WSB Policy: Information Security


Purpose

Information is one of our most important assets and each one of us has a responsibility to ensure the security of this information. Accurate, timely, relevant and properly protected information is essential to the successful day-to-day operation of the WSB.

The purpose of this Information Technology (IT) Security Policy and its supporting policies, standards and guidelines is to define the security controls necessary to safeguard WSB information systems and ensure the security, confidentiality, availability and integrity of the information held therein.

This policy is mandatory and by accessing any information or Information Technology (IT) resources which are owned or leased by the WSB, users are agreeing to abide by the terms of this policy.

 

Scope

This policy is authorised by the WSB Senior Management Team and represents the WSB’s official position.

The policy takes precedence over all other relevant policies which may have been developed at a local level.

This policy applies to all WSB staff, contractors, consultants, volunteers and interns and authorised third-party commercial service providers that use the organisation's IT resources and/or process information on behalf of the WSB.

 

Legislation

The WSB has an obligation to abide by all relevant international and local data protection laws and regulations.

 

Definitions

The terms used throughout this policy are defined in Appendix A.

 

Policy

It is the policy of the WSB to:

  • Implement human, organisational, and technological security controls to preserve the confidentiality, availability and integrity of its information systems and the information held therein.
  • Develop and maintain appropriate policies, procedures and guidelines to effect a high standard of information technology security, reflecting industry best practice.
  • Monitor, record and log all activity on the WSB network and use of its information technology resources.
  • Comprehensively assess and manage risks to WSB information systems and the information held therein.
  • Continuously review and improve WSB information technology security controls, and rapidly determine the cause of any breach of security and minimise damage to information systems should any such incident occur.
  • Comply with all laws and regulations governing information technology security.
  • Establish information technology security education and awareness initiatives within the WSB.

 

Supporting Policies, Standards & Guidelines

There are a number of supporting WSB policies, standards and guidelines to accompany this policy document.

All WSB staff, consultants, contractors, interns, volunteers and third-party commercial service providers authorised to use the WSB’s Information Technology (IT) resources are required to familiarise themselves with these accompanying policies, standards and guidelines and to work in accordance with them.

The following is a list of the accompanying policies, standards and guidelines.

 

Roles & Responsibilities

Stakeholders

Responsibilities

Senior Management Team

  • Review, approve and formally support this policy.

Users

  • Complying with the terms of this policy and all other relevant WSB policies, procedures, regulations and applicable legislation.
  • Respecting and protecting the privacy and confidentiality of the information they process at all times.
  • Complying with instructions issued by the IT Personnel on behalf of the WSB.
  • Reporting all misuse and breaches of this policy to their line manager immediately.
  • Reporting all actual or suspected breaches of data security to their line manager and the ICT Personnel immediately.

IT Department (Senior Manager, Digital & IT Services, IT Coordinators)

  • The identification, implementation and management of appropriate security controls necessary to safeguard the WSB’s network (LAN/WAN) and supporting infrastructure.
  • The provision of facilities for information backups to Dropbox and/or other centralised information stores but excluding backups of the hard disks on individual computers.
  • The provision of services which enable authorised users to access appropriate electronic information systems and data.
  • Liaising with and advising the WSB management, individual users and line managers on the appropriate actions to take in the event of an actual or suspected breach of data security.
  • Providing assurance that information technology controls and procedures are operated in accordance with the policies, regulations and best practice.
  • Understand the WSB’s needs and expectations, explain the capabilities of the existing technology in production, report on any issues, incidents or disruptions impacting the WSB and how they are addressed, and facilitate the response to any requests from the WSB.

Line Managers, Supervisors, Department Heads

  • The implementation of this policy and all other relevant WSB policies within the business areas for which they are responsible.
  • Ensuring that all WSB staff, contractors, interns, consultants and volunteers who report to them are made aware of and are instructed to comply with this policy and all other related WSB policies.
  • Consulting with the HR Manager in relation to the appropriate procedures to follow when a breach of this policy has occurred.
  • Consulting with the IT Personnel in relation to the appropriate actions to be taken when an actual or suspected breach of data security has occurred.

Application Administrators

  • Implement requests that are approved by the application owner or the IT application team, where applicable.
  • Monitor the status of the applications they are responsible for.
  • Maintain the performance level of applications, working as required with the IT application team, or the IT infrastructure team.

