Information Security Policy

Policy Statement

World of Textiles UK LTD is committed to protecting the confidentiality, integrity, and availability of all information assets. We recognize that information is a critical business asset that requires appropriate protection against security threats, whether internal or external, deliberate or accidental.

This policy establishes the framework for managing information security risks and ensuring compliance with legal, regulatory, and contractual requirements.

Purpose and Scope

Purpose

This policy aims to:

• Protect information assets from unauthorized access, disclosure, modification, or destruction
• Ensure business continuity and minimize business damage from security incidents
• Comply with legal, regulatory, and contractual obligations
• Maintain customer and stakeholder confidence
• Protect the organization’s reputation and competitive advantage

Scope

This policy applies to:

• All employees (permanent, temporary, part-time, full-time)
• Contractors, consultants, and agency workers
• Third-party service providers
• Business partners with access to our systems
• All information in any format (electronic, paper, verbal)
• All information systems and technology assets
• All locations where business is conducted

Legal and Regulatory Framework

We comply with applicable legislation and standards including:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Computer Misuse Act 1990
• Privacy and Electronic Communications Regulations (PECR)
• Electronic Communications Act 2000
• Copyright, Designs and Patents Act 1988
• ISO 27001 information security standards (best practice)
• Cyber Essentials certification requirements
• PCI DSS (if processing card payments)
• Industry-specific regulations relevant to textile supply chain

Information Classification

Classification Levels

All information must be classified according to sensitivity:

PUBLIC

• Information intended for public release
• Marketing materials, published reports
• No special handling required
• Examples: Website content, product catalogs

INTERNAL

• Information for internal use only
• Not intended for external distribution
• Reasonable protection required
• Examples: Internal procedures, staff directories

CONFIDENTIAL

• Sensitive business information
• Unauthorized disclosure could harm the organization
• Strong protection controls required
• Examples: Financial data, contracts, strategic plans, customer lists

RESTRICTED

• Highly sensitive information
• Unauthorized disclosure could cause serious harm
• Strictest controls required
• Examples: Personal data, trade secrets, legal documents, security credentials

Handling Requirements

Information must be handled according to its classification:

• Labeling: Mark documents with appropriate classification
• Storage: Secure storage appropriate to classification level
• Transmission: Encrypted transmission for confidential/restricted data
• Disposal: Secure destruction when no longer needed
• Access: Only authorized personnel based on business need

Access Control

User Access Management

Authentication Requirements:

• Unique user IDs for all users
• Strong passwords (minimum 12 characters, complexity requirements)
• Multi-factor authentication (MFA) for remote access and sensitive systems
• Biometric authentication where appropriate
• Regular password changes (every 90 days)

Authorization Principles:

• Least Privilege: Users only have access necessary for their role
• Need to Know: Access based on business requirement
• Segregation of Duties: No single person has end-to-end control
• Regular Reviews: Access rights reviewed quarterly

Account Management:

• New accounts created only with proper authorization
• Accounts disabled immediately upon termination
• Dormant accounts disabled after 90 days of inactivity
• Privileged accounts strictly controlled and monitored
• Shared accounts prohibited (except where technically unavoidable)

Physical Access Control

• Secure Areas: Server rooms, data centers restricted to authorized personnel
• Visitor Management: Sign-in procedures, escorts, visitor badges
• Clear Desk Policy: Sensitive documents locked away when not in use
• Clear Screen Policy: Lock screens when leaving workstations
• Access Cards: Electronic access control with audit trails
• CCTV: Monitoring of sensitive areas

Acceptable Use

Permitted Use

Company IT systems may be used for:

• Legitimate business purposes
• Reasonable incidental personal use (email, internet browsing)
• Professional development and learning

Prohibited Activities

Users must NOT:

• Access, download, or distribute illegal, offensive, or inappropriate content
• Install unauthorized software or hardware
• Bypass or attempt to bypass security controls
• Share login credentials or passwords
• Use company systems for personal commercial gain
• Send spam, chain letters, or malicious emails
• Download pirated software, music, or videos
• Access systems or data without authorization
• Disclose confidential information to unauthorized parties
• Use company resources for political campaigning or lobbying
• Engage in cyberbullying or harassment

Personal Use

Limited personal use is permitted provided it:

• Does not interfere with work duties
• Does not consume significant resources
• Complies with all other policies
• Does not involve prohibited activities

