IT Security Policy

1. Introduction

This policy document (“Policy”) sets out the measures to be taken by all employees of Thames & Hudson (the “Company”) to protect the Company’s computer systems, devices, infrastructure, computing environment and any and all other relevant equipment (collectively, “IT Systems”) from damage and threats whether internal, external, deliberate, or accidental.

All employees must comply with this Policy at all times when using the IT Systems. Any deliberate or negligent breaches of this Policy will be handled under the Company’s disciplinary procedures.

2. Key Principles

2.1 All IT Systems are to be protected against unauthorised access.

2.2 All IT Systems are to be used only in compliance with relevant Company policies.

2.3 All employees of the Company and any third parties authorised to use the IT Systems must ensure that they are familiar with this Policy and must adhere to and comply with it at all times.

2.4 All line managers must ensure that all employees under their control and direction adhere to and comply with this Policy at all times, as required under paragraph 2.3.

2.5 All data stored on IT Systems are to be managed securely in compliance with all relevant parts of the Data Protection Legislation. “Data Protection Legislation” means all applicable data protection and privacy laws including, but not limited to, the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the “UK GDPR”), as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 as amended, and any successor legislation.

2.6 All data stored on IT Systems shall be available only to those employees with a legitimate need for access.

2.7 All data stored on IT Systems shall be protected against unauthorised access and/or processing.

2.8 All data stored on IT Systems shall be protected against loss and/or corruption.

2.9 All IT Systems are to be installed, maintained, serviced, repaired, and upgraded by the Company’s IT department (the “IT Department”) or by such third party/parties as the IT Department may from time to time authorise.

2.10 The responsibility for the security and integrity of all IT Systems and the data stored thereon (including, but not limited to, the security, integrity, and confidentiality of that data) lies with the IT Department unless expressly stated otherwise.

2.11 All breaches of security pertaining to the IT Systems or any data stored thereon shall be reported to, and subsequently investigated by, the IT Department. Any breach which is either known or suspected to involve personal data shall also be reported to the Data Protection Officer, Paul Bryson.

2.12 All employees must report any and all security concerns relating to the IT Systems or to the data stored thereon immediately to the IT Department.

3. IT Department Responsibilities

3.1 The Head of IT & Compliance, Paul Bryson, shall be responsible for the following:

a) ensuring that all IT Systems are assessed and deemed suitable for compliance with the Company’s security requirements;

b) ensuring that IT security standards within Thames & Hudson are effectively implemented and regularly reviewed, working in consultation with the Company’s senior management and reporting the outcome of such reviews to the Company’s senior management; and

c) ensuring that all employees are kept aware of the requirements of this Policy and of all related legislation, regulations, and other relevant rules whether now or in the future in force including, but not limited to, the Data Protection Legislation and the Computer Misuse Act 1990.

3.2 The IT Department shall be responsible for the following:

a) assisting all employees in understanding and complying with this Policy;

b) providing all employees with appropriate support and training in IT security matters and the use of IT Systems;

c) ensuring that all employees are granted levels of access to IT Systems that are appropriate for each employee, taking into account their job role, responsibilities, and any special security requirements;

d) receiving and handling all reports relating to IT security matters and taking appropriate action in response including, in the event that any reports relate to personal data, informing the Data Protection Officer;

e) taking proactive action, where possible, to establish and implement IT security procedures and raise employee awareness;

f) assisting the Head of IT & Compliance in monitoring all IT security within the Company and taking all necessary action to implement this Policy and any changes made to this Policy in the future; and

g) ensuring that backups are taken of all data stored within the IT Systems at least once every day, that such backups are stored offsite in the Azure cloud, and that all backups are encrypted.

4. Employees’ Responsibilities

4.1 All employees must comply with this Policy at all times when using the IT Systems.

4.2 All employees must use the IT Systems only within the bounds of UK law and must not use the IT Systems for any purpose or activity which is likely to contravene any UK law whether now or in the future in force.

4.3 Employees must immediately inform the IT Department (and, where such concerns relate to personal data, the Data Protection Officer) of any and all security concerns relating to the IT Systems.

4.4 Employees must immediately inform the IT Department of any other technical problems (including, but not limited to, hardware failures and software errors) which may occur on the IT Systems.

4.5 Any and all deliberate or negligent breaches of this Policy by employees will be handled as appropriate under the Company’s disciplinary procedures. Examples of breaches include, but are not limited to, accessing websites which contain illegal, pornographic, sexist, racist or otherwise offensive material.

