September 2019

Information Security > Employee Guide

  • Rule added to forbid credential sharing and obligation to change and report compromised credentials;

  • References updated to tools (e.g. 1Password);

  • Links updated in Further reading.

Information Security > Security Awareness Program

  • Aligned policy to our current practices (e.g. added dev talk on OWASP vulnerability).

Information Security > Access Control

  • Added quarterly access review for Rapptr and AWS Production environment access.

Information Security > Security Incident Response Policy

  • Corrected typos.

Information Security > Vulnerability Management Policy

  • New Vulnerability Management Policy.

Information Security > Information Security Framework

  • Replaced Data Protection Act with GDPR;

  • Added summary of GDPR;

  • Added reference to NIST Cyber Security Framework.

Risk Management > Risk Management Framework

  • Added a risk appetite statement.

Risk Management > Data Classification Standard

  • Simplified descriptions of data classification ratings;

  • Reviewed list of existing data classification ratings;

  • Removed references to systems not used anymore;

  • Simplified rules on data transmission and storage;

  • Removed references to Data Protection Act;

  • Added reference to InfoSecLead.

Business Continuity > Business Continuity Framework

  • Removed references to commissioning OPREL;

  • Changed responsibility for maintaining BCMS from CTO to Information Security Lead;

  • Merged awareness and communication paragraphs;

  • Added headings for incident detection, Crisis Management activation and management of staff contact details;

  • Removed paragraphs which repeated each other;

  • Simplified paragraph on Framework review and improvements.
