dotdigital Information Security
Policy – June 2021
AIM & PURPOSE |
|
We have defined our commitment to protecting information with our Integrated Management System (IMS); which ensures confidentiality, integrity, and availability of internal, customer and supplier information, and the appropriate handling of all Personally Identifiable Information (PII). The IMS has been designed to address the legal requirements identified and listed in our Legislation Reregister. |
|
Our IMS effectiveness is achieved through understanding the risks and opportunities that may impact information within our business, and by using a number of controls including policies, processes, procedures, software, and hardware functions, and by managing these in ways that stakeholders would expect, and that continue to drive future benefit to our business. |
|
These controls are continually monitored, reviewed, and improved to ensure that specific security, privacy, and business objectives are met. This is operated in conjunction with other business management processes and incorporates the applicable statutory and contractual requirements. |
|
Objectives have been defined primarily through the SWOT and PESTLE, although some may come from the Information Security risk assessment, Privacy Impact Assessments (PIAs) and the Management Review; they are designed to drive the management system forward and bring about continual improvement. Objectives will be focused on improving Information Security controls. |
|
Information Security is controlled through the preservation of: |
| CONFIDENTIALITY: | ensuring that information is accessible only to those authorized to have access; |  |
| INTEGRITY: | safeguarding the accuracy and completeness of information and processing methods; | |
| AVAILABILITY: | ensuring that authorized users have access to information and associated assets. |
|
Additionally, the protection of PII is controlled through the adherence to Data Protection principles as defined in applicable legislation. We operate a programme of Information Security and Data Protection awareness and compliance through company inductions, training, and internal audits. |
|
All our employees are empowered to identify any potential weaknesses and/or events which could be information security or privacy incidents (including actual or suspected data breaches) and report through the appropriate management channels. |
| A robust system is in place to continually improve the security controls by: |
|
|
The overall intent of our management system is to give customers and all other interested parties confidence in our ability to protect all information held and processed by our business. |