5. Software Security Measures

5.1 All software in use on the IT Systems (including, but not limited to, operating systems, individual software applications, and firmware) will be kept up-to-date and any and all relevant software updates, patches, fixes, and other intermediate releases will be applied at the sole discretion of the IT Department. This provision does not extend to upgrading software to new ‘major releases’ (e.g. from version 1.0 to version 2.0), only to updates within a particular major release (e.g. from version 1.0 to version 1.0.1 etc.). Unless a software update is available free of charge it will be classed as a major release, falling within the remit of new software procurement and outside the scope of this provision.

5.2 Where any security flaw is identified in any software that flaw will be either fixed immediately or the software may be withdrawn from the IT Systems until such time as the security flaw can be effectively remedied.

5.3 No employees may install any software of their own, whether that software is supplied on physical media or whether it is downloaded, without the approval of the Head of IT & Compliance. Any software belonging to Employees must be approved by the Head of IT & Compliance and may only be installed where that installation poses no security risk to the IT Systems and where the installation would not breach any licence agreements to which that software may be subject.

5.4 All software will be installed onto the IT Systems by the IT Department unless an individual Employee is given written permission to do so by the Head of IT & Compliance. Such written permission must clearly state which software may be installed and onto which computer(s) or device(s) it may be installed.

6. Anti-Virus Security Measures

6.1 Most IT Systems (including all computers and servers) will be protected with suitable anti-virus, firewall, and other internet security software. All such software will be kept up to date with the latest software updates and definitions.

6.2 All IT Systems protected by anti-virus software will be subject to a full system scan at least every 24 hours.

6.3 All physical media (e.g. USB memory sticks or disks of any kind) used by employees for transferring files must be virus-scanned before any files may be transferred.

6.4 Employees shall be permitted to transfer files using only those cloud storage systems approved by the Head of IT & Compliance. All files downloaded from any cloud storage system are scanned for viruses during the download process.

6.5 Any files being sent to third parties outside the Company, whether by email, on physical media, or by other means (e.g. shared cloud storage) must be scanned for viruses before being sent or as part of the sending process, as appropriate. All email attachments and files sent from employee computers or servers are scanned automatically upon sending.

6.6 Where any virus is detected by an employee this must be reported immediately to the IT Department (this rule shall apply even where the anti-virus software automatically fixes the problem). The IT Department shall promptly take any and all necessary action to remedy the problem. In limited circumstances, this may involve the temporary removal of the affected computer or device.

6.7 Where any employee deliberately introduces any malicious software or virus to the IT Systems this will constitute a criminal offence under the Computer Misuse Act 1990 and will be handled as appropriate under the Company’s disciplinary procedures.

7. Hardware Security Measures

7.1 Wherever practical, IT Systems will be located in rooms which may be securely locked when not in use or, in appropriate cases, at all times whether in use or not (with authorised employees being granted access by means of a key, smart card, door code or similar). Where access to such locations is restricted, Employees must not allow any unauthorised access to such locations for any reason. Laptops left in the office overnight must be stored and locked in the lockers provided.

7.2 All IT Systems not intended for normal use by employees (including, but not limited to, servers, networking equipment, and network infrastructure) shall be located, wherever possible and practical, in secured, climate-controlled rooms and/or in locked cabinets which may be accessed only by designated members of the IT Department.

7.3 No employees shall have access to any IT Systems not intended for normal use by employees (including such devices mentioned above) without the express permission of the Head of IT & Compliance. Under normal circumstances, whenever a problem with such IT Systems is identified by an employee, that problem must be reported to the IT Department. Under no circumstances should an employee attempt to rectify any such problems without the express permission (and, in most cases, instruction and/or supervision) of the Head of IT & Compliance.

7.4 All non-mobile devices (including, but not limited to, desktop computers, workstations, and monitors) shall, wherever possible and practical, be physically secured in place with a suitable locking mechanism. Where the design of the hardware allows, computer cases shall be locked to prevent tampering with or theft of internal components.

7.5 All mobile devices (including, but not limited to, laptops, tablets, and smartphones) provided by the Company should always be transported securely and handled with care. In circumstances where such mobile devices are to be left unattended, they should be placed inside a lockable case or other suitable container. Employees should make all reasonable efforts to avoid leaving such mobile devices unattended at any location. If any such mobile device is to be left in a vehicle it must be stored out of sight and, where possible, in a locked compartment.

7.6 The IT Department shall maintain a complete asset register of all IT Systems. All IT Systems shall be labelled, and the corresponding data shall be kept on the asset register.

