Cyber Security
Compliant with the requirements of the Cyber Essentials Scheme
ASG Group Cyber Security Policy (Aligned with UK Government Cyber Essentials Scheme)
1. Purpose
The purpose of this policy is to establish a framework for ASG Group to protect its IT systems and data in compliance with the UK Government’s Cyber Essentials Scheme (CES). The Cyber Essentials Scheme provides organisations with essential protection against the most common cyber threats, ensuring a secure environment for business operations.
2. Scope
This policy applies to all employees, contractors, and third-party partners of ASG Group who have access to the organisation's IT infrastructure, systems, and data. It covers all hardware, software, data, networks, and services used in ASG's operations.
3. Objectives
Comply with the UK Government's Cyber Essentials Scheme (CES) guidelines.
Reduce the risk of cyber threats, including but not limited to malware, phishing, and data breaches.
Protect sensitive and confidential information.
Ensure business continuity by safeguarding the integrity and availability of IT systems.
Achieve and maintain Cyber Essentials certification.
4. Key Security Controls
To meet the Cyber Essentials requirements, ASG Group commits to implementing the following controls:
4.1 Firewalls and Internet Gateways
External Firewalls: All internet-facing devices must be protected by an external firewall that is properly configured to block unauthorised access.
Internal Firewalls: Where appropriate, internal firewalls must be used to segment networks and provide additional layers of protection.
Configuration: Firewalls should only allow necessary network traffic, based on business needs. Default settings must be changed, and unnecessary services or ports should be disabled.
4.2 Secure Configuration
Operating System and Software Configuration: All devices must be configured with security in mind. Unnecessary accounts, services, and functionality must be disabled to reduce the attack surface.
Patching and Updates: All systems must be kept up to date with the latest security patches and updates. Automatic updates should be enabled wherever possible.
Password Policies: Strong password policies must be enforced for all accounts, requiring complex passwords and regular password changes.
4.3 User Access Control
Access Control Policies: Access to data and systems should be granted based on the principle of least privilege, ensuring that individuals only have access to the information and systems necessary for their role.
User Accounts: Each user must have a unique ID, and shared accounts are prohibited. Administrator access should be restricted to necessary personnel and closely monitored.
Two-Factor Authentication (2FA): Where possible, two-factor (or multi-factor) authentication should be implemented for remote access and privileged accounts.
4.4 Malware Protection
Anti-Malware Software: All devices, including laptops, desktops, and mobile devices, must be equipped with anti-malware software that is regularly updated.
Scanning: Regular scans must be performed to detect and prevent malware infections.
Email Protection: Email filtering systems must be in place to reduce the risk of phishing attacks and the spread of malicious content.
4.5 Patch Management
Security Patches: All software used by ASG Group, including operating systems and third-party applications, must be regularly updated to protect against known vulnerabilities.
Automated Patch Management: Where feasible, automated patch management systems should be used to ensure timely updates and reduce the risk of human error.
5. Incident Response
Incident Reporting: Employees must immediately report any suspected security incidents, such as malware infections, unauthorised access, or data breaches, to the IT department or designated cybersecurity personnel.
Incident Investigation: All reported incidents must be investigated promptly, and appropriate steps must be taken to mitigate any damage and prevent future incidents.
Data Breaches: In the event of a data breach, ASG Group will follow its Data Breach Response Plan, including notifying affected parties and regulatory authorities as required by law.
6. Training and Awareness
Cyber Security Awareness: All employees must complete mandatory cybersecurity training to stay informed about the latest threats and best practices.
Regular Updates: Employees should receive regular updates and reminders about cybersecurity policies and emerging threats.
7. Third-Party Compliance
Supplier and Partner Contracts: All third-party suppliers and partners who have access to ASG Group’s systems or data must comply with this policy and the Cyber Essentials requirements.
Due Diligence: ASG Group will conduct regular reviews and assessments of third-party partners to ensure their cybersecurity practices align with the organisation’s standards.
8. Monitoring and Audit
Continuous Monitoring: ASG Group will continuously monitor its IT infrastructure for any suspicious activities or vulnerabilities.
Regular Audits: Internal and external audits will be conducted to assess compliance with this policy and the Cyber Essentials requirements.
9. Review and Maintenance
This policy will be reviewed annually or following any significant changes to the organisation’s IT systems, regulations, or cyber threat landscape. Any updates will be communicated to all employees and relevant stakeholders.
By adhering to the UK Government’s Cyber Essentials Scheme, ASG Group ensures a proactive approach to safeguarding its systems and data, strengthening its overall cyber resilience.
Revised Sept 2024