Information Security
Purpose
The protection of our information is of primary importance to our organisation. Maintaining the confidentiality, integrity, and availability (CIA) of the information we use ensures that the operations we perform, and the services we provide, continue to meet our business objectives, comply with regulatory and legal requirements, and fulfil the requirements of our stakeholders. It also ensures that any personal data we process about our employees and customers is kept secure, minimising any potential risks or harm that may be caused by a breach of that data. Management is committed to the security of our information, and has developed and approved this information security policy in line with the requirements of the international standard for information security (such as SOC2 Type 2 or ISO 27001), and our organisation's business requirements. This document sets out the approved information security policy so that it can be clearly communicated to all employees, contractors, and other relevant third-parties.
Scope
This policy shall apply to all the business processes and information processing activities that fall within the scope of our organisation's Information Security Management System (ISMS). For simplicity, we consider all work-related activities of employees, contractors, or other relevant third-parties to be within the scope of this policy document unless explicitly excluded.
Audience
All employees, contractors, and other relevant third-parties shall adhere to this Information Security Policy while performing work-related activities as part of their day-to-day duties. For the purposes of this document, policy instructions directed at employees shall also apply to contractors, and other relevant third-parties, and shall be collectively referred to as "users". Where discussing the classification and handling of information, users with overall responsibility for the data shall be referred to as the "data owner".
Communication
This Information Security Policy shall be communicated to all employees and agency staff as part of our employee induction programme, and periodically following any changes to the policy. All contractors and other relevant third-parties shall be provided with a copy of this policy document as part of the process for contracting services, and shall be re-issued with updated versions periodically following any changes to the policy.
Disciplinary Process
Where an employee, contractor, or other relevant third-party performs an activity or activities in breach of this Information Security Policy, they shall be subject to the disciplinary process documented in the Company Manual/HR Manual or the applicable service contract.
Improvement
Management is committed to the continual improvement of our Information Security Policy, and shall review this document on an annual basis, or whenever an independent review of our organisation's ISMS reveals a non-conformance or opportunity for improvement. The Management Review shall determine if this policy continues to meet the requirements of our organisation. Management also endeavours to plan our business operations so that our information and information assets are not misused, either intentionally or unintentionally. This is done by identifying and assigning separate duties throughout our critical business activities to guard against misuses such as fraud, or errors in data processing activities, etc. Where a user identifies potential conflicts or misuse of information or information assets due to improper planning and assignment of duties, users should raise their concern immediately with their line manager, or the ISMS Manager.
1. Classification & Handling of Information
To ensure that the information we process is handled appropriately and securely, it is important that all users know how to identify the sensitivity of the data, and follow our requirements for how to handle that data. This section sets out how our organisation classifies information, and how users should handle that information.
Data Classifications
All data shared with customers should be converted to PDF before sending unless it is a collaborative document, in which case it should be labelled "draft" or "work in progress". In addition to the table below, users shall review and adhere to the data handling principles set out in the supporting document, Data Handling & Retention Guidelines. This will ensure that even unclassified data is properly handled and protected.
