Information Security Policy

Company Name: Adsum Group

Effective Date: 01 Nov 2024

1. Purpose

This Information Security Policy outlines Adsum Group Ltd's commitment to securing its information systems and data against unauthorised access, disclosure, alteration, and destruction. Our approach to information security aligns with recognised standards, specifically the NIST Cybersecurity Framework (NIST CSF) and the SANS Critical Security Controls (SANS CSC), ensuring robust protection for company and client data.

2. Scope

This policy applies to all employees, contractors, partners, and any third parties who have access to Adsum Group's information systems and data.

3. Security Objectives

Our security objectives focus on protecting the confidentiality, integrity, and availability (CIA) of all information systems, in alignment with our risk profile and the expectations of our clients and stakeholders.

4. Standards and Frameworks

While we have not pursued formal ISO 27001 certification, our security practices are closely aligned with the following frameworks:

  • NIST Cybersecurity Framework (NIST CSF): The framework emphasises the Identify, Protect, Detect, Respond, and Recover model to enhance cybersecurity resilience.

  • SANS Critical Security Controls (SANS CSC): A prioritised list of security practices to defend against cyber threats effectively.

These frameworks provide a cost-effective and scalable approach to meet our security needs.

5. Key Security Policies and Controls

5.1 Access Control
  • Principle of Least Privilege: Access to systems and data is granted based on job requirements.

  • Multi-Factor Authentication (MFA): MFA is required for access to sensitive systems.

  • User Access Reviews: Periodic reviews ensure appropriate access rights and remove unnecessary access.

5.2 Asset Management
  • Asset Inventory: All hardware, software, and information assets are inventoried, and the inventory is regularly updated.

  • Device Hardening: Devices are configured following security best practices to minimise vulnerabilities.

5.3 Data Protection
  • Data Classification and Handling: Data is classified by sensitivity, with handling guidelines to ensure secure management.

  • Data Encryption: Encryption is used to protect sensitive data in transit and at rest.

5.4 Network Security
  • Intrusion Detection: Online systems are monitored for suspicious activity; any irregular access is identified and reported immediately.

5.5 Endpoint Protection
  • Antivirus and Anti-Malware: All systems are protected with antivirus software, configured for automatic updates.

  • Patch Management: Regular software updates and patch management are enforced to mitigate vulnerabilities.

5.6 Security Awareness and Training
  • Employee Training: All employees undergo security awareness training upon hire and at regular intervals.

  • Phishing Simulations: Regular phishing tests and simulations are conducted to reinforce employee vigilance.

5.7 Physical Security
  • Secure Facilities: Physical access to office premises and IT systems is restricted to authorised personnel only.

  • Access Logs and Surveillance: Surveillance and logging mechanisms are in place to monitor access to secure areas.

5.8 Risk Management and Continuous Improvement
  • Risk Assessments: Periodic risk assessments identify and mitigate security threats.

  • Vulnerability Scanning: Regular vulnerability scanning helps detect and address potential weaknesses.

5.9 Backup and Recovery
  • Data Backup: Regular data backups are performed, and backup integrity is tested periodically.

6. Governance and Review

This policy is reviewed at least annually or when significant changes to our business or technology occur. The review is conducted by Adsum Group's designated security officer or team, and the findings are presented to senior management for approval and adjustment as necessary.