
Cyber Security Policy


Policy statement

CTSW Skills Ltd's cyber security policy sets out the guidelines and provisions for preserving the security of company data and the technology infrastructure.

The more the company relies on technology to collect, store and manage information, the greater the vulnerability to severe security breaches. Human error, hacker attacks and system malfunctions could cause great financial damage and may jeopardise the company’s reputation.

For this reason, CTSW Skills Ltd has implemented several security measures and prepared instructions that help mitigate security risks. Both are set out in this policy.

Scope

This policy applies to CTSW Skills Ltd employees, contractors, associate assessors and anyone who has permanent or temporary access to company systems and hardware.

Policy elements

Confidential data

Confidential data is secret and valuable. Common examples are:

  • Unpublished financial information

  • Data of customers/partners/vendors

  • Patents, formulas or new technologies

  • Customer lists (existing and prospective)

All employees are obliged to protect this data. This policy will give employees instructions on how to avoid security breaches.

Protect personal and company devices

When employees use their own digital devices to access company email or accounts, they introduce security risk to company data. Employees must keep both their personal and company-issued computers, tablets and mobile phones secure. The following directions must be adhered to:

  • Keep all devices password protected

  • Ensure that antivirus software has been installed by the external IT provider

  • Ensure devices are not left exposed or unattended

  • Ensure that security updates for browsers and operating systems are installed by the external IT provider as they become available

  • Log into company accounts and systems through secure and private networks only

Employees should not access internal systems and accounts from other people’s devices and should not lend their own devices to others.

If an employee has concerns about any aspect of security, or thinks that their IT equipment or accounts have been misused, they must report that concern to the company information manager, or directly to the external IT provider if the information manager is not available.

Keep emails safe

Emails often carry scams and malicious software. To avoid malware infection or data theft, employees should:

  • Avoid opening attachments and clicking on links when the content is not adequately explained (e.g., “watch this video, it’s amazing.”)

  • Be suspicious of clickbait titles (e.g., offering prizes, advice.)

  • Check the sender's email address and display name, not just the name, to ensure the message is from who it claims to be

  • Look for inconsistencies or giveaways (e.g., grammar mistakes, capital letters, excessive number of exclamation marks.)

If an employee is not sure that an email they have received is safe, they should refer to the company information manager or direct to the external IT provider if the information manager is not available.

Manage passwords properly

Password leaks are dangerous since they can compromise the IT infrastructure. For this reason, we advise our employees to:

  • Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g., birthdays.)

  • Remember passwords instead of writing them down. If employees need to write their passwords, they are obliged to keep the paper or digital document confidential and destroy it when their work is done

  • Exchange credentials only when necessary. When exchanging them in person is not possible, employees should use the telephone instead of email, and then only if they personally recognise the person they are talking to

  • Change their passwords every three months

Transfer data securely

Transferring data introduces security risk. Employees must:

  • Avoid transferring sensitive data (e.g., customer information, employee records) to other devices or accounts unless necessary. When mass transfer of such data is needed employees should ask the information manager for help, or the external IT provider if the information manager is not available

  • Share confidential data over the company network/system only, not over public Wi-Fi or a personal connection

  • Ensure that the recipients of the data are properly authorised people or organisations, and that they have adequate security policies

Report scams, privacy breaches and hacking attempts

The company information manager needs to know about scams, breaches and malware so they can report them to the external IT provider who will then work with the company to better protect the IT infrastructure. For this reason, employees must report perceived attacks, suspicious emails or phishing attempts as soon as possible. Only then can issues be investigated and resolved, and IT alerts sent out to users.

Additional measures

To reduce the likelihood of security breaches, employees should:

  • Turn off their screens and lock their devices when leaving their desks

  • Report stolen or damaged equipment as soon as possible to their Line Manager

  • Change all account passwords immediately when a device is lost or stolen

  • Report a perceived threat or possible security weakness in company systems to the company information manager

  • Refrain from downloading suspicious, unauthorised or illegal software on their company equipment

  • Avoid accessing suspicious websites

Employees must also comply with the Social Media and Internet usage policy.

The company information manager in consultation with the external IT provider will:

  • Install firewalls, anti-malware software and access authentication systems

  • Arrange for security training to all employees

  • Inform employees regularly about new scam emails or viruses and ways to combat them

  • Investigate security breaches thoroughly

  • Follow this policy's provisions as all other employees do

Remote employees

Remote employees must adhere to this policy in the same way as when working from a company office. Company IT equipment used to work from home, or otherwise remotely, must be set up to operate in the same way as all other company IT equipment.

The company information manager will ensure that IT equipment, and the means used to connect into company servers to access company information, is as secure as accessing the same information from a company office. This will be done in consultation with the external IT provider for all cases of remote working and portable IT equipment.

Disciplinary Action

Employees must adhere to this policy. Those who cause security breaches may face disciplinary action:

  • First-time, unintentional, small-scale security breach: Issued with a verbal warning and given advice and guidance on security.

  • Intentional, repeated or large-scale breaches (which cause severe financial or other damage): More severe disciplinary action up to and including termination of employment based on findings of an investigation. 

Additionally, employees who are observed to disregard security instructions will face progressive discipline, even if their behaviour has not resulted in a security breach.