DocuSign Envelope ID: 9A89DE11-7705-47A0-85EF-E06C3DA4FEA2
Pulsar Group Information Security Policy | Classification: PUBLIC |
Contents
Policy Statement
Purpose
Policy Objectives
Policy Scope
Products
People
Premises
Data Centre Operations
Policy Statements
Risk Assessment
Management, Monitoring and Review
Legislative Compliance
Supplier Security
Asset Management
Acceptable Use
Access Control
Information Classification and Handling
Human Security
Information Security Training
Device Security
Secure Development
Information Security Incidents
Business Continuity
ISMS Responsibilities
Employees, Contractors and Third-Party Users
Executive Management
Senior Management
Control Owners
Asset Owners
Information Security Officer (Governance, Risk, Compliance)
Information Security Officer (Technical)
Risk Management
Risk Assessment
Audit
Legal Compliance
Obligations
Intellectual Property
Information Lifecycle
Data Protection
Supplier Security
New Supplier
Supplier Management
© 2024 Pulsar Group. All rights reserved. Trust Centre: https://www.pulsargroup.com/trustcentre/
Asset Management
Asset Management
Acceptable Use
Devices
Maintenance
Sensitivity Labels
Data Loss
Access Management
Access Rights
Authentication
Office Security
Workspace
Reporting
Human Security
Security Team
Management Support
Staff Vetting
Employment Contracts
Staff Training
Engineering Security
Technical Compliance
Technical Documentation
Vulnerability Management
Backup & Restore
Activity Logs
Encryption
Change Control
Engineering Security: Development
SDLC: Analysis & Design
SDLC: Development
SDLC: Testing
SDLC: Deployment
SDLC: Maintenance & Disposal
Engineering Security: Infrastructure
Data Transfer
Network Security
Infrastructure Security
Monitoring
Incident Management
External Contacts
Incident Management: Preparation
Incident Management: Assess
Incident Management: Response
Incident Management: Review
Document Version Control
Information Security Policy
Policy Statement
Pulsar Group Plc (formerly Access Intelligence) and its subsidiaries (including its subsidiaries operating the Isentia, Pulsar and Vuelio brands globally) (Group, Company or Pulsar Group) are committed to information security, data protection & privacy standards in all of its business activities.
Purpose
The purpose of this policy is to direct the design, implementation and management of an effective Information Security Program, which ensures that Pulsar Group's information assets are appropriately identified, recorded, and afforded suitable protection at all times. This document sets forth certain principles regarding the responsible use of information by Pulsar Group and outlines the roles and responsibilities of personnel to protect the confidentiality, integrity, and availability of information assets and data.
Policy Objectives
- Mitigate Risks of Cybersecurity Threats and Data Breaches: Identify, assess, and mitigate risks associated with cybersecurity threats and potential data breaches by conducting regular risk assessments, vulnerability scans, and penetration testing. Develop and implement incident response plans to effectively respond to and contain security incidents, minimising the impact on clients and our organisation.
- Ensure Confidentiality, Integrity, and Availability of Client Data: Implement and maintain robust security measures to ensure the confidentiality, integrity, and availability of client data processed by us. This includes implementing encryption protocols, access controls, and regular data backups to mitigate the risk of unauthorised access, data loss, or service disruptions.
- Compliance with Legal, Regulatory and Standard Requirements: Ensure compliance with relevant requirements related to information security, privacy, and data protection, such as ISO 27001:2022 and GDPR. Stay abreast of changes in legislation and standards, and update policies, procedures, and controls accordingly to maintain compliance and avoid legal consequences.
Policy Scope
This Policy shall apply to the following:
- All Team Member(s), including all of Pulsar Group's officers, employees (whether full time, part time or casual and including executives and managers) and contractors (including consultants, advisers, agents, interns and free agents).
- All information assets, either owned by Pulsar Group or entrusted to Pulsar Group by a client under an agreement which specifically details Pulsar Group's responsibility for that data. Including:
Products
- Pulsar
- Isentia Platform (Media Portal)
- Vuelio (UK)
- Vuelio (Australia)
- ResponseSource
People
- All Pulsar Group (Pulsar/Isentia/Vuelio) Team Members with access to business information.