| Confidentiality Level | Description | Typical Examples | Labelling | Legal/Regulatory Considerations | Handling | Availability/Disposal |
|---|---|---|---|---|---|---|
| Public | Information that is or can be made publicly available. | Publishing and marketing materials, website content, published financial statements, social media communication and content, advertised job titles and roles, product catalogues and brochures, public policies on the Intranet, user manuals | No labelling required. We are a remote-first company and the only public data printed on physical media is marketing material that can be publicly shared. Material that can be shared publicly (video and content) is placed on the Intranet and marked adequately. Other information that can be shared can be found in the Evercam Trust Centre. | Internal content regulations (Company Manual) | No restriction on copying, printing and distribution. | No requirement for source destruction; no data retention requirements on published data; retain a redundant copy of published data for reference purposes when required. |
| Internal | Information that is intended for internal business use only. Unauthorised disclosure of internal information may pose some risk of reputational damage to our organisation. | Meeting agendas and minutes, contracts, operational documentation, internal policies and procedures, training material, employee training records, internal email communication, Intranet content, contact directories, purchasing data (payment authorisations, invoices) | Due to the volume of internal data generated, labelling is not required. All unlabelled data shall be considered internal unless specifically labelled "Confidential" or "Highly Confidential". | GDPR; contractual obligations; ePrivacy Regulations 2011; data protection and privacy laws in the UK, USA, Australia, Singapore | Access rights restricted when necessary; shall only be printed/copied where absolutely necessary; shall only be emailed externally with prior approval of the data owner or where it is part of an approved business process; shall only be saved to and stored on approved business systems, devices and removable media; physical media and paper records shall be transferred in accordance with the Data Transfer Policy set out in this Information Security Policy. | Digital records shall not be moved or deleted without prior approval from the data owner; physical media and paper shall not be relocated or destroyed without prior approval from the data owner; when no longer required, printed records shall be shredded using the secure shredding facilities; devices and removable media containing internal data shall be returned to IT or a line manager for secure disposal. |
| Confidential | Information that is intended for internal business use only. Unauthorised disclosure of confidential information may pose moderate risk of reputational damage and/or financial costs such as fines or penalties. | Customer personal data, e.g. customer records, analytics that contain extensive PII, etc.; employee personal data, e.g. HR records, disciplinary records, quarterly reviews, etc.; unpublished financial records and reports; procurement/tender process documentation; source code; proprietary company data | Documents of this nature created by Evercam should be labelled "Confidential" or "Do-Not-Share" in the footer of the document and in the file name. Any documents received from customers and labelled "Confidential" should be treated as such. For digital records, data owners shall save confidential data only to the organisation's drives and/or folders specifically designated for confidential data. Access rights shall be approved by the owner as required. Employee HR records are stored in secure folders with access restrictions in place. | GDPR; Data Protection Act 2018; contractual obligations; data protection and privacy laws in the UK, USA, Australia, Singapore | Access restricted and approved only by the data owner; shall not be printed/copied unless approved by the data owner; shall not be printed to printers located in unsecured areas or general working areas; shall only be shared with authorised third parties with a non-disclosure and confidentiality agreement in place; shall only be emailed internally or externally with approval of the data owner or where it is part of an approved business process; digital records shall only be shared externally using an approved encrypted transfer method in line with our Data Transfer Policy; shall only be saved to and stored on approved business systems; shall only be saved to and stored on approved and encrypted devices and removable media; physical media and paper records shall be transferred in accordance with our Data Transfer Policy. | Digital records shall not be moved or deleted without prior approval from the data owner; physical media and paper shall not be relocated or destroyed without prior approval from the data owner; when no longer required, printed records shall be shredded using the secure shredding facilities; encrypted devices and removable media containing confidential data shall be returned to IT or a line manager for secure disposal. |
| Highly Confidential | Information that is intended for internal business use only. Unauthorised disclosure of highly confidential information may pose significant risk to the organisation and users, resulting in data breach, reputational damage and/or significant financial costs. | Special categories of personal data, e.g. medical records, genetic and biometric data, trade union membership, ethnic origin, religious beliefs; financial data, e.g. credit and debit card information; passwords, PIN codes, security tokens; corporate negotiations, funding information | Documents of this nature created by Evercam should be labelled "Highly Confidential" in the footer of the document and in the file name. Any documents received from customers and labelled "Highly Confidential" should be treated as such. For digital records, data owners shall save confidential data only to the organisation's drives and/or folders specifically designated for confidential data. Access rights shall be approved by the owner as required. | GDPR; Data Protection Act 2018; contractual obligations; data protection and privacy laws in the UK, USA, Australia, Singapore; Copyright and Related Rights Act 2000 | Access restricted and approved only by the data owner; access is strictly monitored; shall not be printed/copied unless approved by the data owner; shall not be printed to printers located in unsecured areas or general working areas; must be collected immediately at the approved printer or be released for printing by PIN, ID and/or password authentication at the printer; shall only be shared with authorised third parties with a non-disclosure and confidentiality agreement in place; shall not be emailed other than in situations where a one-time password and/or PIN is required; digital records shall only be shared externally using an approved encrypted transfer method in line with our Data Transfer Policy; shall only be saved to and stored on approved business systems; shall only be saved to and stored on approved and encrypted devices and removable media; physical media and paper records shall be transferred in accordance with our Data Transfer Policy. | Digital records shall not be moved, changed or deleted without prior approval from the data owner; physical media and paper shall not be relocated, marked or destroyed without prior approval from the data owner; when no longer required, printed records shall be shredded using the secure shredding facilities; encrypted devices and removable media containing highly confidential data shall be returned to IT or a line manager for secure disposal. |
1.1 Transferring Data
The handling requirements for the identified confidentiality levels of data are provided at a high level in the table above. This section provides detail on our approved policy for transferring data.
