Responsibilities
Responsibility for secure configuration and maintenance of IT equipment and services is assigned to a dedicated team. All staff are required and trained to be vigilant in their use of equipment and services.
Cyber Essentials
As a baseline, Institute equipment and processes conform to the requirements of Cyber Essentials, a Government-backed, industry-supported scheme to help organisations protect themselves against common online threats. The Institute is certified to Cyber Essentials Plus, which requires cyber security verification by an accredited expert. Our Cyber Essentials and Cyber Essentials Plus certifications are through URM Consulting Services.
Device firewalls
Devices are firewall protected. Only services required to fulfil business needs are allowed through firewalls. All firewalls are set to block external access to any services that do not have an approved, documented business case.
Device and cloud encryption
Devices used for data storage are configured to protect data through encryption. Cloud data services used by the Institute encrypt data held on their servers.
Data access and transmission
Access to and transmission of data are protected through encryption.
Device passwords
The Institute operates a strict password policy for access to devices.
Approved software
Only properly licensed software that is currently required is installed on Institute devices. Installed software is maintained at the latest available version.
Device user accounts
Staff access their devices through secure accounts which do not have administrative access.
Auto-run on laptops
Auto-run is disabled on laptops.
Device updates
Device operating systems, drivers and firmware are kept up to date.
Threat protection
Devices are protected using endpoint security from a leading cyber security company. Protection is configured with daily scanning, real-time scanning and web filtering.
The Institute uses a productivity suite configured with advanced threat protection. This actively protects data held in the cloud, including both incoming and outgoing email, from malicious activity.