Security

1. Overview of this Policy
1. Definitions
2. Introduction
3. Why Is This Policy Important
4. What Is The Aim Of This Policy
5. Who It Applies To
6. Context
7. What Does This Policy Cover
8. Who Is In Charge Of This Policy
9. Staff Awareness
10.Consequences Of Failure To Comply With This Policy
11. How Often Is This Policy Reviewed
12. Organisation Of Information Security
13. Asset Management
14. Information Classification & Handling
15. Personal Data
16. Acceptable Use Policy
17. Access Control
18. Technical Controls
19. Physical Controls
20. Communication & Transfer Controls
21. Operational Management
22. Network Security
23. Patch Management
24. Supplier Management
25. Business Continuity Management
26. Incident Management
27. System Acquisition, Development and Maintenance
28. Compliance
29. HR Security

2. Definitions
2.1 For the purposes of this policy, the following terms and definitions apply.
Control: a means of managing the risk to our information and systems, including policies, procedures, guidelines, practice or organisational structures, which can be of administrative, technical, management, or legal nature.
Incident: a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
Information Asset: information that holds value to the company Information system: any element of Hastee Pay IT, including: hardware, software, servers, desktops, laptops, mobile computing devices, networks, or technology.
Malware: the collective name given to any type of malicious software (virus, worm, Trojan, spyware).
Media: devices that are capable of storing company information. Media is split into fixed media, which requires the information system to be powered off; and removable media, which is designed to be removed without powering off the information system.
Risk: combination of the probability of an event occurring and its consequence
Risk assessment: the process of identifying the risk to information systems by evaluating the risk against given criteria
Risk management: the overall process of assessing and treating the risk to information systems
Risk treatment: the process of selecting and implementing controls to modify the risk to information
Threat: a potential cause of an unwanted incident, which may result in harm or disruption to the company
Vulnerability: a weakness of an information asset or system, or group of assets, that can be exploited by one or more threats

3. Introduction
3.1 Objective
(a) Like all organisations dealing with large volumes of data via complex IT systems, Hastee Pay Limited, incorporated and registered in England and Wales with company number 10547122 and whose registered office is at 15th Floor, 6 Bevis Marks, Bury Court, London, EC3A 7BA (“Hastee”) has to respect laws, regulations and best practices which set out the levels of information security to which we need to adhere. This Information Security Policy is designed to ensure everyone in our business understands the rules that are in place and can ensure that they are met.
(b) Note: In this Information Security Policy, when we refer to “our”, “ours” or “us”, we mean Hastee.

4. Why is this policy important?
4.1 This Information Security Policy is important from a risk and compliance perspective for our business.
4.2 It may initially seem that data and information security is not directly linked to your job role or that it is not important for your department, however, respecting good information security practices is key to ensuring success. For example, failure to respect this Information Security Policy will have wide effects, and resulting breaches of information security where this policy is not respected could potentially lead to:
(a) Harm or distress to our employees or customers;
(b) Damage to our reputation which gives our competitors an advantage;
(c) Legal consequences;
(d) Irretrievable loss of data which could be business or commercially critical; and
(e) Financial loss, including administrative fines and sanctions.

5. What is the aim of this policy?
5.1 As well as preventing the issues above, the objective of this Information Security Policy is to set out the framework to establish the security of Hastee information systems and to ensure the confidentiality, integrity and availability of the information that is held in those systems is maintained.
5.2 The main objectives of this Information Security Policy are to:
(a) Ensure that information is created, used and maintained in a secure environment;
(b) Ensure that all of the computing facilities, programs, data, network, equipment and documents are adequately protected against loss, misuse or abuse;
(c) Ensure that you read, understand and fully comply with the Information Security Policy and the relevant supporting policies, standards and procedures;
(d) Ensure that you are aware of and fully comply with the relevant legislation, regulation and contractual requirements;
(e) Assist Hastee in ensuring awareness that appropriate security measures must be implemented as part of the effective operation and support of our Information Security Management system (“ISMS”); and
(f) Ensure that you understand your own responsibilities for protecting the confidentiality, integrity and availability of the information you handle as part of your job, in whatever form it may take.

