Information Security Policy

1. Introduction and Purpose

This Information Security Policy establishes ClearMinds' framework for protecting the confidentiality, integrity, and availability of information and information systems.

As a provider of mental health services processing sensitive personal data, information security is critical to:

• Protecting service users' confidentiality and privacy
• Maintaining trust with corporate clients and partners
• Complying with UK GDPR and Data Protection Act 2018
• Ensuring business continuity and service reliability
• Safeguarding our reputation and competitive position

2. Scope

This policy applies to:

• All information assets (paper and electronic)
• All information systems, networks, and devices
• All staff, contractors, consultants, and third parties with access to our systems
• All locations where ClearMinds information is processed or stored
• All processing activities, whether on-premises or cloud-based

3. Information Security Principles

3.1 Confidentiality

Information is protected from unauthorized disclosure. Only authorized individuals can access information appropriate to their role.

3.2 Integrity

Information is accurate, complete, and protected from unauthorized modification. Changes are properly authorized and logged.

3.3 Availability

Information and systems are available when needed by authorized users. We maintain appropriate backup and recovery procedures.

4. Roles and Responsibilities

Role	Security Responsibilities
Board of Directors	Ultimate accountability for information security, approve policy, ensure adequate resources
Chief Technology Officer	Policy owner, oversee security strategy, manage IT security team, report to board
Data Protection Officer	Ensure security meets GDPR requirements, advise on security measures, investigate breaches
IT Security Team	Implement security controls, monitor threats, respond to incidents, conduct assessments
All Managers	Ensure team compliance, manage access rights, report security incidents
All Staff	Follow security procedures, protect passwords, report incidents, complete training

5. Access Control

5.1 User Access Management

Principle: Least privilege - users only have access to information and systems necessary for their role.

Access Control Procedures:

• Registration: Formal process for granting access
• Authorization: Manager approval required for all access
• Regular Reviews: Quarterly review of all user access rights
• Immediate Revocation: Access removed immediately upon termination

5.2 User Responsibilities

• Keep user IDs and passwords confidential
• Never share credentials with anyone
• Use strong, unique passwords (minimum 12 characters)
• Enable multi-factor authentication (MFA) where available
• Lock screens when leaving workstation unattended
• Report lost or compromised credentials immediately

5.3 Password Requirements

• Minimum 12 characters
• Mix of uppercase, lowercase, numbers, and symbols
• Changed every 90 days (where not using MFA)
• Cannot reuse previous 5 passwords
• Use password manager for secure storage
• Never write down or store in plain text

5.4 Multi-Factor Authentication (MFA)

MFA is mandatory for:

• All remote access
• All administrative accounts
• Access to systems containing special category data
• Email access
• Cloud services

6. Physical and Environmental Security

6.1 Secure Areas

• Physical access controls to offices and data centers
• Visitor logging and escort procedures
• CCTV monitoring of entry points
• Secure storage for sensitive documents

6.2 Equipment Security

• All laptops and mobile devices encrypted
• Cable locks for desktop equipment
• Secure disposal of equipment (certified data destruction)
• Asset register maintained

6.3 Clear Desk Policy

• No sensitive documents left on desks overnight
• Documents locked away when not in use
• Confidential waste bins used for sensitive documents
• Screens locked when leaving desk

7. Communications and Operations Security

7.1 Network Security

• Firewalls: All network perimeters protected
• Network Segmentation: Separate networks for different security zones
• Wireless Security: WPA3 encryption, separate guest network
• VPN: Required for remote access
• Intrusion Detection: 24/7 monitoring for suspicious activity

7.2 Malware Protection

• Anti-virus and anti-malware on all endpoints
• Automatic daily updates
• Email filtering for malicious attachments
• Web filtering to block malicious sites
• Regular scanning schedules

7.3 Backup and Recovery

• Frequency: Daily automated backups
• Scope: All critical systems and data
• Storage: Encrypted, geographically separate location
• Testing: Monthly restore tests
• Retention: 30 daily, 12 monthly backups

7.4 Patch Management

• Critical security patches applied within 48 hours
• Other updates applied within 30 days
• Testing procedures for major updates
• Automated patch deployment where possible

8. Cryptography

8.1 Encryption Standards

• Data in Transit: TLS 1.3 or higher
• Data at Rest: AES-256 encryption
• Email: TLS for email transmission, S/MIME or PGP for sensitive content
• Mobile Devices: Full disk encryption mandatory
• Removable Media: Encrypted USB drives only

8.2 Key Management

• Secure generation and storage of encryption keys
• Regular key rotation
• Separation of duties for key management
• Secure key destruction procedures

9. System Development and Maintenance

9.1 Secure Development

• Security requirements defined for all new systems
• Security testing before deployment
• Code review procedures
• Secure coding standards
• Change management procedures

9.2 Security Testing

• Vulnerability Scanning: Weekly automated scans
• Penetration Testing: Annual external testing
• Application Security Testing: For all new applications
• Remediation: Critical vulnerabilities fixed within 7 days

10. Supplier Relationships

10.1 Third-Party Security

All suppliers and service providers must:

• Complete security assessment before engagement
• Sign Data Processing Agreements (DPAs)
• Demonstrate adequate security controls
• Provide evidence of security certifications (e.g., ISO 27001, Cyber Essentials)
• Undergo annual security reviews
• Report security incidents within 24 hours