Premises
- Pulsar Group Headquarters, London, United Kingdom
Data Centre Operations
- Amazon Web Services, EU West 1 region (Pulsar)
- Amazon Web Services, EU West 2 region (Pulsar DR)
- Amazon Web Services, Sydney region (Isentia Platform)
- Amazon Web Services, Sydney region alternate Availability Zone (Isentia Platform DR)
- Microsoft Azure, UK South region (Vuelio)
- Microsoft Azure, UK West region (Vuelio DR)
- Microsoft Azure, Australia East region (Vuelio Australia)
- Microsoft Azure, Australia West region (Vuelio DR Australia)
- Pulsant, South London DC (Response Source)
Policy Statements
Pulsar Group shall be committed to the protection of the information assets and supporting assets as defined within the Scope of this Policy. Pulsar Group has created its Information Security Management System (ISMS) in accordance with the international Information Security Management Systems standard ISO/IEC 27001. All Security Control Policies are described in the Appendix.
After reviewing the needs and expectations of interested parties, the scope of the ISMS was defined to support these requirements. To effectively manage and deliver its ISMS, Pulsar Group shall:
Risk Assessment
Perform regular risk assessments on all information assets, and their supporting assets, as detailed within Pulsar Group's Risk Management Policy and using the control objectives and controls as documented within Annex A of ISO/IEC 27001:2022. The documented results of risk assessments shall be reviewed to understand the level of risk to information and supporting assets, and appropriate controls applied to address any unacceptable risks that have been identified. A Statement of Applicability (SoA) shall be produced to record which controls have been selected and the reasons for their selection, and the justification for any controls not selected.
Management, Monitoring and Review
Continually monitor, review and improve the Pulsar Group ISMS, in accordance with the Management Review controls, by undertaking regular reviews, internal audits (in accordance with the Internal Audit requirements) and other related activities, and taking prompt corrective actions and implementing improvement opportunities in response to the findings of these activities.
Legislative Compliance
Ensure consistently that its Information Security Management System shall support full compliance with the requirements of applicable global legislation, e.g. GDPR.
Supplier Security
Ensure that sufficient security controls and agreements are in place to protect Pulsar Group's assets that are accessible by suppliers, in accordance with the Supplier Security Management Policy. The policy shall describe what requirements must be adhered to when engaging third parties, the standard terms that should be included in supplier agreements and how Pulsar Group will monitor compliance.
Asset Management
Define and maintain a comprehensive Inventory of Assets, including all information assets and supporting assets as defined within the scope of this Policy. The Inventory of Assets shall detail a named owner for each asset, who shall fully understand their responsibilities for the protection of the asset in accordance with the documented Pulsar Group Asset Management Policy.
Acceptable Use
Ensure that all personnel, contractors and third-party users comply with the Acceptable Use Policy which describes how information assets and their supporting assets should be used in an acceptable manner and in accordance with all ISMS related policies and processes. This policy shall describe the acceptable methods of use of information processing systems, networks (including, for example, the internet and telephone systems) and other resources within the scope of this policy.
Access Control
Ensure that all information assets, and their supporting assets, are protected with strong passwords in accordance with the password management requirements and to ensure their confidentiality, integrity and availability are maintained. Access to information assets and supporting assets shall be in accordance with Pulsar Group's Access Control Policy and be restricted to the minimum required to undertake authorised business activities, and Pulsar Group has adopted the principle that "access is forbidden unless it has been specifically and formally pre-authorised".
Information Classification and Handling
Ensure that all information assets shall be classified and handled in accordance with the Information Classification and Handling Guidelines, which detail how information assets of different sensitivities shall be managed, handled, processed, encrypted, stored and transmitted. Information is retained in accordance with the Data Retention Policy.
Human Security
Minimise risk in the workforce by implementing security controls pre-employment in accordance with the Human Security controls for Team Member screening and by including Information Security responsibilities into job descriptions.
Information Security Training
Develop a regular training and education programme, in accordance with the Information Security Training Policy, which shall be mandatory for all Pulsar Group's Team Members, which details their individual responsibilities to fully comply with the requirements of the ISMS policies, processes and work instructions defined within the scope of this policy.
Device Security
Reduce risk of information leakage by only working on devices provided and managed by the organisation or for specific processes. When unattended, devices must be locked, and no information should be displayed on the workstation as per Clear Desk and Screen controls.
Secure Development
Minimise risks during development by improving security controls for people and technology, in accordance with the controls for Data Encryption, Information Transfer, Secure Development - Infrastructure and Change Management Policy, so that the security of Pulsar Group's information assets is not compromised, even in an ever-changing cloud environment.