6. Who this Information Security Policy applies to
6.1 Remember that Information Security is not something that can be solely maintained by management, so it is important that all of us do our part, regardless of our level in the organisation or in which location we are based. We therefore require that you all respect and follow this policy.
6.2 All of our information must be treated as commercially valuable and be protected from loss, theft, misuse or inappropriate access or disclosure. We therefore expect that:
(a) You should discuss with line managers the security arrangements which are appropriate and in place for the type of information they access in the course of their work.
(b) You should ensure you attend any information security training you are invited to unless otherwise agreed by line managers.
(c) You understand that all information is owned by us, Hastee, and not by any individual or team.
(d) You must only use our information in connection with work being carried out on our behalf and not for other commercial or personal purposes.
(e) If you have any doubts or questions about how this policy applies to you or you have a query or concern related to Information Security, please contact our IT Security Team or your direct line manager.

7. Context
7.1 This Information Security Policy provides an overview of our information security strategy.
7.2 As is the case for many large organisations, we have an ISMS which has been developed in order help us to protect our information and information belonging to our customers, colleagues and other third parties. This Information Security Policy also allows us to evidence that we are compliant with legal, statutory, regulatory and contractual requirements.

8. What does this policy cover?
8.1 The information covered by this Information Security Policy includes all written, spoken and electronic information held, used or transmitted by or on our behalf, in whatever media. This includes information held on computer systems, hand-held devices, phones, paper records and information transmitted orally.
8.2 The Information Security Policy applies to all people, processes and technology at Hastee sites, customer sites and any customer portals or other third parties working for us.
8.3 This Information Security Policy also supplements our other ISMS policies relating to information management, data breaches, data protection, Internet, email and communications, document retention and our privacy notice.

9. Who is in charge of this policy?
9.1 The CTO is responsible for defining and creating this policy and for obtaining approval on behalf of the CEO.

10. Staff Awareness
10.1 This Information Security Policy applies to all employees, temporary and agency workers, other contractors, interns and volunteers of Hastee (“Staff”). It is the responsibility of each member of Staff to read, understand and adhere to this Information Security Policy and any other policies and standards.
10.2 However, the divisional Managing Directors (or delegates) should monitor that all Staff are familiar with this Information Security Policy and comply with its terms and that the policy is integrated into their business.
10.3 As such, all Staff will be required to undertake Information Security Awareness training on a regular basis.
10.4 This Information Security Policy does not form part of any member of Staff’s contract of employment or engagement and so we may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to Staff once it has been adopted.

11. Consequences of failing to comply with this policy:
11.1 We take compliance with this Information Security Policy very seriously. Failure to comply puts both Staff and the business at risk.
11.2 The importance of this Information Security Policy means that failure to comply with any requirement may lead to disciplinary action, which may result in dismissal.
11.3 If you have any questions or concerns about anything in this policy don’t hesitate to contact your line manager.

12. How often is this policy reviewed?
12.1 This Information Security Policy and the Hastee ISMS will be reviewed at least once a year by the CTO and and a representative of the CEO.

13. Organisation of Information Security
13.1 Our management system has been established to allow the integrity of our ISMS. The IT security team meet regularly to highlight any feedback to the Board.
13.2 Hastee Pay is committed to a programme of auditing, testing, and checking activities, which we use to make sure that this policy is being respected.

14. Asset Management
14.1 In order to protect our information, it is important that all critical information assets (i.e. assets which are vital to the organisation achieving its business goals, and which could cause major disruption and financial losses if harmed) form part of an inventory. As such, these assets also need to be classified in accordance with our information handling and classification standard.

15. Information Classification and Handling
15.1 Our information classification and handling standard is communicated to all staff and sets out how information needs to be protected. The level of protection is based on the sensitivity of the information and the impact of loss of confidentiality, availability or integrity of our company, from both a financial and reputational perspective.

16. Personal Data
16.1 The laws relating to personal data changed in the UK and across Europe on 25th May 2018 with the implementation of the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/ (“GDPR”).
16.2 The GDPR sets outs rights for individuals (called data subjects) and obligations on organisations such as ours, when processing personal data. The rights contained in the GDPR also provide standards which apply to the security and confidentiality of personal data and Hastee is proud to adhere to those standards.
16.3 A copy of our privacy notice can be found here: https://www.hasteepay.com/privacy-policy/ . This sets out in more detail the rights of data subjects in relation to their personal data and more information about the way we use personal data during the course of our business activities.
16.4 If you wish to have more information about your rights under the GDPR or more specific information about these rights in relation to our Information Security Commitment, please contact our Data Privacy Point at dpo@hasteepay.com

