ‘Group’ is defined as ExamWorks UK Limited and all of its direct and indirect subsidiaries, excluding Kindertons Topco Limited and all of its direct and indirect subsidiaries. |
| Information Assets | Are the material items of data or paperwork which are processed, stored, handled or communicated by the Group. |
| Group Representative | The primary contact from the Group. |
| Privacy Regulation | All data privacy and/or information security legislation that is applicable. This includes but is not limited to the UK GDPR, Data Protection Act 2018, The General Data Protection Regulation 2016, The Human Rights Act 1998, The Freedom of Information Act 2000, The Common Law Duty of Confidentiality, Privacy and Electronic Communications Regulation 2003. A full list of all applicable legislation can be found in the Legislation Register. |
3. Responsibility
Information security is every individual’s responsibility and you are legally obliged to protect personal data and intellectual property; for these reasons you have a responsibility to adhere to this policy and any other information security policies that are communicated to you.
It is essential that you read and understand this policy and all other information security policies communicated to you from time to time.
4. Incidents & Breaches
In the event that you encounter or are involved in any actual or potential incidents relating to Group information, please notify your Group Representative as soon as possible. You are expected to have procedures in place for the identification, investigation and escalation of any incidents. You may also be expected to provide a full written report of the investigation, including any steps you have taken to contain and manage the incident.
5. Computing Equipment
5.1 Equipment Security
You are responsible for the security of your equipment and must not allow it to be used by any unauthorised individuals. Guidance on this can be found at www.ncsc.gov.uk.
5.2 Monitoring
Where you have been granted access, the use of EWUK systems (be that systems created by EWUK or those purchased by EWUK) is for EWUK business purposes only. Monitoring (where applicable) is only carried out to the extent permitted or as required by law and as necessary and justifiable for business purposes. The Group has control procedures in place in order to ensure this monitoring is not misused.
6. Electronic Communication
6.1 Email and General Consent
If you are required to correspond via email, you must always be mindful that you are creating a permanent, irretrievable statement which could be used in legal proceedings in just the same way as a paper document.
You should take care with the content of email, as incorrect or improper statements can give rise to claims for discrimination, harassment, defamation, breach of confidentiality or breach of contract. You should assume that email messages may be read by others, and not include anything which would offend or embarrass any reader, or the recipient, if it found its way into the public domain.
You should not:
- Send abusive, obscene, discriminatory, racist, harassing, derogatory, defamatory, or otherwise inappropriate emails;
- Send or forward private emails which you would not want a third party to read;
- Send or forward chain mail, junk mail, cartoons, jokes or gossip;
- Unless you are authorised to do so, agree to terms, enter into contractual commitments or make representations by email;
- Share or use email, text, music and other content which is subject to copyright protection;
- Send or forward any work-related Group information for the purposes of personal use.
6.2 Emails and Sensitive Personal Data
You are expected to ensure that you have appropriate security controls in place when transferring Group information of a sensitive nature. If you receive an email from the Group that is not intended for you and contains Sensitive Personal Data, you should report the incident to your Group Representative before taking any action.
6.3 Viruses and Emails from Unknown Sources
You should exercise caution when opening emails from unknown external sources or where, for any reason, an email appears suspicious. You should inform your Group Representative immediately if you suspect a virus or if you have entered your log-in information into something malicious.
Where applicable, if you are using our internal email system, we reserve the right to block access to email attachments for the purpose of effective use of the system and for compliance with this policy. We also reserve the right not to transmit any email message.
7. Misuse
Personal misuse or inappropriate use of Group systems is a breach of this policy and is not permitted. Misuse of the Group’s systems or Group data can, in certain circumstances, constitute a criminal offence.
Whilst working for the Group, and using our systems, you are prohibited from creating, viewing, accessing, transmitting or downloading any of the following material. To do so will amount to a breach of this policy and may also result in the termination of your contract.
- Pornographic material (that is, writing, pictures, films and video clips of a sexually explicit or arousing nature);
- Offensive, obscene, or criminal material or material which is liable to cause embarrassment to us or to our clients;
- A false and defamatory statement about any person or organisation;
- Material which is discriminatory, offensive, derogatory or may cause embarrassment to others;
- Online gambling;
- Confidential information about the Group or any of our employees or clients (which you do not have authority to access);
- Any other statement which is likely to create any liability (whether criminal or civil, and whether for you or the Group); or
- Material in breach of copyright.
