Information Access Policy

This policy only applies to KS Staff and third parties who access to KS Systems.

Scope

The Information Security Policy and its supporting controls, processes and procedures apply to all information used at KS, in all formats. This includes information processed by other organisations in their dealings with KS.

The Information Security Policy and its supporting controls, processes and procedures apply to all individuals who have access to KS information and technologies, including third parties that provide information processing services to KS.

Compliance

Compliance with the controls in this policy will be monitored by the InfoSec team.

Review

A review of this policy will by the undertaken by the InfoSec team.

Policy Statement

It is KS’s policy to ensure that information is protected from loss of:

  • Confidentiality – information will be accessible only to authorised individuals
  • Integrity – the accuracy and completeness of information will be maintained
  • Availability – the information will be accessible to authorised users and processes when required.

1 – Information Security Policies

A set of lower level controls, processes and procedures for information security will be defined, in support of the high-level Information Security Policy and its stated objectives. This will include identification and allocation of security responsibilities, to initiate and control the implementation and operation of information security within KS.

2 – Access Controls

Access to all information will be controlled and will be driven by business requirements. Access will be granted or arrangements made for users according to their role and the classification of information, only to a level that will allow them to carry out their duties.

3 – Cryptography

KS will provide guidance and tools to ensure proper effective use of cryptography to protect the confidentiality, authenticity and integrity of information and systems.

4 – Operations Security

KS will ensure the correct and secure operations of information processing systems. This will include:

  • Documented operating procedures
  • The use of formal change and capacity management
  • Controls against malware
  • Defined use of logging
  • Vulnerability management

5 – Communications Security

KS will maintain network security controls to ensure the protection of information within its networks, and provide the tools and guidance to ensure the secure transfer of information both within its networks and with external entities, in line with the classification and handling requirements associated with that information.

6 – Information Security Aspects of Business Continuity Management

KS will have in place arrangements to protect critical business process from the effects of major failure of information systems or disasters and to ensure their timely recovery in line with documented business needs.

This will include appropriate backup and built-in resilience.

Business impact analysis will be undertaken of the consequences of disasters, security failures, loss of service and lack of service availability