10.2 Cloud Service Providers

Additional requirements for cloud providers:

• Data location in UK/EEA
• Evidence of encryption at rest and in transit
• Regular security audits (SOC 2, ISO 27001)
• Data backup and recovery procedures
• Right to audit

11. Information Security Incident Management

11.1 Incident Categories

• Category 1 (Critical): Data breach, ransomware, major system compromise
• Category 2 (High): Successful phishing, malware infection, unauthorized access
• Category 3 (Medium): Failed intrusion attempts, policy violations
• Category 4 (Low): Suspicious activity, minor policy breaches

11.2 Reporting Procedures

All security incidents must be reported immediately:

• IT Security Team: it-security@clearmindseap.com | [PHONE]
• Data Protection Officer: dpo@clearmindseap.com | [PHONE]
• Emergency (24/7): [EMERGENCY NUMBER]

11.3 Response Procedures

For every incident:

• Contain: Immediate action to prevent escalation
• Assess: Determine scope and impact
• Notify: Inform relevant parties (DPO, management, ICO if required)
• Investigate: Root cause analysis
• Remediate: Fix vulnerabilities
• Learn: Post-incident review and improvements

12. Business Continuity

12.1 Business Continuity Plan

• Documented procedures for critical functions
• Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) defined
• Alternative working arrangements identified
• Communication plans for staff and clients

12.2 Disaster Recovery

• Backup systems and data centers
• Documented recovery procedures
• Regular testing (at least annually)
• Staff training on disaster recovery roles

13. Compliance and Assurance

13.1 Security Audits

• Internal Audits: Quarterly reviews of security controls
• External Audits: Annual independent security assessment
• Penetration Testing: Annual testing by certified testers
• Vulnerability Assessments: Weekly automated scanning

13.2 Security Certifications

ClearMinds maintains or is working towards:

• Cyber Essentials / Cyber Essentials Plus
• ISO 27001 Information Security Management
• NHS Digital Data Security and Protection Toolkit (if applicable)

13.3 Compliance Requirements

• UK GDPR and Data Protection Act 2018
• Privacy and Electronic Communications Regulations (PECR)
• Computer Misuse Act 1990
• Professional standards for healthcare providers
• Contractual obligations to corporate clients

14. Training and Awareness

14.1 Mandatory Training

All staff must complete:

• Induction Security Training: Before accessing systems
• Annual Refresher Training: Every 12 months
• Phishing Awareness: Quarterly simulations
• Role-Specific Training: For IT staff and administrators

14.2 Training Topics

• Information security policies and procedures
• Password security and MFA
• Recognizing phishing and social engineering
• Secure handling of sensitive data
• Mobile device security
• Incident reporting procedures
• Data protection and GDPR

15. Acceptable Use

15.1 System Use Policy

Company systems must only be used for:

• Legitimate business purposes
• Activities authorized by management
• Compliance with all company policies

15.2 Prohibited Activities

• Unauthorized access to systems or data
• Sharing credentials with others
• Installing unauthorized software
• Connecting unauthorized devices
• Downloading or distributing malware
• Accessing inappropriate content
• Using company systems for personal business
• Circumventing security controls

15.3 Email and Internet Use

• Professional and appropriate use only
• Never share sensitive data via unencrypted email
• Be cautious of phishing attempts
• Report suspicious emails
• Limit personal use

15.4 Mobile Devices

• Only approved devices for company data
• Must be encrypted and password-protected
• Install company mobile device management (MDM)
• Report lost or stolen devices immediately
• Keep operating system and apps updated
• Don't use public Wi-Fi without VPN

16. Remote Working Security

16.1 Remote Access Requirements

• Use company-approved VPN for all remote access
• Multi-factor authentication required
• Encrypt all devices used for remote work
• Secure home network (strong Wi-Fi password)
• Never use public computers for work

16.2 Home Working Best Practices

• Private workspace away from family/visitors
• Lock screen when leaving workspace
• Ensure privacy during video calls
• Secure storage for documents
• Shred sensitive documents

17. Data Disposal and Destruction

17.1 Electronic Data

• Secure deletion software for hard drives
• Physical destruction for end-of-life equipment
• Certificate of destruction obtained
• Never donate or sell equipment without proper wiping

17.2 Physical Documents

• Cross-cut shredding for all confidential documents
• Confidential waste bins
• Secure disposal service for large volumes
• Never dispose in regular waste

18. Monitoring and Logging

18.1 System Monitoring

• 24/7 security monitoring of critical systems
• Intrusion detection and prevention systems
• Log collection and analysis
• Automated alerting for suspicious activity

18.2 Audit Logging

• User access to sensitive data logged
• Administrative actions logged
• System changes logged
• Logs retained for 2 years
• Regular log reviews

18.3 Staff Monitoring

Staff should be aware that:

• Company systems and networks may be monitored
• Email and internet use may be reviewed
• Monitoring is for security and compliance purposes
• Privacy rights are respected in accordance with law

19. Policy Review and Updates

This policy is reviewed:

• Annually as a minimum
• Following significant security incidents
• When technology or threats change
• When regulatory requirements change

20. Enforcement

Violations of this policy may result in:

• Mandatory retraining
• Restriction or removal of system access
• Disciplinary action up to and including dismissal
• Legal action in serious cases
• Referral to law enforcement where criminal activity suspected