You should not delete, destroy or modify existing systems, programs, information or data which could have the effect of harming the Group or exposing it to risk. You should not attempt to gain access to restricted areas of the network, or to any password-protected information, unless specifically authorised to do so.
Where evidence of misuse is found our internal Compliance team may undertake a more detailed investigation. This may involve the examination and disclosure of monitoring records to those nominated to undertake the investigation and any witnesses or managers involved in the incident. If necessary, such information may be handed to the police in connection with a criminal investigation.
8. Software and Hardware
You should be cautious about the security and validity of the software that you download onto your device, to ensure that the risk of loss of Group data stored on your device is minimised.
You should ensure that your device and software are up to date with the latest security and Operating System patching, that strong antivirus software is installed, and that the hard drive is encrypted where possible.
If your computer will not support updates to the latest version of the Operating System, then it is considered “end of life” and is vulnerable to cyber-attacks, as vulnerabilities can no longer be fixed. You should strongly consider obtaining a computer that can support the latest versions. Failure to do so will be at your own risk, and the Group will accept no liability for losses that result.
If you use Group systems or devices, you should not delete, destroy or modify existing systems, programs, information or data which could have the effect of harming the Group or exposing it to risk.
The unauthorised installation of software on a Group network is strictly prohibited; this includes the illegal copying of software, music, films or other media. You should not download, attempt to download or install software from external sources. This includes but is not limited to:
- Software programs;
- Instant messaging programs;
- Screensavers and photos;
- Video clips;
- Music files.
9. Use of Portable Media
If you are a member of our outsourcing panel, you are responsible for the security of any portable media storage devices, as you would be for any of your own devices, and should take all due care when handling Group data in any format. You should strongly consider the use of encryption to ensure that, if such devices are lost or stolen, the data cannot be accessed.
10. Protecting Information in Transit
Any transfer of equipment and/or information should only be undertaken with the proper precautions in place.
Ensure that data is sent in an encrypted format, i.e. password protected.
Under no circumstances should equipment containing Group data and/or information be left unattended in a public place or inside a vehicle.
11. Password & Log-in IDs
You are responsible for the use of any login IDs given to you in order to access Group systems, or those used for your own systems. Any use or misuse of Group systems or services under your login ID will be attributable to you. Do not share your login or password details with anyone. If anyone attempts to coerce you into providing your personal password, you should report the matter to your Group Representative immediately.
It may be necessary to obtain your login and password details in order to resolve a major incident; where this is the case, only a Group Representative is permitted to obtain this information from you.
Please consider the following when creating and managing passwords for Group systems and for your own personal systems, accounts, or devices:
Passwords should:
- Contain both upper and lower case characters (e.g., a-z, A-Z);
- Contain digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./);
- Be at least fifteen alphanumeric characters long and take the form of a passphrase (e.g., Ohmy1stubbedmyt0e);
- Not be words in any language, slang, dialect, jargon, etc.;
- Not be based on personal information, names of family members, etc.;
- Be changed if they are believed to be compromised;
- Be supplemented with Multi-Factor Authentication (MFA) where possible.
Passwords should never be written down or stored online. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be “This May Be One Way To Remember” and the password could be “TmB1w2R!” or “Tmb1W>r~” or some other variation.
12. Data Subject Requests
If you have received a Data Subject Request (Subject Access Request (SAR) or Right to Be Forgotten (RTBF) Request) in relation to any work you conduct for the Group, you are responsible for reporting that request to your Group Representative as soon as possible. You are also obliged to manage any requests you receive in line with your own internal data protection procedures.
13. Data Management
You should ensure that any Group data transmitted to you as part of your service is only processed in the manner required to fulfil that service.
You should ensure that any Group data transmitted to you as part of your service is securely disposed of as soon as you no longer require access to it. This includes any hard or soft copies made and any additional data generated during the course of your service.
You have an obligation to ensure the confidentiality and integrity of the Group data provided to you, and to act in accordance with all Privacy Regulation. In addition, you have a responsibility to manage the retention of data (both electronic and hard-copy data) in accordance with all Privacy Regulation. If you require any assistance with this, consult the ICO website and/or your Group Representative.
