Setting out the fundamental principles & policies for the protection of our systems, information & data.
As a firm responsible for handling our clients' most sensitive data assets, Intrepid recognises the central role which data has in its business and in that of its clients and stakeholders. Our ability to store, process, host and manage data assets, and to present informational insights from that data in the most secure way, is critical to the foundation of trust between us and our clients and partners. Intrepid is committed to maintaining the utmost standards of confidentiality, integrity and availability of its information.
The Intrepid Information Security Policy sets out the fundamental principles and policies for the protection of our systems, information and data. This policy establishes the framework for information security risk management within Intrepid based on internal requirements and external regulation.
This policy is a commitment to our clients that we will behave appropriately when we access their strategic and other key corporate data. We use data responsibly in accordance with client agreements and with regulatory and legal requirements, which determine how we use and share information when we deliver our services.
To help our people understand the importance of data privacy and information security, we have an information security awareness programme and a nominated Information Security Officer who offers advice and support on these issues.
This policy applies to Intrepid Ltd, including all business areas, employees and third parties such as consultants, suppliers and any third party who is granted access to Intrepid information assets. This policy covers paper documents, electronic data and presentations, as well as transmitted or stored data such as email, files, documents and databases.
The Intrepid Information Security Policy sets out the minimum requirements for the use and protection of Intrepid’s systems, information and data. Everyone at Intrepid is responsible for information security. Intrepid implements security controls through a risk-based approach designed to protect its business, information, clients and employees. The purpose of this policy is to provide guidance and recommendations for complying with Intrepid’s information security policies and procedures for the creation, storage, movement, handling, reproduction, transmission, and disposal of information.
This policy provides the high level description of the requirements and expectations that are to be followed to ensure the protection of Intrepid’s information and systems. This policy must be read in conjunction with the full range of information security policies, standards, guidelines, and procedures.
This policy is designed to:
Ensure the security and confidentiality of Intrepid information.
Protect against any anticipated threats or hazards to the security or integrity of Intrepid information.
Protect against unauthorised access to or use of such information that could result in substantial harm or inconvenience to Intrepid or its stakeholders.
Ensure the proper disposal of Intrepid information and technology resources.
Support the reporting of a breach of this policy.
The following principles for information security should be applied to all Intrepid activities:
| # | Principle | Description |
| --- | --- | --- |
| 1 | Confidentiality | Confidentiality of information must be consistently maintained according to the information asset classification. |
| 2 | Integrity | Integrity and authenticity (accuracy and completeness) of information must be assured. |
| 3 | Availability | Information must be available in a usable form when required. |
| 4 | Accountability | Intrepid will monitor and audit activity on its network, cloud instances, and information systems. Applications and systems will keep sufficient logs to enable individuals to be held accountable for their actions. |
| 5 | Privacy | Privacy of client and employee information must be assured and consistently maintained in line with the GDPR. |
| 6 | Risk Management | Information resources must be adequately protected. Safeguards must be applied to information and information systems commensurate with the business value and associated risk. |
| 7 | Coverage | End-to-end integration must be reliably managed to ensure efficiency of processing and consistency of controls across business processes. |
| 8 | Compliance | Legal, regulatory, and contractual obligations (including those relating to employees and suppliers) must be adhered to. |
| 9 | Service Provision | Information security must be incorporated into all processes provided on third party systems or in situations where outside service providers have access to Intrepid information systems, information or data. |
| 10 | Incident Management | Security incidents must be managed, tracked and reported. |
The following policy statements define Intrepid’s policy governing information security:
Only authorised individuals are permitted access to Intrepid’s information resources. Access will be assigned based on an individual’s role and limited to the access necessary to perform their job.
Individuals must be positively identified and authenticated prior to being provided access. Users will be held accountable for their use of information resources.
All information is classified according to the Information Classification Policy.
Information is secured according to classification. Once information has been classified, the business or project owner will ensure the appropriate technical security safeguards are implemented.