1.1.1 Digital data
Where there is a requirement to transfer internal, confidential, or highly confidential digital data outside of our organisation, the following shall apply:
Use only approved methods for transferring the data. These methods are approved by data owners and system administrators. Examples include, but are not limited to:
Forced TLS
Secure web transfer, e.g. secure web portals, APIs, etc.
SFTP
GPG
Approved document sharing methods such as Google Drive
Encrypting individual files and sending as encrypted email attachments with expiry and restriction of sharing applied
Where users encrypt individual files as email attachments, the encryption key must be sent to the recipient using a second channel, such as SMS, or phone call. Users must never send both the data and the encryption key via email.
1.1.2 Physical data
Where there is a requirement to transfer internal, confidential, or highly confidential data in physical format, such as paper records, backup media, tape, CD/DVD, USB, etc., the following shall apply:
Use only approved couriers for physical media collection and transfer. Couriers that are approved for use ensure the required levels of security in handling and delivering the physical media.
Ensure that physical media storing digital data, such as USB drives, hard disks, etc., is encrypted wherever possible.
Ensure that physical media is packaged in a way that does not allow the physical media to be accessed and/or damaged during transit.
Request confirmation from the courier that the package has been delivered as expected, and that it has been signed for by the intended recipient, or persons nominated by the recipient.
Confirm with the recipient that the package is received in an undamaged/un-accessed state.
When receiving physical media, ensure that users are available to sign for the package wherever possible.
Where this is not possible, users must nominate another user to sign, and must ensure that the user knows how to secure the package.
1.2 Protecting Data From Loss
Even where users adhere to the handling requirements set out in the table above, the daily use, copying, and sharing of information may result in unintended loss or data leakage. To minimise the likelihood of data leakage, the following policies shall apply:
Do not take photos or screenshots of sensitive or confidential information. Where the photo or screenshot is saved to the device, it may be stored in an insecure location and be accessible to unauthorised users.
Regularly review and purge temporary file locations, such as the "Downloads" folder, draft document locations, operating system recycle bins, and other trash functions. Files created and downloaded for temporary use may contain sensitive or confidential data, and remain stored in unsecured locations indefinitely, increasing the risk of unauthorised access and data breach.
Do not use auto-completion of email addresses when sending emails. Where auto-completion of email addresses is used, this can result in the wrong email address being selected, and sensitive or confidential information being sent to unintended recipients. Either copy and paste, or fully type out, the correct email address when it is necessary to send sensitive or confidential information via email.
Sensitive or confidential information shall always be secured.
2. Securing Working Environments
Whether in the office or at home, physical security measures are essential for ensuring that users, information, and information assets are protected at all times. This section sets out our requirements for physical security.
2.1 Security in the Office
When working from our designated offices or warehouses, the following policies shall apply:
When issued with keys or access fobs do not lend or transfer them to any other member of staff without prior authorisation.
Report the loss of any keys or access fobs immediately.
Ensure any company offices or warehouses are secured before departure and inform management if, for any reason, you are unable to secure the premises.
Ensure that all site visitors are accompanied by a staff member.
Do not allow tailgating into the office i.e. users shall not allow anyone who does not have their own key or access fob to follow them into controlled office areas.
When you notice an unauthorised person, or unaccompanied guest, in our office areas, approach them only if you consider it safe to do so. In a situation where it may be unsafe to challenge the person, alert security staff and/or colleagues, and ensure the person remains in sight until assistance arrives.
Where PIN codes are used for access, do not write down your PIN, or communicate it to other users.
When working in secure areas do not leave the secure area unlocked when not present.
