Policy statement
- Our electronic communications systems and equipment are intended to promote effective communication and working practices within the ComponentSource Group, and are critical to the success of our business. Cyber crimes and data theft can negatively impact our reputation and business development and leave data such as financial information, sensitive commercial documents, employee data and customer information unprotected. This policy outlines the standards we require users of these systems to observe, the circumstances in which we will monitor use of these systems and the action we will take in respect of breaches of these standards.
- We expect all of our electronic and computer facilities to be used in an effective and professional manner and encourage all employees to develop the skills necessary to do so. These facilities are provided by the Company at its own expense for its own business purposes to assist its employees in carrying out their duties effectively. It is the responsibility of each employee to ensure that this technology is used for proper business purposes and in a manner that does not compromise the Company or its employees in any way.
- This policy applies to the use of Company technology whilst at work, including remote working, and also when using Company technology from outside work, e.g. when dialling in from home, using a Company laptop when away on business and when using smartphones or personal digital assistants (PDAs). This policy document is to be read in conjunction with the Disciplinary Rules and the Disciplinary Procedure. If you have any questions about the application of this policy, please contact either the CIO or the CFO.
- Misuse of the Internet or email can expose both you and the Company to legal or financial liability. For example, you may enter into unintended contracts, breach copyright or licensing arrangements, incur liability for defamation or harassment or introduce viruses into the system. This policy is designed to safeguard both you and the Company from such liabilities. It is important that you read it carefully and ensure that any use of the Internet or email is in accordance with its terms.
- This policy applies to your personal use of email or the Internet where you identify yourself as associated with ComponentSource. We may modify this policy from time to time to take account of changes in technology, law and best practice.
- The CIO is responsible for the monitoring and implementation of this policy. If you have any questions about the content of this policy or other comments you should contact the CIO.
- This policy does not form part of any employee's contract of employment and it may be amended at any time.
Who is covered by the policy?
- This policy covers all individuals working at all levels, including senior Managers, officers, Directors, employees, consultants, contractors, trainees, homeworkers, part-time and fixed-term employees, casual and agency staff (collectively referred to as employees in this policy).
- Third parties who have access to our electronic communication systems and equipment are also required to comply with this policy.
The scope and purpose of the policy
- The purpose of this policy is to protect ComponentSource data and infrastructure, outline the protocols and guidelines that govern our cyber security measures, define the rules for Company and personal use and the disciplinary consequences of non-compliance.
- This policy deals mainly with the use (and misuse) of computer equipment (directly, or via remote access), e-mail, the internet (including excessive personal use of Internet searching and use of social media, except in connection with authorised ComponentSource PR activities), telephones, smartphones, USB sticks, personal digital assistants (PDAs) and voicemail, but it applies equally to the use of fax machines, copiers, scanners, CCTV, and electronic key fobs and cards.
- All employees are expected to comply with this policy at all times to protect our electronic communications systems and equipment from unauthorised access and harm. Breach of this policy may be dealt with under our Disciplinary Procedure and, in serious cases, may be treated as gross misconduct leading to summary dismissal.
Personnel responsible for implementation of the policy
- The ComponentSource board of directors (the board) has overall responsibility for the effective operation of this policy, but has delegated day-to-day responsibility for its operation to the CIO. Responsibility for monitoring and reviewing the operation of this policy and making any recommendations for change to minimise risks to our operations also lies with The CIO.
- The IT Department will deal with requests for permission or assistance under any provisions of this policy, subject to their primary tasks of maintaining our core systems, and may specify certain standards of equipment or procedures to ensure security and compatibility.
- All Managers have a specific responsibility to operate within the boundaries of this policy, ensure that all employees understand the standards of behaviour expected of them and to take action when behaviour falls below its requirements.
- All employees are responsible for the success of this policy and should ensure that they take the time to read and understand it. Any misuse of our electronic communications systems or equipment should be reported to the CIO or to the CFO. Questions regarding the content or application of this policy should be directed to the CIO.
Equipment security and passwords
- Employees are responsible for the security of the equipment allocated to or used by them, and must not allow it to be used by anyone other than in accordance with this policy.
- When given access to the e-mail system or to the internet, employees are responsible for the security of their terminals. If leaving a terminal unattended or on leaving the office they should ensure that they lock their terminal or log off to prevent unauthorised users accessing the system in their absence.
- Desktop PCs and cabling for telephones or computer equipment should not be moved or tampered with without first consulting the IT Department.