Information Security Incidents
Provide a mechanism for the swift identification, reporting, investigation and closure of information security incidents to Pulsar Group, in accordance with the Information Security Incident Management controls, and to fully analyse reported incidents to identify the root cause of issues and take advantage of any improvement opportunities which may have been identified.
Business Continuity
Ensure that information security is a key consideration within the Business Continuity Management Policy so that the security of Pulsar Group's information assets is not compromised even when faced with a wide variety of unplanned business interruptions.
ISMS Responsibilities
All individuals specified within the scope of this Information Security Policy shall have individual responsibility for complying with every aspect of this policy. The requirement to comply with Pulsar Group policies is included within the Terms and Conditions of Employment and is noted within each individual user's job description. Any failure to adhere to the requirements of this policy shall result in disciplinary action being taken.
Team Members (Employees, Contractors and Third-Party Users)
Within Pulsar Group, all information security responsibilities are defined and allocated in accordance with the ISMS. All Team Members shall understand their role in ensuring the security of information assets (and their supporting assets) by complying with information security awareness training, including:
- Creating unique, complex passwords for each user account
- Completing all assigned Information Security training
- Reviewing applicable security control documentation relevant to their role
- Considering the sensitivity of the information that they are processing and correctly classifying the document, i.e., password protecting email attachments and/or choosing the appropriate information classification label when sharing documents.
- Reporting suspected and confirmed information security events to the Security Team
There are additional responsibilities defined in order that the ISMS shall operate efficiently and in accordance with the requirements of ISO/IEC 27001. These are detailed below:
Executive Management
The Chief Financial Officer (CFO) and Executive Management shall be responsible for the following activities within the Pulsar Group ISMS:
- Setting and reviewing Pulsar Group's Information Security Objectives
- Delegating appropriate resources necessary to manage and operate the ISMS effectively
- Agreeing the level of acceptable risk within the Risk Assessment Methodology
- Approving any decisions not to address any unacceptable residual risks, where identifed
- Having ultimate responsibility for actions related to information security incidents/breaches
- Overseeing any disciplinary action resulting from information security incidents/breaches
- Playing an active role during Pulsar Group's Risk Assessment exercises and defining risk mitigation strategies.
- Reviewing any reports of the Information Security Program implementation status or assessments
- Approving Pulsar Group's information security policies and any changes to the policies and ensuring that the overall information security posture is aligned to business requirements and risks.
Senior Management
Senior Managers within Pulsar Group shall be responsible for:
- Ensuring that their team members are aware of and remain compliant with all information security policies, processes and work instructions, and they receive relevant training for their role
- The provision of a user training and awareness programme for applicable third-party users
- Supporting reviews, internal audits and risk assessments within their area of responsibility
- Specifically, the Head of HR for each region shall be responsible for:
  - Organising background verification checks for all employment candidates
  - Including information security compliance requirements in employment contracts
  - Ensuring all Team Members comply with information security awareness training
Control Owners
Security Control Owners shall be responsible for:
- The way in which their assigned control(s) are selected, implemented and operated
- Understanding which asset(s) are reliant upon each of their assigned controls
- Contributing feedback to asset owners on the operation of each control, to assist them in undertaking accurate risk assessments of their asset(s)
- Helping in the investigation, resolution and closure of any information security incident which does or does not indicate the failure of a control.
Asset Owners
As per the Asset Management Policy, designated Asset Owners shall be responsible for:
- Assessing the value of their asset(s) to the Company
- Undertaking detailed risk assessments on their asset(s), including the identification of controls and assessing their effectiveness as per the Risk Management Policy
- Addressing any unacceptable risks
- Helping in the investigation, resolution and closure of any information security incident which directly or indirectly affects the security of their asset(s).
- Reviewing and authorising the levels of access to their asset(s) which are granted to others
- Contributing to the Acceptable Use monitoring, specifically for the user of their asset(s)
Information Security Officer (Governance, Risk, Compliance)
The Information Security Manager shall have functional GRC responsibility for the Pulsar Group ISMS, and shall be responsible for the daily operational tasks of the ISMS, including:
- Ensuring an appropriate structure of ISMS policies, processes and work instructions are created and maintained for all ISMS activities
Disclaimer
Pulsar Group plc published this content on 13 May 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 29 May 2024 17:00:33 UTC.