Information Security Policy

The Board of Directors and management of D4, located at Home House, 10 Church Street, Isleworth TW7 6DA, which operates in the public/private sector and is a creative agency and live events business, are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout their organisation.

It is the core objective of D4 to ensure that:

Information should be made available with minimal disruption to staff as required by D4 business processes;

The confidentiality, integrity and availability of this information will be maintained;

Confidentiality, integrity and availability of information, including but not limited to research, third parties, personal and electronic communications data, will be assured;

Legislative/Contractual requirements will be met;

D4 will adopt Business Continuity processes to counteract interruptions to D4 business activities and to protect critical business processes from the effects of major failures or disasters;

All breaches of information security, actual or suspected, will be reported in accordance with the D4 Technology best practice guidelines document;

Appropriate control, which can include physical, technical, procedural and environmental measures, will be maintained and D4 information assets are protected against unauthorised access.

All D4 employees and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in D4 policies and procedures, as relevant for their job function.

The D4 IS will be reviewed annually and will always be the subject of continual improvement and maturity of controls.

In addition, the D4 IS Policy will provide management direction to D4 Users and demonstrate management’s active involvement in supporting the policies and procedures that will be required to protect D4 information assets (as defined in the D4 ISO 27001 IS Scope).

In order to preserve its competitive edge, cash-flow, profitability, legal and contractual obligations and commercial image, information and information security requirements will continue to be aligned with D4’s goals, and the IS is intended to be an enabling mechanism for information sharing, for electronic operations, and for reducing information-related risks to acceptable levels.

D4’s current risk management framework along with interested parties provides the context for identifying, assessing, evaluating and controlling information-related risks through the establishment and maintenance of an IS. The Risk Assessment, Statement of Applicability and Risk Treatment Plan identify how information-related risks are controlled. The Information Security Manager is responsible for the management and maintenance of the risk treatment plan. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks.

In particular, business continuity and contingency plans, data backup procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy. Control objectives for each of these areas are contained in the Manual and are supported by specific documented policies and procedures.

D4 aims to achieve specific, defined information security objectives, which are developed in accordance with the business objectives, the context of the organisation, the results of risk assessments and the risk treatment plan.

All Employees/Independent Professionals of D4 and certain external parties identified in the IS are expected to comply with this policy and with the IS that implements this policy. All Employees/Independent Professionals and certain external parties will receive appropriate training. The consequences of breaching the information security policy are set out in the Organisation’s disciplinary policy and in contracts and agreements with third parties.

The IS is subject to continuous, systematic review and improvement.

D4 has established the Information Governance Group, chaired by the Information Security Manager, with senior members from each department and other senior management, to support the IS framework, to periodically review the security policy and to contribute to its continual improvement.

D4 is committed to achieving and maintaining certification of its IS to ISO 27001:2013.

This policy will be reviewed to respond to any changes in the risk assessment or risk treatment plan at least annually.

In this policy, ‘information security’ is defined as:

Preserving: This means that management, all full time or part time Employees/Independent Professionals, sub-contractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts) to preserve information security, to report security breaches (in line with the policy and procedures identified in Section 16 of the IS Manual) and to act in accordance with the requirements of the IS. All Employees/Independent Professionals will receive information security awareness training.

Confidentiality: This involves ensuring that information is only accessible to those authorised to access it, and therefore preventing both deliberate and accidental unauthorised access to D4’s information and its systems, including its network and website.

Integrity: This involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing deliberate or accidental, partial or complete, destruction or unauthorised modification of either physical assets or electronic data. D4 must comply with all relevant data-related legislation in those jurisdictions within which it operates. The company shall obey all matters relating to the Data Protection Act and will keep backup copies of all data that it processes.

Availability: This means that information and associated assets should be accessible to authorised users when required and therefore physically secure. The MASADC Infrastructure must be resilient and D4 must be able to detect and mitigate any incidents or breaches of the system (such as viruses and other malware) that threaten the continued availability of assets, systems and information. There must be appropriate business continuity plans.

Physical assets: The physical assets of D4 include, but are not limited to, computer hardware, data cabling, telephone systems and smartphones.

Information assets: The information assets include information printed or written on paper, transmitted by post or shown in films, or spoken in conversation, as well as information stored electronically on servers, websites, PCs, laptops, mobile phones and PDAs, as well as on CD ROMs, USB sticks, and any other digital or magnetic media, and information transmitted electronically by any means such as FTP. In this context, ‘data’ also includes the sets of instructions that tell the system(s) how to manipulate information (i.e. the software: operating systems, applications, utilities, etc.).