Where maintenance is required in secure areas, ensure that the work taking place is monitored at all times.
When receiving deliveries at a loading area or service access area, ensure that delivery or service personnel are monitored at all times until the delivery is complete. Ensure that the delivery is appropriately secured.
2.2 Security at Home
When working from home, follow this set of recommendations:
Do not leave guests, builders, or service engineers unattended in the designated home office area. Where this is unavoidable, observe strict clean desk and clear screen policies as set out in the section below, and do not leave mobile phones or other easily removable devices in plain view.
Instruct family members or housemates who may share the space to not leave guests, builders, or service engineers unattended in the designated home office area.
Ensure work-related deliveries are not left in shared areas where they may be inadvertently opened.
2.3 Security in Public or Shared Spaces
When working in public areas, or other shared spaces such as co-working environments, it can be more difficult to implement physical security measures than in a home environment. The following policies apply for working in public and shared spaces:
Ensure that you are familiar with, and abide by, the physical security policies of any co-working spaces that may be used while carrying out work on behalf of our organisation. This may include being issued with a unique ID badge for authorised access to work spaces and facilities, reception sign-in, secure check-in, adherence to safety instructions and drills, etc.
Where there is a lack of physical security controls in a co-working space, or the controls contradict the requirements set out for office security in the section above, adhere to the requirements of this section wherever possible. This will ensure a minimum level of physical security is applied, no matter where you may be required to work from.
Immediately raise any concerns regarding the security of your physical working environment to the line manager. Concerns may include, but not be limited to:
No facility to securely receive work-related deliveries
Other users of the space sharing authentication mechanisms such as PIN codes, ID badges, fobs, etc.
No facilities for secure document disposal such as lockable waste bins or document shredders.
No facility to print documents securely such as personal printers or authenticated print release.
No facilities to secure equipment or belongings such as lockers or lockable drawers.
No perimeter security for the building or work space.
Lack of appropriate health and safety mechanisms that may make the space unsafe to work in.
When working in more public environments such as a hotel, conference centre, public transport, etc., it may not be possible to apply necessary physical security measures. In this case, adhere to section 3 of this policy, and ensure to appropriately protect all information assets that may be used while travelling or working outside of the office or home.
Where there is a lack of suitable privacy in any public environment, do not conduct confidential calls or meetings related to your work. Wait until a suitable level of privacy is available, or alternatively issue the required communications via a secure channel, such as company email.
3. Using Information Assets
Our organisation provides approved applications and services to users so that they can carry out their work-related duties. The applications and services are our information assets, and this section sets out the policies for using those assets appropriately.
3.1 Monitoring
To ensure that our information and information assets are accessed and used in a secure way that minimises any information security risks, and that we meet our legal and regulatory requirements, our organisation retains the right to carry out monitoring of employee devices and company services. These monitoring activities are not productivity monitoring activities, and any examination of user account activity shall be done only with appropriate management and/or HR approval.
In order to carry out monitoring activities, we may:
Configure alerting or activity reporting on services provided to users
Store and review logs or other data generated from monitoring activities
Request ad hoc endpoint security checks on employee devices
Users shall comply with our monitoring activities as follows:
Users should strictly comply with the company BYOD policy and not attempt to remove or tamper with the prescribed configurations (as per the Endpoint Security Review checklist)
Users shall not attempt to disable or bypass settings that facilitate monitoring, such as proxy server or web-filtering settings
Users shall use only the user account assigned to them when using our services unless authorised to use service
Administrators of services shall not attempt to alter or tamper with any logging data that may be stored.
3.2 Securing Equipment & Records
While using equipment and services, the following policies shall apply:
Do not leave equipment such as laptops and mobile phones unattended in communal office areas such as meeting rooms, toilets, kitchens, reception, etc.
When leaving laptops unattended in unsecured areas is unavoidable, use the security cables provided to secure laptops to desks, meeting room tables, etc.
Adhere to the clear desk and clear screen principle, by ensuring the following whenever you step away from the desk:
All work-related documents and mobile devices are placed in drawers or secured in lockable cabinets.
Your computer or laptop is locked and cannot be viewed or accessed by any other person.
