1. Statement of Intent
SCC prides itself on being a leader in the IT services industry. As part of this, we recognise that we have a responsibility to protect all of the data we hold or process, whether it belongs to SCC, our employees, partners, customers, or suppliers. By protecting this data we can ensure that we maintain our reputation as a trusted employer and partner, enabling us to grow as a business and deliver exceptional service to our customers.
To demonstrate our commitment to information security, SCC implement industry best practice security controls and assure the effectiveness of our controls through certification to ISO 27001, the global standard for managing information security.
It is the responsibility of all our staff, regardless of grade, to become familiar with our security management processes and to comply with all information security and privacy policies and the procedures that underpin them.
In turn, we commit to ensure that our security management systems and processes are efficient, effective and continuously improving to protect our data assets while avoiding the reputational, legal and financial harm that would result from a data breach.
The Executive Board fully support the information security management system and require all our staff, whether permanent or temporary, partner organisations, suppliers and contractors to do the same.
2. Purpose and Scope
Further Information Security and Privacy policies, standards and procedures shall be in place to ensure the principles within this document are met.
All members of SCC are responsible for the delivery of information security:
- The Executive Board ensure adequate and appropriate resources are in place to fulfil this policy statement.
- Directors and senior leaders within SCC are responsible for supporting and ensuring adherence to policies and standards within their functional areas.
- Managers and team leads are responsible for day-to-day management and implementation of security policies within their business areas and for ensuring compliance by their staff.
- All employees, suppliers and our partners are responsible for understanding and adhering to the principles of this policy and the details defined in SCC policies and standards.
4. Information Security Principles
SCC is committed to a number of security principles that apply to all areas and employees of SCC regardless of role or geographical location:
- Protect SCC systems, buildings and information against unauthorised access.
- Protect the confidentiality, integrity and availability of the information it collects, stores, transfers and processes in accordance with legislation, regulation, contractual requirements, and industry best practice.
- Ensure policy requirements are communicated and understood by providing training and awareness to all employees.
- Apply SCC security standards to its supply chain and delivery partners.
- Ensure all actual or suspected breaches of information security are reported, assessed and investigated where necessary.
- Ensure security risks are identified and managed through the appropriate channel.
- Assess and measure the maturity of information security controls and deliver on continuous improvement measures.
5. Information Privacy Principles
SCC is also committed to protecting personally identifiable information and ensuring compliance with the European General Data Protection Regulation:
- Collecting only the personal information it needs and explaining why it needs it.
- Sharing personal information within SCC or with other approved organisations only where there is a lawful reason for doing so and where the person concerned has given their consent.
- Allowing people to request access to the personal information SCC holds on them, the right to have this information corrected if necessary and the right to object if they believe their information has been mishandled.
- Keeping personal information only as long as is necessary.
- Taking appropriate measures to protect the rights and freedoms of individuals whose personal information may be transferred to countries with differing data protection laws.
- Ensuring that actual or suspected breaches of these principles are reported and investigated appropriately.
- Applying these standards to SCC's supply chain and delivery partners.
- Reviewing this policy annually to reflect new legal and regulatory developments and ensure we meet best practice.
Maintaining the Confidentiality, Availability and Integrity of both our own and our customers' information is a requirement on all of us, from the most junior employee in the most distant part of our business to the senior executives at its head.
We will treat the information entrusted to us by our customers respectfully and professionally, taking account of the Confidentiality, Integrity and Availability of the information as if it were our own. We will ensure that any information we process is processed legally and for legitimate business reasons.