Reference: POL 14
Version: 1
Issue Date: 12/10/2025
Approved: MD
Redcone Recruitment Limited
Cyber Security Policy
1.1 Policy Overview
Redcone Recruitment Limited recognises the critical importance of protecting its information systems and data from cyber threats. As a provider of traffic management services and recruitment/supply of labour, the company relies on its digital infrastructure to manage operations, handle sensitive data, and communicate with clients and employees. This Cyber Security Policy outlines the company’s commitment to safeguarding its digital assets and provides guidelines to ensure the security, integrity, and confidentiality of data across all systems.
The policy has been established to minimise risks to business continuity, prevent unauthorised access, and ensure compliance with relevant legal and regulatory requirements. Redcone Recruitment Limited views cyber security as a shared responsibility for all employees, contractors, and stakeholders.
1.2 Purpose of the Policy
The purpose of this policy is to:
- Protect Redcone Recruitment Limited’s information systems from cyber threats, including malware, data breaches, phishing attacks, and unauthorised access.
- Ensure that all employees, contractors, and third-party partners understand their responsibilities in maintaining the security of company systems and data.
- Outline the procedures for preventing, detecting, and responding to cyber security incidents.
- Maintain compliance with relevant legal frameworks, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
- Safeguard the confidentiality, integrity, and availability of company data, client information, and employee records.
1.3 Legal and Regulatory Framework
This policy complies with the following UK laws and regulations:
- UK GDPR: Governs the protection of personal data and requires appropriate technical and organisational measures to prevent unauthorised access.
- Data Protection Act 2018: Sets out UK-specific data protection requirements.
- Computer Misuse Act 1990: Defines criminal offences related to unauthorised access and interference with computer systems.
- Network and Information Systems (NIS) Regulations 2018: Mandates cyber security requirements for essential services.
2: Scope
2.1 Applicability
This policy applies to all employees, contractors, temporary workers, and third parties who have access to Redcone Recruitment Limited’s information systems, networks, and data. It covers all digital assets, including computers, mobile devices, network infrastructure, cloud services, software, and data storage systems.
2.2 Key Cyber Threats Covered
- Malware and Ransomware: Malicious software designed to disrupt, damage, or gain unauthorised access to systems.
- Phishing: Fraudulent attempts to obtain sensitive information, such as passwords or financial details, by posing as a trustworthy entity in electronic communications.
- Insider Threats: Risks posed by employees or contractors who misuse their access to data and systems.
- Data Breaches: The unauthorised access, disclosure, or loss of sensitive or personal data.
- Denial of Service (DoS) Attacks: Attempts to make a network or system unavailable to its intended users by overwhelming it with traffic.
- Unauthorised Access: Attempts to gain unauthorised access to systems or data, either physically or remotely.
3: Policy Details
3.1 Cyber Security Governance
Redcone Recruitment Limited is committed to fostering a strong cyber security culture throughout the organisation. The company will establish a robust governance structure for overseeing cyber security initiatives, including:
- Appointing a Cyber Security Officer (CSO): The CSO will oversee the implementation and enforcement of this policy, monitor cyber threats, and coordinate the response to security incidents.
- Cyber Security Training: All employees will receive training on cyber security best practices, awareness of phishing attacks, password management, and reporting suspicious activity. Training will be provided during induction and refreshed regularly.
- Regular Security Audits: The company will conduct regular internal and external security audits to ensure compliance with this policy and identify potential vulnerabilities.
3.2 Access Control
3.2.1 User Authentication
- Password Policy: All users must create strong, unique passwords that meet the company’s security requirements (e.g., a minimum of eight characters, including letters, numbers, and special characters). Passwords must be changed regularly, and multi-factor authentication (MFA) will be used for accessing sensitive systems and data.
- Account Management: Access to systems and data will be based on the principle of least privilege, meaning users will only have access to the data and systems required for their specific roles. User accounts will be regularly reviewed to ensure that access permissions are up to date.
- Account Lockout: Accounts will be locked after a specified number of failed login attempts to prevent brute force attacks. Users must contact the IT department to unlock their accounts and verify their identity.
3.2.2 Remote Access
- Virtual Private Network (VPN): Remote access to company systems and data will only be permitted through a secure VPN to ensure data is encrypted and protected from interception.
- Secure Devices: Employees and contractors must use company-approved devices with up-to-date security software when accessing company systems remotely. Personal devices may only be used with prior approval from the IT department and must meet security requirements.
3.3 Data Security
3.3.1 Data Classification
All company data will be classified according to its sensitivity, and appropriate security measures will be applied to each category:
- Confidential: Personal data, financial information, or sensitive business records. Access will be restricted, and encryption will be applied both at rest and in transit.
- Internal: Data intended for use within Redcone Recruitment Limited. Moderate security measures will be in place to protect this information.
- Public: Data that is available to the general public. This data will require the lowest level of security.
3.3.2 Data Encryption
- Encryption of Sensitive Data: All sensitive data, including personal data and confidential business information, will be encrypted at rest and in transit to prevent unauthorised access in the event of a security breach.
- Email Encryption: Sensitive data transmitted via email will be encrypted, and employees must use secure communication channels when sharing confidential information.
3.3.3 Data Retention and Disposal
- Data Retention Policy: Data will be retained only for as long as it is necessary for business purposes or as required by law. The company will ensure compliance with the UK GDPR’s data minimisation and storage limitation principles.
