Cyber Security Policy

Protecting Our Information and Systems

All Services 4U is committed to protecting our information, systems, and data from cyber threats. This Cyber Security Policy sets out the controls and practices we implement to defend against common cyber attacks and maintain the security of our digital infrastructure. Our approach is aligned with the UK Government's Cyber Essentials framework. This policy applies to all employees, directors, officers, agency workers, contractors, and anyone who accesses our systems or data.

Our Commitment

We are committed to:

  1. Protection — Defending our systems and data against cyber threats
  2. Prevention — Implementing controls to prevent common attacks
  3. Awareness — Ensuring everyone understands their security responsibilities
  4. Resilience — Maintaining the ability to respond to and recover from incidents
  5. Compliance — Meeting legal, regulatory, and contractual security requirements
  6. Continuous Improvement — Regularly reviewing and strengthening our security posture

Cyber Essentials Framework

Our security controls are based on the five technical controls of the Cyber Essentials scheme:

Control | Purpose
Firewalls | Protect our network boundaries
Secure Configuration | Ensure systems are configured securely
User Access Control | Manage who can access what
Malware Protection | Defend against viruses and malicious software
Security Update Management | Keep systems patched and up to date

These controls protect against the most common cyber attacks and form the foundation of our security programme.

Scope

This policy covers:

  • All company-owned IT equipment (computers, laptops, tablets, phones)
  • All company networks and internet connections
  • All software and applications used for business purposes
  • All data stored, processed, or transmitted by the company
  • Cloud services and software-as-a-service applications
  • Personal devices used for work (BYOD)
  • Remote and home working

Roles and Responsibilities

Managing Director

  • Overall accountability for cyber security
  • Ensuring adequate resources for security
  • Championing security culture

IT Manager / IT Service Provider

  • Implementing technical security controls
  • Managing security systems and tools
  • Monitoring for security threats
  • Responding to security incidents
  • Maintaining security documentation
  • Reporting on security status

Data Protection Lead

  • Ensuring security measures protect personal data
  • Coordinating breach response for data breaches
  • Liaising with the ICO on data security matters

Managers

  • Ensuring team compliance with this policy
  • Authorising access for team members
  • Reporting security concerns
  • Supporting security awareness

All Employees

  • Following this policy and security procedures
  • Protecting their accounts and devices
  • Reporting security incidents and concerns
  • Completing security training
  • Remaining vigilant against threats

Control 1: Firewalls

Firewalls protect our network by controlling incoming and outgoing traffic.

Boundary Firewalls

Requirements:

  • All connections to the internet pass through a firewall
  • Firewall is configured to block unauthorised access
  • Default deny rule for inbound connections
  • Only necessary services are allowed through
  • Firewall rules are documented and reviewed regularly

Our Controls:

Control | Implementation
Hardware firewall | Installed at network perimeter
Default deny | All inbound traffic blocked unless explicitly allowed
Rule documentation | Firewall rules documented with business justification
Rule review | Rules reviewed at least annually
Logging | Firewall logs retained for security monitoring
Management access | Restricted to authorised IT personnel

Software Firewalls

Requirements:

  • All computers and devices have a software firewall enabled
  • Personal firewalls are configured to block unauthorised connections
  • Users cannot disable the firewall

Our Controls:

Control | Implementation
Windows Firewall | Enabled on all Windows devices
macOS Firewall | Enabled on all Apple devices
Mobile devices | Firewall/security enabled where available
User restrictions | Users cannot disable firewalls
Configuration | Managed centrally where possible

Home and Remote Working

Requirements:

  • Remote workers are protected by firewalls
  • Home router firewalls should be enabled
  • VPN connections used for accessing company network

Our Controls:

Control | Implementation
Home routers | Guidance provided to enable firewall
VPN | Required for accessing internal network
Device firewall | Enabled on all remote devices
Public Wi-Fi | Prohibited for accessing sensitive data without VPN

Control 2: Secure Configuration

Systems are configured securely to reduce vulnerabilities.

Secure Configuration Principles

Requirements:

  • Remove or disable unnecessary software and services
  • Change default passwords
  • Disable unnecessary user accounts
  • Configure systems to prevent unauthorised changes

Our Controls:

Control | Implementation
Default accounts | Disabled or renamed where possible
Default passwords | Changed on all systems and devices
Unnecessary software | Removed or disabled
Unnecessary services | Disabled
Auto-run | Disabled for removable media
Guest accounts | Disabled

Password Policy

Requirements:

  • Strong passwords required for all accounts
  • Passwords protected from brute force attacks
  • Multi-factor authentication where available

Our Password Standards:

Requirement | Standard
Minimum length | 12 characters
Complexity | Mix of uppercase, lowercase, numbers, and symbols
Uniqueness | Different password for each account
Password history | Cannot reuse last 12 passwords
Maximum age | 90 days (or risk-based)
Account lockout | Lock after 10 failed attempts
Lockout duration | 15 minutes or manual unlock
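As an added illustration (not part of the policy or any product we use), the following Python sketch enforces the standards in the table above: minimum length, all four character classes, no reuse of the last 12 passwords, a 90-day maximum age, and lockout for 15 minutes after 10 failed attempts with a manual unlock. Hashing parameters, timestamps and the `Account` structure are assumptions made for the example.

```python
# Added example: enforcing the password standards in the table above.
# Constructed for illustration; not part of the policy or any product.
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

MIN_LENGTH = 12                # "Minimum length: 12 characters"
HISTORY_DEPTH = 12             # "Cannot reuse last 12 passwords"
MAX_AGE_SECONDS = 90 * 86400   # "Maximum age: 90 days"
LOCKOUT_THRESHOLD = 10         # "Lock after 10 failed attempts"
LOCKOUT_SECONDS = 15 * 60      # "15 minutes or manual unlock"
PBKDF2_ROUNDS = 100_000        # hashing cost; an assumed value for the example


def complexity_errors(password: str) -> list[str]:
    """Return the reasons a candidate password fails the length/complexity rules."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("no digit")
    if not any(not c.isalnum() for c in password):
        errors.append("no symbol")
    return errors


@dataclass
class Account:
    """Per-account state needed to apply the history, age and lockout rules."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)  # oldest first, current last
    set_at: float = 0.0
    failed_attempts: int = 0
    locked_until: float = 0.0

    def _digest(self, password: str) -> bytes:
        # One salt per account so stored digests stay comparable across changes.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def set_password(self, password: str, now: float | None = None) -> list[str]:
        """Apply a new password; returns the policy violations (empty list on success)."""
        now = time.time() if now is None else now
        errors = complexity_errors(password)
        digest = self._digest(password)
        if any(hmac.compare_digest(digest, old) for old in self.history[-HISTORY_DEPTH:]):
            errors.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if errors:
            return errors
        self.history = (self.history + [digest])[-HISTORY_DEPTH:]
        self.set_at = now
        self.failed_attempts = 0
        return []

    def authenticate(self, password: str, now: float | None = None) -> str:
        """Return 'ok', 'expired', 'denied' or 'locked' for one login attempt."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"  # attempts during lockout are refused without checking
        if self.history and hmac.compare_digest(self._digest(password), self.history[-1]):
            self.failed_attempts = 0
            return "expired" if now - self.set_at > MAX_AGE_SECONDS else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.failed_attempts = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def unlock(self) -> None:
        """Manual unlock by IT, the alternative to waiting out the 15 minutes."""
        self.locked_until = 0.0
        self.failed_attempts = 0
```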

Multi-Factor Authentication (MFA):

MFA is required for:

  • Remote access to company network (VPN)
  • Cloud services (email, file storage, applications)
  • Administrator accounts
  • Any internet-facing services

Password Protection:

Prohibition | Requirement
Password sharing | Never share passwords
Written passwords | Do not write down passwords
Password storage | Use approved password manager only
Password transmission | Never send passwords by email
Browser storage | Only with IT approval

Device Configuration

Computers and Laptops:

Control | Implementation
Operating system | Supported version (Windows 10/11, macOS)
Automatic updates | Enabled
Screen lock | After 5 minutes of inactivity
Encryption | Full disk encryption enabled (BitLocker/FileVault)
Antivirus | Installed and updated
Local admin | Restricted to IT only

Mobile Devices:

Control | Implementation
Screen lock | PIN, password, or biometric required
Minimum PIN | 6 digits
Encryption | Device encryption enabled
Remote wipe | Enabled for company devices
Automatic updates | Enabled
App sources | Official app stores only
Jailbreaking/rooting | Prohibited

Servers:

Control | Implementation
Hardening | Security baseline applied
Unnecessary services | Disabled
Default accounts | Disabled or secured
Access | Restricted to authorised administrators
Logging | Security events logged
Updates | Regular patching schedule

Removable Media

Control | Implementation
Auto-run | Disabled
Scanning | Automatic malware scanning on insert
Encryption | Required for sensitive data
Approved devices | Only company-approved USB devices
Personal devices | Prohibited unless approved

Control 3: User Access Control

Access to systems and data is controlled and managed.

Access Control Principles

Requirements:

  • Users only have access they need (least privilege)
  • User accounts are unique and not shared
  • Administrator accounts are controlled and limited
  • Access is removed when no longer needed

Our Controls:

Principle | Implementation
Least privilege | Users have minimum access needed
Unique accounts | Each user has a unique account
No shared accounts | Shared accounts prohibited
Role-based access | Access based on job role
Regular review | Access reviewed at least annually
Prompt removal | Access removed within 24 hours of leaving

User Account Management

Account Creation:

  • Accounts created only with manager authorisation
  • Access request documented and approved
  • Minimum access granted initially
  • Additional access requested as needed

Account Review:

Review | Frequency
Access rights review | Annual (minimum)
Privileged access review | Quarterly
Inactive account review | Monthly
Leaver account removal | Within 24 hours

Account Removal:

  • Leavers reported to IT immediately
  • Access disabled on last working day
  • Accounts deleted after 30 days
  • Data retained as per retention policy

Privileged Access

Administrator Accounts:

Control | Implementation
Separate accounts | Admins have separate admin and standard accounts
Limited users | Minimum number of admin accounts
MFA required | Multi-factor authentication mandatory
Logging | All admin actions logged
Review | Admin accounts reviewed quarterly
No email/browsing | Admin accounts not used for email or browsing

Local Administrator:

Control | Implementation
User access | Standard users do not have local admin
IT only | Local admin restricted to IT personnel
Password management | Unique passwords per device
Emergency access | Documented break-glass procedure

Remote Access

Control | Implementation
VPN required | For accessing internal network
MFA required | For all remote access
Approved devices | Company or approved personal devices only
Session timeout | Automatic disconnect after inactivity
Logging | Remote access logged

Control 4: Malware Protection

We protect against viruses, ransomware, and other malicious software.

Anti-Malware Software

Requirements:

  • Anti-malware software installed on all devices
  • Software configured to scan automatically
  • Definitions updated regularly
  • Users cannot disable protection

Our Controls:

Control | Implementation
Antivirus software | Installed on all computers and laptops
Mobile protection | Security software on mobile devices
Server protection | Antivirus on all servers
Real-time scanning | Enabled
Scheduled scans | Weekly full system scan
Definition updates | Automatic, at least daily
User restrictions | Users cannot disable antivirus
Central management | Managed and monitored centrally

Malware Prevention

Email Protection:

Control | Implementation
Spam filtering | Enabled on email system
Attachment scanning | All attachments scanned
Dangerous attachments | Blocked (.exe, .js, .vbs, etc.)
Link protection | Malicious links detected and blocked
Phishing protection | Anti-phishing filters enabled

Web Protection:

Control | Implementation
Web filtering | Malicious sites blocked
Download scanning | Downloads scanned for malware
HTTPS inspection | Where appropriate
Category blocking | High-risk categories blocked

Application Control:

Control | Implementation
Approved software | Only approved software permitted
Installation rights | Users cannot install software
App stores | Official stores only for mobile apps
Whitelisting | Considered for high-security systems

Responding to Malware

If malware is detected or suspected:

  1. Disconnect — Disconnect the device from the network (unplug cable, disable Wi-Fi)
  2. Report — Report immediately to IT
  3. Do not use — Do not continue using the device
  4. Do not spread — Do not connect USB devices or send files
  5. Preserve evidence — Do not attempt to fix or clean

Control 5: Security Update Management

Systems are kept up to date to protect against known vulnerabilities.

Patch Management

Requirements:

  • All software is licensed and supported
  • Security updates applied promptly
  • Unsupported software removed or isolated

Patching Timescales:

Severity | Timescale
Critical/High risk | Within 14 days of release
Medium risk | Within 30 days of release
Low risk | Within 90 days of release
Zero-day/actively exploited | As soon as possible (within 48 hours)

Our Controls:

Control | Implementation
Automatic updates | Enabled where possible
Windows Update | Automatic updates enabled
macOS updates | Automatic updates enabled
Mobile updates | Automatic updates enabled
Application updates | Regular update schedule
Server patching | Scheduled maintenance windows
Patch testing | Critical systems tested before deployment
Patch monitoring | Compliance monitored

Supported Software

Requirements:

  • Only use supported operating systems and software
  • Plan for end-of-life before support ends
  • Remove or isolate unsupported systems

Supported Versions:

Software | Minimum Supported Version
Windows | Windows 10 (current feature update)
macOS | Current and previous two major versions
iOS | Current and previous two major versions
Android | Manufacturer-supported versions
Microsoft Office | Microsoft 365 or supported perpetual version
Browsers | Current version (auto-updating)

End-of-Life Planning:

  • Inventory of software and support dates maintained
  • Upgrade plans in place before end-of-life
  • Business case for exceptions documented
  • Unsupported systems isolated and monitored

Vulnerability Management

Activity | Frequency
Vulnerability scanning | Monthly (minimum)
Patch compliance reporting | Monthly
Critical vulnerability response | Within 48 hours
Penetration testing | Annual (or after significant changes)

Additional Security Controls

Beyond Cyber Essentials, we implement additional controls.

Email Security

Control | Implementation
SPF | Configured to prevent spoofing
DKIM | Email signing enabled
DMARC | Policy configured and monitored
Encryption | TLS for email in transit
Attachment limits | Large attachment limits enforced
External email warning | Banner on external emails

Data Protection

Control | Implementation
Encryption at rest | Sensitive data encrypted
Encryption in transit | TLS/HTTPS for all connections
Data classification | Data classified by sensitivity
DLP | Data loss prevention for sensitive data
Backup encryption | Backups encrypted

Network Security

Control | Implementation
Network segmentation | Separate networks for different purposes
Guest Wi-Fi | Isolated from corporate network
Wireless security | WPA3 or WPA2-Enterprise
Network monitoring | Traffic monitored for anomalies
Intrusion detection | IDS/IPS implemented

Physical Security

Control | Implementation
Secure premises | Access controls on buildings
Server room | Restricted access, environmental controls
Device security | Laptops secured when unattended
Visitor management | Visitors escorted in secure areas
Clear desk | Sensitive information secured
Secure disposal | Secure destruction of hardware and media

Backup and Recovery

Control | Implementation
Regular backups | Daily backups of critical data
Backup testing | Regular restore testing
Offsite storage | Backups stored offsite/cloud
Ransomware protection | Offline or immutable backups
Recovery plan | Documented recovery procedures
Recovery time | Defined recovery objectives

Acceptable Use

All users must use systems and data responsibly.

Permitted Use

Company systems are provided for business use. Limited personal use is permitted if it:

  • Does not interfere with work
  • Does not consume excessive resources
  • Does not breach this or other policies
  • Does not create legal or security risks

Prohibited Activities

The following are prohibited:

Category | Prohibited Activities
Security | Attempting to bypass security controls, sharing passwords, installing unauthorised software, disabling security software
Content | Accessing or distributing illegal, offensive, or inappropriate material
Malware | Deliberately introducing viruses or malicious code
Hacking | Attempting to access unauthorised systems or data
Personal use | Running a personal business, excessive personal use
Copyright | Downloading pirated software, music, or videos
Data | Unauthorised copying or sharing of company data
Email | Sending spam, phishing attempts, chain letters
Social media | Posting confidential information, damaging company reputation

Internet Use

Allowed:

  • Business research
  • Professional development
  • Appropriate personal browsing
  • Approved cloud services

Not Allowed:

  • Illegal content
  • Gambling
  • Adult content
  • Unapproved file sharing services
  • Circumventing web filters

Email Use

Allowed:

  • Business communication
  • Appropriate personal email
  • Encrypted attachments

Not Allowed:

  • Sending confidential data to personal accounts
  • Forwarding chain emails
  • Sending sensitive data unencrypted
  • Opening suspicious attachments

Social Media

Allowed:

  • Professional networking
  • Company-approved posts

Not Allowed:

  • Disclosing confidential information
  • Posting on behalf of company without approval
  • Damaging company reputation
  • Harassing or discriminatory content

Personal Devices (BYOD)

Personal devices may only be used for work if:

  • Approved by IT in advance
  • Security requirements are met (PIN, encryption, remote wipe)
  • Antivirus/security software installed
  • Operating system is current and updated
  • Work data kept separate from personal data
  • Device can be wiped if lost or stolen
  • Access can be revoked

Security Awareness

Everyone must understand and manage cyber security risks.

Training Programme

Training | Audience | Frequency
Cyber security induction | All new starters | On joining
Annual security awareness | All employees | Annual
Phishing awareness | All employees | Annual
Secure development | Developers | As required
Incident response | IT team | Annual
Advanced security | IT administrators | Ongoing

Training Content

Training covers:

  • Recognising phishing and social engineering
  • Password security and MFA
  • Safe internet and email use
  • Protecting sensitive data
  • Mobile device security
  • Remote working security
  • Reporting incidents
  • This policy and procedures

Phishing Simulations

We conduct regular phishing simulations to:

  • Test awareness and vigilance
  • Identify training needs
  • Measure improvement over time
  • Reinforce secure behaviours

Users who fail simulations receive additional training.

Security Communications

We reinforce security awareness through:

  • Regular security tips and reminders
  • Alerts about current threats
  • Lessons learned from incidents
  • Security awareness campaigns

Incident Response

We have procedures to detect, respond to, and recover from security incidents.

What is a Security Incident?

A security incident is any event that threatens the confidentiality, integrity, or availability of our information or systems.

Examples:

Type | Examples
Malware | Virus infection, ransomware, spyware
Unauthorised access | Hacking, stolen credentials, insider threat
Data breach | Data stolen, lost, or disclosed inappropriately
Phishing | Successful phishing attack, credential theft
Denial of service | System or network unavailable due to attack
Physical | Stolen or lost devices, unauthorised access to premises
Social engineering | Manipulation to disclose information

Reporting Incidents

All security incidents must be reported immediately.

Report to:

IT Helpdesk
Phone: [Phone number]
Email: it@allservices4u.co.uk

Out of hours phone: [Emergency number]

If a data breach, also notify: dataprotection@allservices4u.co.uk

What to Report

When reporting, provide:

  • What happened
  • When you noticed it
  • What systems or data are affected
  • What actions you have taken
  • Your contact details

Incident Response Process

Step 1: Identification

  • Detect and report the incident
  • Initial assessment of type and severity

Step 2: Containment

  • Stop the incident spreading
  • Isolate affected systems
  • Preserve evidence

Step 3: Eradication

  • Remove the threat
  • Close vulnerabilities
  • Verify systems are clean

Step 4: Recovery

  • Restore systems and data
  • Return to normal operations
  • Monitor for recurrence

Step 5: Lessons Learned

  • Investigate root cause
  • Document lessons learned
  • Implement improvements
  • Update procedures

Incident Severity

Severity | Description | Response Time
Critical | Major impact on business, data breach, ransomware | Immediate (within 1 hour)
High | Significant impact, spreading malware, system compromise | Within 4 hours
Medium | Limited impact, contained incident | Within 24 hours
Low | Minimal impact, near miss | Within 72 hours

Escalation

Severity | Escalate To
Critical | Managing Director, Data Protection Lead, external support
High | IT Manager, relevant Director
Medium | IT Manager
Low | IT team

Third-Party Security

We manage security risks from third parties.

Supplier Security Assessment

Before engaging suppliers with access to our systems or data:

  • Security questionnaire completed
  • Security policies reviewed
  • Certifications verified (Cyber Essentials, ISO 27001)
  • Risks assessed and accepted

Contractual Requirements

Contracts with suppliers include:

  • Security requirements
  • Confidentiality obligations
  • Data protection requirements
  • Incident notification requirements
  • Audit rights
  • Termination provisions

Ongoing Management

  • Supplier security reviewed periodically
  • Access reviewed and removed when no longer needed
  • Incidents reported and investigated
  • Certification renewal monitored

Cloud Services

Before using cloud services:

  • Security assessment completed
  • Data protection impact assessment (if personal data)
  • Terms of service reviewed
  • MFA enabled
  • Access controls configured
  • Data location confirmed

Remote and Home Working

Additional security requirements apply when working remotely.

Secure Environment

  • Work in a private area where possible
  • Do not let others view your screen
  • Lock your device when leaving it unattended
  • Secure paper documents and destroy securely

Secure Connection

  • Use VPN for accessing company network
  • Do not use public Wi-Fi for sensitive work
  • Ensure home Wi-Fi is secured (WPA2/WPA3, strong password)
  • Keep router firmware updated

Device Security

  • Use company devices or approved personal devices
  • Keep devices updated and patched
  • Enable device encryption
  • Enable automatic screen lock
  • Install and update antivirus

Data Security

  • Do not store sensitive data locally unless necessary
  • Use company cloud storage, not personal accounts
  • Do not email sensitive data to personal accounts
  • Encrypt sensitive files
  • Securely delete data when no longer needed

Video Conferencing

  • Use approved platforms only
  • Password-protect meetings
  • Use waiting rooms for external meetings
  • Do not share meeting links publicly
  • Be aware of your background and screen sharing

Monitoring

We monitor our systems and networks for security purposes.

What We Monitor

  • Network traffic and firewall logs
  • Email and web filtering
  • Antivirus and security alerts
  • System and application logs
  • User access and activity
  • Security tool alerts

Purpose of Monitoring

Monitoring is conducted to:

  • Detect security threats and incidents
  • Investigate security incidents
  • Ensure compliance with policies
  • Protect company systems and data
  • Meet legal and regulatory requirements

Privacy

  • Monitoring is conducted in accordance with data protection law
  • Employees are informed that monitoring takes place
  • Monitoring is proportionate and necessary
  • Personal privacy is respected where possible
  • Monitoring data is accessed only by authorised personnel

Compliance and Audit

We verify our security controls are effective.

Cyber Essentials Certification

We maintain Cyber Essentials certification:

Level | Status | Renewal
Cyber Essentials | [Certified/In progress] | Annual
Cyber Essentials Plus | [Certified/Planned] | Annual

Security Audits

Audit | Frequency
Internal security review | Quarterly
External vulnerability scan | Monthly
Penetration test | Annual
Cyber Essentials assessment | Annual
Policy compliance audit | Annual

Compliance Monitoring

  • Patching compliance monitored monthly
  • Antivirus status monitored continuously
  • Access reviews conducted quarterly
  • Security training completion tracked
  • Policy acknowledgement tracked

Non-Compliance

Non-compliance with this policy may result in:

  • Access restrictions
  • Additional training
  • Disciplinary action
  • Termination of employment
  • Legal action

Business Continuity

We maintain the ability to continue operations during and after security incidents.

Backup Strategy

Data Type | Backup Frequency | Retention
Critical business data | Daily | 30 days
System configurations | Weekly | 90 days
Email | Continuous | 1 year
Databases | Daily | 30 days

Backup Security

  • Backups encrypted
  • Backups stored offsite/cloud
  • Offline or immutable copies for ransomware protection
  • Regular restore testing
  • Access to backups restricted

Disaster Recovery

  • Disaster recovery plan documented
  • Recovery time objectives defined
  • Recovery procedures tested annually
  • Alternative work arrangements available
  • Communication plans in place

Policy Review

This policy is reviewed annually and updated to reflect:

  • Changes in threats and risks
  • Changes in technology
  • Lessons learned from incidents
  • Audit and assessment findings
  • Regulatory and certification requirements

This policy should be read in conjunction with:

  • Data Protection Policy
  • Privacy Policy
  • Acceptable Use Policy
  • Password Policy
  • Remote Working Policy
  • Incident Response Procedure
  • Business Continuity Plan
  • Clear Desk and Clear Screen Policy

Approval

This Cyber Security Policy has been approved by the Managing Director.

Review Date: [Date + 1 year]

Contact

IT Helpdesk
Email: it@allservices4u.co.uk
Phone: [Phone number]

Report Security Incidents
Phone: [Phone number] (24-hour)
Email: security@allservices4u.co.uk

Data Protection Lead
Email: dataprotection@allservices4u.co.uk

Quick Reference

The Five Cyber Essentials Controls

  1. Firewalls — Protect network boundaries
  2. Secure Configuration — Configure systems securely
  3. User Access Control — Control who accesses what
  4. Malware Protection — Defend against malicious software
  5. Security Update Management — Keep systems patched

Your Security Responsibilities

✓ Use strong, unique passwords
✓ Enable multi-factor authentication
✓ Lock your device when unattended
✓ Report suspicious emails — don’t click
✓ Keep software updated
✓ Report security incidents immediately
✓ Complete security training
✓ Follow this policy

Report Security Incidents

Phone: [Phone number]
Email: security@allservices4u.co.uk

When in doubt, report it!

Password Requirements

  • Minimum 12 characters
  • Mix of upper, lower, numbers, symbols
  • Unique for each account
  • Never share passwords
  • Use password manager

All Services 4U is committed to protecting our information and systems from cyber threats. Everyone has a responsibility for security.

All Service 4U Limited | Company Number: 07565878