1  Introduction

The confidentiality, integrity and availability of information, in all its forms, are critical to the on-going functioning and good governance of Mediahawk. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for Mediahawk to recover.


This information security policy outlines Mediahawk’s approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of the information systems. Supporting policies, codes of practice, procedures and guidelines provide further details.


Mediahawk is committed to a robust implementation of Information Security Management throughout all processes. It aims to ensure the appropriate confidentiality, integrity and availability of its data. The principles defined in this policy will be applied to all physical and electronic information assets for which Mediahawk is responsible.


Mediahawk is specifically committed to preserving the confidentiality, integrity and availability of documentation and data supplied by, generated by and held on behalf of third parties pursuant to the carrying out of work agreed by contract.


2  Objectives

The objectives of this policy are to:

1. Provide a framework for establishing suitable levels of information security for all Mediahawk information systems (including but not limited to all computers, mobile devices, networking equipment, software and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.


                a. This explicitly includes any formal Information Security Management Systems managed by Mediahawk or a 3rd Party provider.

                b. Continuous improvement of any ISMS will be undertaken.


2. Make certain that users are aware of and comply with all current and relevant UK legislation.

3. Provide a safe and secure information systems working environment for staff and any other authorised users.

4. Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle, including satisfying the information security requirements of third party data providers.

5. Protect Mediahawk from liability or damage through the misuse of its IT facilities.


3  Scope

This policy is applicable to, and will be communicated to, all staff and third parties who interact with information held by Mediahawk and the information systems used to store and process it.


This includes, but is not limited to, any systems or data attached to the Mediahawk Network or telephone networks, systems managed by Mediahawk, mobile devices used to connect to Mediahawk networks or hold Mediahawk data, data over which Mediahawk holds the intellectual property rights, data over which Mediahawk is the data controller or data processor, and communications sent to or from Mediahawk.


4  Definitions


Mediahawk Data, for the purposes of this policy, is data owned, processed or held by Mediahawk, whether primary or secondary, irrespective of storage location. It is used interchangeably with the term ‘information’.


5  Policy

5.1 Information security principles

The following information security principles provide overarching governance for the security and management of information at Mediahawk.

1. Information will be assessed as to whether it is classified as Personal Data according to UK GDPR and EU GDPR 2018 and will be treated in accordance with relevant legislative, regulatory and contractual requirements and Mediahawk policies.


2. Staff with particular responsibilities for information (see Section 6. Responsibilities) must ensure Personal Data is handled in accordance with its relevant Data Protection laws and must abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.


3. All users covered by the scope of this policy (see Section 1.2. Scope) must handle information appropriately and in accordance with Data Protection Laws.


4. Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.

            a. Access to information will therefore be granted on the basis of least privilege and need to know.


5. Information will be protected against unauthorised access and processed in accordance with Data Protection Laws.


6. Breaches of this policy must be reported (see Sections 5.4. Compliance and 5.5. Incident Handling).


7. Information security provision and the policies that guide it will be regularly reviewed, including through the use of annual internal audits and penetration testing. 

5.2 Legal & Regulatory Obligations

Mediahawk has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements.


Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.

5.3 Suppliers

All Mediahawk suppliers will abide by Mediahawk’s Information Security Policy. This includes:

  • when accessing or processing Mediahawk assets, whether on site or remotely
  • when subcontracting to other suppliers.

5.4 Compliance, Policy Awareness and Disciplinary Procedures

Any security breach of Mediahawk’s information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems.


The loss or breach of confidentiality of personal data is an infringement of the UK GDPR and Data Protection Act 2018 and contravenes Mediahawk’s Data Protection Policy, and may result in criminal or civil action against Mediahawk.


The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against Mediahawk. Therefore, it is crucial that all users of Mediahawk’s information systems adhere to the Information Security Policy and its supporting policies.


All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.


Any security breach will be handled in accordance with all of Mediahawk’s policies, including the Conditions of Use of IT Facilities at Mediahawk and the appropriate disciplinary policies.

5.5 Incident Handling

If a member of Mediahawk is aware of an Information Security incident, they must report it to the DPO, Colin Hudson, immediately.

5.6 Supporting Policies, Codes of Practice, Procedures and Guidelines

Supporting policies have been developed to strengthen and reinforce this policy statement. These, along with associated codes of practice, procedures and guidelines, are published together and are available for viewing on the Mediahawk Intranet.


All staff and any third parties authorised to access Mediahawk’s network or computing facilities are required to familiarise themselves with these supporting documents and to adhere to them in the working environment.

5.7 Review and Development

This policy, and its subsidiaries, shall be reviewed by the Information Security team and DPO and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.


Additional regulations may be created to cover specific areas.


6 Responsibilities

Members of Mediahawk:

All members of Mediahawk, Mediahawk associates, agency staff working for Mediahawk, third parties and collaborators on Mediahawk’s projects will be users of Mediahawk information. This carries with it the responsibility to abide by this policy and its principles and relevant legislation, supporting policies, procedures and guidance. No individual should be able to access information to which they do not have a legitimate access right. 


Notwithstanding systems in place to prevent this, no individual should knowingly contravene this policy, nor allow others to do so. To report policy contraventions, please see Section 5.5: Incident Handling.

 

Data Owners / Guardians:

Many members of Mediahawk will have specific or overarching responsibilities for preserving the confidentiality, integrity and availability of information. These include:


Heads of Departments - Responsible for the information systems (e.g. HR / Registry / Finance), both manual and electronic, that support Mediahawk’s work.


Departmental Managers / Line Managers - Responsible for a specific area of Mediahawk work, including all the supporting information and documentation, which may include working documents / contracts / staff information.


Tech / Development Department - Responsible for ensuring that the provision of Mediahawk’s IT infrastructure is consistent with the demands of this policy and current good practice.