Information Security Policy

1. Introduction

Purpose
This Information Security Policy is a guide for Lascar Electronics employees to establish guidelines and best practices for the protection of confidential, sensitive or proprietary information from unauthorized access, use, disclosure, alteration or destruction. Information is an asset, and must be protected appropriately.

Definition
Information Security is the processes designed to protect data by mitigating risks.

Scope
This Information Security Policy applies to all Lascar Electronics employees regardless of employment agreement, position, or location. It also applies to any contractors and third-party service providers who have access to the Company’s information and information systems.

Lascar Electronics shall comply with all relevant laws, regulations, and industry standards regarding information security where we do business.

2. Responsibility

The Company will ensure that all employees will be trained on their responsibilities and obligations regarding information security.

In accordance with General Data Protection Regulation, Lascar Electronics is a Data Controller (DC) and will ensure that there is a Data Protection Officer (DPO) appointed at all times. This position should be adequately resourced, report to Company Directors, and not carry out any other tasks that could result in a conflict of interest. They are also the first point of contact for individuals whose data is processed and for the Information Commissioner’s Office (ICO).

Management
Lascar Electronics Directors, Managers and Supervisors are tasked with implementing and overseeing policies and procedures that reduce the risk of data breaches and ensuring that there is sufficient planning to respond to incidents. Appropriate training should be provided to employees, depending on their roles and tasks.

The IT Manager is responsible for:

  • Keeping the Company servers, workstations and devices, software and other key infrastructure updated with the latest security patches and updates.
  • Ensuring there is no unauthorized access to systems.
  • Ensuring all staff are appropriately trained to use Company systems securely.

Employees
All employees are required to:

  • Adhere to all Company policies and procedures and the guidelines within the employee handbook relating to data handling, email and internet usage, device management and social networks.
  • Protect passwords and access credentials – create strong passwords, change them regularly, never share them, don’t use the same password across multiple accounts and if you access Company emails and/or
  • documents on your personal mobile device make sure this device is sufficiently protected.
  • Report security incidents – be vigilant for suspicious activity (phishing emails, malware infections, suspicious logins) and report it to the IT department immediately.
  • Protect physical documents – physical documents containing sensitive information should be properly secured and disposed of appropriately when no longer needed.
  • Avoid high-risk actions – don’t use public WiFi networks, don’t download software from untrusted sources that could compromise the security of the Company’s information, think carefully before using removable
  • media (e.g. USB drive) and remember to remove it from the host device.

3. General Data Protection Regulation (GDPR)

The Data Protection Act 2018 is the UK’s implementation of the GDPR regulation that protects personal data belonging to EU citizens or residents. Lascar Electronics has a separate Privacy Policy which details how the Company respects the privacy of individuals and is committed to protecting personal data.

4. Product Security Telecommunications Infrastructure (PSTI)

The Product Security Telecommunications Infrastructure Act 2022 is the UK’s Cyber Security regulation for consumer Internet of Thing products. Manufacturers of consumer connectable products (or ‘smart’ products) must comply with specific obligations to ensure they and their products meet minimum security requirements.

Passwords
Lascar Electronics’ products, and their associated software, will never provide a default password. Users will be asked to create their own unique passwords which must meet a set of criteria.

Vulnerability Disclosure
Lascar Electronics has a procedure that allows responsible disclosure of security vulnerabilities by external parties. The aim of this procedure is to address and resolve the vulnerability before it could potentially be exploited maliciously. Guidelines for reporting are detailed below in section 5.

Security Updates
Lascar Electronics extends the life of its products by providing free software upgrades. This includes important security updates. Lascar Electronics aims to provide security updates to all relevant ‘smart’ products, and their associated software, for a minimum of three years from the date of the product’s release. Lascar Electronics will fulfil this timeline whenever it is within their control, as manufacturer and primary code authors, to do so, but may be compromised if updated security related code is required from a component supplier.

5. Vulnerability Disclosure

Lascar Electronics will never knowingly supply a product with security vulnerabilities, but it recognises that their products may become vulnerable to new threats over time that could put safety, personal data, devices and networks at risk.

