Information Security Policy

1. Introduction
Purpose
This Information Security Policy is a guide for Lascar Electronics employees to establish guidelines and best practices for the protection of confidential, sensitive or proprietary information from unauthorized access, use, disclosure, alteration or destruction. Information is an asset, and must be protected appropriately.

Definition
Information Security is the set of processes and controls designed to protect data by mitigating risks to its confidentiality, integrity and availability.

Scope
This Information Security Policy applies to all Lascar Electronics employees regardless of employment agreement, position, or location. It also applies to any contractors and third-party service providers who have access to the Company’s information and information systems.

Lascar Electronics shall comply with all relevant laws, regulations, and industry standards regarding information security where we do business.

2. Responsibility
The Company will ensure that all employees will be trained on their responsibilities and obligations regarding information security.

In accordance with General Data Protection Regulation, Lascar Electronics is a Data Controller (DC) and will ensure that there is a Data Protection Officer (DPO) appointed at all times. This position should be adequately resourced, report to Company Directors, and not carry out any other tasks that could result in a conflict of interest. They are also the first point of contact for individuals whose data is processed and for the Information Commissioner’s Office (ICO).

Management
Lascar Electronics Directors, Managers and Supervisors are tasked with implementing and overseeing policies and procedures that reduce the risk of data breaches and ensuring that there is sufficient planning to respond to incidents. Appropriate training should be provided to employees, depending on their roles and tasks.

The IT Manager is responsible for:

  • Keeping the Company servers, workstations and devices, software and other key infrastructure updated with the latest security patches and updates.
  • Ensuring there is no unauthorized access to systems.
  • Ensuring all staff are appropriately trained to use Company systems securely.

Employees
All employees are required to:

  • Adhere to all Company policies and procedures and the guidelines within the employee handbook relating to data handling, email and internet usage, device management and social networks.
  • Protect passwords and access credentials – create strong passwords, change them regularly, never share them, don’t use the same password across multiple accounts, and if you access Company emails and/or documents on your personal mobile device make sure this device is sufficiently protected.
  • Report security incidents – be vigilant for suspicious activity (phishing emails, malware infections, suspicious logins) and report it to the IT department immediately.
  • Protect physical documents – physical documents containing sensitive information should be properly secured and disposed of appropriately when no longer needed.
  • Avoid high-risk actions – don’t use public WiFi networks, don’t download software from untrusted sources that could compromise the security of the Company’s information, think carefully before using removable media (e.g. USB drive) and remember to remove it from the host device.

3. General Data Protection Regulation (GDPR)
The Data Protection Act 2018 is the UK’s implementation of the GDPR, which protects personal data belonging to EU citizens or residents. Lascar Electronics has a separate Privacy Policy which details how the Company respects the privacy of individuals and is committed to protecting personal data.

4. Export Control
The export of certain goods and technology is regulated by the Export Control Organization (ECO). The ECO controls these assets to promote global security and to protect national security. If producing any controlled goods, Lascar Electronics requires one Director, one Manager, one Operator and the Compliance Officer to be trained by the Department for International Trade and for trained individuals to have refresher courses every three years.

5. Access Control
Lascar Electronics will provide all employees and other users with the information they need to carry out their responsibilities effectively and efficiently. Access to information and information systems shall be granted following the principles of least privilege and need-to-know.

Physical Access Control
Lascar Electronics employees who require access to confidential and sensitive information for their job role will be trained on the safe handling of all information and taught the procedures which govern how data is used, stored, shared and organized within the Company.

Personal and confidential data must be retained in locked storage when not in use and keys should not be left in the barrels of filing cabinets and doors.

Digital Access Control
User accounts must be created with strong passwords, and access will be revoked upon termination of employment or contract.

Users should not share their login credentials with others or allow others to use their accounts. No generic or group logins will be permitted.

External communication systems shall have Multi-Factor Authentication (MFA) and authorization mechanisms in place to ensure that only authorized users can access information.

Remote users shall be subject to authorization by the IT Manager. No uncontrolled external access shall be permitted to any network device or network system.

6. Data Protection
Confidential, sensitive, or proprietary information shall be protected from unauthorized access, use, disclosure, alteration, or destruction. Lascar Electronics data usually includes names or numbers. Examples include employee details, product names, prices, costs, tax codes, registration marks, coding and dates.

Information shall be classified based on its sensitivity and appropriate controls implemented to protect it.

Digital information shall be regularly backed up to prevent data loss in case of hardware failure or disaster. Third parties hosting digital data, e.g. Cloud Services, will be required to meet strict requirements and certification.

7. Monitoring
Information systems shall be monitored for unauthorized access, use, or disclosure. Logs shall be regularly reviewed and analyzed to detect and respond to security incidents.

Vulnerability risk assessments shall be periodically performed to identify and mitigate potential security risks.

8. Security Incidents
Incidents can have a huge impact on a Company in terms of cost, productivity and reputation. All security incidents should be reported to the IT department immediately so that the incident can be contained and remediated as quickly as possible. Incident response plans should be in place for predictable security breaches. These plans should be periodically tested to ensure their effectiveness. In accordance with GDPR regulations, Lascar Electronics will report a notifiable breach to the ICO without undue delay and inform data subjects of any personal data breach within 72 hours of the incident.

9. Non-Compliance & Disciplinary Actions
Violations of this policy could result in serious consequences for Lascar Electronics and cause personal distress to individuals. Any breach will be thoroughly investigated and could result in disciplinary action against the offender as outlined in the Company employee handbook.

Version 1.0