SP03 Supplier Information Security and Acceptable Use Policy
ExamWorks UK
Document Control
Document History:
Date | Version | Summary of Changes |
01/09/2021 | 0.1 | Drafted with Compliance based off original EWIS-only doc |
01/09/2021 | 1.0 | Finalized version post approvals |
01/10/2022 | 1.1 | Minor additions and refresh |
05/04/2023 | 1.2 | Change to owner and approvers from operational management to SB. Amendment to restrict usage to EWUK systems for only EWUK purposes. Change of references to Company to Group. Inclusion of RTBF requests in section 13 and change to title. Addition of data retention and seeking guidance in section 14. |
23/07/2024 | 1.3 | Refresh for 2024 |
23/04/2025 | 1.4 | Refresh for 2025 |
Approvals: This document requires the following approvals:
Name | Title | Date of Approval |
Group Head of Security and DPO | Version 1.4 | August 2024 |
Frequency of review required: annual, and on an ad hoc basis.
1. Introduction
This policy provides you with a summary of the way the Group expects you to work with regard to the acceptable use and protection of Group information, alongside the security and usage of your personal devices. You are required to ensure that you have adequate procedures in place to demonstrate your conformance to all applicable Privacy Regulation.
This policy should be considered as an addendum to your contractual terms with the Group. You are required to adhere to this policy and any other information security policies that may be communicated to you from time to time.
2. Definitions
Group | Throughout this document, the term ‘Group’ is used. ‘Group’ is defined as ExamWorks UK Limited and all of its direct and indirect subsidiaries, excluding Kindertons Topco Limited and all of its direct and indirect subsidiaries. |
Information Assets | Are the material items of data or paperwork which are processed, stored, handled or communicated by the Group. |
Group Representative | The primary contact from the Group. Please refer to Appendix A for further information in relation to your Group Representative. |
Privacy Regulation | All data privacy and/or information security legislation that is applicable. This includes but is not limited to the UK GDPR, Data Protection Act 2018, The General Data Protection Regulation 2016, The Human Rights Act 1998, The Freedom of Information Act 2000, The Common Law Duty of Confidentiality, Privacy and Electronic Communications Regulation 2003. A full list of all applicable legislation can be found in the Legislation Register. |
3. Responsibility
Information security is every individual’s responsibility and you are legally obliged to protect personal data and intellectual property; for these reasons you have a responsibility to adhere to this policy and any other information security policies that are communicated to you.
It is essential that you read and understand this policy and all other information security policies communicated to you from time to time.
4. Incidents & Breaches
In the event that you encounter or are involved in any actual or potential incidents relating to Group information, please notify your Group Representative as soon as possible. You are expected to have procedures in place for the identification, investigation and escalation of any incidents. You may also be expected to provide a full written report of the investigation, including any steps you have taken to contain and manage the incident.
5. Computing Equipment
5.1 Equipment Security
You are responsible for the security of your equipment and must not allow it to be used by any unauthorized individuals. Guidance on this can be found at www.ncsc.gov.uk
5.2 Monitoring
Where you have been granted access, the use of EWUK systems (be that systems created by EWUK or those purchased by EWUK) is for EWUK business purposes only. Monitoring (where applicable) is only carried out to the extent permitted or as required by law and as necessary and justifiable for business purposes. The Group has control procedures in place in order to ensure this monitoring is not misused.
6. Electronic Communication
6.1 Email and General Consent
If you are required to correspond via email you must always be mindful that you are creating a permanent, irretrievable statement which could be used in legal proceedings in just the same way as a paper document.
You should take care with the content of email, as incorrect or improper statements can give rise to claims for discrimination, harassment, defamation, breach of confidentiality or breach of contract. You should assume that the email messages may be read by others and not include anything which would offend or embarrass any reader, or the recipient, if it found its way into the public domain.
You should not:
- Send abusive, obscene, discriminatory, racist, harassing, derogatory, defamatory, or otherwise inappropriate emails;
- Send or forward private emails which you would not want a third party to read;
- Send or forward chain mail, junk mail, cartoons, jokes or gossip;
- Unless you are authorised to do so, agree to terms, enter into contractual commitments or make representations by email;
- Share or use email, text, music and other content which is subject to copyright protection;
- Send or forward any work related Group information for the purposes of personal use.
6.2 Emails and Sensitive Personal Data
You are expected to ensure that you have appropriate security controls in place when transferring Group information of a sensitive nature. When processing involves Sensitive Personal Data, this should only be transferred via email if you have received authorisation from the Group to do so. If you receive an email from the Group that is not intended for you and contains Sensitive Personal Data then you should report the incident to your Group Representative, before taking any action.
6.3 Viruses and Emails from Unknown Sources
You should exercise caution when opening emails from unknown external sources or where, for any reason, an email appears suspicious. You should inform your Group Representative immediately if you suspect a virus.
Where applicable we reserve the right to block access to attachments to emails for the purpose of effective use of the system and for compliance with this policy. We also reserve the right not to transmit any email message.
