IT Security Policy

  1. Purpose
    The IT Security Policy establishes guidelines for protecting Melrose Labs' information assets, ensuring confidentiality, integrity, and availability of systems and data.
  2. Scope
    This policy applies to all employees, contractors, and third parties accessing Melrose Labs' IT infrastructure, including networks, applications, cloud services, and data storage.
  3. Information Security Principles
    • Confidentiality: Ensuring data access is restricted to authorised users.
    • Integrity: Protecting data from unauthorised modifications.
    • Availability: Ensuring data and systems remain accessible when needed.
  4. Access Control
    • User access is managed based on the Change Management Policy.
    • Multi-factor authentication (MFA) is required for remote access.
    • Access is granted on a need-to-know and least privilege basis.
  5. Network and Infrastructure Security
    • All network traffic is monitored for security threats.
    • Firewalls, intrusion detection, and encryption are implemented.
    • Secure connections (e.g. VPN, SSH) are required for cloud service access, as set out in the Cloud Security Standards Policy.
  6. Data Protection and Backup
    • Critical data is encrypted at rest and in transit.
    • Backups are managed per the Backup Policy.
    • Data retention follows regulatory compliance requirements.
  7. Software and Patch Management
    • Regular vulnerability assessments and patching are required as per the Software Update and Vulnerability Management Policy.
    • All software must be approved and scanned for security risks before deployment.
  8. Incident Response and Disaster Recovery
    • Security incidents must be reported immediately to IT security teams.
    • Incident response follows the Disaster Recovery Plan (DRP).
    • Affected systems are restored based on Business Continuity Plan (BCP) guidelines.
  9. Employee Responsibilities
    • Employees must complete regular security awareness training.
    • Password policies enforce complexity and expiration requirements.
    • Personal devices used for work must comply with security guidelines.
  10. Compliance & Review
    • The IT Security Policy is reviewed annually to align with industry standards (ISO 27001, GDPR).
    • Security audits and penetration testing are conducted regularly.