Email and Internet Use

Email Security

• Business Use: Email is a business tool and monitored
• Confidential Information: Encrypt sensitive emails
• External Communications: Professional and appropriate
• Attachments: Scan for malware before opening
• Phishing: Report suspicious emails immediately
• Auto-forwarding: Prohibited to external addresses
• Distribution Lists: Use carefully to avoid data breaches

Internet Security

• Acceptable Browsing: Business-related and reasonable personal use
• Blocked Sites: Prohibited content automatically blocked
• Downloads: Only from trusted sources
• Cloud Services: Only approved services for business data
• Social Media: Professional conduct, no disclosure of confidential information
• Monitoring: Internet usage logged and monitored

Mobile Devices and Remote Working

Mobile Device Security

For smartphones, tablets, and laptops:

• Device Encryption: Full disk encryption required
• Password Protection: Strong PIN/password and auto-lock
• Remote Wipe: Capability enabled for lost/stolen devices
• Software Updates: Keep OS and apps updated
• Antivirus: Install and maintain security software
• Lost/Stolen: Report immediately to IT
• Personal Devices (BYOD): Only if approved and meeting security requirements

Remote Access Security

When working remotely:

• VPN Required: Use company VPN for remote connections
• Secure Networks: Avoid public Wi-Fi for confidential work
• Home Security: Secure home networks with strong passwords
• Video Calls: Be aware of background visibility
• Documentation: Do not leave confidential documents visible
• Physical Security: Lock screens when away from device

Data Protection and Privacy

Personal Data Handling

When processing personal data:

• Lawful Basis: Only process with legal justification
• Data Minimization: Collect only what’s necessary
• Purpose Limitation: Use only for stated purposes
• Accuracy: Keep data accurate and up to date
• Storage Limitation: Retain only as long as necessary
• Security: Implement appropriate technical and organizational measures
• Individual Rights: Respect rights to access, rectification, erasure, etc.

Data Subject Rights

We facilitate rights to:

• Access personal data (Subject Access Requests)
• Rectification of inaccurate data
• Erasure (“right to be forgotten”)
• Restriction of processing
• Data portability
• Object to processing
• Opt out of automated decision-making

Data Breach Response

In the event of a personal data breach:

• Immediate Action: Contain the breach and minimize impact
• Assessment: Evaluate severity and potential harm
• Notification: Report to ICO within 72 hours if required
• Communication: Inform affected individuals if high risk
• Documentation: Record all breaches and response actions
• Investigation: Identify root cause and preventive measures

Cybersecurity Measures

Malware Protection

• Antivirus Software: Installed on all devices and kept updated
• Email Scanning: Automatic scanning of attachments
• Web Filtering: Blocking known malicious sites
• USB Devices: Scanned before use
• Quarantine: Automatic isolation of suspected malware
• Updates: Regular signature updates

Patch Management

• Critical Patches: Applied within 48 hours of release
• Regular Updates: Operating systems and applications kept current
• Testing: Patches tested before deployment where possible
• Vulnerability Scanning: Regular scans for security weaknesses

Network Security

• Firewalls: Protect network perimeter
• Intrusion Detection: Monitor for suspicious activity
• Network Segmentation: Separate sensitive systems
• Wireless Security: WPA3 encryption, strong passwords
• Guest Networks: Isolated from business systems

Backup and Recovery

• Regular Backups: Daily automated backups of critical data
• Off-site Storage: Backups stored securely off-site or in cloud
• Encryption: Backups encrypted in transit and at rest
• Testing: Restore procedures tested quarterly
• Retention: Backups retained according to retention policy
• Ransomware Protection: Immutable backups to prevent encryption

Incident Response

Security Incident Types

Security incidents include:

• Malware infections
• Phishing attacks
• Unauthorized access attempts
• Data breaches
• Lost or stolen devices
• Denial of service attacks
• Insider threats
• Social engineering attacks

Reporting Procedure

All security incidents must be reported immediately:

1. Contact IT Support: Report incident as soon as discovered
2. Preserve Evidence: Do not delete or modify anything
3. Isolate Systems: Disconnect affected systems if instructed
4. Document: Note time, nature of incident, and actions taken

Contact Details:

• IT Support Email: info@worldoftextiles.com
• Telephone: +44 1234 567 890
• Emergency Out-of-Hours: [To be established]

Incident Response Process

1. Detection and Reporting: Incident identified and reported
2. Triage: Assess severity and impact
3. Containment: Isolate affected systems
4. Investigation: Determine cause and extent
5. Eradication: Remove threat and vulnerabilities
6. Recovery: Restore systems and data
7. Post-Incident Review: Lessons learned and improvements

