Information Security Policy
Effective date: July 1st 2021
Overview
Cloud Orca Limited has a duty and responsibility to protect the information under its custody and control. Being able to access complete and accurate information is vital to the Company’s ability to operate efficiently and successfully provide products and services to our customers. Cloud Orca Limited also collects, stores, and uses confidential and personal information on private individuals, employees, partners and suppliers, and on its own operations.
The company has a duty to safeguard such information when processing it. This Information Security Policy aligns with the information security management systems standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as more specifically set forth in ISO 27001 and 27002. Implementing this Policy will therefore help the Company comply with various aspects of such international data security standards.
Purpose
The purpose of this Policy is to safeguard information belonging to Cloud Orca Limited and its stakeholders (third parties, clients or customers and the general public), within a secure environment.
This Policy informs the company’s employees, contractors, customers, and any other individuals linked with the company, of the principles governing the holding, use and disposal of information.
It is the goal of Cloud Orca Limited that:
• Information will be protected against unauthorised access or misuse.
• Confidentiality of information will be secured.
• Integrity of information will be maintained.
• Availability of information / information systems is maintained for service delivery.
• Business continuity planning processes will be maintained.
• Regulatory, contractual, and legal requirements will be complied with.
• Physical, logical, environmental and communications security will be maintained.
• Infringement of this Policy may result in disciplinary action or criminal prosecution.
• When information is no longer of use, it is disposed of in a suitable manner.
• All information security incidents will be reported to the Director of ICT Systems and investigated through the appropriate management channel.
“Information” relates to:
• Electronic information systems (software, computers, and peripherals) owned by Cloud Orca Limited, whether deployed or accessed on or off the company’s premises (131 Finsbury Pavement, London EC2A 1NT).
• The company’s computer network used either directly or indirectly.
• Hardware, software, and data owned by the company.
• Paper-based materials.
• Electronic recording devices (video, audio, CCTV systems).
The Policy
This Policy establishes the framework for the management of information security within Cloud Orca Limited. The company requires all users to exercise a duty of care in relation to the operation and use of its information systems.
Authorised users of information systems
With the exception of information published for public consumption, all users of Cloud Orca Limited information systems must be formally authorised by appointment as a member of staff. Authorised users will be in possession of a unique user identity, otherwise known as an employee number. Any password associated with a user identity must not be disclosed to any other person/s.
Authorised users will pay due care and attention to protect the company’s information in their personal possession. Confidential, personal, or private information must not be copied or transported without consideration of:
• Permission of the information owner.
• The risks associated with loss or falling into the wrong hands.
• How the information will be secured during transport and at its destination.
Acceptable use of information systems
Use of the company’s information systems by authorised users will be lawful, honest, and decent and shall have regard to the rights and sensitivities of other people.
Information System Owners
Cloud Orca Limited will ensure that:
• Systems are adequately protected from unauthorised access.
• Systems are secured against theft and damage to a level that is cost-effective.
• Adequate steps are taken to ensure the availability of the information system, commensurate with its importance (Business Continuity).
• Electronic data can be recovered in the event of loss of the primary source, i.e. failure or loss of a computer system. It is incumbent on all system owners to back up data and to be able to restore data to a level commensurate with its importance (Disaster Recovery).
• Data is maintained with a high degree of accuracy.
• Systems are used for their intended purpose and that procedures are in place to rectify discovered or notified misuse.
• Any electronic access logs are only retained for a justifiable period to ensure compliance with the data protection, investigatory powers, and freedom of information acts.
• Any third parties entrusted with university data understand their responsibilities with respect to maintaining its security.
Policy Breach
Any breach of this data security policy by Cloud Orca Limited employees, contractors or third-party people will be individually investigated and, if deemed suitable, may lead to disciplinary procedures being undertaken by the company. If any customer suspects that this policy has been breached, this should immediately be reported to Cloud Orca Limited leadership (Ed Rowland, CEO, or Tony Di Carlo, COO).
Personal Information
Authorised users of information systems are not given rights of privacy in relation to their use of Cloud Orca Limited’s information systems. Duly authorised officers of the company may access or monitor personal data contained in any Cloud Orca Limited information system (mailboxes, web access logs, file-store, etc.).
Asset Management
All Company assets (data, information, software, computer and communications equipment, service utilities and people) shall be accounted for and have an owner responsible for their maintenance and protection, managed by the Cloud Orca Limited board of directors.
Any loss of or harm to company assets will be immediately reported, and necessary action taken to protect both the company’s and customers’ data and information.
Office Security
All necessary safeguarding has been implemented to ensure that the Cloud Orca premises (25 Luke Street, Shoreditch, London, EC2A 4DS) are safe and secure, so that any breaches of security can be reduced and where possible mitigated.
Access to the premises is restricted to Cloud Orca Limited employees only, and access is only granted to employees through a secure key card, managed and updated by the building managers. Loss of key cards will be reported to the building management and access immediately blocked, so as to avoid a security breach.
Any meetings or guests within the premises are chaperoned by a Cloud Orca Limited employee at all times, and these parties will not have direct access to the office of Cloud Orca Limited; only access to the public space will be granted.
Access Control
Cloud Orca Limited will control Individual Users’ access to Company information. In particular, an Individual User’s access to information and information systems will be set in accordance with Cloud Orca Limited’s business requirements.
Access will be granted to employees, third parties and other individuals according to their business role and only to the extent necessary to permit them to carry out their duties. A procedure is in place within the standard operating procedures (SOPs) to document and update individuals’ access privileges to company information.
Validity and document management
This policy is valid as of 7th July 2021.
The owner of this document is the Cloud Orca Limited board of directors, who must check and, if necessary, update the document at least once annually.