- Passwords are unique to each user and must be changed regularly to ensure confidentiality. Passwords must be kept confidential and must not be made available to anyone else. Good practice requires choosing passwords with a minimum 8 characters and a combination of upper and lower case letters, numbers, and (ideally) symbols. Passwords should be remembered and not written down, but if they must be written somewhere that document must be kept confidential and destroyed when no longer required. For the avoidance of doubt, on the termination of your employment (for any reason) you must provide details of your passwords to the Chief Information Officer or to the Financial Director and return any equipment, key fobs or cards.
- If you have been issued with a laptop or smartphone you must ensure that it is kept secure at all times, especially when travelling. Passwords must be used to secure access to data kept on such equipment to ensure that confidential data is protected in the event of loss or theft. You should also be aware of the possibility that when using equipment away from ComponentSource premises, documents may be read by third parties, for example, passengers on public transport, and you must take all necessary steps to avoid this.
Systems and data security
- You must not delete, destroy or modify existing systems, programs, information or data which could have the effect of harming our business or exposing it to risk.
- You must not download or install software from external sources without authorisation from the CIO. This includes software programs, instant messaging programs, screensavers, photos, video clips and music files. Incoming files and data will be virus-checked by the IT Department before they can be downloaded. You must also not access any of the following or similar from the network: online radio, audio and video streaming, instant messaging and webmail (such as Hotmail, WhatsApp or Yahoo) or social networking sites (such as Facebook, Instagram, YouTube, X).
- Confidential data includes, but is not limited to:
- Unreleased financial information
- Customer, supplier, partner and shareholder information
- Employee information
- Customer lists, sales leads and related data
- Passwords
- Contracts
- Legal and business records
The transferring of data, whether internally or to external recipients, carries additional security risks. Employees must therefore:
- Refrain from transferring confidential information to unauthorized employees or to outside parties;
- Only transfer confidential data over the ComponentSource network;
- Ensure all necessary authorizations for data transfer have been obtained;
- Verify that any recipient outside the Company itself has appropriate security measures in place;
- Comply with the ComponentSource Data Protection Policy;
- Immediately alert the Chief Information Officer to any actual or suspected privacy breaches, hacking attempts, malicious software and/or scams.
- No device or equipment should be attached to our systems without the prior approval of the IT Department. This includes any USB flash drive, MP3 or similar device, PDA or telephone. It also includes use of the USB port, infra-red connection port or any other port. Similarly, employees should not seek to access ComponentSource systems and accounts from devices owned by others, or lend their own Company devices to anyone else without the prior approval of the CIO.
- We monitor all e-mails passing through our system for viruses. Employees must exercise caution when opening e-mails from unknown external sources or where, for any reason, an e-mail appears suspicious (for example, if its name ends in .exe or .ran). The IT Department should be informed immediately if a suspected virus is received. We reserve the right to block access to attachments to e-mails for the purpose of effective use of the system and for compliance with this policy. We also reserve the right not to transmit any e-mail message.
- You should not attempt to gain access to restricted areas of the network, or to any password-protected information, unless specifically authorised.
- Employees using laptops or wi-fi enabled equipment must be particularly vigilant about its use outside the office and take any precautions required by the IT Department from time to time against importing viruses or compromising the security of the system. The system contains information which is confidential to our business and/or which is subject to data protection legislation. Such information must be treated with extreme care and in accordance with our Data Protection Policy.
E-mail etiquette and content
- E-mail is a vital business tool, but an informal means of communication, and should be used with great care and discipline. You should always consider if e-mail is the appropriate means for a particular communication, and correspondence sent by e-mail should be written as professionally as a letter or fax. Our standard disclaimer should always be included. Hard copies of any e-mails containing contractual terms or amendments, or containing dispute-related correspondence (in or out) should be kept on the appropriate file.
- E-mail, just like any other form of communication, should reflect the highest professional standards at all times. You should keep messages brief and to the point, ensure that an appropriate heading is inserted in the subject field and that the spelling and grammar are carefully checked before sending. You should also double check the recipient before pressing the send button – not only can it be embarrassing if a message is sent to the wrong person, it can also result in the unintentional disclosure of confidential information about the Company.
- You should ensure that you access your e-mails at least once every working day, stay in touch by remote access when travelling and use an out of office response when away from the office for more than a day. You should endeavour to respond to e-mails marked "high priority" within one working day.
- You must not send abusive, obscene, discriminatory, racist, harassing, derogatory or defamatory e-mails. If you feel that you have been harassed or bullied, or are offended by material received from a colleague via e-mail you should inform your line Manager or the CFO.