Appropriate access controls are in place by default. File and database access control permissions for all Intrepid networked systems are set to block access automatically for unauthorised users before being placed into production.
Access to information resources is controlled through a managed process. The process must address the procedure and controls for granting, modifying and revoking access, as well as requirements for periodically validating access entitlements and system privileges.
Appropriate policies are in place for identity and access management. Sharing personal user IDs is prohibited. Generic user-IDs based on job function, as well as group user IDs, are prohibited. Use of strong passwords is enforced on both servers and employee computers. Intrepid’s Password Policy sets policy for the minimum complexity / strength, maximum lifetime and resetting of passwords.
All systems and applications management functions will be undertaken with the minimum privilege required to conduct the activity. Duties must be segregated in accordance with a user’s role.
Information resources are to be used for approved business and personal purposes. In instances where personal use is permitted, such uses must not conflict with Intrepid’s business principles or processes.
Secure by default. Processes, systems, and information must be delivered with appropriate security. Security should not be an afterthought added on at a later point.
An acceptable baseline of security must be defined and applied to the information and information systems. Security controls must be applied to information resources and facilities to ensure they are adequately protected at all times.
Connections to and from external networks are only permitted through the secure methods that have been approved. All such entry points to the network must be secured.
Appropriate network security must be in place at all times. Fundamental and comprehensive network security including firewalling and intrusion protection, web protection, email protection, wireless protection, endpoint protection, and secure remote access are enabled.
All Intrepid servers, workstations, and laptops are encrypted by default. All encryption meets recognised business and security standards.
Periodic audits, information security risk assessments and management reviews must be undertaken to ensure compliance to policies and standards. Results of the reviews must be reported to management.
All Intrepid employees and contractors are made aware of their security responsibilities. Staff working on client sites take security awareness tests. Staff will receive initial security awareness training and be briefed on security procedures and standards on a per-project basis. Training will involve periodically reminding staff of their responsibilities in respect of information security.
Legal, regulatory and contractual obligations must be adhered to; therefore this policy may be supplemented or modified to accommodate geographical, regulatory and legal requirements.
Any and all violations of the policy are escalated immediately to the executive team. All such escalations are acted on immediately by the Information Security Officer.
Security is the responsibility of everyone at Intrepid. Individuals are responsible for ensuring that the information security policy and principles are applied within their function.
Users (all employees, contractors, temporary staff, consultants and third parties) are responsible for the actions and activities they perform. Users must:
Adhere to policy, standards and procedures.
Request access only to the systems required for their work and report to their managers if they have access to data that they do not need.
Use systems for approved business and permitted personal purposes only.
Protect information to which they have access.
Ensure the physical security of Intrepid devices and equipment.
Report issues relating to non-compliance or security breaches.
Management (including team leaders), in addition to the User responsibilities above, are responsible for:
Supporting, communicating and enforcing adherence to information security policies and procedures.
Assigning access to Intrepid’s systems based on the users’ role, limiting functions to those necessary for users to perform their jobs.
Ensuring that a periodic review of staff access to systems and data is performed.
Establishing and implementing appropriate practices and procedures to protect systems and data within their area of responsibility.
Ensuring that information security is incorporated into all processes outsourced to third party service providers and in all situations where service providers, including consultants, have access to Intrepid’s systems.
Assisting in non-compliance reviews and reporting.
All employees and service providers must report incidents involving breach of systems, policies, and procedures, and/or improper disclosure of information. Breaches must be reported immediately, including suspected breach of systems that could involve disclosure of personal, confidential, or proprietary information, whether accidental or intentional, to their manager and the executive team.
Violations of this policy will be handled in line with Intrepid’s disciplinary policy.
Requests for exception to this policy can be made through Intrepid’s risk management process with approval required from the Information Security Officer.
This policy has been reviewed and approved by the Intrepid Board and the Intrepid executive team.
Ongoing oversight of the Policy implementation will be provided by an Information Security Officer.
This policy will be reviewed annually.