Cyber Security Policy


Adopted by the board: January 2024
Current Review: November 2024
Next review: November 2025

Purpose

Herefordshire Community Foundation (HCF) recognises that information is one of the most important assets it needs to manage.

Specifically, HCF must maintain confidentiality, protecting information resources from unauthorised individuals and organisations, whilst allowing employees to carry out their work unhindered and ensuring the data is complete and correct.

The more technology is relied upon to collect, store and manage information, the more vulnerable HCF becomes to severe security breaches. Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardise the Foundation’s reputation.

As a result, Herefordshire Community Foundation (HCF) has created this policy to help outline the security measures put in place to ensure information remains secure and protected.

The purpose of this policy is to:

  • Protect HCF’s data and infrastructure
  • Outline protocols and guidelines that govern cyber security measures
  • Define the rules for charity and personal use
  • List HCF’s disciplinary process for policy violations

This policy should be read in conjunction with HCF’s Use of Computer, Email and Internet Policy, Confidentiality Policy and GDPR Policy.

Scope

This policy applies to all systems, people and processes that constitute HCF’s information systems, including Trustees, committee members, employees, suppliers, panel members, fund holders and other third parties who have access to HCF’s systems.

All aspects of this policy apply to employees when homeworking.

HCF currently contracts Hereford Computer Services (HCS) as its IT partner.

Note:

When contracting a new supplier, particularly a new IT partner, ensure that all relevant due diligence is carried out, including confirming that:

  • The supplier has adequate insurance cover in place
  • The supplier has an up-to-date GDPR Policy and all obligations are fulfilled

Confidential Data

HCF defines confidential data as:

  • Unpublished financial information
  • Employees’ and Trustees’ personal information
  • Information on grant applications, applicants and beneficiaries
  • Information on Donors, Fund Holders and Fund Agreements

All employees are obliged to protect this data. This policy gives guidance on how to avoid security breaches.

Device Security

To ensure security of all charity-issued devices and information, HCF employees are required to:

  • Keep all devices password protected
  • Turn off their screens and lock their devices when leaving their desks
  • Report stolen or damaged equipment to the CEO as soon as possible
  • Ensure antivirus software is kept up to date
  • Ensure security updates are installed as soon as they are available
  • Always use secure and private networks
  • Refrain from downloading suspicious, unauthorised or illegal software on HCF equipment
  • Avoid accessing suspicious websites

HCF recognises that employees may be required to use personal devices to access charity systems and requests that the above security measures are implemented.

Email Security

Emails often host phishing attacks, scams or malicious software such as worms and bugs. To avoid virus infection or data theft, HCF requires all employees to:

  • Verify the legitimacy of each email, including email address and sender name
  • Avoid opening suspicious emails or attachments, and avoid clicking on links when the content is not adequately explained
  • Avoid clickbait titles and links
  • Look for any significant grammatical errors and inconsistencies

If an employee isn’t sure that an email they have received is safe:

  • If the sender is known, contact them by telephone to confirm the email is legitimate
  • If it is from an unknown source, check with colleagues whether the sender is known to them. If not, delete the email immediately. If the sender is legitimate, they are likely to make contact using a different method

An HCF email address must be used for work purposes only. It is acceptable to use HCF equipment to access personal email accounts during breaks in the working day.

Employees may use personal devices to access work emails; however, these devices must be password protected.

If an employee suspects a scam, hacking or phishing attempt, a virus infection or data theft, they must inform the CEO immediately. The CEO will then advise HCS.

If an incident has occurred, it must be reported to the National Anti-Fraud Network (NAFN).

https://reporting.actionfraud.police.uk/login#

Password Protection

Devices and Applications

  • All devices and applications used by HCF must have passwords and, wherever possible, two-factor authentication applied
  • Passwords must be strong, containing a minimum of eight characters and including capital and lower-case letters, numbers and symbols

Documents

  • All documents containing confidential, sensitive and personal information, including names of grant applicants, must be password protected
  • Passwords must only be exchanged with an authorised source
  • Passwords must be exchanged in a separate email to that containing the document
  • Passwords will be changed annually, and a record of previous passwords held separately

If an employee or Trustee knows or suspects that a password or account has been compromised, they must change the password immediately and inform the CEO.

Data Breaches

All data breaches must be reported to the CEO immediately.

In accordance with GDPR regulations, serious breaches must be reported to the ICO within 3 days of the breach. Should this be required, the CEO will liaise with the Data Protection Officer as per the GDPR Policy.

User Access

HCF wishes to operate in the most transparent manner possible. All files are held on Microsoft SharePoint and are accessible to all staff. HCF has an agreed folder access policy for staff, with only certain Finance, Payroll and HR information not accessible to all staff.

The Board of Trustees has access to a separate OneDrive account, where all information relating to Governance is held.

Upon leaving HCF’s employment, ex-employees will have access to all systems removed. It is the responsibility of the Finance Officer to liaise with HCS to ensure this is undertaken on the last day of employment.

All HCF equipment must be returned to the Finance Officer when it is no longer required or when an employee leaves the organisation. If equipment is found to be defective or end-of-life, it will be transferred to HCS for secure disposal to ensure all HCF’s information is completely removed.

Network Security

All HCF’s systems are cloud based with the exception of the finance software, Sage 50 Accounts, which is held on the Finance Officer’s hard drive. Sage is available via remote access to the Finance Officer’s laptop. Sage is backed up daily by the Finance Officer and the back-up is stored in a cloud-based file within SharePoint.

The configuration of the network is undertaken by HCS, which is responsible for deploying security and antivirus software and updates. To reduce the risk of viruses and malware, software should only be installed on HCF devices with the approval of the CEO, and the installation undertaken by HCS.

HCS Security setup

  • ESET Endpoint Security is installed on all HCF devices and updated in real time
  • All HCF information within SharePoint is backed up using Microsoft UK cloud servers
  • Remote monitoring to ensure system updates are applied and antivirus and firewalls are active, with alerts for any hardware errors
  • All accounts are multifactor authenticated for secure access to all data and emails
  • All HCF information is stored by HCS on a secure server with encryption and password protection for file access

Training

During induction, all new members of staff are required to undergo a National Cyber Security Centre online introduction to Cyber Security.

All employees are also required to take online training through Hiscox Risk Academy, provided by HCF’s insurance provider, to be refreshed on an annual basis.

Disciplinary Action

HCF expects all its employees to always follow this policy and those who cause security breaches may face disciplinary action.

Deliberate and serious breach of this policy may lead to HCF taking disciplinary measures in accordance with its disciplinary policy and procedure. HCF defines IT as, but not limited to, hardware and drives, cloud storage, applications and email systems. Misuse of these facilities can have a negative impact upon employees’ and Trustees’ productivity and the reputation of the Foundation.

All HCF’s phone, web-based, locally hosted systems and email related resources are provided for business purposes. HCF therefore maintains the right to monitor all internet and local network traffic, together with the email systems. The specific content of any transactions will not be monitored unless there is a suspicion of improper use.

Examples of deliberate or serious breaches of this policy, and of misuse, include but are not limited to:

  • Knowingly disclosing login information to an unauthorised third party
  • Inappropriate disclosure of personal data
  • Knowingly installing software on HCF devices that hasn’t been approved by HCS or the CEO which leads to a breach
  • Allowing the use of HCF devices by unauthorised third parties
  • Storing data on insecure media such as removable media that leads to a breach

Review

This policy is a working document and will be updated when required by legislation or technical amendments to ensure it reflects best practice by HCF, or reviewed annually, whichever is the sooner.