3 Data Handling

This document outlines procedures for securely transferring sensitive data within and outside the company. It details how to maintain confidentiality when receiving, storing, transferring and communicating data via various methods, including ensuring secure storage, limiting data transfer to necessary recipients, and using encryption or passwords as needed.

Document Classification: Internal

Information Security Management System

Standard Operating Procedure

Business Process: Data Handling (ISMS)
Author / Process Owner: Information Security & Compliance Manager
Approved By: Information Security Management Forum
Document No.: ISMS-SOP-No.3
Revision No.: 1 (26/10/18), 2 (22/01/19), 3 (02/10/19)

Purpose
This document outlines the procedures that should be followed where sensitive or person-identifiable information is being transferred to or from Wilson James. These procedures are in place to help prevent unauthorised access to information, loss of information, unauthorised disclosure of information or breach of legislation.
Failure to comply with the requirements set out in this procedure may result in disciplinary action being taken against you, or, in the case of third parties, might be seen as a breach of contract.

Scope
This procedure is applicable to employees, contractors and temporary staff, as well as third parties providing relevant services to Wilson James who have access to Wilson James’ information systems or information.
It further applies to all systems that store, hold, process or transmit critical Wilson James data.

Responsibility
It is the responsibility of the Process Owner to:
- Regularly review content to ensure the document is current and up to date with current legal and best-practice requirements
- Carry out a formal annual review of content to ensure compliance and suitability.
Information Security is the responsibility of every User, and with your help and co-operation we can all contribute to making Wilson James a safe and secure working environment.

Document Control
Printed copies are uncontrolled.
It is the responsibility of the user to ensure that they are using the latest issue of this document and all referenced forms, which are available in the WJ-IMS (Intranet).

Record Keeping
IMS-SOP-No.2 Record Control identifies record-keeping requirements for all documents used within this procedure.

Continuous Improvement
Please send any process improvement suggestions to the Process Owner, who will evaluate and implement accordingly.

Associated Standards
ISO27001: 2013

Revision 3 Document No: ISMS-SOP-No.3 Page 1 of 4



Contents
- Annual Review Record, page 3
- Document Change Record, page 3
- Maintaining Confidentiality Of Data Received, page 4
- Only Transferring Data Where Appropriate, page 4
- Securely Transferring Data, page 4
- Verbal Communication, page 4
- Post, page 5
- Communication by Email, page 5
- Portable Hard Drive, page 5

Annual Document Review Record

Confirmed that all documents have been reviewed and are current and up to date.

Reviewed By (Author):        Name: ________  Signed: ________  Date: ________
Approved by (Process Owner): Name: ________  Signed: ________  Date: ________

Document Change Record

Date      Revision No.  Page/Step No.  Reason for and Details of Change
26/10/18  1             ALL            First issue of this ISMS SOP. Document Classification: Internal added to all pages.
22/01/19  2             ALL            Author/Process Owner changed to Information Security & Compliance Manager.
02/10/19  3             ALL            CIO replaced by ISMF.


Maintaining Confidentiality of Data Received


The term “safe haven” refers to either a secure physical location or the agreed set of administrative arrangements that are in place within Wilson James to ensure confidential company and personal information is communicated safely and securely.
A. When paper-based information is received it should be stored securely, as soon as practical, for example:
(i) Manual records should be locked in the filing cabinet when not in use.
B. Computers should not be left on view or accessible to unauthorised staff:
(i) Be careful where you site your computer screen: ensure any confidential information cannot be accidentally or deliberately seen by visitors or staff who do not have authorised access.
(ii) Always keep your password confidential and do not write it down. Do not share passwords.
(iii) Password-protected screensavers should be used where possible.
(iv) Laptop computers should be locked up when not in use.
C. Ensure that all waste containing confidential information is cross-shredded before disposal.
D. Ensure that confidential conversations are held where they cannot be overheard by members of the public.

Only Transferring Data where Appropriate


The personal information contained in transfers should be limited to those details necessary for the recipient to carry out their role.
Before transferring data, consider whether there are any consent requirements that must be met before the transfer is made; a record of consent should be maintained where required.

Securely Transferring Data


Consideration needs to be given to the mode of transfer and whether any specific controls are required to maintain the confidentiality of the data, e.g. encryption on electronic transfers.

Verbal Communication
- Be careful about leaving confidential messages on answer-phones: the message might be heard by someone other than the intended recipient.
- Be careful when taking messages off answer-phones. Ensure that the messages cannot be overheard inappropriately when being played back.
- When receiving calls requesting information:
  a) Verify the identity of the caller. For example, where this is not a known contact, take the relevant phone number, double-check that it is the correct number for that individual / organisation and then call the recipient back.
  b) Ask for the reason for the request.
  c) If in doubt about whether the information can be disclosed, tell the caller you will call them back, and then consult the Head of IT.
- Where information is transferred by phone or face to face, care should be taken to ensure that personal details are not overheard by other people, including staff who do not have a “need to know”. Where possible, such discussions should take place in private locations and not in public areas, for example the staff room.
- Messages containing confidential / sensitive information should not be left on notice boards that could be accessed by non-authorised staff.


Post
- Ensure envelopes are marked “Private & Confidential”.
- Double-check the full postal address of the recipient.
- Carefully consider the method for sending confidential information based on the risk of loss.
- When necessary, ask the recipient to confirm receipt or send by “Recorded Delivery”.

Communication by email
- Transfer of confidential information by email should be avoided other than where it is encrypted.
- The email header should make it clear that the message contains confidential information.

Portable Hard Drives and Removable Media

- The greatest risk in using portable electronic devices and removable media is loss resulting in unauthorised access; many high-profile data losses have been the result of human error when transferring large amounts of data by removable media such as disks containing personal data.
- It is therefore not acceptable to store personal data or other sensitive information on any device unless it is encrypted to secure against unauthorised access.
- Data must never be stored on an unencrypted portable storage device, and any portable media used to transfer data must be encrypted.
- The “Portable Device policy” limits encryption to laptops and USB memory sticks issued by Wilson James. No other portable media may be used for the storage of personal or business-sensitive information. Therefore, CDs, DVDs, floppy disks, etc. should not be used to transfer data.
- Information held on mobile computing equipment should always be backed up onto the network.
- Staff are reminded that encryption protects the data only when the laptop or USB memory stick is not in use, i.e. powered off. When these devices are in use, if the laptop is left unattended and powered on, the data remains at risk.
- Carrying data on encrypted laptops / encrypted USB sticks must be:
  - Only carried out by staff and contractors who have an identified and agreed business need to do so;
  - Physically protected against loss, damage and abuse;
  - Password protected, with the password communicated to the recipient by a different means, i.e. not sent with the media;
  - (If it is absolutely necessary to send by post) sent by Royal Mail “Special Delivery” so it can be electronically tracked;
  - Supported by a legitimate reason for the transfer;
  - Limited so that the device holds only the minimum data required for the purpose;
  - Preceded by backing up the files onto the network before they are sent;
  - Considered in terms of where the device will be taken and what would happen if it were lost or stolen; a risk assessment should be carried out to establish appropriate use and identify measures to increase security if there are concerns.
