IT Security Policy - Smith Institute

Responsibilities

Responsibility for secure configuration and maintenance of IT equipment and services is assigned to a dedicated team. All staff are required and trained to be vigilant in their use of equipment and services.

Cyber Essentials

As a baseline, Institute equipment and processes conform to the requirements of Cyber Essentials, a Government-backed, industry-supported scheme to help organisations protect themselves against common online threats. The Institute is certified to Cyber Essentials PLUS which requires cyber security verification by an accredited expert. Our Cyber Essentials and Cyber Essentials Plus certifications are through URM Consulting Services.

Device firewalls

Devices are firewall protected. Only services required to fulfil business needs are allowed through firewalls. All firewalls are set to block external access to any services that do not have an approved, documented business case.

Device and cloud encryption

Devices used for data storage are configured to protect data through encryption. Cloud data services used by the Institute encrypt data held on their servers.

Data access and transmission

Access to and transmission of data is protected through encryption.

Device passwords

The Institute operates a strict passwords policy for access to devices.

Approved software

Only properly licensed software that is currently required is installed on Institute devices. Installed software is maintained at the latest available version.

Device user accounts

Staff access their devices through secure accounts which do not have administrative access.

Auto-run on laptops

Auto-run is disabled on laptops.

Device updates

Device operating systems, drivers and firmware are kept up to date.

Threat protection

Devices are protected using endpoint security from a leading cyber security company. Protection is configured with daily scanning, real-time scanning and web filtering.

The Institute uses a productivity suite configured with advanced threat protection. This actively protects data held in the cloud, including both incoming and outgoing email, from malicious activity.