Information Security Policy

The Board of Directors and management of Jones and Palmer Limited located at 87 Carver Street, Birmingham B1 3AL, which is a supplier of corporate communications products to UK listed public companies, are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout the company in order to preserve our own and client’s brand image, cash-flow, profitability, legal, regulatory and contractual compliance. Information and information security requirements will continue to be aligned with Jones and Palmer’s goals and the ISMS is intended to be an enabling mechanism for information sharing, for electronic operations, and for reducing information-related risks to acceptable levels.

Jones and Palmer’s current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an ISMS. Mike Hill is responsible for the management and maintenance of the planning and development of systems towards our ultimate goals. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.

In particular, business continuity and contingency plans, data backup procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy.

All colleagues with Jones and Palmer are expected to comply with this policy and with the ISMS that implements this policy. All colleagues, and certain external parties, will receive appropriate training. The consequences of breaching the information security policy are set out in the company handbook, disciplinary policy and in contracts and agreements with third parties.
The ISMS is subject to continuous, systematic review and improvement.
Jones and Palmer has established a senior management group chaired by the Managing Director and including other Board Directors with specialist skills to support the ISMS framework and to periodically review the security policy.

Jones and Palmer is pursuing certification of its ISMS to ISO27001.

This policy will be reviewed to respond to any changes in the risk at least annually.

In this policy, ‘information security’ is defined as:

Preserving
This means that management, all full time or part time colleagues, sub-contractors, project consultants and any external parties have, and will be made aware of, their responsibilities to preserve information security, to report security breaches and to act in accordance with the requirements of the ISMS. All colleagues will receive information security awareness training and more specialized colleagues will receive appropriate level information security training.

the availability,
This means that information and associated assets should be accessible to authorised users when required and therefore physically secure. The computer network must be resilient and Jones and Palmer must be able to detect, respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There must be appropriate business continuity plans.

confidentiality
This involves ensuring that information is only accessible to those authorised to access it and therefore to preventing both deliberate and accidental unauthorised access to Jones and Palmer’s information and its systems. All key systems (those containing personal or project related data) must require a minimum multi-factor authentication for all internal users, and it is strongly recommended for all clients connecting to any network resources. All network files containing project work must also be audited to be able to demonstrate file access and modification.
The same file rules for data access and security will apply for file structures across websites (whether inhouse or in the Microsoft Azure cloud infrastructure), client project information related to printed financial publications or internal process or HR documents.

and integrity
This involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing deliberate or accidental, partial or complete, destruction or unauthorised modification, of either physical assets or electronic data. There must be appropriate and data backup plans and security incident reporting. Jones and Palmer must comply with all relevant data-related legislation in those jurisdictions within which it operates.

of the physical (assets)
The physical assets of Jones and Palmer include, but are not limited to, computer hardware, data cabling, telephone systems, filing systems and physical data files.

and information assets 
The information assets include information printed or written on paper, transmitted by post or online videos, or spoken in conversation, as well as information stored electronically on servers, website(s), extranet(s), intranet(s), workstations and mobile devices, as well as on disks and flash media devices, backup tapes and any other digital or magnetic media, and information transmitted electronically by any means. In this context, ‘data’ also includes the sets of instructions that tell the system(s) how to manipulate information (i.e. the software: operating systems, applications, utilities, etc). 

Of Jones and Palmer 

The ISMS is the Information Security Management System, of which this policy and other supporting and related documentation is a part, and which has been designed in accordance with the specification contained in ISO27001:2013. 

A SECURITY BREACH is any incident or activity that causes, or may cause, a breakdown in the availability, confidentiality or integrity of the physical or electronic information assets of Jones and Palmer. 

Document Owner and Approval 
The IT Manager is the owner of this document and is responsible for ensuring that this policy document is reviewed.  

This information security policy was approved by the Board of Directors on Friday 7th August 2020 and is issued on a version-controlled basis.