Cyber Security Policy

Protecting Our Information and Systems

All Services 4U is committed to protecting our information, systems, and data from cyber threats. This Cyber Security Policy sets out the controls and practices we implement to defend against common cyber attacks and maintain the security of our digital infrastructure. Our approach is aligned with the UK Government's Cyber Essentials framework. This policy applies to all employees, directors, officers, agency workers, contractors, and anyone who accesses our systems or data.

Our Commitment

We are committed to:

  1. Protection — Defending our systems and data against cyber threats
  2. Prevention — Implementing controls to prevent common attacks
  3. Awareness — Ensuring everyone understands their security responsibilities
  4. Resilience — Maintaining the ability to respond to and recover from incidents
  5. Compliance — Meeting legal, regulatory, and contractual security requirements
  6. Continuous Improvement — Regularly reviewing and strengthening our security posture

Cyber Essentials Framework

Our security controls are based on the five technical controls of the Cyber Essentials scheme:

  • Firewalls: protect our network boundaries
  • Secure Configuration: ensure systems are configured securely
  • User Access Control: manage who can access what
  • Malware Protection: defend against viruses and malicious software
  • Security Update Management: keep systems patched and up to date

These controls protect against the most common cyber attacks and form the foundation of our security programme.

Scope

This policy covers:

  • All company-owned IT equipment (computers, laptops, tablets, phones)
  • All company networks and internet connections
  • All software and applications used for business purposes
  • All data stored, processed, or transmitted by the company
  • Cloud services and software-as-a-service applications
  • Personal devices used for work (BYOD)
  • Remote and home working

Roles and Responsibilities

Managing Director

  • Overall accountability for cyber security
  • Ensuring adequate resources for security
  • Championing security culture

IT Manager / IT Service Provider

  • Implementing technical security controls
  • Managing security systems and tools
  • Monitoring for security threats
  • Responding to security incidents
  • Maintaining security documentation
  • Reporting on security status

Data Protection Lead

  • Ensuring security measures protect personal data
  • Coordinating breach response for data breaches
  • Liaising with the ICO on data security matters

Managers

  • Ensuring team compliance with this policy
  • Authorising access for team members
  • Reporting security concerns
  • Supporting security awareness

All Employees

  • Following this policy and security procedures
  • Protecting their accounts and devices
  • Reporting security incidents and concerns
  • Completing security training
  • Remaining vigilant against threats

Control 1: Firewalls

Firewalls protect our network by controlling incoming and outgoing traffic.

Boundary Firewalls

Requirements:

  • All connections to the internet pass through a firewall
  • Firewall is configured to block unauthorised access
  • Default deny rule for inbound connections
  • Only necessary services are allowed through
  • Firewall rules are documented and reviewed regularly

Our Controls:

Control Implementation
Hardware firewall Installed at network perimeter
Default deny All inbound traffic blocked unless explicitly allowed
Rule documentation Firewall rules documented with business justification
Rule review Rules reviewed at least annually
Logging Firewall logs retained for security monitoring
Management access Restricted to authorised IT personnel

Software Firewalls

Requirements:

  • All computers and devices have a software firewall enabled
  • Personal firewalls are configured to block unauthorised connections
  • Users cannot disable the firewall

Our Controls:

Control Implementation
Windows Firewall Enabled on all Windows devices
macOS Firewall Enabled on all Apple devices
Mobile devices Firewall/security enabled where available
User restrictions Users cannot disable firewalls
Configuration Managed centrally where possible

Home and Remote Working

Requirements:

  • Remote workers are protected by firewalls
  • Home router firewalls should be enabled
  • VPN connections used for accessing company network

Our Controls:

Control Implementation
Home routers Guidance provided to enable firewall
VPN Required for accessing internal network
Device firewall Enabled on all remote devices
Public Wi-Fi Prohibited for accessing sensitive data without VPN

Control 2: Secure Configuration

Systems are configured securely to reduce vulnerabilities.

Secure Configuration Principles

Requirements:

  • Remove or disable unnecessary software and services
  • Change default passwords
  • Disable unnecessary user accounts
  • Configure systems to prevent unauthorised changes

Our Controls:

Control Implementation
Default accounts Disabled or renamed where possible
Default passwords Changed on all systems and devices
Unnecessary software Removed or disabled
Unnecessary services Disabled
Auto-run Disabled for removable media
Guest accounts Disabled

Password Policy

Requirements:

  • Strong passwords required for all accounts
  • Passwords protected from brute force attacks
  • Multi-factor authentication where available

Our Password Standards:

  • Minimum length: 12 characters
  • Complexity: mix of uppercase, lowercase, numbers, and symbols
  • Uniqueness: a different password for each account
  • Password history: cannot reuse any of the last 12 passwords
  • Maximum age: 90 days (or risk-based)
  • Account lockout: lock after 10 failed attempts
  • Lockout duration: 15 minutes or manual unlock

Multi-Factor Authentication (MFA):

MFA is required for:

  • Remote access to company network (VPN)
  • Cloud services (email, file storage, applications)
  • Administrator accounts
  • Any internet-facing services

Password Protection:

Prohibition Requirement
Password sharing Never share passwords
Written passwords Do not write down passwords
Password storage Use approved password manager only
Password transmission Never send passwords by email
Browser storage Only with IT approval

Device Configuration

Computers and Laptops:

Control Implementation
Operating system Supported version (Windows 10/11, macOS)
Automatic updates Enabled
Screen lock After 5 minutes of inactivity
Encryption Full disk encryption enabled (BitLocker/FileVault)
Antivirus Installed and updated
Local admin Restricted to IT only

Mobile Devices:

Control Implementation
Screen lock PIN, password, or biometric required
Minimum PIN 6 digits
Encryption Device encryption enabled
Remote wipe Enabled for company devices
Automatic updates Enabled
App sources Official app stores only
Jailbreaking/rooting Prohibited

Servers:

Control Implementation
Hardening Security baseline applied
Unnecessary services Disabled
Default accounts Disabled or secured
Access Restricted to authorised administrators
Logging Security events logged
Updates Regular patching schedule

Removable Media

Control Implementation
Auto-run Disabled
Scanning Automatic malware scanning on insert
Encryption Required for sensitive data
Approved devices Only company-approved USB devices
Personal devices Prohibited unless approved

Control 3: User Access Control

Access to systems and data is controlled and managed.

Access Control Principles

Requirements:

  • Users only have access they need (least privilege)
  • User accounts are unique and not shared
  • Administrator accounts are controlled and limited
  • Access is removed when no longer needed

Our Controls:

Principle Implementation
Least privilege Users have minimum access needed
Unique accounts Each user has a unique account
No shared accounts Shared accounts prohibited
Role-based access Access based on job role
Regular review Access reviewed at least annually
Prompt removal Access removed within 24 hours of leaving

User Account Management

Account Creation:

  • Accounts created only with manager authorisation
  • Access request documented and approved
  • Minimum access granted initially
  • Additional access requested as needed

Account Review:

Review Frequency
Access rights review Annual (minimum)
Privileged access review Quarterly
Inactive account review Monthly
Leaver account removal Within 24 hours

Account Removal:

  • Leavers reported to IT immediately
  • Access disabled on last working day
  • Accounts deleted after 30 days
  • Data retained as per retention policy

Privileged Access

Administrator Accounts:

Control Implementation
Separate accounts Admins have separate admin and standard accounts
Limited users Minimum number of admin accounts
MFA required Multi-factor authentication mandatory
Logging All admin actions logged
Review Admin accounts reviewed quarterly
No email/browsing Admin accounts not used for email or browsing

Local Administrator:

Control Implementation
User access Standard users do not have local admin
IT only Local admin restricted to IT personnel
Password management Unique passwords per device
Emergency access Documented break-glass procedure

Remote Access

Control Implementation
VPN required For accessing internal network
MFA required For all remote access
Approved devices Company or approved personal devices only
Session timeout Automatic disconnect after inactivity
Logging Remote access logged

Control 4: Malware Protection

We protect against viruses, ransomware, and other malicious software.

Anti-Malware Software

Requirements:

  • Anti-malware software installed on all devices
  • Software configured to scan automatically
  • Definitions updated regularly
  • Users cannot disable protection

Our Controls:

Control Implementation
Antivirus software Installed on all computers and laptops
Mobile protection Security software on mobile devices
Server protection Antivirus on all servers
Real-time scanning Enabled
Scheduled scans Weekly full system scan
Definition updates Automatic, at least daily
User restrictions Users cannot disable antivirus
Central management Managed and monitored centrally

Malware Prevention

Email Protection:

  • Spam filtering: enabled on the email system
  • Attachment scanning: all attachments scanned
  • Dangerous attachments: blocked (.exe, .js, .vbs, etc.)
  • Link protection: malicious links detected and blocked
  • Phishing protection: anti-phishing filters enabled
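A "dangerous attachments" block is only as good as its filename handling. As an added example (not the mail filter the policy refers to, and not code from All Services 4U), the following shows the cases a plain extension match misses: upper-case extensions, trailing dots and spaces that Windows ignores, Unicode right-to-left override characters that make "invoice<RLO>fdp.exe" display as "invoiceexe.pdf", and blocked types or encrypted members inside a ZIP archive. The block list extends the ".exe, .js, .vbs, etc." in the table and is an assumption; the sample archive is constructed in memory.

```python
"""Added example: attachment filename and archive screening."""
import io
import zipfile
from typing import List, Optional

# Assumed block list extending the policy's ".exe, .js, .vbs, etc.".
BLOCKED_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "ps1", "msi", "lnk", "iso",
    "js", "jse", "vbs", "vbe", "wsf", "hta",
}
ARCHIVE_EXTENSIONS = {"zip"}
# Unicode bidirectional controls (U+202E right-to-left override and relatives).
BIDI_CONTROLS = "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"


def final_extension(filename: str) -> str:
    """Case-folded last extension; trailing dots and spaces are removed first,
    because Windows ignores them when it resolves the file type."""
    name = filename.lower().rstrip(". ")
    return name.rsplit(".", 1)[1] if "." in name else ""


def blocked_reason(filename: str) -> Optional[str]:
    """Reason to block a single file by name, or None if the name is acceptable."""
    if any(c in BIDI_CONTROLS for c in filename):
        return f"{filename!r}: filename contains a bidirectional override character"
    ext = final_extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return f"{filename}: blocked type .{ext}"
    return None


def scan_zip(filename: str, data: bytes) -> List[str]:
    """Look inside a ZIP so a blocked type is still caught when archived."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    # Encrypted member: cannot be inspected, a common delivery trick.
                    reasons.append(f"{filename}: encrypted member {info.filename} cannot be scanned")
                    continue
                inner = blocked_reason(info.filename)
                if inner:
                    reasons.append(f"{filename}: archive contains {inner}")
    except zipfile.BadZipFile:
        reasons.append(f"{filename}: not a valid ZIP archive")
    return reasons


def scan_attachment(filename: str, data: bytes) -> List[str]:
    """All reasons to block an attachment; an empty list means allow."""
    reasons = []
    reason = blocked_reason(filename)
    if reason:
        reasons.append(reason)
    if final_extension(filename) in ARCHIVE_EXTENSIONS:
        reasons.extend(scan_zip(filename, data))
    return reasons


def build_zip(members: dict) -> bytes:
    """Constructed sample archive built in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip({"readme.txt": b"hello", "payload.js": b"alert(1)"})  # constructed
    for name, blob in [("report.pdf", b"%PDF"), ("Invoice.pdf.EXE", b"MZ"),
                       ("invoice\u202efdp.exe", b"MZ"), ("docs.zip", sample)]:
        print(name, "->", scan_attachment(name, blob) or "allowed")
```

Filename checks are a first line only; the "attachment scanning" control still has to inspect content, since a renamed executable or a macro-bearing Office document passes every test above.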

Web Protection:

Control Implementation
Web filtering Malicious sites blocked
Download scanning Downloads scanned for malware
HTTPS inspection Where appropriate
Category blocking High-risk categories blocked

Application Control:

Control Implementation
Approved software Only approved software permitted
Installation rights Users cannot install software
App stores Official stores only for mobile apps
Whitelisting Considered for high-security systems

Responding to Malware

If malware is detected or suspected:

  1. Disconnect — Disconnect the device from the network (unplug cable, disable Wi-Fi)
  2. Report — Report immediately to IT
  3. Do not use — Do not continue using the device
  4. Do not spread — Do not connect USB devices or send files
  5. Preserve evidence — Do not attempt to fix or clean

Control 5: Security Update Management

Systems are kept up to date to protect against known vulnerabilities.

Patch Management

Requirements:

  • All software is licensed and supported
  • Security updates applied promptly
  • Unsupported software removed or isolated

Patching Timescales:

  • Critical/High risk: within 14 days of release
  • Medium risk: within 30 days of release
  • Low risk: within 90 days of release
  • Zero-day/actively exploited: as soon as possible (within 48 hours)
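Applied to a patch inventory, the timescales above give each outstanding update a deadline and a status. The following is an added example (not the patch-monitoring tooling the policy refers to) that does that over a constructed inventory; the field names and the sample patch identifiers are assumptions. Active exploitation overrides the severity-based deadline, as the table says, and an update installed after its deadline is reported separately from one still open.

```python
"""Added example: patch-deadline calculation and compliance report."""
from datetime import date, timedelta
from typing import Dict, List

# Days allowed per severity, from the Patching Timescales list above.
SLA_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}
EXPLOITED_DAYS = 2  # "within 48 hours" for zero-day / actively exploited


def deadline(severity: str, released: date, actively_exploited: bool = False) -> date:
    """Date by which the patch must be installed; exploitation overrides severity."""
    if actively_exploited:
        return released + timedelta(days=EXPLOITED_DAYS)
    return released + timedelta(days=SLA_DAYS[severity.lower()])


def patch_status(item: dict, today: date) -> str:
    """compliant / late (installed after the deadline) / pending / overdue."""
    due = deadline(item["severity"], item["released"], item.get("actively_exploited", False))
    installed = item.get("installed")
    if installed is not None:
        return "compliant" if installed <= due else "late"
    return "overdue" if today > due else "pending"


def compliance_report(inventory: List[dict], today: date) -> Dict[str, List[str]]:
    """Group patch identifiers by status for the monthly compliance report."""
    report: Dict[str, List[str]] = {"compliant": [], "late": [], "pending": [], "overdue": []}
    for item in inventory:
        report[patch_status(item, today)].append(item["id"])
    return report


# Constructed sample data; identifiers and dates are not real patches.
SAMPLE_TODAY = date(2024, 3, 15)
SAMPLE_INVENTORY = [
    {"id": "KB-A", "severity": "critical", "released": date(2024, 3, 1),
     "installed": date(2024, 3, 10)},
    {"id": "KB-B", "severity": "high", "released": date(2024, 3, 1),
     "installed": date(2024, 3, 20)},
    {"id": "KB-C", "severity": "medium", "released": date(2024, 3, 5)},
    {"id": "KB-D", "severity": "low", "released": date(2023, 12, 1)},
    {"id": "KB-E", "severity": "medium", "released": date(2024, 3, 10),
     "actively_exploited": True},
]

if __name__ == "__main__":
    for status, ids in compliance_report(SAMPLE_INVENTORY, SAMPLE_TODAY).items():
        print(f"{status:10} {', '.join(ids) or '-'}")
```

The "late" category matters for the Cyber Essentials assessment: an installed patch is not evidence of compliance if it went in after the 14-day window, so the report keeps the installation date rather than a simple installed/not-installed flag.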

Our Controls:

Control Implementation
Automatic updates Enabled where possible
Windows Update Automatic updates enabled
macOS updates Automatic updates enabled
Mobile updates Automatic updates enabled
Application updates Regular update schedule
Server patching Scheduled maintenance windows
Patch testing Critical systems tested before deployment
Patch monitoring Compliance monitored

Supported Software

Requirements:

  • Only use supported operating systems and software
  • Plan for end-of-life before support ends
  • Remove or isolate unsupported systems

Supported Versions:

Software Minimum Supported Version
Windows Windows 10 (current feature update)
macOS Current and previous two major versions
iOS Current and previous two major versions
Android Manufacturer-supported versions
Microsoft Office Microsoft 365 or supported perpetual version
Browsers Current version (auto-updating)

End-of-Life Planning:

  • Inventory of software and support dates maintained
  • Upgrade plans in place before end-of-life
  • Business case for exceptions documented
  • Unsupported systems isolated and monitored

Vulnerability Management

Activity Frequency
Vulnerability scanning Monthly (minimum)
Patch compliance reporting Monthly
Critical vulnerability response Within 48 hours
Penetration testing Annual (or after significant changes)

Additional Security Controls

Beyond Cyber Essentials, we implement additional controls.

Email Security

  • SPF: configured to prevent spoofing
  • DKIM: email signing enabled
  • DMARC: policy configured and monitored
  • Encryption: TLS for email in transit
  • Attachment size limits: enforced
  • External email warning: banner on external emails
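Whether SPF, DKIM and DMARC actually "prevent spoofing" depends on the details of the published records: an SPF record ending in +all or ?all permits anything, a DMARC policy of p=none only observes, and a DMARC record without rua= is not being monitored. The following is an added example, not code from All Services 4U or from any mail provider, that parses the three record types and reports those weaknesses. It works on constructed sample strings so it runs offline; in practice the records come from DNS TXT lookups of the domain, of selector._domainkey.domain and of _dmarc.domain. example.com and the DKIM key value are placeholders.

```python
"""Added example: SPF, DKIM and DMARC record review."""
from typing import Dict, List

# SPF terms that cost a DNS query (RFC 7208 allows at most 10 per evaluation).
DNS_QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> Dict[str, str]:
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', ...}.
    DMARC and DKIM records share this tag=value; syntax."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _is_dns_term(term: str) -> bool:
    name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0]
    return name in DNS_QUERYING


def spf_findings(record: str) -> List[str]:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    mechanisms = [t.lower() for t in terms[1:]]
    findings = []
    if "+all" in mechanisms or "all" in mechanisms:   # bare 'all' defaults to '+'
        findings.append("+all lets any host send as the domain")
    elif "?all" in mechanisms:
        findings.append("?all is neutral and provides no protection")
    elif "~all" in mechanisms:
        findings.append("~all (softfail) relies on DMARC to act on spoofed mail")
    elif "-all" not in mechanisms:
        findings.append("no all mechanism; record gives no default verdict")
    lookups = sum(1 for m in mechanisms if _is_dns_term(m))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10; "
                        "receivers return permerror")
    return findings


def dkim_findings(record: str) -> List[str]:
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional in DKIM records
        return ["v= tag present but not DKIM1"]
    findings = []
    if not tags.get("p"):
        findings.append("empty p= tag: the key is revoked, so signatures will not verify")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set: receivers treat failures as if unsigned")
    return findings


def dmarc_findings(record: str) -> List[str]:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not being monitored")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    return findings


# Constructed sample records; example.com and the key value are placeholders.
SAMPLE_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dkim": "v=DKIM1; k=rsa; p=EXAMPLEKEYBASE64",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    print("SPF  ", spf_findings(SAMPLE_RECORDS["spf"]) or "ok")
    print("DKIM ", dkim_findings(SAMPLE_RECORDS["dkim"]) or "ok")
    print("DMARC", dmarc_findings(SAMPLE_RECORDS["dmarc"]) or "ok")
```

Run this against the live records whenever a new mail service or marketing tool is added: each one usually brings another include: term, and crossing the ten-lookup limit silently turns SPF into a permanent error at receivers.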

Data Protection

Control Implementation
Encryption at rest Sensitive data encrypted
Encryption in transit TLS/HTTPS for all connections
Data classification Data classified by sensitivity
DLP Data loss prevention for sensitive data
Backup encryption Backups encrypted

Network Security

Control Implementation
Network segmentation Separate networks for different purposes
Guest Wi-Fi Isolated from corporate network
Wireless security WPA3 or WPA2-Enterprise
Network monitoring Traffic monitored for anomalies
Intrusion detection IDS/IPS implemented

Physical Security

Control Implementation
Secure premises Access controls on buildings
Server room Restricted access, environmental controls
Device security Laptops secured when unattended
Visitor management Visitors escorted in secure areas
Clear desk Sensitive information secured
Secure disposal Secure destruction of hardware and media

Backup and Recovery

Control Implementation
Regular backups Daily backups of critical data
Backup testing Regular restore testing
Offsite storage Backups stored offsite/cloud
Ransomware protection Offline or immutable backups
Recovery plan Documented recovery procedures
Recovery time Defined recovery objectives

Acceptable Use

All users must use systems and data responsibly.

Permitted Use

Company systems are provided for business use. Limited personal use is permitted if it:

  • Does not interfere with work
  • Does not consume excessive resources
  • Does not breach this or other policies
  • Does not create legal or security risks

Prohibited Activities

The following are prohibited:

Category Prohibited Activities
Security Attempting to bypass security controls, sharing passwords, installing unauthorised software, disabling security software
Content Accessing or distributing illegal, offensive, or inappropriate material
Malware Deliberately introducing viruses or malicious code
Hacking Attempting to access unauthorised systems or data
Personal use Running a personal business, excessive personal use
Copyright Downloading pirated software, music, or videos
Data Unauthorised copying or sharing of company data
Email Sending spam, phishing attempts, chain letters
Social media Posting confidential information, damaging company reputation

Internet Use

Allowed:

  • Business research
  • Professional development
  • Appropriate personal browsing
  • Approved cloud services

Not allowed:

  • Illegal content
  • Gambling
  • Adult content
  • Unapproved file sharing services
  • Circumventing web filters

Email Use

Allowed:

  • Business communication
  • Appropriate personal email
  • Encrypted attachments

Not allowed:

  • Sending confidential data to personal accounts
  • Forwarding chain emails
  • Sending sensitive data unencrypted
  • Opening suspicious attachments

Social Media

Allowed:

  • Professional networking
  • Company-approved posts

Not allowed:

  • Disclosing confidential information
  • Posting on behalf of the company without approval
  • Damaging company reputation
  • Harassing or discriminatory content

Personal Devices (BYOD)

Personal devices may only be used for work if:

  • Approved by IT in advance
  • Security requirements are met (PIN, encryption, remote wipe)
  • Antivirus/security software installed
  • Operating system is current and updated
  • Work data kept separate from personal data
  • Device can be wiped if lost or stolen
  • Access can be revoked

Security Awareness

Everyone must understand and manage cyber security risks.

Training Programme

  • Cyber security induction: all new starters, on joining
  • Annual security awareness: all employees, annually
  • Phishing awareness: all employees, annually
  • Secure development: developers, as required
  • Incident response: IT team, annually
  • Advanced security: IT administrators, ongoing

Training Content

Training covers:

  • Recognising phishing and social engineering
  • Password security and MFA
  • Safe internet and email use
  • Protecting sensitive data
  • Mobile device security
  • Remote working security
  • Reporting incidents
  • This policy and procedures

Phishing Simulations

We conduct regular phishing simulations to:

  • Test awareness and vigilance
  • Identify training needs
  • Measure improvement over time
  • Reinforce secure behaviours

Users who fail simulations receive additional training.

Security Communications

We reinforce security awareness through:

  • Regular security tips and reminders
  • Alerts about current threats
  • Lessons learned from incidents
  • Security awareness campaigns

Incident Response

We have procedures to detect, respond to, and recover from security incidents.

What is a Security Incident?

A security incident is any event that threatens the confidentiality, integrity, or availability of our information or systems.

Examples:

Type Examples
Malware Virus infection, ransomware, spyware
Unauthorised access Hacking, stolen credentials, insider threat
Data breach Data stolen, lost, or disclosed inappropriately
Phishing Successful phishing attack, credential theft
Denial of service System or network unavailable due to attack
Physical Stolen or lost devices, unauthorised access to premises
Social engineering Manipulation to disclose information

Reporting Incidents

All security incidents must be reported immediately.

Report to:

  • IT Helpdesk: phone [Phone number], email it@allservices4u.co.uk
  • Out of hours: phone [Emergency number]
  • If a data breach, also notify: dataprotection@allservices4u.co.uk

What to Report

When reporting, provide:

  • What happened
  • When you noticed it
  • What systems or data are affected
  • What actions you have taken
  • Your contact details

Incident Response Process

Step 1: Identification

  • Detect and report the incident
  • Initial assessment of type and severity

Step 2: Containment

  • Stop the incident spreading
  • Isolate affected systems
  • Preserve evidence

Step 3: Eradication

  • Remove the threat
  • Close vulnerabilities
  • Verify systems are clean

Step 4: Recovery

  • Restore systems and data
  • Return to normal operations
  • Monitor for recurrence

Step 5: Lessons Learned

  • Investigate root cause
  • Document lessons learned
  • Implement improvements
  • Update procedures

Incident Severity

  • Critical: major impact on business, data breach, ransomware. Response: immediate (within 1 hour)
  • High: significant impact, spreading malware, system compromise. Response: within 4 hours
  • Medium: limited impact, contained incident. Response: within 24 hours
  • Low: minimal impact, near miss. Response: within 72 hours

Escalation

  • Critical: Managing Director, Data Protection Lead, external support
  • High: IT Manager, relevant Director
  • Medium: IT Manager
  • Low: IT team

Third-Party Security

We manage security risks from third parties.

Supplier Security Assessment

Before engaging suppliers with access to our systems or data:

  • Security questionnaire completed
  • Security policies reviewed
  • Certifications verified (Cyber Essentials, ISO 27001)
  • Risks assessed and accepted

Contractual Requirements

Contracts with suppliers include:

  • Security requirements
  • Confidentiality obligations
  • Data protection requirements
  • Incident notification requirements
  • Audit rights
  • Termination provisions

Ongoing Management

  • Supplier security reviewed periodically
  • Access reviewed and removed when no longer needed
  • Incidents reported and investigated
  • Certification renewal monitored

Cloud Services

Before using cloud services:

  • Security assessment completed
  • Data protection impact assessment (if personal data)
  • Terms of service reviewed
  • MFA enabled
  • Access controls configured
  • Data location confirmed

Remote and Home Working

Additional security requirements apply when working remotely.

Secure Environment

  • Work in a private area where possible
  • Do not let others view your screen
  • Lock your device when leaving it unattended
  • Secure paper documents and destroy securely

Secure Connection

  • Use VPN for accessing company network
  • Do not use public Wi-Fi for sensitive work
  • Ensure home Wi-Fi is secured (WPA2/WPA3, strong password)
  • Keep router firmware updated

Device Security

  • Use company devices or approved personal devices
  • Keep devices updated and patched
  • Enable device encryption
  • Enable automatic screen lock
  • Install and update antivirus

Data Security

  • Do not store sensitive data locally unless necessary
  • Use company cloud storage, not personal accounts
  • Do not email sensitive data to personal accounts
  • Encrypt sensitive files
  • Securely delete data when no longer needed

Video Conferencing

  • Use approved platforms only
  • Password-protect meetings
  • Use waiting rooms for external meetings
  • Do not share meeting links publicly
  • Be aware of your background and screen sharing

Monitoring

We monitor our systems and networks for security purposes.

What We Monitor

  • Network traffic and firewall logs
  • Email and web filtering
  • Antivirus and security alerts
  • System and application logs
  • User access and activity
  • Security tool alerts

Purpose of Monitoring

Monitoring is conducted to:

  • Detect security threats and incidents
  • Investigate security incidents
  • Ensure compliance with policies
  • Protect company systems and data
  • Meet legal and regulatory requirements

Privacy

  • Monitoring is conducted in accordance with data protection law
  • Employees are informed that monitoring takes place
  • Monitoring is proportionate and necessary
  • Personal privacy is respected where possible
  • Monitoring data is accessed only by authorised personnel

Compliance and Audit

We verify our security controls are effective.

Cyber Essentials Certification

We maintain Cyber Essentials certification:

  • Cyber Essentials: [Certified/In progress], renewed annually
  • Cyber Essentials Plus: [Certified/Planned], renewed annually

Security Audits

Audit Frequency
Internal security review Quarterly
External vulnerability scan Monthly
Penetration test Annual
Cyber Essentials assessment Annual
Policy compliance audit Annual

Compliance Monitoring

  • Patching compliance monitored monthly
  • Antivirus status monitored continuously
  • Access reviews conducted quarterly
  • Security training completion tracked
  • Policy acknowledgement tracked

Non-Compliance

Non-compliance with this policy may result in:

  • Access restrictions
  • Additional training
  • Disciplinary action
  • Termination of employment
  • Legal action

Business Continuity

We maintain the ability to continue operations during and after security incidents.

Backup Strategy

  • Critical business data: backed up daily, retained 30 days
  • System configurations: backed up weekly, retained 90 days
  • Email: backed up continuously, retained 1 year
  • Databases: backed up daily, retained 30 days

Backup Security

  • Backups encrypted
  • Backups stored offsite/cloud
  • Offline or immutable copies for ransomware protection
  • Regular restore testing
  • Access to backups restricted

Disaster Recovery

  • Disaster recovery plan documented
  • Recovery time objectives defined
  • Recovery procedures tested annually
  • Alternative work arrangements available
  • Communication plans in place

Policy Review

This policy is reviewed annually and updated to reflect:

  • Changes in threats and risks
  • Changes in technology
  • Lessons learned from incidents
  • Audit and assessment findings
  • Regulatory and certification requirements

This policy should be read in conjunction with:

  • Data Protection Policy
  • Privacy Policy
  • Acceptable Use Policy
  • Password Policy
  • Remote Working Policy
  • Incident Response Procedure
  • Business Continuity Plan
  • Clear Desk and Clear Screen Policy

Approval

This Cyber Security Policy has been approved by the Managing Director.

Review Date: [Date + 1 year]

Contact

IT Helpdesk: email it@allservices4u.co.uk, phone [Phone number]

Report Security Incidents: phone [Phone number] (24-hour), email security@allservices4u.co.uk

Data Protection Lead: email dataprotection@allservices4u.co.uk

Quick Reference

The Five Cyber Essentials Controls

  1. Firewalls — Protect network boundaries
  2. Secure Configuration — Configure systems securely
  3. User Access Control — Control who accesses what
  4. Malware Protection — Defend against malicious software
  5. Security Update Management — Keep systems patched

Your Security Responsibilities

✓ Use strong, unique passwords
✓ Enable multi-factor authentication
✓ Lock your device when unattended
✓ Report suspicious emails — don’t click
✓ Keep software updated
✓ Report security incidents immediately
✓ Complete security training
✓ Follow this policy

Report Security Incidents

Phone: [Phone number]
Email: security@allservices4u.co.uk

When in doubt, report it!

Password Requirements

  • Minimum 12 characters
  • Mix of upper, lower, numbers, symbols
  • Unique for each account
  • Never share passwords
  • Use password manager

All Services 4U is committed to protecting our information and systems from cyber threats. Everyone has a responsibility for security.

All Service 4U Limited | Company Number: 07565878