ISMS policy

GENERAL DATA PROTECTION REGULATION (EU) 2016/679

INFORMATION SECURITY MANAGEMENT SYSTEM – INTERNAL POLICY
1. Introduction
AirFair Compensation Limited (airFair) has a responsibility to protect all client, corporate, employee and other information in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR). In addition, we are required to monitor information being transferred by employees to the public and to other organisations. Any transfer of data will be carried out in accordance with this policy.
2. Scope
This policy applies to all staff who will be made aware through induction training, general refresher training and through documentation. No employee is exempt from this policy.

3. Data security:

3.1. It is airFair’s policy to comply with all laws regulating computers and data protection. It is therefore important that all employees minimise airFair’s exposure to risk arising from careless handling of data or from inappropriate or illegal use of software.

3.2. Save in relation to reasonable e-mail and Internet usage (as set out further below) you are not permitted to use airFair’s computer facilities for personal use and computers should only be used by you to perform your job function.

3.3. You must always keep your personal password confidential. When choosing or changing your password, adopt one that does not contain personal data (such as names or dates of birth). Change your password regularly, and immediately if you suspect it has been compromised, and never share or divulge it to any unauthorised person.

3.4. You are only authorised to use systems, and to access information, that are relevant to your job. You must neither seek information nor use systems outside this scope.

3.5. It is illegal to make unauthorised copies of software. Software issued by airFair for your use is licensed to airFair and is protected by copyright law. You must not make or distribute copies of it.

3.6. You must not install any software on airFair’s computers without first obtaining permission to do so. Be aware of the risk that malicious software (viruses, worms and similar) poses to airFair’s computers, and raise any issue that may relate to such software immediately with the IT Manager.

3.7. You must not download copyright-protected material onto any device connected to airFair’s IT network. This includes downloading such material onto your personal mobile phone where access to airFair’s Wi-Fi has been granted.

3.8. You are not authorised to download, onto any device connected to airFair’s network, any software for which airFair does not hold a valid licence. You must not download any such software without first obtaining the permission of the IT Manager.

3.9. airFair (via either the Operations Manager or the IT Manager) reserves the right, in its sole discretion, to allow you to access airFair’s Wi-Fi for your own personal use. Should you be granted such access, then you shall not share the relevant passwords or login details with other members of staff. You shall observe and comply with all the rules, procedures and policies adopted by airFair, from time to time, in relation to working time and usage of airFair’s computer system (including, but not limited to, the downloading of software or copyright material, the accessing of inappropriate websites and excessive internet usage during working hours). Accessing and using airFair’s Wi-Fi shall be restricted to only authorised and designated breaks.

3.10. All laptops holding company data will have full disk encryption enabled using the operating system’s native encryption (for example BitLocker on Windows or FileVault on macOS).

3.11. Only authorised staff may use USB mass storage devices within airFair; authorisation is determined by the IT department, backed by a suitable job justification. Staff must always perform an anti-virus scan on the device after it has been plugged into the machine, and where possible the USB device must be encrypted if it is used to transport any company data.

3.12. You will always comply with any further rules, procedures or policies adopted by airFair in relation to the usage of its computer system.

4. Internet and E-mail Usage:

4.1. airFair’s computer system contains e-mail and Internet access facilities which are intended to promote effective communication within airFair and with clients and contacts relating to its business. Both systems should therefore be used for that purpose.

4.2. Personal messages may be sent via e-mail, but these must respect the primary purpose of the e-mail system. This means that the e-mail system must not be used for a purpose detrimental to your job responsibilities, for spreading gossip, for personal gain, or in breach of any of airFair’s standard employment policies on issues such as harassment. Personal messages sent via e-mail must be kept to a reasonable number.

4.3. Messages sent on the e-mail system (including personal messages) are to be written to the same standards as any other form of written communication, and the content and language used must be consistent with airFair’s best practice. All employees must therefore refrain from including bad language and/or references to inappropriate or offensive content in any message sent on the e-mail system. Messages should be concise and directed to those individuals with a need to know. General messages to a wide group should only be used where necessary. Confidential information must not be sent externally by e-mail without express authority, and then only when the message is encrypted.

