Information Security Policy

INFORMATION SERVICES GROUP, INC.
Last modified: 12 February 2025

1 Policy Control

1.1 Introduction

This policy outlines the Information Security objectives of Information Services Group, Inc., our commitment as an organization to satisfy all applicable Information Security requirements, and our commitment to the ongoing improvement of the Information Security Management System. It also summarizes the key policy documents that govern the operation and management of the Information Security Management System.

1.2 Notice of Compliance

Security is the responsibility of everyone affiliated with Information Services Group, Inc. (referred to as ISG henceforth) or directly accessing ISG systems, ISG data, and data entrusted to ISG by clients or other third parties. The security measures described herein define the basic minimum level of security required for ISG systems and information. Non-compliance with the required security measures and behaviors outlined in this policy could pose significant business and legal risk to ISG, and may create a potential for legal actions that could significantly impact ISG’s operations and damage its business assets and reputation. Consequences of non-compliance may include, but are not limited to, reprimand, financial penalties, termination of employment, and/or legal action. Therefore, compliance with this policy and all ISG security-related policies is a mandatory condition of employment for all ISG people, as well as for any third parties (such as outsourcing providers, contractors, alliance partners, clients, etc.) that access ISG systems or data. No one is permitted to bypass the security mechanisms provided by ISG systems or infrastructure for any reason.

1.3 Exception, Migration and Time Frames

All ISG employees, contractors and systems must comply with the statements in this policy with immediate effect.

Where a longer transition is required to achieve compliance, a documented business justification must be submitted with proposed timelines as a Security Exception to the Information Security Management Team for approval.

Any exceptions to this Policy must be clearly documented and submitted to the Information Security Management team for evaluation and approval. Only exceptions which have been approved are valid.

2 Information Security Policy

2.1 Policy

ISG shall endeavor to ensure that the information and the information processing facilities are protected and made secure from all known security threats arising both internally and externally.

ISG shall strive to secure information by:

  • Establishing and maintaining an effective Information Security Management System (ISMS);
  • Performing risk assessments periodically;
  • Implementing information security controls to mitigate the identified risks;
  • Complying with legal, regulatory and contractual information security requirements;
  • Establishing an effective Business Continuity Management Framework;
  • Deploying the most appropriate technology and infrastructure;
  • Creating a security-conscious culture;
  • Continually monitoring and improving the effectiveness of the ISMS;
  • Complying with the Information Security Objectives listed below.

2.2 Information Security Objectives

  • To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
  • To implement the necessary security controls for all the identified risks and lower the risk exposure to an acceptable level.
  • To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
  • To protect the organization’s business information and any client or customer information within its custody or safekeeping by safeguarding its confidentiality, integrity and availability.
  • To ensure all information security incidents are recorded and addressed with appropriate Corrective and Preventive actions.
  • To ensure that information security is designed and implemented within the standard operations of information systems.

2.3 Information Security Requirements

ISG, in its requirements for information security, shall include, but not be limited to, the following:

  • Requirements arising from assessment of risks
  • Legal, statutory, regulatory and contractual requirements
  • Any changes in organization or business strategy that may affect Information Security

2.4 Compliance with the Information Security Management System

All ISG employees, contractors and third parties shall be compliant with the ISMS. Any violation shall lead to disciplinary action or service termination, with the possibility of legal action being initiated against the individual(s) concerned as applicable under the relevant legislation.

In this section we highlight the policies that are of material relevance to all:

2.4.1 IT Acceptable Use Policy

The IT Acceptable Use Policy is published on the Information Security site on OneX. It outlines detailed instructions on how ISG’s IT equipment and systems are to be used and is to be read and complied with by all ISG personnel, including permanent members of staff, contract, and temporary appointees.

2.4.2 Data Protection and Privacy Policy

The Employee (and Contractor) Data Protection and Privacy policy is published in the “People” Global Policies and Procedures section on OneX. The principal law in the UK concerning privacy and data protection (“PDP”) is the Data Protection Act 2018 (“DPA 2018”). The DPA 2018 implements EC Council Directive 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Similar laws apply in all EU countries.

Breach of the PDP laws may severely impact ISG’s business. The Information Commissioner's Office (“ICO”) is the relevant data protection authority in the UK and it has extensive powers. Similar data protection authorities exist in all other EU countries.

ISG takes compliance with PDP laws very seriously. ISG employees must ensure they are operating in line with our policy and receive annual formal data protection and privacy training and periodic awareness reminders.

2.5 Review of the Information Security Policy

The Information Security Policy shall be reviewed by the Information Security Committee (ISC) annually, and whenever significant changes occur, to ensure its continuing relevance and accuracy.

2.6 Management of the ISMS

The ISC shall regularly convene to review the effectiveness of the ISMS implemented within the organization and shall act as the final approving authority for all information security related decisions, ISMS documentation and any subsequent changes made.

The ISC shall allocate information security responsibilities to appropriate personnel.

2.7 Employee Confidentiality Agreements

The ISC shall identify and review the requirements for the protection of information among employees and work with HR (who manage the process) to maintain confidentiality agreements signed by all employees and third party staff.

2.8 Contact with Authorities and Special Interest Groups

ISG shall maintain up-to-date contact details of the relevant civil authorities including but not limited to medical services, police stations, and the fire brigade that are to be contacted during a crisis.

ISG shall also maintain professional associations with special interest groups in the area of information security in order to keep abreast of information security best practices.

2.9 Independent Review of Information Security

ISG shall ensure that the organization’s approach to managing information security, and its implementation, are reviewed independently at regular intervals or when significant changes occur, with minimal risk of disruption to business processes.

2.10 Addressing Security with External Parties

ISG shall cover all relevant security requirements while entering into an agreement with external parties involving accessing, processing, communicating or managing the organization’s information or information processing facilities.

2.11 Third Party Service Delivery Management

ISG shall ensure that the security controls, service definitions and delivery levels specified in the agreement with the third party service provider are implemented, operated and maintained by the third party.

ISG shall, on a regular basis, monitor the service levels and quality of the third party service provider through means such as review of service reports.

ISG shall manage changes to the terms of third party service provider agreements, taking into account the criticality of the business systems or processes involved and re-assessing the associated risks.

2.12 Continual Improvement

ISG is committed to the continual improvement of its Information Security Management System (ISMS) to ensure the confidentiality, integrity, and availability of all sensitive information handled.

To achieve continual improvement, the following activities, among others, are performed:

  1. Regularly review and assess security risks
  2. Implement corrective and preventive actions as necessary
  3. Monitor performance and effectiveness
  4. Run ongoing training and awareness programs
  5. Gather feedback and collaborate

ISG ensures that its ISMS remains adaptable, resilient, and aligned with best practices, thus protecting the interests of clients, stakeholders, and employees.