Information Security Policy
Purpose
This policy specifies the Exmouth Town Supporters Club (ETSC) priorities for the implementation of Information Security within the supporters club. Information is essential for the day-to-day operations of the supporters club: news; events; club information; fundraising; membership and sponsorship; administrative functions; voluntary and community work. ETSC relies on digital technology to collaborate and store information as well as some limited use of printed documents and records. Failure to adequately protect and secure information (whatever its form) increases the risk of financial and reputational losses from which it could be difficult for the supporters club to recover. Information security is the framework of controls around policy, physical security, technical security, training and organisational culture that help to protect the information that is valuable to the supporters club. This policy is based on the following standards, regulation and legislation:
- General Data Protection Regulation (GDPR) and ICO Guidance
- Data Protection Act 2018
- ISO/IEC 27001 and ISO/IEC 27002
- Cyber Essentials Scheme
Scope
This policy applies to all people who handle information on behalf of the ETSC as part of their role (committee officers, members, and third parties carrying out a supporters club function). In particular, this policy relates to securing information and working to ensure an appropriate balance of its confidentiality, integrity and availability. Sensitive information that is valuable to the supporters club (whether owned, generated by or entrusted to ETSC) should be protected from theft, misuse, or compromise that could impact:
- An individual’s reasonable expectations of privacy and security
- ETSC’s ability to carry out its functions
- The reputation of ETSC (and Exmouth Town Football Club)
- ETSC’s ability to meet legal, ethical and regulatory requirements.
Information can be written, electronic or verbal and can include: email correspondence; published documents; draft plans and strategy documents; surveys, polls and assessments; data, analysis and findings; committee and membership information systems; disciplinary or grievance proceedings. Whatever the form, valuable and sensitive information should be protected throughout its lifecycle (collecting, storing, using, sharing, retaining and disposing).
Responsibilities
Information security is effective when layers of security are applied across physical, technical, policy and personnel security. No single control, individual or group can be solely responsible for protecting ETSC and its information: all members of ETSC should apply a combination of controls to maintain and protect the confidentiality, integrity and availability of supporters club information.
- Users – All members of ETSC are directly responsible for protecting ETSC (and our partners') information in accordance with this policy. This includes complying with relevant legislative, regulatory and contractual requirements, and applying protection measures to information in line with its sensitivity and value.
- Data Owners – All information should have a clearly defined owner. The Data Owner is the senior officer responsible and accountable for the function that creates and uses that information. In general, Data Owners for ETSC will be nominated committee members.
- System Owners – System Owners are in charge of and responsible for one or more systems. This responsibility includes implementing baseline technical security measures, including (but not limited to): physically securing the hardware infrastructure; patching and updating systems; secure configuration; full disk encryption on laptops used to store or process supporters club information; user access controls and password security; backups and restoration; antivirus and malware protection. In general, System Owners for ETSC will be nominated committee members. Some systems, such as the ETSC website, may be externally hosted with third parties.
Values and Information Usage
ETSC information (owned by or shared with the supporters club) should be stored within supported, managed storage and systems which are resilient and secure.
Where supporters club requirements cannot be met by supported, managed storage and systems, and local information storage is justified, the Data Owner and System Owner should ensure that technical security controls, acceptance of risk responsibility and documentation are in place that meet the Data Owner and System Owner responsibilities set out in this policy.
All members of ETSC who access, use or manage supporters club information are responsible for reporting data loss and security incidents. Contact us immediately to report any loss or compromise of personal data.
All ETSC information should be returned to the supporters club when its members leave or move to another role. This includes informing appropriate committee members of information handover arrangements to ensure the supporters club retains ownership and custody of the information.
All members of ETSC should follow supporters club guidance on the secure disposal or preservation of information at the end of its use. See the ETSC Retention Schedule below.
Classification and Protection
The table below summarises the three data classifications which underpin this Information Security Policy. The higher the risk of compromise to information, the more layers of protection are necessary to secure it. Layers will be a combination of physical, technical or procedural security (known as defence in depth) throughout the information’s lifecycle i.e. when collecting, storing, using, extracting, sharing / transferring, retaining or disposing of data. Classifying information focuses effort and resources into protecting the most sensitive and valuable information.
| Classification | Public | Internal | Confidential |
|---|---|---|---|
| Description | Information intended for sharing in the public domain. | Information used for day-to-day ETSC functions and not intended for the general public. | Any quantity of personal data (about living people), or information with contractual or business value. |
| Impact if Breached | No adverse impact. | Some adverse impact and disruption to services. Possible breach of confidence or statutory duty. | Serious privacy or reputational risk, financial impact, commercial disadvantage or disruption to services. Breach of statutory or regulatory duty, with risk of a fine. |
| Mitigation | Information categorised as PUBLIC does not need any special handling requirements. | Access should be appropriate to role and protected by at least one barrier, e.g. a username and password for technical security, or ID access control or a locked office / cupboard for physical security. | Access to CONFIDENTIAL information should be: appropriate to role and subject to authorisation by the Data Owner; protected by more than one barrier; encrypted when in transit; shared only with appropriate personnel; securely destroyed at end of use. |
There may be limited circumstances where the Data Owner (or their deputy) has a requirement to store classified information differently, or with increased safeguards.
Awareness
ETSC is committed to supporting and promoting awareness of information security responsibilities, so that members of the supporters club understand the risks and apply appropriate protection to the information they handle as part of their role.
Acceptable Use
All data users, Data Owners and System Owners are expected to use ETSC data only for the purposes for which it was intended. All ETSC members should comply with the expected behaviours and activities when carrying out a supporters club function. The committee will consider relevant misconduct or disciplinary procedures in the event of misuse.
Information Retention and Secure Disposal
At the end of the retention period, information must be securely disposed of to avoid the risk of compromise or misuse. INTERNAL or CONFIDENTIAL information should be destroyed beyond the ability to recover it (paying due regard to environmental and legislative requirements for waste and hazardous waste processing). Disposal of IT equipment and sensitive paper waste containing ETSC data should follow secure procedures that manage the chain of custody.
Retention Schedule
To be completed.
Compliance
Failure to comply with this policy in protecting ETSC information (or information entrusted to us by a third party) puts the supporters club (and, potentially, Exmouth Town FC) at risk of reputational damage, financial penalty, and breach of legal, contractual or regulatory requirements. It may also lead to disciplinary action or a misconduct investigation carried out by officers of the committee.