17. Acceptable Use Policy
17.1 It is really important that all of our Staff are aware of their responsibilities to use all assets responsibly, whether the asset is a physical item (e.g. laptop, phone, USB device, documents in filing cabinets or in storage) or a digital asset (e.g. data).
17.2 All users of our assets must understand what is expected of them and what they need to do in order to maintain the confidentiality, integrity and availability of assets that they handle and/or are responsible for.
17.3 An Acceptable Use Policy has been documented for all key technologies used, including but not limited to:
(a) Email.
(b) Internet.
(c) Networks and computers.
(d) Mobile phones and tablets.
(e) Removable media.
(f) Social media.
Acceptable Use – Home, Remote or Off-site working:
17.4 You should not take confidential or other information home without the permission of their line manager and only do so where satisfied appropate technical and practical measures are in place within the home to maintain the continued secuty and confidentiality of that information.
17.5 In the limited circumstances in which Staff are permitted to take our information home, you must ensure that:
(a) confidential information must be kept in a secure and locked environment where it cannot be accessed by family members or visitors; and
(b) all confidential material that requires disposal must be shredded or, in the case of electronic material, securely destroyed, as soon as any need for its retention has passed.
17.6 You should not store confidential information on home computers (PCs, laptops or tablets).
17.7 If you have any queries relating to how this applies to you, please contact your line manager or HR department.

18. Access Control
18.1 Only authosed personnel are permitted to have access to facilities and information systems. That access is limited, depending on the role of the individual concerned. We have therefore adopted the following principles.

19. Technical Controls:
19.1 Access will only be provided to our networks, systems, information or other assets based on a business need. This access shall be controlled by relevant access control policy and procedures.
19.2 Access to systems and applications shall follow a formal granting and revoking process.
19.3 All users will be given a unique user ID for our systems and applications. Sharing of company user accounts is strictly prohibited.
19.4 Access to systems and services will be recorded (including failed attempts) and will be monitored.
19.5 Guidance on the expected usage of accounts and the minimum standards expected in password selection and use will be documented and communicated.
19.6 Privileged access to systems which contains sensitive data will require multi-factor authentication.
19.7 Access from third parties will only be provided where necessary to allow the third party to carry out their specified tasks and will be logged and monitored.
19.8 Access will be reviewed periodically.
19.9 Access no longer required will be revoked in a timely manner.
19.10 The allocation of privileges shall be restricted and controlled based on business need.
19.11 We will use appropriate methods to ensure that information assets are protected against unauthorised access. Such methods include, as an example:
(a) Use of a User ID (or email address) and a password
(b) Certificate-based authentication
(c) One-time passwords
(d) Physical tokens
(e) Other methods approved by Information Security, depending on the nature and sensitivity of the data.

20. Physical controls:
20.1 Office doors must be kept secure at all times and visitors must not be given keys or access codes.
20.2 Documents containing confidential information and equipment displaying confidential information should be positioned in a way to avoid them being viewed by people passing by, e.g. through office windows.
20.3 Visitors should be required to sign in at reception, accompanied at all times and never be left alone in areas where they could have access to confidential information.
20.4 Wherever possible, visitors should be seen in meeting rooms. If it is necessary for a member of staff to meet with visitors in an office or other room which contains Hastee Pay information, then steps should be taken to ensure that no confidential information is visible.
20.5 At the end of each day, or when desks are unoccupied, all paper documents, backup systems and devices containing confidential information must be securely locked away.
21. Communications and Transfer controls:
21.1 You should be careful about maintaining confidentiality when speaking in public places.
21.2 Confidential information must not be removed from our offices without permission from your line manager.
21.3 In the limited circumstances when confidential information is permitted to be removed from our offices, all reasonable steps must be taken to ensure that the integrity of the information and confidentiality are maintained. Staff must ensure that confidential information is:
(a) not transported in see-through or other unsecured bags or cases;
(b) not read in public places (e.g. waiting rooms, cafes, trains); and
(c) not left unattended or in any place where it is at sk (e.g. in conference rooms, car boots, cafes).
21.4 Postal, document exchange (DX), fax and email addresses and numbers should be checked and verified before information is sent to them. Particular care should be taken with email addresses where auto-complete features may have inserted incorrect addresses.
21.5 All sensitive or particularly confidential information should be encrypted before being sent by email or be sent by tracked DX or recorded delivery.
21.6 Sensitive or particularly confidential information should not be sent by fax unless you can be sure that it will not be inappropriately intercepted at the recipient fax machine.
21.7 There are restrictions on international transfers of personal data. If you are based in the EU, you must not transfer or take personal data outside the EEA (which includes the EU, Iceland, Liechtenstein and Norway) without first consulting your local Legal team or line manager.