- Secure Disposal: When data is no longer required, it will be securely deleted or destroyed in a manner that ensures it cannot be recovered (e.g., shredding physical documents or wiping digital storage devices).
3.4 Network and Infrastructure Security
3.4.1 Firewall and Intrusion Detection Systems (IDS)
- Firewall Protection: All company networks will be protected by firewalls configured to prevent unauthorised access and monitor traffic for suspicious activity.
- Intrusion Detection: The company will use Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to monitor network traffic for potential threats, such as malware or hacking attempts.
3.4.2 Software Updates and Patching
- Regular Updates: All software, operating systems, and firmware will be regularly updated to ensure that security vulnerabilities are patched. Automatic updates will be enabled where possible.
- Patch Management: The IT department will manage a centralised patch management system to track and implement security updates across all devices and systems.
3.4.3 Anti-Malware Protection
- Anti-Virus Software: All company devices will be equipped with up-to-date anti-virus and anti-malware software. Regular scans will be conducted to detect and remove malicious software.
- Quarantine Procedures: In the event of a malware detection, the infected device will be isolated from the network until it is cleaned and verified to be secure.
4: Incident Response
4.1 Incident Reporting
All employees and contractors must report any suspected or actual cyber security incidents immediately to the IT department or CSO. Incidents include, but are not limited to:
- Suspicious emails or phishing attempts.
- Unauthorised access to systems or data.
- Loss or theft of company devices.
- Detection of malware or ransomware.
4.2 Incident Management and Containment
Upon detection of a cyber security incident, Redcone Recruitment Limited will take the following steps:
- Immediate Containment: Isolate the affected systems or devices to prevent further damage or data loss. This may involve disconnecting devices from the network or shutting down compromised systems.
- Initial Assessment: The IT department or CSO will assess the severity of the incident, determine the nature of the breach, and identify the data or systems impacted.
- Notification: If personal data is compromised, the Data Protection Officer (DPO) will determine whether the incident must be reported to the Information Commissioner’s Office (ICO) within the 72-hour reporting window under the UK GDPR. Affected individuals will also be notified, where applicable.
4.3 Investigation and Recovery
- Forensic Investigation: A full investigation will be conducted to identify the cause of the incident, the extent of the damage, and whether any data was compromised. External cyber security experts may be engaged if necessary.
- Restoration: Once the incident has been contained, the IT department will work to restore affected systems from backups and ensure that no malicious code remains in the network.
- Post-Incident Review: After recovery, a post-incident review will be conducted to identify lessons learned and to implement measures to prevent future incidents. A formal incident report will be documented.
5: Third-Party and Supply Chain Security
5.1 Third-Party Risk Management
Redcone Recruitment Limited will ensure that all third-party vendors, suppliers, and contractors with access to company data or systems comply with the company’s cyber security standards. This will include:
- Due Diligence: Conducting a thorough assessment of the third-party’s cyber security controls before engagement.
- Contractual Obligations: Requiring third parties to sign agreements that outline their responsibilities for maintaining the security of company data and systems. This may include adherence to ISO 27001 (Information Security Management) or equivalent standards.
- Monitoring and Audits: Redcone Recruitment Limited reserves the right to audit third-party security practices and require them to remediate any deficiencies identified.
6: Responsibilities
6.1 Employee Responsibilities
All employees are required to:
- Comply with the company’s cyber security policies and procedures.
- Report any suspicious activity, security incidents, or breaches immediately to the IT department or CSO.
- Participate in cyber security training sessions and adhere to best practices, including the use of strong passwords and secure communication channels.
6.2 Management Responsibilities
Managers and senior leaders are responsible for:
- Ensuring that their teams understand and comply with the Cyber Security Policy.
- Supporting the CSO and IT department in enforcing security controls.
- Promoting a culture of cyber security awareness within the organisation.
6.3 Cyber Security Officer (CSO) Responsibilities
The CSO is responsible for:
- Overseeing the implementation and enforcement of this Cyber Security Policy.
- Conducting risk assessments and security audits to identify vulnerabilities.
- Coordinating the response to cyber security incidents and managing recovery efforts.
- Keeping the company informed of emerging cyber threats and best practices.
7: Monitoring and Review
7.1 Continuous Monitoring
Redcone Recruitment Limited will continuously monitor its network, systems, and devices for signs of cyber threats. The IT department will use automated monitoring tools, such as intrusion detection systems, to detect anomalies and suspicious activity in real time.
7.2 Regular Audits
The company will conduct regular internal and external security audits to evaluate the effectiveness of its cyber security controls. Audits will assess compliance with this policy, as well as the overall security posture of the organisation.
7.3 Policy Review
This Cyber Security Policy will be reviewed annually or in response to significant changes in the company’s operations, technology landscape, or regulatory requirements. Updates to the policy will be communicated to all employees, contractors, and relevant stakeholders.
8: Conclusion
Redcone Recruitment Limited is committed to maintaining a secure digital environment and protecting its information systems from cyber threats. By following this Cyber Security Policy, the company aims to minimise the risk of cyber security incidents, safeguard sensitive data, and ensure business continuity. All employees, contractors, and third-party partners are expected to actively contribute to maintaining the security of the company’s information systems by adhering to the procedures and guidelines outlined in this policy.
Approved by Managing Director Matthew Beech
Date: 12/10/2025