Contact Details
If you or your organisation has found a weakness in our products or associated software, please send details
to: security@lascar.co.uk

Reporting Guidelines
When reporting a vulnerability, please include as much detail as possible, for example:

  • An overview that describes the nature and potential impact of the issue.
  • Detail the steps required to reproduce the vulnerability so Lascar Electronics can verify the issue and understand the context in which the vulnerability occurs.
  • Specify the version numbers, configurations and other relevant details about the software and products where the vulnerability has been identified.

Timelines
The Company will acknowledge receipt of a vulnerability report as soon as possible and always within 7 days. The Company will conduct an initial assessment within 14 days. If further testing and analysis is required to verify and confirm the vulnerability, this will take place within 30 days. The time required for remediation depends on the complexity of the vulnerability, but the Company will aim to address all issues within 90 days and to prioritise critical weaknesses. After developing and testing the fix, the Company will co-ordinate the disclosure with the reporter within a further 7 days to ensure the fix is widely available before details of the vulnerability are made public.

Responsible Disclosure
Lascar Electronics will not take legal action against individuals or organisations who test the security of products and software, if they do so ethically, causing as little damage to systems as possible, accessing no more data than necessary, and report any found vulnerabilities responsibly.

6. Export Control

The export of certain goods and technology is regulated by the Export Control Organization (ECO). The ECO controls these assets to promote global security and to protect national security. If producing any controlled goods, Lascar Electronics requires one Director, one Manager, one Operator and the Compliance Officer to be trained by the Department for International Trade and for trained individuals to have refresher courses every three years.

7. Access Control

Lascar Electronics will provide all employees and other users with the information they need to carry out their responsibilities effectively and efficiently. Access to information and information systems shall be granted following the principles of least privilege and need-to-know.

Physical Access Control
Lascar Electronics employees who require access to confidential and sensitive information for their job role will be trained on the safe handling of all information and taught the procedures which govern how data is used, stored, shared and organized within the Company.

Personal and confidential data must be retained in locked storage when not in use and keys should not be left in the barrels of filing cabinets and doors.

Digital Access Control
User accounts must be created with strong passwords, and access will be revoked upon termination of employment or contract.

Users should not share their login credentials with others or allow others to use their accounts. No generic or group logins will be permitted.

External communication systems shall have Multi-Factor Authentication (MFA) and authorization mechanisms in place to ensure that only authorized users can access information.

Remote users shall be subject to authorization by the IT Manager. No uncontrolled external access shall be permitted to any network device of network system.

8. Data Protection

Confidential, sensitive, or proprietary information shall be protected from unauthorized access, use, disclosure, alteration, or destruction. Lascar Electronics data usually includes names or numbers. Examples include employee details, product names, prices, costs, tax codes, registration marks, coding and dates.

Information shall be classified based on its sensitivity and appropriate controls implemented to protect it.

Digital information shall be regularly backed up to prevent data loss in case of hardware failure or disaster. Third parties hosting digital data, e.g. Cloud Services, will be required to meet strict requirements and certification.

9. Monitoring

Information systems shall be monitored for unauthorized access, use, or disclosure. Logs shall be regularly reviewed and analyzed to detect and respond to security incidents.

Vulnerability risk assessments shall be periodically performed to identify and mitigate potential security risks.

10. Security Incidents

Incidents can have a huge impact on a Company in terms of cost, productivity and reputation. All security incidents should be reported to the IT department immediately so that the incident and be contained and remediated as quickly as possible. Incident response plans should be in place for predictable security breaches. These plans should be periodically tested to ensure their effectiveness. In accordance with GDPR regulations, Lascar Electronics will report a notifiable breach to the ICO without undue delay and inform data subjects of any personal data breach within 72 hours of the incident.

11. Non-Compliance & Disciplinary Actions

Violations of this policy could result in serious consequences for Lascar Electronics and cause personal distress to individuals. Any breach will be thoroughly investigated and could result in disciplinary action against the offender as outlined in the Company employee handbook.

Version 2.0