22. Operational Management
22.1 We aim to ensure that the IT applications and infrastructure that we provide to you are:
(a) Secure by Design; and
(b) Operated in a secure manner i.e. does not pose a risk to our overall information.
22.2 To help us to achieve this, we implement the following mechanisms:
(a) Malware Protection – we use industry recognised anti-malware software which must be installed on devices within the network as appropriate (for example on all Windows and Mac OSX platforms), with real time monitong and continuous updates.
(b) Control of Installed Software – we set all privileges on IT equipment and ensure that they are restricted whenever possible, so that users are not able to disable or amend key security controls. Users are also provided with clear instructions that they are not permitted to install any software.
(c) Backups – this is where business information is backed up according to an agreed backup schedule to ensure that data can be recovered when required. The decision on which data to back-up is taken based on the classification of the data i.e. business need or legal requirement.

23. Network Security
23.1 We are committed to ensuring the integrity, availability and confidentiality of our data.
23.2 We therefore ensure that the following points are met:
(a) Boundary Firewalls – All entry points to the network must have appropriate border controls (e.g. Firewalls, Intrusion Prevention and Detection) to protect internal data from unauthorised access and disclosure.
(b) Secure Configuration – All end-user devices connecting to the company networks must conform to a minimum security standard. All servers shall be built to a minimum standard which includes “hardening” of such systems to prevent security vulnerabilities from affecting these systems and the data which they access.
(c) Encryption – Specific controls to encrypt (“scramble”) data with industrial-strength encryption should be established to safeguard the confidentiality and integrity of data passing over public networks or wireless networks
(d) Logging and Monitong – Sufficient audit trails will be generated to allow user activity to be monitored, and to allow us to investigate any breaches or incidents as necessary. Logs will be protected, backed up and will be reviewed as needed.
(e) Clock synchronization – Critical systems will have the correct and consistent time, synchronized to a centralized time source
(f) Regular Testing – Networks and applications will be subject to vulnerability testing on a Quarterly basis. Technical vulnerability testing will also be considered when systems undergo significant change, as well as before the deployment of new systems or applications

24. Patch Management
24.1 We ensure that Application, Systems and Services are assessed for vulnerabilities and routinely patched. We achieve this by having appropate mechanisms in place and also liaise with the business and specialists so that any information about vulnerabilities is received by us in a timely manner. In the event that a vulnerability issue reported to us, we will evaluate the overall risk of this vulnerability.
24.2 If risks are identified, we ensure that appropriate measures are implemented to address the risk.
24.3 This is conducted via our vulnerability management processes which set out that:
(a) Roles and responsibilities are defined.
(b) Information resources that will be used to identify relevant technical vulnerabilities shall be identified for each key software in use.
(c) Processes for detecting and dealing with vulnerabilities are documented.
(d) Procedures must be created setting out how to deal with vulnerabilities, such as:
(i) Turning off services or capabilities related to the vulnerability.
(ii) Adapting or adding access controls, e.g. firewalls, at network borders.
(iii) Increased monitong to detect actual attacks.
(iv) Raising awareness of the vulnerability.
(v) Third-party suppliers (such as Cloud Service Providers, for example), shall provide all necessary guarantees.

25. Supplier Management
25.1 We ensure that security risks related to products and services provided by any third party have been assessed, and that appropriate controls are put in place to minimise those risks.
25.2 During our vendor or product selection process, it is important that due diligence on third parties is carried out in order to determine:
(a) What information assets the third party may have access to.
(b) Whether third parties themselves use sub-contracted services to fulfil their obligations to Hastee Pay.
(c) The locations and management of any systems used to store Hastee Pay data, particularly when that information is sensitive.
(d) Compliance with relevant legislation.
25.3 So that we can control supplier risk, it is important that contracts and agreements include appropriate provisions for information security. Alongside these documents, suppliers also need to sign a NDA (Non Disclosure Agreement) to ensure confidential handling of our company data.
25.4 The controls and procedures in meeting this policy must be outlined and if you have any queries related to contractual documents or supplier risk, please contact your line manager or HR dept.

26. Business Continuity Management
26.1 Our aim is to reduce information security breaches and the risks and impact that this can have on our business taking into account what is possible or cost effective on a case-by-case basis. Therefore, we have identified the following scenarios that may be assessed as part of the business continuity planning activities:
(a) Loss/unavailability of key locations (e.g. fire, flood, disease outbreak or political unrest)).
(b) Loss/unavailability of key systems (email, telephones)).
(c) Loss/unavailability of key people.
(d) Data loss or cyber threat.
(e) Denial of Service (e.g. DDoS attack, cryptolocker/ransomware, malicious software (e.g. Conficker, Web Store Attack).
(f) Loss/unavailability of key supplier services.
(g) Business continuity plan and testing which must be carried out at least once a year.