 

Policy Distribution & Awareness

This policy and its supporting policies, standards and guidelines will be published on the WSB Dropbox.

Soft copies of the policy and its supporting policies, standards and guidelines will be available on the WSB Staff Support Center.

The IT Personnel and/or the Senior Manager, Digital & IT Services may make periodic policy announcements by email.

WSB line managers will ensure that all existing and new staff, contractors, consultants, interns, volunteers and third-party commercial service providers who report to them are made aware of and have access to the policy and its supporting policies, standards and guidelines.

Individuals requiring clarification on any aspect of the policy and its supporting policies, standards and guidelines and/or advice on general I.T. security matters may email their queries to the Senior Manager, Digital & IT Services or the local IT Personnel.

 

Exceptions to this Policy

Exceptions to the guiding principles in this policy must be documented and formally approved by the Global Director, Communications, with evidence of support from the appropriate Senior Management Team.

Policy exceptions must describe:

  • The nature of the exception.
  • A reasonable explanation for why the policy exception is required.
  • Any risks created by the policy exception.
  • Evidence of approval.

 

Policy Enforcement

The WSB reserves the right to take such action as it deems appropriate against individuals who breach the conditions of this policy. WSB staff, contractors, consultants, interns and volunteers who breach this policy may be subject to disciplinary action, including suspension and dismissal as provided for in the WSB disciplinary procedure.

Breaches of this policy by a third-party commercial service provider may lead to the withdrawal of WSB information technology resources to that third-party commercial service provider and/or the cancellation of any contract(s) between the WSB and the third-party commercial service provider.

The WSB reserves the right to refer any use of its IT resources for illegal activities to the relevant Authorities.

 

Review & Update

This policy will be reviewed and updated annually or more frequently if necessary, to ensure any changes to the WSB’s organisation structure and business practices are properly reflected in the policy.

 

Breaches of Security

For security and technical reasons, the WSB reserves the right to monitor, record and log all use of its information technology resources and activity on the WSB network.

Any individual suspecting that there has been or is likely to be a breach of data security must inform their line manager and their local IT Personnel immediately. The IT Personnel will advise the individual and their line manager on what action should be taken.

The WSB reserves the right to take such action as it deems appropriate against individuals who breach the conditions of this policy.

WSB staff, contractors, consultants, interns and volunteers who breach this policy may be subject to disciplinary action, including suspension and dismissal as provided for in the WSB disciplinary procedures.

 

Appendix A: Definitions

Authorisation / Authorised: Official WSB approval and permission to perform a particular task.

Availability: Ensuring that authorized users have access to information and associated assets whenever required.

Breach of Data Security: The situation where WSB confidential or restricted data has been put at risk of unauthorized disclosure as a result of the loss or theft of the data, the loss or theft of a computer or storage device containing a copy of the data, or the accidental or deliberate release of the data.

Confidentiality: Ensuring that information is only accessible to those users who are authorized to access the information.

WSB Network: The data communication system that interconnects different wired and wireless WSB Local Area Networks (LAN) and Wide Area Networks (WAN).

Information Technology (IT) resources: Includes all computer facilities and devices, networks and data communications infrastructure, telecommunications systems and equipment, internet/intranet and email facilities, software, information systems and applications, account usernames and passwords, and information and data that are owned or leased by the WSB.

Information: Any data in an electronic format that is capable of being processed or has already been processed.

Information Security: The preservation of confidentiality, integrity and availability of information.

Information System: A computerised system or software application used to access, record, store, gather and process information.

Integrity: Ensuring the accuracy and completeness of information and associated processing methods.

Line manager: The individual a user reports directly to.

Process / Processed / Processing: Performing any manual or automated operation or set of operations on information including:

      1. Obtaining, recording or keeping the information.
      2. Collecting, organising, storing, altering or adapting the information.
      3. Retrieving, consulting or using the information.
      4. Disclosing the information or data by transmitting, disseminating or otherwise making it available.
      5. Aligning, combining, blocking, erasing or destroying the information.

Risk: The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organisation.

Third Party Commercial Service Provider: Any individual or commercial company that has been contracted by the WSB to provide goods and/or services (for example, project / contract management, consultancy, information system development and/or support, supply and/or support of computer software / hardware, equipment maintenance, data management services etc.) to the WSB.

Threat: A potential cause of an incident that may result in harm to a system or organisation.

Users: Any authorised individual who uses the WSB’s IT resources.
