IMS Awareness Training

Cloud Direct is certified to ISO27001 (for information security) and ISO20000 (for IT service management) and as such must be able to demonstrate that measures have been taken to meet these strict international standards. As part of our ISO compliance, we are audited every year by an external auditor.

We combine our ISO27001 and ISO20000 management processes and policies into a single system, called the Integrated Management System (IMS).

This training aims to introduce you to the Cloud Direct Integrated Management System (IMS) and explain your responsibilities as a Cloud Direct employee.

*Parts of this course link to SharePoint and ServiceNow. You may be prompted to login to access these materials*

Suggested time: 45 minutes

Integrated Management System (IMS)

What is the IMS?

The Integrated Management System (IMS) is a collection of processes, forms, policies and records that help us meet the requirements of ISO27001 and ISO20000.

Where is the IMS held?

The IMS can be found in the Process Library in SharePoint. Click here to view the Process Library and take a look.

Who are your IMS representatives?

James Tyson (ISO Project Manager) is responsible for the day-to-day management of the IMS. David Wigley (Chief Operating Officer) is accountable for Cloud Direct's adherence to the IMS and to both ISO27001 and ISO20000.

Remember that it is everyone's responsibility to follow the documented procedures and policies within the IMS.

Key documents and systems

  • The IMS Overview provides an overview of the whole IMS including your roles and responsibilities, and how individual business procedures relate to each other. The IMS Overview is a large document but don't worry - you don't have to remember it all! Just remember that our key processes can be found here.
  • The Continual Service Improvement Plan (CSIP)* is a centralised system for recording and tracking actions relating to non-conformances, improvement opportunities, customer complaints and other records.
  • The Internal Computing Policy outlines how we manage our IT resources and outlines your responsibilities when using company systems and equipment.
  • The Staff Handbook is a comprehensive document that is referenced by your employment contract and provides a range of HR related information.


* You must login to ServiceNow to view the CSIP and you can only view CSIP records that you have (i) created yourself or (ii) have been assigned to you. If you do not have a login, please continue.

Have you read the key documents?

  • Yes, I have read the IMS Overview, found the CSIP in ServiceNow, read the Internal Computing Policy and read the Staff Handbook.
  • No, I haven't read these documents yet.

Information Security

What is ISO27001?

ISO27001 is the recognised international standard for Information Security Management.

The standard sets out the requirements for an information security management system (ISMS) that any type of organisation can adopt. Being certified against it allows us to publicly demonstrate to our customers that we manage their sensitive information appropriately.

By implementing good security we aim to make the service we offer our customers as close to risk-free as possible.

All Cloud Direct employees have access to sensitive company and customer information and as such we must have controls in place to manage this.

Classification of information

To avoid the potential for customer or company information being communicated to unauthorised parties, all company and customer information is classified using one of the four categories below.

  • Customer Protected Data: this is confidential, encrypted data that is monitored and supported by Cloud Direct, but not directly handled by employees. A good example of this would be any customer data that is protected by a backup product such as LiveVault, Ahsay and Backup Exec.
  • Customer Live Data: this is customer data that may reside on customer systems to which Cloud Direct (or suppliers and partners) have occasional access as part of delivering a service. An example of this would be customer emails and files on a hosted server.
  • Confidential Information: this includes all information that is deemed unsuitable for public circulation, including but not limited to customer information in ServiceNow, business plans, employee records and financial records.
  • Non-confidential Information: this includes all publicly available information. A good example would be the Cloud Direct website.


If you are ever unsure whether information should be classed as confidential or not, assume that it is confidential and treat it as such.

You can view a copy of the Information Control Policy here.

Have you read the Information Control Policy?

  • Yes, I have read the policy.
  • No, I haven't read the policy.

Where is information stored?

Cloud Direct uses several hosted and local systems for data storage. Company data is always stored in line with the information category.

Confidential Information

  • Locally, on your PC.
  • SharePoint.
  • OneDrive.

Customer Live Data

  • ServiceNow.
  • SharePoint.
  • Hosted desktop/server solutions.

Customer Protected Data

  • LiveVault.
  • Attix5.
  • Ahsay.
  • Backup Exec.
  • NetBackup.

Assessing and managing information security

Risk based approach

Cloud Direct uses a risk based approach to information security. This means we:

  1. Identify information assets.
  2. Carry out risk assessments on information assets.
  3. Mitigate and resolve identified risks.
  4. Regularly review information assets and associated risks.


Information assets

An information asset can be anything from a data centre to a piece of paper. An information asset is anything that holds, processes or carries information that is critical to the business or to information security within the business. The IMS team are responsible for recording, managing and reviewing changes to information assets. Some examples of information assets include:

  • Contracts.
  • PCs and laptops.
  • Mobile phones. 
  • Employees (yes, you!).


Confidentiality, Integrity and Availability

It is Cloud Direct's responsibility to manage and ensure the confidentiality, integrity and availability (CIA) of all information assets. A breach of CIA would represent a failure to keep our customers, or our internal data, secure. If you suspect or know of a breach of CIA you must report this to the IMS team immediately.

Confidentiality

Confidentiality concerns the privacy of data and ensuring measures are in place to prevent unauthorised access to sensitive data. We classify data into four categories which are then subjected to different controls. We control access to confidential data by using strong passwords and encryption.

Integrity

Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its life cycle. Controls must be in place so that data is changed or altered only by people and processes authorised to do so. We protect the integrity of data by restricting who can change it (see access management below) and by backing up critical business systems, with redundancy in place, so that corrupted or wrongly altered data can be restored to a known-good state.

Availability

Availability is ensuring that data is available when it is required, whether by a customer or by a Cloud Direct employee. We control availability of data by maintaining hardware, providing sufficient bandwidth and having comprehensive disaster recovery plans in place for key systems and data stores.


In short, we need to ensure data is kept private, it is not altered without authorisation and that when the customer wants their data, they can get it.

What are the three things we need to consider when protecting an information asset?

Tick all answers that apply

  • Cost
  • Availability
  • Integrity
  • Number of employees with access
  • Impact on customer
  • Confidentiality

Your information security responsibilities

As employees, we all have a responsibility to do our part in maintaining good information security practices. 


Office Visitors

  • All visitors that are not Cloud Direct employees must be signed in on arrival to the office. You must also ensure that they sign out upon leaving.
  • You must escort visitors at all times.
  • If a visitor requires Internet access, wireless guest networks are available; never connect a visitor to the standard staff WiFi. If the visitor has any issues connecting, contact the Internal IT team.


Security Incidents

  • It is the responsibility of all employees to report any observed security incidents or suspected security weaknesses.
  • Security incidents are events such as:
    • Abuse (Internet, email, viruses, malicious activity).
    • Access (unauthorised access to locations, systems or information).
    • Loss or theft (electronic or paper media, laptops and mobile phones).
    • Non-compliance with company policies, guidelines and operating procedures.
  • You can report security incidents in ServiceNow. We will cover this in another section.
  • Make sure you read and understand the Security Incident Management Procedure.

You can read the Security Incident Management Procedure here.

Passwords

Employees are expected to follow good password practice as specified in the Internal Computing Policy. Passwords must:

  • Be a minimum of 10 characters.
  • Contain characters from at least three of the following four categories:
    • Uppercase letters.
    • Lowercase letters.
    • Numbers.
    • Symbols.
  • Not be reused. Systems such as Office365 remember your last 24 passwords and will not let you use any of them again.
  • Not be cyclic (hello1, hello2 and so on): changing only a trailing number does not make a new password.

You should never write down your password or let anyone else use your password, even another employee. Any password misuse or breach of the above points must be reported as a non-conformance in ServiceNow.
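The checker below is an added example, not part of the original training material or any Cloud Direct system; it turns the four rules above into code so you can see how each is tested. The history depth of 24 is taken from the Office365 note above; everything else (function names, the plaintext password history, the sample passwords) is assumed for illustration only.

```python
import re
from typing import Iterable, List, Tuple

# Rules as stated in the Internal Computing Policy summary above.
MIN_LENGTH = 10
REQUIRED_CATEGORIES = 3          # at least 3 of the 4 categories
HISTORY_DEPTH = 24               # Office365 remembers the last 24 passwords

CATEGORY_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def split_trailing_number(password: str) -> Tuple[str, str]:
    """Split 'hello12' into ('hello', '12'); the number part is '' if absent."""
    match = re.fullmatch(r"(.*?)(\d*)", password)
    return match.group(1), match.group(2)


def is_cyclic(password: str, history: Iterable[str]) -> bool:
    """True if the password is an old one with only its trailing number changed
    (hello1 -> hello2, or hello -> hello1)."""
    stem, digits = split_trailing_number(password)
    if not stem:
        # All-digit password: nothing to compare as a stem.
        return False
    for old in history:
        old_stem, old_digits = split_trailing_number(old)
        if old_stem == stem and (digits or old_digits) and digits != old_digits:
            return True
    return False


def check_password(password: str, history: Iterable[str] = ()) -> List[str]:
    """Return the list of policy rules the password breaks; empty means it passes.

    `history` is the user's previous passwords, oldest first. It is plaintext
    here purely for illustration (assumed); real systems keep only hashes.
    """
    failures = []

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    categories = [name for name, pat in CATEGORY_PATTERNS.items() if pat.search(password)]
    if len(categories) < REQUIRED_CATEGORIES:
        used = ", ".join(categories) or "none"
        failures.append(f"uses only {len(categories)} of 4 character categories ({used})")

    recent = list(history)[-HISTORY_DEPTH:]
    if password in recent:
        failures.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    elif is_cyclic(password, recent):
        failures.append("is a cyclic variant of a previous password")

    return failures


if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    samples = [
        ("Tr0ub4dor&3x", []),
        ("Sh0rt!", []),
        ("hello12345", []),
        ("Welcome2024", ["Welcome2023"]),
        ("Welcome2023", ["Welcome2023"]),
    ]
    for candidate, previous in samples:
        problems = check_password(candidate, previous)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

Two caveats a practitioner should keep in mind. First, a system that stores password history as hashes (as Office365 does) can detect an exact reuse but cannot detect a cyclic variant, because hello1 and hello2 hash to unrelated values; that is why the "not cyclic" rule depends on you following it rather than on the system enforcing it. Second, the category count measures composition, not strength: hello12345 fails here, but Hello12345! would pass the complexity test while still being an obvious guess, so treat these rules as a floor, not a target.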


Emails

All employees are expected to use good judgement when managing their company email account. Be aware of the following points:

  • Do not open email attachments you were not expecting or cannot verify, as they could damage your PC or the company network. Report any suspicious emails to the Internal IT team immediately. If you do open an attachment that you shouldn't have, report it to the Internal IT team immediately, even if nothing appears to have happened.
  • Email is not a secure means of communication. Always work on the assumption that email may be read by other people and not just the intended recipient. Any improper statements or breaches of confidentiality could result in personal or company liability.
  • Nothing should be written in any system that you would not be prepared to say to a customer's face.
  • The staff handbook contains further details on how Internet, email and social media use could be damaging to Cloud Direct.


Yammer

Cloud Direct employees are given access to an internal social networking site, Yammer. Employees are expected to adhere to the Acceptable Use Policy as stated in the internal computing policy. The primary points of which are:

  • Only submit posts on your own behalf.
  • Do not post any information that would pose a security risk.
  • Report any incidents of information security risks.
  • Do not use offensive language.
  • Do not use the site to conduct illegal or immoral activities.


Virus Protection

All company hardware is issued with anti-virus software already installed. It is designed to detect and remove threats to your PC, updates itself automatically and runs a scheduled scan each day.

  • Do not disable, alter or in any way impede the function of the anti-virus software.
  • Not all problems are caused by a virus; however, you should report any suspected virus to the Internal IT team immediately.


Your Workspace

  • Keep your work area tidy, so that you know exactly what information is on your desk.
  • Lock documents and notepads in drawers at the end of each day.
  • Ensure all surfaces (including the floor) which are not designed for document storage are kept clear.
  • Clear your desk at the end of each day.
  • Lock your screen if you are leaving your desk.
  • Make sure there is an automated, password protected screen saver on your PC.

Have you read the Security Incident Management Procedure?

  • Yes, I have read the procedure.
  • No, I haven't read the procedure.

What are your information security responsibilities when receiving a visitor to the office?

Tick all answers that apply.

  • Ensure that visitors sign in and sign out
  • Offer to take their coat
  • Connect them to the guest WiFi rather than the standard WiFi network
  • Take them out for lunch
  • Escort the visitor at all times

Which of the following would be a good example of a secure password?

Devices (company issued and personal)

Company owned devices

Security of information on laptops is a particular concern. Laptops are regularly lost, stolen or damaged. If you have a laptop you should do the following:

  • Ensure that critical information is backed up. If you need assistance setting up a backup please speak to the Internal IT team. 
  • Do not store historic data on the laptop.
  • Do not leave your laptop unattended when outside the office (including in your car).
  • Ensure the laptop is encrypted. If you need assistance with encryption please speak to the Internal IT team.
  • Use a password protected screen saver.


Personal devices

Employees and contractors frequently perform employment-related tasks which require connecting to Cloud Direct's systems, networks and email. To ensure that Cloud Direct systems and information are not put at risk, employees are expected to follow the BYOD (Bring Your Own Device) policy. The primary points of which are:

  • Employees must request that the personally owned device be approved for use within Cloud Direct. This can be done in the form of a BYOD request in ServiceNow. Instructions for submitting a BYOD request can be found here*.
  • All employee-owned devices must support, and have enabled, a password or PIN code lock.
  • Employees must report any security incidents such as loss or theft of a device, malware attack or any unauthorised access to the IMS team.
  • Employees may not download or store confidential information without authorisation from management. If information is downloaded, it must be removed once no longer required.


* You must be signed in to ServiceNow to view the article.

If using a personal device, what must you consider?

Tick all answers that apply.

  • The device must have a password or pin code
  • The device should not be used to store company data
  • If the device is lost or stolen, it should be reported

Your personal information

  • Your personal information is held within paper-based files and electronic files.
  • Your personal information is only available to you, your line manager, senior management and the HR team. Your personal information is only accessed on a 'need-to-know' basis.
  • In no other case should a holder of personal information pass such information to anyone else either inside or outside the company without the consent of the individual concerned. This includes:
    • Private telephone numbers. 
    • Private email addresses.
    • Addresses.
    • CVs, references, DBS checks, etc.
  • You can access your personal information held by Cloud Direct by viewing the HR Library in SharePoint (use the menu on the left to find your information). Please speak to the HR team if you have any questions regarding your personal information held by Cloud Direct.


Data protection

Data Protection Act (1998)

This Act applies to any personal information about customers, employees and suppliers. This information must be kept secure and up to date.

The Act has two main themes.

  1. It states that anyone who processes personal information must comply with eight principles, which make sure that information is:
    1. Fairly and lawfully processed.
    2. Processed for limited purposes.
    3. Adequate, relevant and not excessive.
    4. Accurate and up to date.
    5. Not kept for longer than necessary.
    6. Processed in line with your rights.
    7. Secure.
    8. Not transferred to other countries without adequate protection.
  2. Secondly, the Act provides individuals with important rights, including the right to find out what personal information is held on electronic and paper records.


General Data Protection Regulation (GDPR)

The GDPR applies from 25 May 2018. It applies to any organisation that processes personal data about individuals in the European Union, regardless of where that organisation is based.

Compliance with GDPR is currently being progressed and more details will follow.

IT Service Management

What is ISO20000?

ISO20000 is the international standard for IT Service Management.

The standard helps organisations take an integrated approach to providing an IT service to a customer. The standard covers everything from sales, to provisioning, through to support.

ISO20000 is closely aligned to ITIL and shares many of its key concepts and components.

Key elements of ISO20000

Some of the key elements of ISO20000 are shared with ITIL. It is important that you are aware of the policies and procedures that impact your area of work. Click the links to view the corresponding policy where one exists.


A full list of IMS policies and procedures can be found in the Process Library in SharePoint.

Have you read the policies and procedures that are applicable to your job role?

  • Yes, I have read the policies and procedures that are applicable to my role.
  • No, I haven't read the policies yet.

Disaster recovery

In order for Cloud Direct to guarantee levels of services to customers, we have a range of robust Disaster Recovery (DR) plans as part of our Business Continuity Plan (BCP).

Disaster recovery plans are a set of procedures designed to recover and protect key systems and information assets. Each DR plan contains actions to be taken before, during and after a disaster. A disaster could be natural, environmental or as a result of human-action.

Cloud Direct has a range of DR plans including:

  • Loss of key systems (such as ServiceNow).
  • Loss of Internet connectivity.
  • Loss of office.
  • Loss of key employees.

DR plans are tested on a regular basis and you will be informed if your involvement is required or you will be impacted by the DR test.

In the event of a DR situation you may be required to work from home. In this situation you should refer to the DR101 document which provides instructions on how to access key systems and continue working when outside of the office.

Are you happy that you could work outside of the office in the event of a disaster?

  • Yes, I am happy that I could work from home or an alternative location.
  • No, I am not sure how to work as normal when outside the office.

Business continuity planning

Business Continuity Planning (BCP) is closely linked with disaster recovery and risk management and aims to ensure that Cloud Direct continues to operate in the event of a disaster.

As a business, we differentiate between critical and non-critical functions. These functions are then given two values:

  • Recovery Point Objective (RPO): the maximum acceptable amount of data loss, expressed as the period of time between the last recoverable copy of the data and the point of failure.
  • Recovery Time Objective (RTO): the maximum acceptable amount of time to restore the function after a failure.

BCP aims to return the business to normal working levels as quickly as possible. In the event of a DR plan being invoked, the BCP Controller will issue instructions to department heads and employees.

The primary BCP Controller for Cloud Direct is David Wigley.

Access management

Access to all company systems is controlled by access management. This means that if you require access to any systems you must submit an access request. 

All employees have a basic level of systems access granted when they join Cloud Direct including:

  • Office365 for access to email, SharePoint and Yammer.
  • ServiceNow access.

If you require access to additional systems, including vendor portals, you must submit an access request. Access requests are then approved by your Line Manager before you are granted access. Failure to submit an access request would result in a non-conformance, which must be reported to the IMS team.

If someone asks you to grant them access to a system you must ensure they have an approved access request before doing so.

You can review how to submit an access request here*.


* You must be signed in to ServiceNow to view the article.

Do you know how to raise an access request?

  • Yes, I know how to raise an access request and understand why I must do so.
  • No, I am not sure how to raise an access request.

Your IMS Responsibilities

Non-conformances

A non-conformance means that something has gone wrong: a problem has occurred and needs to be addressed. Non-conformances are addressed with corrective actions (fixing the problem) and preventive actions (stopping it from happening again).

You may find a non-conformance in a service, product, a process or from a supplier. A non-conformance can be identified through customer complaints, internal audits, external audits or during normal business operations. 

It is important that you report any non-conformances immediately to the IMS team. You can raise a non-conformance to the IMS team by submitting a CSIP record in ServiceNow, as detailed here*.

Some examples of previous non-conformances include:

  • A virus being detected on a company machine.
  • An access request not being submitted.
  • A customer complaint that required escalation to management.
  • A tender document being sent out to a prospective customer without being marked as confidential.


It is essential that you report any non-conformances immediately. If you are unsure if something should be logged as a non-conformance, speak to your Line Manager or a member of the IMS team who will be able to clarify.

If you are not currently using ServiceNow, you can log a non-conformance by emailing [email protected]


* You must be signed in to ServiceNow to view the article.

Do you understand what a non-conformance is and how to report it?

  • Yes, I understand what a non-conformance is and how to report it.
  • No, I am unsure what a non-conformance is and how I would report one.

IMS knowledge

Whilst the external auditor's primary concern is to review business processes, they may also want to talk to employees. The auditor is able to talk to any employee as part of their audit process.

The auditor will not expect you to recite policies and procedures but will expect you to be able to:

  • Know how to access and navigate the IMS in SharePoint. We call this the Process Library.
  • Know which processes apply to your business activities. 
  • Be aware of basic information security requirements and your responsibilities towards them.
  • Be able to locate and understand the IMS Overview document.
  • Know how to report a non-conformance, security incident, or other IMS related event.
  • Know how to find your employee records. You can find these in your HR folder in SharePoint (use the menu on the left).

Do you know how to access the Process Library in SharePoint?

  • Yes, I know where the Process Library is and how to access it.
  • No, I am not sure where the Process Library is or how I can find it.

Do you know how to access your employee records?

  • Yes, I know where my employee records are stored and how I can access them.
  • No, I am not sure where my employee records are kept or how I can access them.

Are you aware of the policies and procedures that apply to your job role?

  • Yes, I am aware of which policies and procedures apply to my role and I understand them.
  • No, I am unsure which policies and procedures apply to my role.

Questions, comments and improvements

If you have any questions, comments or suggestions for improvements to the IMS, please let the IMS team know by emailing [email protected]