IT Security Policy

Rambert Grades has an obligation to its staff and customers to clearly define requirements for the use of its information technology (IT) facilities and its information systems (IS). This is so that users of IT/IS facilities do not unintentionally place themselves, or Rambert Grades, at risk of prosecution by carrying out computer-related activities outside the law.

1. Purpose and Scope

Information plays a major role in supporting the organisation's administrative activities. The purpose of The Policy is to provide a framework for protecting:

  • Rambert Grades' IT/IS infrastructure;

  • key data and information; 

  • those who have access to or who administer IT/IS facilities; 

  • individuals who process or handle key data and information. 

The Policy is designed to provide protection from internal and external security threats, whether deliberate or accidental, by:

  • defining Rambert Grades' policy for the protection of the Confidentiality, Integrity and Availability of its key data and information;

  • establishing responsibilities for information security.

2. Objective

  • Confidentiality - knowing that key data and information can be accessed only by those authorised to do so

  • Integrity - knowing that key data and information is accurate and up-to-date, and has not been deliberately or inadvertently modified from a previously approved version 

  • Availability - knowing that the key data and information can always be accessed 

Rambert Grades is committed to protecting its customers (Candidates and Teachers), its staff (employees, Creative Team and Examiners) and its key data and information, and to deploying controls that minimise the impact of any Security Incidents.

3. Applicability 

The Policy applies to the following categories, referred to hereafter as 'subjects':

  • all full-time, part-time and temporary staff employed by, or working for or on behalf of, Rambert Grades;

  • contractors and consultants working for or on behalf of Rambert Grades;

  • all other individuals and groups who have been granted access to the company's systems and/or key data and information.

The Head of Operations is ultimately responsible for ensuring that The Policy is implemented, and it is the personal responsibility of each person to whom The Policy applies to adhere to its requirements.

4. Organisational Security

Ownership and Maintenance of the Policy  

The policy will be updated and reviewed by the Head of Operations, who will report to the CEO. 

5. Security of Third Party Access 

Access to Rambert Grades' information processing facilities by third parties will only be permitted to the subcontracted IT Support Provider. In agreeing to a contract of employment, the IT Support Provider will agree to adhere to the terms of this policy and its related documentation.

6. Assets

Inventories of information assets, including hardware and software, will be maintained by the designated staff member and overseen by the Head of Operations.

7. Personnel Security

Controls will be deployed to reduce the risks of human error, theft, fraud, nuisance or malicious misuse of facilities. 

8. Personnel Screening Policy 

Steps will be taken to minimise the likelihood of personnel who pose a security risk being employed in posts involving key data and information, such as those concerned with financial or personnel-related data. This will usually be determined through the appointment process, including references and an enhanced DBS check.

9. Confidentiality Undertaking

All members of staff are reminded of their obligation to protect confidential information in accordance with Rambert Grades' standard terms and conditions of employment.

10. Reporting Security Incidents

All actual and suspected security incidents are to be reported to the Head of Operations.  

11. Physical and Environmental Security

Controls will be implemented as appropriate to prevent unauthorised access to, interference with, or damage to, information assets.  

12. Physical Security

Computer systems and networks will be protected by suitable physical and technical security controls.

File servers and machines that hold or process high criticality, high sensitivity or high availability data will be located in physically secured areas. 

Access to facilities that hold or process high criticality, high sensitivity or high availability data will be controlled. 

13. Communications and Operations Management

Documented Operating Procedures 

Sensitive documentation will be held securely and access restricted to staff on a need to know basis. 

Segregation of Duties 

Access to critical systems and key data and information will only be granted on a need to know basis. 

Permanent and full access to live operating environments will be restricted to staff on role-based requirements. 

Controls against Malicious Software  

Controls will be implemented to check for malicious or fraudulent code being introduced to critical systems. This will be provided by the external IT Support Company.

Virus Protection  

Appropriate software will be installed and managed to prevent the introduction and transmission of computer viruses both within and from outside Rambert Grades. This will be the responsibility of the external IT support provider. 

Housekeeping 

Data Storage  

Data on critical systems will be backed up on a daily basis. This service will be provided by the external IT support provider. The provider will be required to present Rambert Grades with a copy of their backup procedures and also clarify arrangements for restoring from backups in the event of server loss.

Network Management 

Controls will be implemented to achieve, maintain and control access to computer networks, including wireless LANs. The SSID for the wireless network must remain hidden, and staff should be made aware that the network information must not be shared.

Control of and access to the Network are granted to the external IT provider; however, that provider must agree to provide written confirmation of their in-house security protocols to prevent unlawful access to the Rambert Grades Network.

Disposal of Equipment 

Removable magnetic and optical media containing key data will be reused or disposed of through controlled and secure means when no longer required. 

Procedures will be put in place to ensure the secure disposal of disk drives and disk packs containing key data when these become defunct or unserviceable.

Redundant computer equipment will be disposed of in accordance with the Waste Electrical and Electronic Equipment (WEEE) Regulations and through secure and auditable means. 

Exchanges of Information and Software 

Software Usage and Control  

Software will be used, managed and controlled in accordance with legislative requirements. 

All major software upgrades will be appropriately controlled and tested through a managed process before live implementation. Where appropriate, this will be undertaken by the external IT Support provider.

Access Control

Access to key data and information will be appropriately controlled.  

User Responsibilities 

Subjects who use Rambert Grades' computer systems and/or networks must do so in accordance with the acceptable usage policy.

Requirements for Systems Access 


Remote Access  

Controls will be implemented to manage and control remote access to key data.

Privilege Management  

The allocation and use of system privileges on each computer platform shall be restricted and controlled by the Rambert Grades IT Support, upon confirmation from the CEO.

Passwords 

The allocation and management of passwords shall be controlled by the Rambert Grades IT Support. Users are required to follow good security practices in the selection, use and management of their passwords and to keep them confidential.

Unattended User Equipment  

Users of IT facilities are responsible for safeguarding key data by ensuring that desktop machines are not left logged-on when unattended, and that portable equipment in their custody is not exposed to opportunistic theft.  

Password-protected automatic log-out mechanisms are to be used on office-based systems to prevent individual accounts being used by persons other than the account holders.

Monitoring System Access and Use 

Access to and use of critical systems by staff will be monitored. Reviewing the monitoring information will be the responsibility of the Head of Operations, working with the external IT provider and Rambert Grades IT Support.

Business Continuity Management

Controls will be implemented to counteract disruptions to Rambert Grades' information processing facilities and to protect critical systems from the effects of major failures and disruption.

Data Storage 

Key data will be held on a network resource so that it is backed up through a routine managed process. Where this is not possible, provision must be made for regular and frequent backups to be taken. At Rambert Grades, backups are contracted out to the external IT support provider, who will ensure procedures are in place to restore systems in the event of a system failure.

Backup Media 

A controlled and fully auditable process for the handling, transportation, storage and retrieval of backup media containing key data will be implemented by the external IT support provider.

Compliance 

Controls will be implemented to avoid contravention of legislation, regulatory and contractual obligations, and security policy.

Review of Security Policy  

The Policy will be reviewed annually, and in the event of any major change in circumstances, to ensure that its controls remain effective.

Compliance with Security Policy  

Compliance with The Policy is mandatory. Failure to comply with policy requirements will be viewed as a breach of security. Any such event may be the subject of investigation and possible further action in accordance with Rambert Grades' procedures.


Version Number: 2 

Date Created: March 2020 

Date Reviewed: November 2023 

Next review date: June 2024