4.4. Personal usage of the Internet facility is also permitted, but such usage must be reasonable, limited to break times and limited to the accessing of appropriate sites. The downloading or accessing of pornographic or other unsuitable sites (e.g. gambling sites) is viewed very seriously by airFair, will be treated as gross misconduct and can lead to disciplinary action.

4.5. airFair reserves the right to retrieve the contents of e-mail messages and to examine computers in relation to Internet access in order to monitor whether the use of the e-mail and Internet systems is legitimate, to assist in the investigation of wrongful acts, or to comply with any legal obligation. Monitoring is only carried out to the extent permitted or required by law and as necessary and justifiable for business purposes. If you are given access to e-mail and the Internet, you are responsible for the security of your workstation and you must not allow it to be used by an unauthorised person. You should therefore keep your personal password confidential and change it regularly.

4.6. When leaving your PC unattended or on leaving the office you must ensure that your PC is appropriately locked or secured to prevent unauthorised users from using it in your absence.

4.7. Should you receive an e-mail message which has been wrongly delivered to your e-mail address, you should notify the sender by returning the message to them. Further, if the e-mail message contains confidential information you must not disclose or use that confidential information. Should you receive an e-mail which contravenes this policy, the e-mail must be brought to the attention of the IT Manager.

4.8. Misuse of the e-mail or Internet system in breach of this policy statement will be deemed as misconduct and will be dealt with within the framework of airFair’s disciplinary procedure. Misuse of the e-mail system by transmission of any material in any of the following categories will constitute gross misconduct:

• defamatory;
• offensive or obscene;
• untrue or malicious;
• racist or otherwise contrary to airFair’s Equal Opportunities Policy;
• protected copyright material.

5. Use of own device

The organisation does not permit the use of non-organisational equipment to store confidential data unless approved by operations-level management or higher.

Users are responsible for ensuring that any software used to process and/or store the organisation’s data is properly licensed, and the organisation will require proof of authenticity. All software used for processing and/or storing the organisation’s data must be compatible with the organisation’s software; if a software conflict occurs, the user may be required to remove the conflicting software.

Users are responsible for ensuring that regular secure backups of the organisation’s data are taken so that there is no risk of loss or corruption of critical data, and the organisation will require proof of backups. Users may request that the IT department take on this role, but the organisation reserves the right to charge for this service.

Users will be required to install the organisation’s approved anti-virus products to ensure the safety of the organisation’s data and network. Users with their own laptop will be required to enable full disk encryption on the device.

Users with their own device will be advised by the IT department on best practice when using USB mass storage devices. This includes, but is not limited to, performing an anti-virus scan on the USB device after it has been plugged in, and encrypting the device where possible. Users will also be reminded of the company Computer and Data Protection policy with regard to Data Loss Prevention.

The IT department reserves the right to audit any staff equipment that accesses the organisation’s data to ascertain whether this policy is being adhered to.

6. Sensitive Information

The Sensitivity Guidelines below provide details on how to protect information at varying sensitivity levels. Use these guidelines as a reference only, as the airFair Confidential information in each section may necessitate more stringent measures of protection depending upon the circumstances and the nature of the airFair Confidential information in question.

6.1 Minimal Sensitivity
General corporate information; some personnel and technical information
Marking guidelines for information in hardcopy or electronic form.

Note: any of these markings may be used with the additional annotation of “Third Party Confidential”. Marking is at the discretion of the owner or custodian of the information. If marking is desired, the words “airFair Confidential” may be written or designated in a conspicuous place on or in the information in question. Other labels that may be used include “airFair Proprietary” or similar labels at the discretion of your individual business unit or department. Even if no marking is present, airFair information is presumed to be “airFair Confidential” unless expressly determined to be airFair Public information by an airFair employee with authority to do so.

Access: airFair employees, contractors, people with a business need to know.
Distribution within airFair: Approved electronic mail and electronic file transmission methods.
Electronic distribution: No restrictions except that it be sent to only approved recipients.
Storage: Keep from view of unauthorized people; erase whiteboards, do not leave in view on table top. Machines should be administered with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate.
Disposal/Destruction: Shred outdated paper information on airFair premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media as per the IT Equipment and Media Disposal Policy.
Penalty for deliberate or inadvertent disclosure: Disciplinary procedure up to and including termination.

