Cyber Security and Information Security Policy

Last Reviewed: 1 April 2025
Next Review Due: 1 April 2026
Owner: Information Security Officer, Collaboration Works Limited (CWorks)

1. Policy Statement

CWorks is committed to protecting the confidentiality, integrity, and availability of all digital assets, systems, and data within its control. As an AI systems integrator, we recognise the critical importance of cyber security in maintaining client trust, complying with legal obligations, and ensuring business continuity.

We are actively working towards Cyber Essentials certification and aligning our practices with ISO 27001 principles to demonstrate our commitment to industry-recognised security standards.

2. Scope

This policy applies to:

  • All CWorks employees, contractors, and third-party collaborators.
  • All information systems owned, managed, or accessed by CWorks.
  • All data, including client, personal, confidential, and project-specific information.

3. Roles and Responsibilities

Leadership and Management:

  • Ensure cyber security risks are assessed and addressed.
  • Allocate sufficient resources for maintaining secure systems.
  • Oversee the implementation of this policy and review it annually.

All Personnel:

  • Follow secure working practices and report any security incidents immediately.
  • Complete cyber security awareness training annually.
  • Use only authorised systems and software for business operations.

Information Security Officer:

  • Monitor threats, vulnerabilities, and compliance requirements.
  • Coordinate regular audits and incident response drills.
  • Lead implementation of Cyber Essentials and ISO-aligned controls.

4. Key Security Practices

Access Control

  • Use of strong, unique passwords and multi-factor authentication (MFA) across all systems.
  • Role-based access permissions — minimum access by default.
  • Immediate deactivation of access upon termination of employment or contract.

Data Security

  • All sensitive or personal data is encrypted at rest and in transit.
  • Regular data backups stored securely in compliance with UK GDPR.
  • Client data access is strictly limited to authorised project team members.

Device and Endpoint Management

  • Company devices are protected with antivirus, encryption, and remote wipe capability.
  • Personal devices used for work must adhere to our BYOD (Bring Your Own Device) policy and be approved by IT management.

Secure Software Development & AI Integration

  • All AI solutions are developed with security-first principles, including secure API integration, input validation, and rate limiting.
  • Open-source libraries and third-party models are vetted before use.
  • Client integrations are sandboxed and undergo pre-deployment testing.

5. Incident Response

  • CWorks maintains a formal Incident Response Plan (IRP).
  • All security breaches, attempted intrusions, or suspicious behaviour must be reported immediately to the Information Security Officer.
  • Incidents are logged, investigated, and reviewed with corrective actions tracked.

6. Third-Party and Cloud Security

  • All cloud providers and third-party processors must demonstrate compliance with appropriate security frameworks (e.g., ISO 27001, SOC 2).
  • Data processing agreements (DPAs) are maintained for all vendors handling personal or confidential data.

7. Compliance and Risk Management

  • CWorks complies with the UK GDPR, the Data Protection Act 2018, and relevant cyber security regulations.
  • Annual risk assessments are conducted to evaluate emerging threats and update our security posture accordingly.
  • Cyber Essentials certification is currently in progress and scheduled for completion by Q4 2025.

8. Training and Awareness

  • All staff receive regular cyber security awareness training covering phishing, social engineering, safe data handling, and incident response.
  • Targeted training is provided to developers and engineers on secure coding and system design.

9. Review and Improvement

This policy is reviewed annually or upon significant change to our IT systems, services, or threat landscape. It forms part of CWorks’ broader Information Governance Framework.

Contact:
Collaboration Works Limited
Information Security Officer
security@cworks365.com