7. Misuse
Personal misuse or inappropriate use is a breach of this policy and is not permitted. Misuse of the Group’s systems or Group data can, in certain circumstances, constitute a criminal offence.
Whilst working for the Group you are prohibited from creating, viewing, accessing, transmitting or downloading any of the following material. To do so will amount to a breach of this policy and may also result in the termination of your contract.
- Pornographic material (that is, writing, pictures, films and video clips of a sexually explicit or arousing nature);
- Offensive, obscene, or criminal material or material which is liable to cause embarrassment to us or to our clients;
- A false and defamatory statement about any person or organisation;
- Material which is discriminatory, offensive, derogatory or may cause embarrassment to others;
- Online gambling;
- Confidential information about the Group or any of our employees or clients (which you do not have authority to access);
- Any other statement which is likely to create any liability (whether criminal or civil, and whether for you or the Group); or
- Material in breach of copyright.
Where evidence of misuse is found our internal Compliance team may undertake a more detailed investigation. This may involve the examination and disclosure of monitoring records to those nominated to undertake the investigation and any witnesses or managers involved in the incident. If necessary, such information may be handed to the police in connection with a criminal investigation.
8. Software and Hardware
You should be cautious about the security and the validity of the software that you download onto your device, to ensure that the risks around the loss of Group data stored on your device are minimised.
You should ensure that your device and software are up to date with the latest security and Operating System patching, that strong antivirus software is installed, and that the hard drive is encrypted where possible.
If your computer will not support updates to the latest version of the Operating System, then it is considered “end of life” and is vulnerable to cyber attacks as vulnerabilities can no longer be fixed. You should strongly consider obtaining a computer that can support the latest versions. Failure to do so will be at your own risk and the Group will accept no liabilities where losses come as a result.
You should not delete, destroy or modify existing systems, programs, information or data which could have the effect of harming the Group or exposing it to risk.
The unauthorised installation of software on a Group network is strictly prohibited; this includes the illegal copying of software, music, films or other media. You should not download, attempt to download or install software from external sources. This includes but is not limited to:
- Software programs;
- Instant messaging programs;
- Screensavers and photos;
- Video clips;
- Music files.
9. Use of Portable Media
The use of portable media for the storage and transfer of Group information is strictly prohibited. Under no circumstances should any information be imported or exported unless authorised by a member of the Group.
If you are required to store and process data using portable media then this media device must be encrypted and kept secure during transfer. Once processing is complete you are required to delete all Group information from the device.
10. Protecting Information in Transit
Any transfer of equipment and/or information should only be undertaken in accordance with agreed Group procedures.
Ensure that data is sent in an encrypted format, i.e. password protected.
Under no circumstances should equipment containing Group data and/or information be left unattended in a public place or inside a vehicle.
11. Use of Mobile Devices
Access to Group information and systems is only permitted via Group approved channels and in line with the instructions you have received from the Group.
12. Password & Log-in IDs
You are responsible for the use of any login IDs given to you in order to access Group systems, or those used for your own systems. Any use or misuse of Group systems or services under your login ID will be attributable to you. Please do not share your login or password details with anyone. If anyone attempts to coerce you into providing your personal password, then you should report the matter to your Group Representative immediately.
It may be necessary to obtain your login and password details in order to resolve a major incident; where this is the case, only an Authorised Representative from the Group is permitted to obtain this information from you.
Please ensure you consider the following when creating and managing passwords as part of using Group systems, and your own personal systems, accounts, or devices:
Passwords should:
- Contain both upper and lower case characters (e.g., a-z, A-Z);
- Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=`{}[]:";'<>?,./);
- Be at least fifteen alphanumeric characters long and be a passphrase (e.g., Ohmy1stubbedmyt0e);
- Not be words in any language, slang, dialect, jargon, etc.;
- Not be based on personal information, names of family, etc.;
- Be changed if they are believed to be compromised;
- Be used together with Multi-Factor Authentication (MFA) where possible.
Passwords should never be written down or stored online. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be “This May Be One Way To Remember” and the password could be “TmB1w2R!” or “Tmb1W>r~” or some other variation.
13. Data Subject Requests
If you have received a Data Subject Request (Subject Access Request (SAR) or Right to Be Forgotten (RTBF) Request) in relation to any work you conduct for the Group, you are responsible for reporting that request to your Group Representative as soon as possible. You are also obliged to manage any requests you receive in line with your own internal data protection procedures.
14. Data Management
You should ensure that any Group data transmitted to you as part of your service is only processed in the manner required to fulfil that service.
You should ensure that any Group data transmitted to you as part of your service is securely disposed of as soon as you no longer require access to it. This includes any hard or soft copies made and any additional data generated during the course of your service.
You have an obligation to ensure the confidentiality and integrity of the Group data provided to you, and to act in accordance with all Privacy Regulations. In addition, you have a responsibility to manage the retention of data (both electronic and hard-copy data) in accordance with all Privacy Regulations. If you require any assistance with this, consult the ICO website and/or your Group Representative.