Third-Party Security

Supplier Security

Third parties with access to our systems or data must:

• Due Diligence: Security assessment before engagement
• Contracts: Include security and data protection clauses
• Access Control: Minimum necessary access
• Monitoring: Regular review of access and activity
• Audit Rights: Allow security audits
• Incident Notification: Report security incidents promptly

Cloud Services

When using cloud services:

• Approved Providers: Only vetted and approved services
• Data Location: Understand where data is stored
• Security Controls: Verify provider security measures
• Contracts: Ensure data protection agreements
• Access Management: Control who can access cloud data

Cryptography

Encryption Standards

• Data in Transit: TLS 1.2 or higher for network transmission
• Data at Rest: AES-256 for stored confidential data
• Email Encryption: PGP or S/MIME for sensitive emails
• Full Disk Encryption: All laptops and mobile devices
• Key Management: Secure generation, storage, and rotation of encryption keys

When to Encrypt

Encryption is required for:

• Personal data
• Confidential or restricted information
• Data transmitted over public networks
• Portable devices (laptops, USB drives, external drives)
• Backup media
• Email attachments containing sensitive information

Security Awareness and Training

Training Requirements

All employees must complete:

• Induction Training: Security awareness during onboarding
• Annual Refresher: Mandatory yearly security training
• Phishing Simulations: Regular phishing awareness tests
• Role-Specific Training: Additional training for IT and security roles
• Updates: Training on new threats and policies

Training Topics

• Password security and authentication
• Phishing and social engineering recognition
• Safe internet and email use
• Data protection and privacy
• Mobile device security
• Incident reporting
• Physical security
• Clean desk and clear screen policies

Monitoring and Compliance

Security Monitoring

We monitor:

• System access logs
• Network traffic patterns
• Failed login attempts
• Security alerts and events
• Antivirus/malware detections
• Data transfers (especially to external locations)
• Privileged account activity

Compliance Auditing

Regular audits include:

• Access Reviews: Quarterly review of user access rights
• Security Scans: Monthly vulnerability assessments
• Penetration Testing: Annual ethical hacking tests
• Policy Compliance: Random checks of policy adherence
• Third-Party Audits: Independent security assessments
• Certification: Maintain Cyber Essentials certification

Responsibilities

Chief Information Security Officer (CISO) / IT Manager

• Overall responsibility for information security
• Develop and maintain security policies
• Manage security incidents
• Conduct risk assessments
• Report to senior management on security posture
• Ensure compliance with regulations

Line Managers

• Ensure team members complete security training
• Authorize access requests for team members
• Monitor compliance within their teams
• Report security incidents
• Support security initiatives

All Employees

• Comply with all security policies and procedures
• Protect credentials and access rights
• Report security incidents immediately
• Complete mandatory training
• Handle information according to classification
• Use systems appropriately and responsibly

IT Department

• Implement and maintain security controls
• Monitor security systems and respond to alerts
• Apply patches and updates
• Manage user accounts and access
• Support incident response
• Provide security guidance to users

Consequences of Non-Compliance

Violations of this policy may result in:

• Verbal or written warnings
• Suspension of system access
• Retraining requirements
• Disciplinary action up to dismissal
• Legal action for criminal activity
• Reporting to law enforcement

Security breaches may also violate:

• Data Protection Act (fines up to £17.5 million or 4% of turnover)
• Computer Misuse Act (criminal prosecution)
• Copyright laws
• Contractual obligations

Policy Review and Updates

This policy will be reviewed:

• Annually as a minimum
• Following significant security incidents
• When technology or threats change
• When legislation changes
• When recommended by audits

Contact and Support

For security questions, advice, or to report incidents:

• IT Support: info@worldoftextiles.com
• Telephone: +44 1234 567 890
• Security Incidents: Report immediately via phone or email

External resources:

• National Cyber Security Centre (NCSC): www.ncsc.gov.uk
• Action Fraud: 0300 123 2040 (cybercrime reporting)
• Information Commissioner’s Office (ICO): 0303 123 1113
• Get Safe Online: www.getsafeonline.org

Key Security Principles

Think Before You Click - Verify before opening attachments or links

If in Doubt, Don’t - Ask IT if you’re unsure about security

Report Immediately - Early reporting minimizes damage

Security is Everyone’s Responsibility - We all play a part

Approved by: Senior Management Team / Board of Directors Policy Owner: Chief Information Security Officer / IT Manager Next Review Date: December 2026 Version: 2.0