Policy Code: LHPOL0008
Date first issued: 26 May 2023
Date last updated: 15 February 2024
Version no: 2.0
Document owner: James Whitehouse
Date of next review: 26 May 2024

 

THIS IS AN UNCONTROLLED COPY. UNCONTROLLED COPIES ARE FOR REFERENCE ONLY AND NOT SUBJECT TO AUTOMATIC UPDATE WHEN A NEW VERSION IS RELEASED. CONTACT THE COMPLIANCE MANAGER FOR UPDATES.

 

Information Security and Acceptable Use

 

  1. PURPOSE

The purpose of this policy is to protect the Company, its workers, research participants, clients, leads and prospective clients from all information security threats, whether internal or external, deliberate or accidental. The Company is critically dependent on information and information systems. If our or our clients’ information were disclosed to inappropriate persons, the Company could suffer serious losses or go out of business. The good reputation that the Company enjoys is also directly linked with the way that it manages both information and information systems.

 

Information security is characterised as the preservation of:

  • Confidentiality – ensuring that information is accessible only to those authorised to have access
  • Integrity – safeguarding the accuracy and completeness of information
  • Availability – ensuring that authorised users have access to information when required

 

  2. SCOPE

All Company Workers must comply with the information security measures found in this policy and any related information security documents.

 

All workers, associates, research participants and third-party users should be made aware of this policy, their responsibilities and liabilities, and any information security threats or concerns.

All information owned or otherwise processed by the Company, at all stages of the information lifecycle (creation, use, storage and disposal), is in scope of this policy.

 

This policy and supporting procedures encompass all the Company’s system components, including those that are owned, operated, maintained, and controlled by the Company and all other system components, both internally and externally, that interact with these systems, and all other relevant systems.

 

  3. DEFINITIONS & ABBREVIATIONS

Company – Lightning Health

Workers – Means the individuals to whom this policy applies, including the Company’s employees, contractors, workers, associates, research participants and professional advisors

 

  4. RESPONSIBILITIES

All Workers:

  • Only use information and information systems that you have authorisation to use
  • Follow all relevant instructions, procedures, guidelines and codes of practice
  • Report any real or suspected breaches of information security to your line manager
  • Do not use, or attempt to use, any information or information system for illegal or inappropriate purposes

IT Lead – James Whitehouse:

  • Responsibilities include providing overall direction, guidance, leadership and support for the entire information systems environment, while also assisting other applicable personnel in their day-to-day operations

 

  5. POLICY

Acceptable Use

This Information Security & Acceptable Use Policy covers the information security and use of all Company IT equipment. It also includes the use of email, internet, platforms, applications, networks, systems, databases and mobile IT equipment. This policy applies to all Company Workers. This policy applies to all information, in whatever form, relating to the Company’s business activities and to all information handled by Workers relating to our clients, prospective clients, research participants, and leads.

 

Access Control and Security

Access to information in the possession of, or under the control of, the Company must be provided on a need-to-know basis. Information must be disclosed only to people who have a legitimate business need for it. To implement the need-to-know principle, the Company will adopt an access request, owner approval and review process.

 

When a Worker’s role changes, including termination, transfer, promotion and leave of absence, the Worker’s line manager must immediately notify our IT Lead.

 

Access to all IT systems is controlled by user logins, passwords and/or two-factor authentication tools where supported. All logins and passwords are to be uniquely assigned to named individuals and consequently, individuals are accountable for all actions on all Company systems.

 

Use of strong passwords

It is important to create unique passwords or passphrases, never using information relating to your favourite sports team, home address, middle name, pet, or family names, etc. Where supported, passwords on all Company systems, applications, websites and IT logins must be at least 12 characters long and comply with the advice below.

 

Workers can create passwords that are difficult for unauthorised parties to guess or crack if they:

  • Combine three random words together to create a passphrase
  • Transform words according to a specific method, such as making every other letter a number reflecting its position in the word
  • Combine punctuation or numbers within words
  • Create acronyms from words in a song, poem or another known sequence
  • Deliberately misspell words
  • Use no fewer than 12 characters

 

You must change your password if you have reused the same or a similar password across multiple logins, systems, websites or applications.
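The password rules in this section (a 12-character minimum, no personal information such as a pet, team or street name, and no reuse of the same or a similar password) can be checked mechanically at the point where a password is set. The checker below is an added illustration and not a Company tool or part of this policy; the substitution table, the 0.8 similarity cut-off and the sample personal terms are assumptions made for the example.

```python
from difflib import SequenceMatcher

MIN_LENGTH = 12             # minimum length required by the policy
SIMILARITY_THRESHOLD = 0.8  # assumed cut-off above which two passwords count as "similar"

# Common digit/symbol substitutions people use to disguise a word ("p4ssw0rd").
# They are undone before the personal-information check so that a pet called
# Rover is still caught in "R0v3r2024!!".  Assumed table, not from the policy.
_SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def normalise(text):
    """Lower-case the text and undo the substitutions above."""
    return text.lower().translate(_SUBSTITUTIONS)


def personal_terms_found(password, personal_terms):
    """Return the personal terms (pet, team, address ...) that appear in the password."""
    norm = normalise(password)
    return [t for t in personal_terms if len(t) >= 3 and normalise(t) in norm]


def resembles_previous(password, previous_passwords, threshold=SIMILARITY_THRESHOLD):
    """True if the password is the same as, or a small edit of, one used before."""
    norm = normalise(password)
    return any(
        SequenceMatcher(None, norm, normalise(old)).ratio() >= threshold
        for old in previous_passwords
    )


def check_password(password, personal_terms=(), previous_passwords=()):
    """Apply the policy rules; return a list of problems (an empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} characters, minimum is {MIN_LENGTH}")
    for term in personal_terms_found(password, personal_terms):
        problems.append(f"contains personal information: {term}")
    if resembles_previous(password, previous_passwords):
        problems.append("same as or similar to a previously used password")
    return problems


if __name__ == "__main__":
    # Constructed sample: a worker whose pet is Rover and who supports Arsenal,
    # with one previous password on record.
    personal = ["Rover", "Arsenal", "Acacia Avenue"]
    previous = ["three random words!"]
    for candidate in ["R0v3r2024!!", "@rs3n@l-season",
                      "three random words", "correct horse battery staple"]:
        print(f"{candidate!r} -> {check_password(candidate, personal, previous)}")
```

The personal-term list would in practice come from whatever the worker supplied to HR or the directory (name, pet, team), and the previous-password comparison should be run against the stored history at change time, never by keeping old passwords in clear text in a script.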

 

Workers must not:

  • Allow anyone else to use their user login and password on any IT system
  • Allow anybody else, including members of their household, to use Company issued devices
  • Leave their user accounts logged in at an unattended and unlocked computer
  • Use someone else’s login and password to access any IT system
  • Leave their password unprotected (for example writing it down)
  • Perform any unauthorised changes to the Company’s IT systems or information
  • Attempt to access data that they are not authorised to use or access
  • Exceed the limits of their authorisation or specific business need to interrogate the system or data
  • Connect any non-authorised device to the Company’s network or IT systems (for example personal laptop or computer)
  • Access or store Company data on any non-authorised equipment or personal owned equipment or devices
  • Share or transfer Company data or software to any person or organisation outside of the Company without authority

 

For Contractors, the use of company data on devices outside of company ownership is only permitted once the supplier assurance onboarding process is completed in full. Finance will provide notice once all assurance checks are complete.

 

Finance will conduct regular risk reviews. In the event that any identified risks change, or new risks are identified, the appropriate mitigations will be applied in line with Supplier Assurance – LHSOP0009.

 

Anti-Virus and Malware

The Company is implementing centralised, automated virus detection and virus software updates. All computers have antivirus software installed to detect and remove any virus automatically.

 

Workers must not:

  • Remove or disable anti-virus software
  • Attempt to remove virus-infected files or clean up an infection. Should an infection be suspected, it should be reported to the IT lead immediately, who will resolve the matter

Permitted Apps and Online Portals for Accessing Company Data

The Company uses a number of applications and online portals to store and process our data. Using Company equipment only, you are authorised to download and access only the permitted apps and online portals. No other software should be downloaded unless prior approval is obtained from the IT Lead. The list of permitted Apps and Online Portals for Accessing Company Data can be found on Bolt.

Internet and Email

Use of Company internet and email is intended for business use. Personal use is permitted where such use does not affect the individual’s business performance, is not detrimental to the Company in any way, not in breach of any term and condition of employment and does not place the individual or Company in breach of statutory or other legal obligations. All individuals are accountable for their actions on the internet and email systems. The Company may monitor all internet use by everyone using the Company’s systems. You are expressly forbidden from accessing web pages or files downloaded from the internet that could in any way be regarded as illegal, offensive, in bad taste or immoral.

 

Internet access is monitored to ensure that Workers continue to be in compliance with security policies.

 

Phishing

To avoid phishing or scam emails, you must take additional care when opening e-mails from unknown external sources. Be diligent when in receipt of emails claiming to be from Workers by checking the sender address is a valid email address for the sender. Any email which is unexpected, creates a sense of urgency, has an unusual greeting, poor spelling or grammar, requires you to open an attachment, click on a link or enter credentials should be viewed with suspicion. Do not click on attachments or links that look suspicious. Any warnings from the anti-virus programme must be reported to your line manager or IT lead immediately. All information received from the Internet should be considered to be suspect until confirmed by reliable sources. If you feel that an email you have received is suspicious please report it to: James Whitehouse and Andrew Satherley straight away.

 

E-mails can be the subject of legal action (for example, claims of defamation, breach of confidentiality or breach of contract) against both the person who sent them and the Company, and can also be disclosed to an individual mentioned in them in response to that individual’s right of access request. As e-mail messages may be disclosed to any person mentioned in them, you must always ensure that the content of the e-mail is appropriate.

 

Every Company Worker who uses computers in the course of their duties will be granted an Internet electronic mail address and related privileges. All business communications sent by electronic mail must be sent and received using their Company electronic mail address. E-mails should be written in accordance with the standards of any other form of written communication and the content and language used in the message must be consistent with best practice. Messages should be concise and directed to relevant individuals on a need-to-know basis.

 

When transmitting messages to groups of people outside of the Company, you must always use either the blind carbon copy (Bcc) facility or the distribution list facility. This does not apply to messages being sent to multiple contacts at the same company, providing the messages are related to ongoing work or existing communications.

 

When transmitting marketing messages Workers must ensure that they have screened the recipients through the Company’s opt out lists prior to sending.

 

Workers must not:

  • Use the internet or email for the purposes of harassment or abuse
  • Use profanity, obscenities, or derogatory remarks in communications
  • Access, download, send or receive any data (including images), which the Company considers offensive in any way, including sexually explicit, discriminatory, defamatory, or libellous material
  • Use the internet or email to make personal gains or conduct a personal business
  • Use the internet or email to gamble
  • Use the email system in a way that could affect its reliability or effectiveness, for example distributing chain letters or spam
  • Place any information on the internet that relates to the Company, alter any information about it, or express any opinion about the Company, unless they are specifically authorised to do this. (Please see the Company Handbook for our policy regarding use of Social Networking Sites and Blogs)
  • Send unprotected sensitive or confidential information externally. (Please see email encryption section of this document)
  • Forward company mail to a personal email account
  • Issue false or defamatory statements about any person or organisation via the Company’s electronic systems
  • Undertake unauthorised sharing of confidential information about the Company or any person or organisation connected to the Company
  • Undertake unauthorised disclosure of personal data
  • Download copyrighted/licensed material such as music media (MP3) files, film, images and video files (not an exhaustive list) without appropriate approval
  • In any way infringe any copyright, database rights, trademarks, or other intellectual property
  • Download or run any games or software from the internet without prior approval of the company

Any evidence of misuse may result in disciplinary action in line with the Company Handbook. If necessary, information gathered in connection with any investigation may be handed to the police.

Actions upon Worker leaving the Company

All Company equipment and data, for example laptops and mobile devices including telephones, smartphones and USB memory devices must be returned to the Company upon leaving the Company. Workers will not be allowed to have any e-mails forwarded to them once they have left.

 

All Company data or intellectual property developed or gained during the period of contractual engagement remains the property of the Company and must not be retained beyond departure or reused for any other purpose.

Email Encryption

Email encryption is encryption of email messages to protect the content from being read by anyone other than the intended recipients. Email encryption may also include authentication.

 

Internal email between company workers is secure (encrypted). Office 365 always encrypts connections to other Office 365 accounts. When you send mail to a recipient that is within Lightning Health, i.e., @lightning.health to @lightning.health, that email is automatically sent over a connection that is encrypted. Also, all email that you send externally to other Office 365 customers is sent over connections that are encrypted. Office 365 encryption is opportunistic and will always attempt to send the email using the highest level of security that is supported by the recipient.

 

The majority of our clients and prospective clients, research participants and contractors are likely to be using operating systems that can support this encryption.

 

Monitoring and Filtering

All data that is created, stored and transmitted on Company computers, email & internet, websites, systems, applications, networks, platforms and databases is the property of the Company, and Workers should have no expectation of data privacy. However, wherever possible, the Company will avoid opening personal emails.

 

IT systems activity is continuously logged and monitored, and investigations will be commenced where reasonable suspicion of a breach of security or policy exists. The Company has the right to monitor activity on its systems, including internet and email use, to ensure systems security, effective system operation and to protect against misuse. Any monitoring will be carried out in accordance with controlled internal processes and in compliance with the following legislation:

  • The Data Protection Act 2018
  • The Regulation of Investigatory Powers Act 2000
  • The Telecommunications (Lawful Business Practice Interception of Communications) Regulations 2000
  • GDPR & UK GDPR
  • Computer Misuse Act 1990

 

It is your responsibility to report suspected breaches of security policy without delay to the IT Lead and enquiries@lightning.health.

 

All breaches of information security policies will be investigated. Where investigations reveal misconduct, disciplinary action may follow in line with the Disciplinary procedures set out in the Company Handbook.

 

  6. RELATED DOCUMENTS

Company Handbook – Accessible via HR software platform
Apps and Online Portals for Accessing Company Data – Accessible via Bolt
SOP – Supplier Assurance (LHSOP0009)

 

  7. REFERENCES

 

  8. APPENDICES

 

  9. DOCUMENT HISTORY

Version: 2.0
Effective date (superseded versions): 15 February 2024
Summary of changes:

  • Exception regarding Contractors’ use of company data on devices outside of company ownership added
  • Encryption section added