- E-mails leave a retrievable record and you should always take care with the content of e-mail messages. You must assume that e-mail messages may be read by others and not include anything which would offend or embarrass any reader, or yourself, if it found its way into the public domain.
- E-mail messages may be disclosed in legal proceedings in the same way as paper documents. Incorrect or improper statements can give rise to claims for discrimination, harassment, defamation, breach of confidentiality or breach of contract. Deletion from a user's inbox or archives does not mean that an e-mail cannot be recovered for the purposes of disclosure and all e-mail messages should be treated as potentially retrievable, either from the main server or using specialist software.
- In general, you should not:
- send or forward private e-mails at work which you would not want a third party to read;
- send or forward chain mail, junk mail, cartoons, jokes or gossip;
- contribute to system congestion by sending trivial messages or unnecessarily copying or forwarding e-mails to those who do not have a real need to receive them;
- sell or advertise using our communication systems or broadcast messages about lost property, sponsorship or charitable appeals without the approval of the CFO;
- agree to terms, enter into contractual commitments or make representations by e-mail unless you have, or you have obtained, the appropriate authority. A name typed at the end of an e-mail is a signature in the same way as a name written at the end of a letter;
- download or e-mail text, music and other content on the internet subject to copyright protection, unless it is clear that the owner of such works allows this;
- send messages from another employee's computer or under an assumed name or via a virtual private network (VPN) unless specifically authorised; or
- use e-mails or the internet or any other means of external communication which are known not to be secure to send highly confidential or sensitive or personal content.
You should never assume that internal or external messages are necessarily private and confidential, even if marked as such. The Internet is not a secure means of communication and third parties may be able to access or alter messages that have been sent or received. So do not send any information in an email which you would not be happy being publicly available. The confidentiality of internal communications can only be ensured if they are sent by internal post or delivered personally by hand or included in a password protected online document.
- If you receive a wrongly-delivered e-mail you should return it to the sender at the first opportunity and not retain, copy or disclose it in any way, except that if the e-mail contains inappropriate material (as described above) you should report this to the CIO.
Use of the internet
- When a website is visited, devices such as cookies, tags or web beacons may be employed to enable the site owner to identify and monitor visitors. If the website is of a kind described in paragraph 10.11.2 below, such a marker could be a source of embarrassment to the visitor and us, especially if inappropriate material has been accessed, downloaded, stored or forwarded from the website. Such actions may also, in certain circumstances, amount to a criminal offence if, for example, the material is pornographic in nature. This is further considered under Inappropriate use of equipment and systems below.
- You should therefore not access any web page or any files (whether documents, images or other) downloaded from the internet which could, in any way, be regarded as illegal, offensive, in bad taste or immoral. While content may be legal in the UK, it may be in sufficient bad taste to fall within this prohibition. As a general rule, if any person (whether intended to view the page or not) might be offended by the contents of a page, or if the fact that our software has accessed the page or file might be a source of embarrassment if made public, then viewing it will be a breach of this policy.
- You must not under any circumstances use ComponentSource systems to participate in any internet chat room, post messages on any internet message board or set up or log text or information on a blog or wiki, even in your own time. Exceptionally, specific permissions may be granted to relevant employees to access and post on social media in connection with and solely for the purposes of promoting ComponentSource and its business.
Personal use of systems
- We permit the incidental use of internet, e-mail and telephone systems subject to certain conditions set out below. Personal use is a privilege and not a right. It must be neither abused nor overused and we reserve the right to withdraw our permission at any time.
- The following conditions must be met for personal usage to continue:
- use must be minimal and take place substantially out of normal working hours (that is, during lunch hours, before 9 am or after 5.30 pm), except in cases of emergency;
- personal e-mails must be labelled "personal" in the subject header;
- use must not interfere with business or office commitments;
- use must not commit us to any marginal costs; and
- use must comply with our policies including the Equal Opportunities Policy, Anti-Harassment and Anti-Bullying Policy, Data Protection Policy and Disciplinary Procedure, and with E-mail etiquette and content (see above).
- You should be aware that personal use of our systems may be monitored (see below) and, where breaches of this policy are found, action may be taken under our Disciplinary Procedure. We reserve the right to restrict or prevent access to certain telephone numbers or internet sites if we consider personal use to be excessive.
