Information Security Policy

Purpose and scope

This policy establishes the standards and procedures used by ASK Research Partners Ltd. for securely storing, accessing, and managing information. It ensures that all data is protected in compliance with the UK GDPR and other applicable data protection laws. This policy applies to all employees, contractors, and authorised users who access or manage information on behalf of ASK Research Partners Ltd. It covers all personal and organisational data, files, and documents stored, created and analysed by our managers, staff and associates.

Data Classification

All data must be categorised as follows:

  • Public: Information intended for open access with no sensitivity.
  • Internal: Data meant for internal use that should not be shared publicly.
  • Confidential: Sensitive data, including personal, financial, or legal content, requiring strict access control.

Access Management

  • All accounts must use strong, unique passwords and Multi-Factor Authentication (MFA).
  • Access must be limited to authorised users and reviewed bi-annually.
  • Credentials must not be shared under any circumstances.

Data Encryption and Security

  • Data must be encrypted in transit and at rest using industry-standard protocols (e.g., TLS and AES-256).
  • Built-in security features, such as personal vaults and ransomware protection, should remain enabled.
  • Users are prohibited from disabling or circumventing any security settings.

Data Handling and Device Control

  • Confidential data must not be copied to or stored on removable media (e.g., USB drives, CDs).
  • Any use of removable media (if authorised) must use encryption compliant with FIPS 140-2.
  • Data must not be printed unless explicitly authorised. Printed material must be secured and logged.
  • Devices must be encrypted (e.g., Device Encryption / BitLocker with AES-256) and protected by secure login credentials.
  • Only ASK managed and compliant devices may access confidential data.

Data Residency

Where applicable, data must be stored in compliance with data residency requirements. For UK-based users, storage must reside within the UK to align with sovereignty regulations.

File Sharing and Collaboration

  • Files must only be shared using secure methods that support access controls, such as password protection, link expiration, or read-only permissions.
  • Public or anonymous sharing should be avoided unless explicitly authorised.
  • Access to shared files should be reviewed regularly and revoked when no longer necessary.

Device and Endpoint Security

  • All devices used for accessing cloud data must be protected with antivirus software, full disk encryption, and strong or biometric authentication.
  • In the event of a lost or stolen device, access must be revoked and the incident reported immediately.
  • Remote wipe functionality should be enabled on all mobile devices used for work purposes.

Data Backup and Retention

Built-in version history and file recovery tools should be used to restore lost or corrupted files. Data should be periodically reviewed and deleted in accordance with the organisation’s retention policy. External backups are not required unless dictated by compliance or operational needs.

Incident Response and Reporting

A security incident includes any event that may compromise the confidentiality, integrity, or availability of data — for example:

  • A lost or stolen device
  • Unauthorised access to data or systems
  • Accidental sharing of confidential information
  • Suspicious emails or malware infections

All staff must report suspected incidents immediately to the designated Data Security Officer.

Once an incident is reported, staff must take the following steps:

  1. Contain the issue
    • Disconnect the affected device or account (e.g., turn off Wi-Fi or log out remotely).
    • Suspend access for the affected user if needed.
  2. Assess the impact
    • What kind of data was involved?
    • How many people or systems are affected?
  3. Notify others if necessary
    • Inform your data protection contact, IT provider, or insurer.
    • If personal data was involved, notifying the ICO within 72 hours should be considered.
  4. Recover
    • Restore data using backups or recovery tools.
    • Reset passwords or security settings as needed.
  5. Document the incident
    • What happened?
    • What actions were taken?
    • What will be done to prevent recurrence?
  6. Learn lessons from the incident

After the incident, hold a short internal review to:

  • Update this policy if needed
  • Improve staff awareness or training
  • Fix any identified weaknesses

Secure Communication and Data Transmission

  • Electronic transmission of data must occur only via Microsoft 365 services.
  • Any email communications involving confidential data must only be sent over encrypted networks.
  • Files must be shared using OneDrive or SharePoint with:
    • Password-protected, expiring links
    • View-only permissions where applicable
    • Access limited to authorised recipients
  • Personal email accounts and third-party messaging tools must not be used to transmit confidential data.

Secure Information Storage and Disposal

  • All data must be stored within secure, UK-based Microsoft Azure or Microsoft 365 platforms.
  • Data at rest must be encrypted using AES-256 encryption. Printed data must be stored in locked cabinets and accessed only by authorised personnel. Hard copy documents must be shredded using cross-cut shredders or disposed of through certified data disposal services.
  • A data retention schedule must be followed, and data must be deleted securely when no longer required.

Compliance and Review

This policy is subject to annual review or update upon changes in technology, business operations, or legal requirements.

Compliance with this policy is mandatory. All users are expected to read, understand, and adhere to the policy as a condition of access.

Violations may result in disciplinary action, revocation of access, or contractual consequences.

This policy supports compliance with UK GDPR, ISO/IEC 27001, Cyber Essentials Plus, and DfE data protection standards.

Acknowledgment

By using the designated data storage and collaboration platform, all users agree to comply with the practices outlined in this Information Security Policy.

Last reviewed 01/05/2025