27. Incident Management
27.1 Proper reporting and management of information security incidents allows us to understand if the security of our information has been breached, what the underlying cause is, and how we can improve.
27.2 Therefore, we ensure that appropriate controls are put in place to ensure that we all act in the same way when reporting or dealing with any untoward security event, weakness or incidents.
27.3 The documented incident management procedures must set out procedures for:
(a) monitoring, detecting, analysing and reporting of information security events and incidents.
(b) assessing information security events and assessment of information security weaknesses.
(c) responding and communication to internal and external people or organizations.
27.4 All Information Security incidents (or suspected incidents) must be reported to the Hastee Pay CTO or service desk as soon as you become aware of it. If an incident requires escalation it must be reported to the CTO. If in doubt, please contact your line manager or HR department.

28. System Acquisition, Development and Maintenance
28.1 Information security must be embedded during the acquisition, development or maintenance of any system or application.
(a) Systems and Services will be Secure by Design; and
(b) Operated in a secure manner i.e. does not pose a risk to the information security posture of the company.
28.2 Where software development or maintenance effort is performed by Hastee Pay development resource, standards must be in place to allow those teams to:
(a) Deliver secure, fit for purpose systems that meet business needs.
(b) Ensure that information security requirements are identified early on.
(c) Ensure that developers are aware of the threats and are well equipped to defend against those threats.
(d) Ensure clear principles for engineering secure systems have been developed.
(e) Ensure that all developed code is tested as secure and fit-for-purpose, and that all changes to live environments are controlled.
(f) Ensure that security associated with development and test environments has designed and applied.
(g) Ensure that source code is appropriately protected. There shall be a segregation among development, test, quality assurance production environments.
28.3 These requirements will ensure third parties develop products to our standards.

29. Compliance
29.1 We must remain compliant with all legal, statutory, regulatory and contractual requirements impacting on our operation.
29.2 Our policies, standards, processes and procedures allow us to meet our legal obligations and are regularly reviewed. As such, employees must be provided with appropriate training, awareness and support to allow them to comply with those policies and standards.
29.3 The law varies vary from country to country which means that information created in one country and sent to another might need to be treated differently when it is received by the other country (i.e. trans-border data flow). Typical requirements that should be taken into consideration include:
(a) Data Protection and Privacy of personal information.
(b) General Data Protection Regulation and other local data protection laws.
(c) Software Licensing
(d) Prevention of the misuse of information systems; and
(e) Regulation of cryptographic controls.
29.4 The business must ensure that all the relevant legal, regulatory and contractual obligations are explicitly defined, documented, and kept up to date.
29.5 The controls and procedures for software licensing, Intellectual Property, misuse of systems, regulation of cryptographic controls should also be outlined in each regions ISMS.

30. HR Security
30.1 Given the internal confidentiality of personnel files, access to such information is limited to relevant role holders. Except as provided in individual roles, other staff are not authorised to access that information.
30.2 Any staff member in a management or supervisory role must keep personnel information confidential.
30.3 Staff may ask to see their personnel files in accordance with the relevant provisions of data protection law.
30.4 The reasons for any information collected are to verify that any individual:
(a) Is eligible to work in the territory in which the role is employed.
(b) Has the skills and experience to carry out the role.
(c) Has been vetted appropriately for where the role calls for such contact.
(d) Can evidence their stated employment history and explain any gaps in that history.
(e) Can provide verifiable previous employment references who must be contacted to obtain a reference on the employee’s previous employment and performance, and reason for leaving.

31. Other Related Documents & Information
(a) Privacy Policy
(b) Employee Data Protection Policy
(c) Website Privacy Policy

Project ID: HP – 2018
Document Owner: Peter Ingram, CTO
Version number: 1.1
Version date: 18/10/2018
Security classification: Company Confidential
Document Owner Privacy & Security SME

Document Information
The Document Owner is responsible for document management and version control.

Revision history
Version Revision / release date Changes made by (author) Summary of changes
0.1 18/10/2018 Lee Wickens Initial Draft
0.1 30/05/2018 Peter Ingram Issued for signoff, includes all previous versions
1.1 10/01/2019 Peter Ingram Cleaned up, finalised, approved version.
Approvals
Name of approver Title of approver Method of approval Date approved Version approved
Peter Ingram CTO Email 12/01/2019 1.1
James Herbert CEO Email 12/01/2019 1.1
Reviewers
Name of reviewer Title of approver Method of approval Comments Received Version reviewed
Lee Wickens DP Point Email N 1.1