8. Access Security

8.1 Access privileges for all IT Systems shall be determined based on employees’ levels of authority within the Company and the requirements of their job roles. Employees shall not be granted access to any IT Systems or electronic data which are not reasonably required for the fulfilment of their job roles.

8.2 All IT Systems (and in particular mobile devices including, but not limited to, laptops, tablets, and smartphones) shall be protected with a secure password or passcode, or such other form of secure log-in system as the IT Department may deem appropriate and approve. Not all forms of biometric log-in are considered secure. Only those methods approved by the IT Department may be used.

8.3 Unless the employee works in a secure personal office, print jobs should be sent to a walk-up printer (one is provided on each floor) and are only retrievable by entering the employee’s PIN at the printer.

8.4 All passwords must, where the software, computer, or device allows:

a) be at least 12 characters long;

b) contain a combination of upper-case letters, lower-case letters, numbers and symbols;

c) be changed at least every 6 months;

d) be different from the previous password; and

e) not be obvious or easily guessed (e.g. birthdays or other memorable dates, memorable names, events, or places etc.).

8.5 Passwords should be kept secret by each employee. Under no circumstances should an employee share their password with anyone, including the Head of IT & Compliance and the IT Staff. No employee will be legitimately asked for their password by anyone at any time and any such request should be refused. If an employee has reason to believe that another individual has obtained their password, they should change their password immediately.

8.6 If an employee forgets their password, this should be reported to the IT Department. The IT Department will take the necessary steps to restore the employee’s access to the IT Systems which may include the issuing of a temporary password which may be fully or partially known to the member of the IT Staff responsible for resolving the issue. A new password must be set up by the Employee immediately upon the restoration of access to the IT Systems.

8.7 Employees should not write down passwords, and under no circumstances should passwords be left on display for others to see (e.g. by attaching a note to a computer display).

8.8 Password management software (e.g. Keeper) should be used at all times to generate and store passwords.

8.9 All IT Systems with displays and employee input devices (e.g. mouse, keyboard, touchscreen etc.) shall be protected, where possible, with a password-protected screensaver that will activate after 3 minutes of inactivity.

8.10 Employees may not use any software which may allow outside parties to access the IT Systems without the express consent of the Head of IT & Compliance. Any such software must be reasonably required by the employee for the performance of their job role and must be fully inspected and cleared by the Head of IT & Compliance.

9. Data Storage Security

9.1 All data, and in particular personal data, should be stored securely using passwords and data encryption where possible.

9.2 No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones).

9.3 No company data, and in particular personal data, should be transferred to any computer or device that does not belong to the Company, without prior written approval from the Head of IT & Compliance.

10. Data Protection

10.1 All personal data (as defined in the Data Protection Legislation) collected, held, and processed by the Company will be collected, held, and processed strictly in accordance with the principles and provisions of the Data Protection Legislation and the Company’s Data Protection Policy.

10.2 All employees handling data for and on behalf of the Company shall be subject to, and must comply with, the provisions of the Company’s Data Protection Policy at all times. In particular, the following shall apply:

a) All emails containing personal data must be marked “confidential”.

b) Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted under any circumstances.

c) Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable.

d) Personal data contained in the body of an email, whether sent or received, should be copied directly from the body of that email, and stored securely. The email itself should be deleted.

e) All personal data to be transferred physically, including that on removable electronic media, shall be transferred in a suitable container marked “confidential”.

f) Where any confidential or personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the Employee must lock the computer and screen before leaving it.

10.3 Any questions relating to data protection should be referred to the Data Protection Officer, Paul Bryson.

11. Internet and Email Use

11.1 All Employees shall be subject to, and must comply with, the provisions of the Company’s Communications, Email and Internet Policy when using the IT Systems.

11.2 Where provisions in this Policy require any additional steps to be taken to ensure IT security when using the internet or email over and above the requirements imposed by the Communications, Email and Internet Policy, Employees must take such steps as required.

11.3 The Company reserves the right to monitor employees’ use of email and the internet where it reasonably believes there may be a breach of this Policy, the Data Protection Policy or the Communications, Email and Internet Policy.

12. Policy Review

The Company shall aim to review this Policy annually in order to ensure that it remains up-to-date and fit for purpose. All questions, concerns, and other feedback relating to this Policy should be communicated to the Head of IT & Compliance, Paul Bryson.

This Policy has been approved and authorised by:

Name: Paul Bryson
Position: Head of IT & Compliance
Date: 01/03/2024