Ensure any paper records are secured in designated filing areas or secure filing cabinets. When working from home, keep printing to a minimum, and do not leave work-related documents in general areas.
Ensure that any printed records required for filing are disposed of in the secure recycling bins provided.
3.3 Using Equipment
Our organisation requires employees to use their personal devices for work purposes, a policy commonly referred to as Bring Your Own Device (BYOD). We evaluate the risks associated with using personal equipment through our standard Risk Management Process. Consequently, in certain scenarios, such as for users who handle highly confidential information, the use of personal devices may be restricted or prohibited. Furthermore, all devices used for company business are subject to annual endpoint security reviews. The following information outlines the general security requirements for using both company-provided (where relevant) and personal equipment.
3.3.1 Company equipment (currently not applicable)
When using company computers, laptops, or mobile phones, the following policies apply:
Users shall not log into, or attempt to log into, company equipment that is not assigned to them.
Users shall not install unapproved applications or software.
Users shall not connect unapproved removable media such as USBs, external hard-drives, and mobile phones.
Users shall not insert, or run applications from, removable media such as CDs and DVDs.
Users shall not transfer data from their company equipment to any removable media unless approved by their line manager and IT.
Users shall not tamper with, or disable, any anti-virus and/or anti-malware applications installed. Users shall not tamper with, or disable, any firewall applications installed.
Users shall not tamper with, or disable, any MDM software installed.
Users shall not tamper with, or disable, any web-filtering applications installed.
Users shall not tamper with, or disable, any VPN software installed, and shall ensure that it is used when connecting to office services and network drives, etc.
Users shall use only the provided applications to edit and store data. For example, company network drives and folders, Microsoft 365, OneDrive, Upscaler, etc. Information stored locally on the device may be lost if the computer fails, mobile is stolen, etc.
Users shall not attempt to log onto company equipment with a user account that does not belong to them.
Users shall not take or remove company equipment unless approved. For example, where provided with a desktop computer, a user shall not take the computer home unless authorised to do so by their line manager and IT.
Users shall ensure that reasonable precautions are taken when carrying or transporting company equipment outside of the office. For example, laptops should be locked in the boot of the car while unattended, laptops should not be left unattended while on public transport, etc.
Users shall notify their line manager and IT immediately if any device is lost or stolen.
Users shall not disable security update applications.
3.3.2 Personal equipment
When using personal computers, laptops, or mobile phones, the following policies apply:
Ensure current anti-virus software is installed on your personal laptop, desktop, or mobile phone. Contact your line manager if you need to purchase a license.
Edit and store all company data exclusively within approved web-based applications (e.g., Google Drive, Zoho, GetOutline). Do not store company data locally on your device to prevent loss from device failure or security breaches.
Take reasonable precautions to secure equipment. For example, never leave laptops unattended in public places, such as on public transport.
Ensure all devices are secured with at least a PIN, fingerprint, or strong password/passcode.
Notify your line manager and IT immediately if any device used to access company services or information is lost or stolen.
If VPN software is installed and required, do not tamper with or disable it. Always connect to office services using the VPN and disconnect as soon as the work session is complete.
Always enable and use 2FA for accessing company services from personal devices where available, and ensure you log out of the service after each session.
Further guidelines on the required security measures are provided in the Evercam BYOD Policy.
3.4 Returning Equipment & Records
When leaving the organisation or completing a contract for services, the following policies apply:
Return all company assets on departure from the organisation.
Where personal devices have been used, ensure that you have logged off from all company services (system administrators will disable access on the last day).
Ensure that any company information that may have been stored locally on personal devices is transferred to company services and/or networks, and is deleted permanently from the device.
Where working from home, contact your line manager to discuss providing either collection services, or separate shredding facilities for paper records.
3.5 Using the Internet
Users working from home and using wi-fi should carry out the below steps to ensure that their home network is reasonably secure:
Change the default SSID to a name that does not identify the modem, provider, or network location
Enable WPA2
Set a strong network password; default passwords should be changed immediately
Do not provide the network password to guests, builders, or service engineers; where this is absolutely necessary, the password should be changed immediately after they no longer require access
When using cabled internet, ensure that the cabling from your equipment to the modem does not run outside of the home in a way that could be tampered with or damaged
Avoid using open, unsecured wi-fi hotspots as they are frequently exploited by malicious attackers
Avoid connecting to wi-fi networks that request personal data and/or login credentials to access the service. These may be attempts to steal data.
