IA - Information Security Policy For Magnetise Group and its subsidiaries (Internal Administration)
Policy Statement
The purpose of this Information Security Policy is to protect Magnetise Group information assets from all threats, whether internal or external, deliberate or accidental. It also describes measures to ensure business continuity and minimise damage.
Information will be protected from a loss of: confidentiality, integrity and availability.
About this Document
Scope
This policy is designed to be the overarching Information Security Policy for Magnetise Group and its subsidiaries Magnetise Media Ltd and Magnetise Solutions Ltd and is the primary policy under which all other technical and security policies reside.
The policy is designed to ensure that Magnetise Group will comply with all relevant compliance legislation and best practice with respect to information security. The policy will describe specific rules on information security and reference any subservient policies that will describe policy in more detail.
This policy is intended for all staff and any visitors using the Magnetise Group IT systems, data or any other information asset.
For the purposes of this Policy, the term “staff” means paid employees, both permanent staff and contractors.
Roles and Responsibilities
The Information Security Manager for Magnetise Group is the Technical Director.
The Data Controller for Magnetise Group, as named with the ICO, is currently the Technical Director.
For the purposes of UK data protection legislation (the Data Protection Act 2018 and UK GDPR, which replaced the Data Protection Act 1998), Magnetise Media Ltd is registered with the ICO with registration number Z1251409. Magnetise Solutions Ltd is registered with number ZA059381.
The roles and responsibilities of the designated Information Security Manager are to manage information security and to provide advice and guidance on implementation of the Information Security Policy. The Information Security Manager has direct responsibility for maintaining and reviewing the Information Security Policy.
It is the responsibility of all line managers to implement the Information Security Policy within their respective teams.
It is the responsibility of each member of staff to adhere to the Information Security Policy.
Audit and Review
The Information Security Manager will be responsible for arranging and monitoring regular audits of all aspects of the Information Security Policy. The results of audits will be recorded and logged. Audits will be carried out no less than annually.
The Information Security Policy will be reviewed annually by the Information Security Manager.
Policy References
Policies to be read in conjunction with this Policy:
Application and Server Security Policy
Email and Internet Use Policy
Office Network Security Policy
IT Code of Conduct
1. Physical Security
All external doors to Magnetise Group buildings will be security locked at ALL times. Internal offices must be locked independently when not in use.
Staff will be issued with key fobs to the building and keys that are appropriate to their level of work. Staff are responsible for their keys and key fobs and to notify the Magnetise Group admin team immediately in the event of loss. Staff must not share or give keys and key fobs to any third parties.
Building entry is manned by security personnel and entry with an individual key fob is logged. Physical security of servers is described further in the Application and Server Security Policy.
2. Application and Server Security
No servers are to be held on premises at Magnetise Group offices.
Full details of application and server security are contained in the Application and Server Security Policy.
3. Network Security
Control measures for Magnetise Group hardware and software are defined in the Magnetise Group Office Network Security Policy.
All staff are expected to have read and understood the Magnetise Group Office Network Security Policy. A hard copy form of the policy will be given to every new member of staff in their induction pack and important elements will be highlighted at the IT induction meeting which all new staff are required to attend.
Any breaches will be reported in the first instance to the Information Security Manager.
4. Authentication and Password Security
Many operations in Magnetise Group require access to a number of systems. In all cases, access to each server is granted on a per-user basis. Under no circumstances may user accounts be shared between staff or other users of Magnetise Group systems. Where available, two-factor authentication is the preferred mechanism. Even where two-factor authentication is enabled, a well-chosen password remains an important aspect of security: a poorly chosen password may result in unauthorised access to and/or exploitation of Magnetise Group resources. All users, including contractors and vendors with access to Magnetise Group’s systems, are responsible for taking the steps outlined below to select and secure their passwords.
Password Construction Guidelines
Your password must:
Contain a mix of upper and lower case characters
Contain at least 1 digit
Be at least 10 and at most 128 characters long
Contain no more than 2 identical characters in a row (for example, "aa" is permitted, "aaa" is not)
Contain no more than 3 sequential digits (for example, "123" is permitted, "1234" is not)
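The rules above are precise enough to enforce mechanically, and the two "run" rules are where hand-written checks usually go wrong. The following Python validator is an added example, not Magnetise Group code; it assumes that "sequential numbers" covers both ascending (1234) and descending (4321) digit runs, and it adds one check the policy does not list, a denylist of common or breached passwords (the sample list here is constructed; in practice this would be a breach corpus such as Have I Been Pwned's Pwned Passwords), because a password such as "Password01" satisfies every construction rule and is still a poor choice.

```python
"""Validator for the Password Construction Guidelines above.

Added example, not Magnetise Group code. Assumption: 'sequential numbers'
covers both ascending (1234) and descending (4321) digit runs.
"""

MIN_LEN, MAX_LEN = 10, 128
MAX_IDENTICAL_RUN = 2   # "aa" is allowed, "aaa" is not
MAX_SEQUENTIAL_RUN = 3  # "123" is allowed, "1234" is not

# Constructed sample denylist (an addition, not part of the policy). In practice
# this would be a breached-password corpus such as Have I Been Pwned's list.
COMMON_PASSWORDS = frozenset({"password01", "magnetise1", "welcome123"})


def _longest_run(pw, adjacent):
    """Length of the longest run in which every adjacent pair satisfies adjacent(prev, cur)."""
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if adjacent(prev, cur) else 1
        best = max(best, run)
    return best


def longest_identical_run(pw):
    """Longest run of the same character repeated back-to-back."""
    return _longest_run(pw, lambda a, b: a == b)


def longest_sequential_digit_run(pw):
    """Longest run of digits that step by exactly +1 (ascending) or -1 (descending)."""
    def step(delta):
        return lambda a, b: a.isdigit() and b.isdigit() and ord(b) - ord(a) == delta
    return max(_longest_run(pw, step(1)), _longest_run(pw, step(-1)))


def check_password(pw, denylist=frozenset()):
    """Return the list of policy rules the password breaks (empty list = compliant)."""
    violations = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        violations.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        violations.append("must contain both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        violations.append("must contain at least one digit")
    if longest_identical_run(pw) > MAX_IDENTICAL_RUN:
        violations.append(f"no more than {MAX_IDENTICAL_RUN} identical characters in a row")
    if longest_sequential_digit_run(pw) > MAX_SEQUENTIAL_RUN:
        violations.append(f"no more than {MAX_SEQUENTIAL_RUN} sequential digits")
    if pw.lower() in denylist:
        violations.append("password appears on the common/breached password denylist")
    return violations


def is_compliant(pw, denylist=frozenset()):
    """True when the password breaks none of the rules."""
    return not check_password(pw, denylist)


if __name__ == "__main__":
    for candidate in ["Magnetise2024!", "Summer1234", "Passw000rd", "Password01"]:
        print(candidate, "->", check_password(candidate, COMMON_PASSWORDS) or "OK")
```

The validator returns every rule broken rather than stopping at the first, so the user can be told what to fix in one go; the denylist comparison is case-insensitive because breach corpora are normally stored lower-cased.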
Password Use
All user-level and system-level passwords must conform to the Password Construction Guidelines.
Users must not use the same password for Magnetise Group accounts as for other non-Magnetise access (for example, personal ISP account, share trading, etc).
Where possible, users must not use the same password for various Magnetise Group access needs.
Password Protection Guidelines
Do not write passwords down on paper. Choose passwords you can remember, or store them only in an encrypted password manager (see the storage rule below).
Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential Magnetise Group information.
Passwords must not be inserted into email messages or other forms of electronic communication.
Passwords must not be revealed over the phone to anyone.
Do not reveal a password on questionnaires or security forms.
Do not hint at the format of a password (for example, "my family name").
Do not share Magnetise Group passwords with anyone, including administrative assistants, secretaries, managers, co-workers while on vacation, and family members.
Do not write passwords down and leave them anywhere in your office. Do not store passwords in a file on a computer or mobile device (phone, tablet) unless that file is encrypted (for example, a password manager's vault).
Do not use the "Remember Password" feature of applications (for example, web browsers).
Any user suspecting that his/her password may have been compromised must report the incident and change all passwords immediately.
5. Data Encryption
Encryption at rest will not be applied to standard electronic storage unless a risk assessment highlights the need. Where required, cryptographic controls must be compliant with current NIST standards (NIST-approved algorithms and key lengths; see NIST SP 800-131A).
No data of a sensitive nature and no personally identifiable data will be removed from Magnetise Group systems under any circumstances, except where required for the delivery of services, in which case the data transfer is governed by the Magnetise Solutions Ltd Lead Intelligence contract or the Magnetise Media Ltd purchase order terms.
Data in transit over HTTP must be protected with TLS (HTTPS). SSL 2.0 and 3.0 and TLS 1.0 and 1.1 are deprecated and must not be used; TLS 1.2 or later is required, in accordance with NIST recommendations (SP 800-52).
Data delivered to a server that does not protect it at rest (plain FTP, or FTPS, which encrypts only the transfer) must be encrypted before delivery, preferably with public-key GPG encryption to the recipient's key rather than a shared passphrase. Data delivered to an SFTP server must have the risk assessed before it is agreed that the data may be stored unencrypted.
Staff are not permitted under any circumstances to remove sensitive or personally identifiable data from Magnetise Group other than as described above.
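The data-in-transit rule is easy to state and easy to undo in code with a one-line "fix" that disables certificate checking. As an added example (not part of the original policy, function names my own), the following Python shows a client TLS configuration that meets the rule beside the weak configuration it replaces, plus a small audit function that reports any context falling short of it.

```python
import ssl


def policy_tls_context():
    """Client-side context that only negotiates TLS 1.2+ and verifies the server certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # Refuse SSL 3.0, TLS 1.0 and TLS 1.1: NIST SP 800-52r2 sets TLS 1.2 as the minimum.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets these two; restated so the policy is explicit.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def weak_tls_context():
    """The context 'quick fix' code often ends up with: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate, so a MITM is trivial
    return ctx


def audit_context(ctx):
    """Return findings for each way a context falls short of the data-in-transit rule."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS versions below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid peer certificate")
    if not ctx.check_hostname:
        findings.append("does not check the certificate hostname")
    return findings


if __name__ == "__main__":
    print("policy context:", audit_context(policy_tls_context()) or "compliant")
    print("weak context:  ", audit_context(weak_tls_context()))
```

The audit function can be pointed at any SSLContext an application builds (for example, one passed to urllib or http.client) as a unit test, which catches the `CERT_NONE` shortcut before it reaches production.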
6. Email and Internet use
The acceptable Email and Internet usage policy is detailed in the Email and Internet Use Policy, and is to be read in conjunction with Schedule 5 of the employment contract - Email and Internet Use Policy.
7. Security Awareness
In addition to awareness of this policy, new staff members will be required to review the security awareness resources relevant to their position during their induction period. It is the responsibility of line managers to ensure their team members have conducted their security awareness induction and training.
Staff awareness training resources are detailed in the staff Security Awareness Resources document.
Developer training resources are detailed in the Developer Security Awareness Resources document.
8. IT Code of Conduct
All staff are required to adhere to a common IT code of conduct when using Magnetise Group systems. Please refer to the IT Code of Conduct.
9. Departing Employee Checklist
When an employee of Magnetise Group leaves, the following must be completed:
Revoke their application account access (where applicable) for: TopFox, Lead Intelligence, AdCentre
Suspend their Magnetise Google account
Remove their operating-system account on their company computer
Revoke their SSH keys from all servers, if applicable
Revoke their AWS user privileges and suspend the account
Revoke any additional third-party platform access relevant to their role, including but not limited to: Jira, Bitbucket, TeamCity, ExactTarget, Litmus, BrowserStack, Google Analytics, Google Adwords
10. Incident Response
In the event that a breach of systems has been detected, services are interrupted due to malicious activity, or Magnetise Group has been informed of such an event, the following steps will be followed:
First, alert the Information Security Manager
The Information Security Manager will decide to investigate individually, or form an incident response team.
The incident response team will verify the incident and any supporting evidence.
If verified, the incident response team will identify the scope of the issue and any affected individuals or clients.
If not verified, the incident response team will continue to monitor services for signs of a breach or threat.
The incident response team will alert those affected detailing the scope of the issue within 1 hour of the issue being raised and verified.
If the issue is ongoing, or has the potential to recur, then immediate remedial action is to be taken to close the risk.
The incident response team will investigate the nature of any data exposed during the breach and communicate this to those affected.
Any further communication, including passing evidence to relevant authorities, will be assessed on a case-by-case basis. Where the incident is a personal data breach likely to result in a risk to individuals, UK GDPR requires the ICO to be notified without undue delay and within 72 hours of Magnetise Group becoming aware of it.
Examples of an Information Security Incident may include but are not limited to:
the theft or physical loss of computer equipment known to hold personally identifiable information
a server known to hold sensitive data is accessed or otherwise compromised by an unauthorised party
a server is subjected to a Distributed Denial of Service (DDoS) attack
Report an issue
To report an issue, you can email one of the following senior managers or directors: Peter Gowrie-Smith at petergs@magnetisegroup.com or Sebastian Mosny at sebastianm@magnetisegroup.com. If you prefer to raise a concern in confidence, you may leave an anonymous note on the desk of either director mentioned above.
Review and Revision History
Document created: August 2014
Last reviewed/updated: January 2025