6.2 More Sensitive
Business, financial, technical, and most personnel information. Marking guidelines for information in hardcopy or electronic form.

Note: any of these markings may be used with the additional annotation of “Third Party Confidential”. As the sensitivity level of the information increases, you may, in addition to or instead of marking the information “airFair Confidential” or “airFair Proprietary”, wish to label the information “airFair Internal Use Only” or other similar labels at the discretion of your individual business unit or department to denote a more sensitive level of information. However, marking is always discretionary.

Access: airFair employees and non-employees with signed non-disclosure agreements who have a business need to know.
Distribution within airFair: Approved electronic mail and electronic file transmission methods.
Electronic distribution: No restrictions to approved recipients within airFair, but information must be password protected/encrypted or sent via a private link when going to approved recipients outside airFair premises.
Storage: Individual access controls are highly recommended for electronic information.
Disposal/Destruction: Shred on airFair premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media as per the IT Equipment and Media Disposal Policy.
Penalty for deliberate or inadvertent disclosure: Disciplinary procedure up to and including termination.

6.3 Most Sensitive
Trade secrets & marketing, operational, personnel, financial, source code, & technical information integral to the success of our company.

Marking guidelines for information in hardcopy or electronic form.

Any of the following markings may be used with the additional annotation of “Third Party Confidential”. To indicate that airFair Confidential information is very sensitive, you should label the information “airFair Internal: Registered and Restricted”, “airFair Eyes Only”, “airFair Confidential” or similar labels at the discretion of your individual business unit or department. Once again, this type of airFair Confidential information need not be marked, but users should be aware that this information is very sensitive and must be protected as such.

Access: Only those individuals (airFair employees and non-employees) designated with approved access and signed non-disclosure agreements.
Distribution within airFair: Delivered direct – signature required, envelopes stamped confidential, or approved electronic file transmission methods.
Electronic distribution: No restrictions to approved recipients within airFair, but it is highly recommended that all information be strongly password protected/encrypted.
Storage: Individual access controls are strongly recommended for electronic information. Physical security is generally used, and information should be stored on a physically secured computer.
Disposal/Destruction: Strongly encouraged: dispose of paper in specially marked disposal bins on airFair premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media as per the IT Equipment and Media Disposal Policy.
Penalty for deliberate or inadvertent disclosure: Disciplinary procedure up to and including termination.

7. Virus Protection

All PCs and servers are vulnerable to infection by malicious software. Without sufficient protection these devices could become infected, leaving all information on them vulnerable to corruption, theft and/or deletion. airFair has a responsibility to clients, employees and third parties to protect their data from such a threat as per the Data Protection procedures. Compliance with these guidelines will help protect the company from virus and worm contamination and provide the means to minimise disruption and business impact should preventative measures fail.

7.1 Staff Responsibilities
Anyone who believes or suspects that their computer has been infected with a virus must immediately disconnect it from the network and inform the IT Department as soon as possible.
Virus-infected computers are to remain isolated from the network until a member of the IT Department confirms that they can be reconnected. The person who was using the computer at the time it became, or was suspected of becoming, infected must clearly label the computer as virus-contaminated; it must not be reconnected to the network without the authority of the IT Department. Any removable medium that was being used on the computer at the time of the suspected contamination, or immediately prior, is to be handed to the IT Department for investigation.

7.2 IT Department Responsibilities
The IT Department will deploy, operate and maintain up-to-date, effective anti-virus software on all computer systems that are liable to attack from malicious software. All networked PCs will be updated with the latest applicable virus definition files daily on start-up. Only authorised IT Department staff may deploy anti-virus software onto computers. The virus protection of computers that are not networked must also be maintained; provision for this requirement will be made by the IT Department.

7.3 Line Managers Responsibility
It is the responsibility of the Line Manager to ensure this policy is deployed within their area of responsibility.

7.4 Third Parties’ Responsibility
All third-party devices must be checked for viruses before being connected to the company network.

7.5 Operational System
The company will use anti-virus software products to protect desktop computers and servers.
Email traffic will be monitored for signs of virus contamination and quarantined if necessary by the company email provider.