Where in any doubt, use the tethering facility on your mobile phone for internet access.
3.6 Using Email
The following recommendations apply:
Do not use work email when placing personal online orders.
Always use 2FA for accessing company email services (enforced by default).
Always check which email is used before sending any work-related communication.
Avoid using auto-complete when selecting recipient email addresses, and check the recipient address is correct before sending any work-related email.
Be careful of any email asking for confirmation of login credentials and do not click on email links unless you have just requested a password reset and the email has been received as part of the reset process.
3.7 Using Company Social Media
Acceptable use of social media services is set out in the Evercam Social Media Policy. Policies governing the secure use of personal social media while working from home on personal devices are outside the scope of this document. Users working from home and using their own equipment should keep the following in mind when using social media services:
Always check which social media profile is used before posting any work-related communications or content.
Wherever possible, use 2FA for accessing company social media services.
4. Controlling Access to Information Assets
Our organisation uses various authentication information such as passwords, security tokens, 2FA, and PIN codes to authenticate our users, and to secure our services and equipment from unauthorised use. The following policies apply for securing authentication information:
Do not write down, or share login credentials or PIN codes with anyone. IT and colleagues should never ask for login credentials, and a request for your details might be an attempt to steal them, or bypass anti-fraud measures, etc.
Create strong, complex passwords. Strong, complex passwords will typically have:
A minimum of 8 characters
A mix of numbers, uppercase, lowercase, and special symbols such as (*%!&)
Create passwords that are not easily guessed. Passwords that include the names of friends, family, children, pets, birth dates, etc. are easily guessed and may be brute-forced by a malicious attacker. Examples of weak passwords:
Month Day Year e.g. January0120!, February2012*, etc.
Name Birthday e.g. JohnSmith2390!
Always use a unique password for each service and account used, regardless of whether it is a personal or company account. If a personal social media account or other personal web-based service account is compromised, malicious persons might gain unauthorised access to company services, or vice versa.
Do not share login credentials or PIN codes with family members, or allow family members to use the devices.
Use 2FA for accessing company services, wherever possible.
Do not tamper with or remove security tokens.
5. Identifying & Reporting Incidents
While performing work-related activities, a situation may arise where a user suspects that a security incident has taken place. Users may notice some of the following:
Suspicious emails such as replies to emails they didn't send, phishing emails, large numbers of spam emails, multiple password reset request emails, etc.
Pop-ups, notifications, or web-pages that they do not recognise
Sudden slowness of their device and inability to use company services
Malware notifications
Disconnection from the office network
Inability to log into company services
Persons in office areas that they should not be in
Persons without staff badges who are unaccompanied
Passwords or PINs written down
Users verbally sharing their user credentials, or logging onto each other's devices
Confidential documents left at printers
Security doors propped open and unattended
Theft of a mobile phone or laptop
Email containing confidential data accidentally sent to the wrong person
Reports from customers or other third-parties of unavailability of services, or suspicious activity such as spam
Where users suspect that an incident has taken place, the following policy applies:
Users shall immediately contact IT and their line manager regarding the suspected incident
Users shall provide the following information when reporting the incident:
Name
Department
Contact details
The time that they first noticed the issue
A description of the issue, to the best of their ability
Where appropriate, users can take photos of the affected device's screen, or in situations where they have seen doors propped open, where there is evidence of potential theft or break-in, etc. Caution should be used in taking any photos which may display personal data, such as other users in the image, visible personal information on printed documents, etc.
Users shall treat the incident as confidential, and shall not discuss the incident with other users unless it is necessary for assisting the incident investigation.
Users shall not communicate any detail of the incident on any social media service, or to any external persons or third-parties. Communication of the incident externally is considered a data breach, and will be investigated. Communication of the incident will be handled and approved as required by management.
—————————————————————
Created by: Compliance Manager (ISMS team)
Creation date: 23.05.2023
Last modification date: 27.11.2025
Document approver: Head of Compliance