- You are not entitled to arrange for any personal mail to be addressed to you at ComponentSource. We have no way of knowing that particular mail may not relate to the Company’s business and all mail which comes in is opened as a matter of course. This applies even to mail which is marked ‘personal’ and/or ‘private and confidential’.
- Mobile telephones: If you are provided with a mobile or car telephone, this is to be used principally for business telephone calls only. If the telephone is used for private telephone calls, we reserve the right to require you to reimburse the cost of these calls. You should take care of the telephone and ensure it is secure at all times. In the event that it is stolen you should notify your line Manager or the Financial Director immediately. In the absence of both of them you should take all reasonable steps to ensure that the telephone is disconnected by the service provider. The mobile telephone and any accessories should be returned immediately if this is requested by your line Manager or on the termination of your employment.
Monitoring of use of systems
- Our systems enable us to monitor telephone, e-mail, voicemail, internet and other communications. For business reasons, and in order to carry out legal obligations in our role as an employer, use of our systems including the telephone and computer systems, and any personal use of them, may be continually monitored. Monitoring is only carried out to the extent permitted or as required by law and as necessary and justifiable for business purposes.
- CCTV systems monitor the exteriors of our buildings 24 hours a day. This data is recorded.
- We reserve the right to retrieve the contents of messages or check searches which have been made on the internet for the following purposes (this list is not exhaustive):
- to monitor whether the use of the e-mail system or the internet is legitimate and in accordance with our policies;
- to find lost messages or to retrieve messages lost due to computer failure;
- to assist in the investigation of wrongful acts, or
- to comply with any legal obligation.
Inappropriate use of equipment and systems
- Access is granted to the internet, telephones and other electronic systems for legitimate business purposes only. Incidental personal use is permissible provided it is in full compliance with our rules, policies and procedures (including this policy, the Equal Opportunities Policy, Anti-Harassment and Anti-Bullying Policy, Data Protection Policy and Disciplinary Procedure).
- Misuse or excessive use or abuse of our telephone or e-mail system, or inappropriate use of the internet in breach of this policy will be dealt with under our Disciplinary Procedure. Misuse of the internet can, in certain circumstances, constitute a criminal offence. In particular, misuse of the e-mail system or inappropriate use of the internet by participating in online gambling or chain letters or by creating, viewing, accessing, transmitting or downloading any of the following material will amount to gross misconduct (this list is not exhaustive):
- pornographic material (that is, writing, pictures, films and video clips of a sexually explicit or arousing nature);
- offensive, obscene, or criminal material or material which is liable to cause embarrassment to us or to our customers;
- a false and defamatory statement about any person or organisation;
- material which is discriminatory, offensive, derogatory or may cause embarrassment to others;
- confidential information about us or any of our employees or customers (which you do not have authority to access);
- any other statement which is likely to create any liability (whether criminal or civil, and whether for you or us); or
- material in breach of copyright.
- Any such action will be treated very seriously and is likely to result in summary dismissal.
- Where evidence of misuse is found we may undertake a more detailed investigation in accordance with our Disciplinary Procedure, involving the examination and disclosure of monitoring records to those nominated to undertake the investigation and any witnesses or Managers involved in the Disciplinary Procedure. If necessary such information may be handed to the police in connection with a criminal investigation.
Monitoring and review of this policy
- The CIO, in conjunction with the CFO, is responsible for reviewing this policy periodically to ensure that it meets legal requirements and reflects best practice.
- The CFO has responsibility for ensuring that any person who may be involved with administration or investigations carried out under this policy has or receives appropriate training and/or instruction to enable them to carry out these duties.
- Employees are invited to comment on this policy and suggest ways in which it might be improved by contacting either the CIO or the CFO.
Disaster Recovery Plan
The CIO is responsible for creating, implementing and maintaining an adequate Disaster Recovery Plan for the Company’s business, namely the ability to restore access and functionality to the Company’s IT infrastructure after a disaster event, whether natural or caused by human action or error, to ensure that critical business functions are operational as soon as possible after a disruptive event occurs.
Cybersecurity is an increasingly common area where disaster recovery is critical to handling threats.
Maintenance requires the proper replication and backing up of data and IT infrastructure to specific restore points in order to regain functionality and control over systems that become infected, breached, or rendered inoperable for any reason.
The CIO periodically conducts disaster recovery tests to help identify any weaknesses or gaps in the Company’s Disaster Recovery Plan and to ensure that the strategic processes in place will effectively restore critical systems and data in the event of an incident, enabling the Company to regain control over its IT systems.
CSCSP 11/2024