Information Security Policy
Verv’s Information Security Policy is outlined below.
1. Introduction
1.1 Purpose
The purpose of this Information Security Policy is to protect Verv Energy’s information assets from threats, whether internal or external, deliberate or accidental. This policy outlines the measures necessary to ensure the confidentiality, integrity, and availability of Verv’s information resources.
1.2 Scope
This policy applies to all employees, contractors, and third-party service providers who access Verv’s information systems. It covers all forms of information, including electronic, paper, and verbal communications.
1.3 Objectives
- Ensure the confidentiality, integrity, and availability of Verv’s information.
- Protect information against unauthorised access and breaches.
- Comply with relevant legal, regulatory, and contractual obligations.
- Promote a culture of security awareness and responsibility among employees.
2. Roles and Responsibilities
2.1 Information Security Manager
- Develop and maintain the information security policy.
- Conduct regular risk assessments and security audits.
- Ensure compliance with legal and regulatory requirements.
- Provide information security training and awareness programmes.
- Investigate security incidents and implement corrective actions.
2.2 Department Heads
- Ensure departmental compliance with the information security policy.
- Report any security incidents or concerns to the Information Security Manager.
2.3 Employees
- Adhere to all information security policies and procedures.
- Report any suspicious activities or security breaches to their supervisor or the Information Security Manager.
- Participate in security training and awareness programmes.
3. Information Security Measures
3.1 Access Control
- User Authentication: All users must have unique user IDs and passwords. Multi-factor authentication (MFA) will be implemented where applicable.
- Access Rights: Access to information systems will be based on the principle of least privilege, ensuring that users only have access to information necessary for their roles.
- Review of Access Rights: Access rights will be reviewed regularly to ensure they remain appropriate.
3.2 Data Protection
- Data Classification: Information will be classified based on its sensitivity and criticality. Classifications will determine the level of protection required.
- Data Encryption: Sensitive data will be encrypted both in transit and at rest.
- Data Retention: Data will be retained only as long as necessary for business or legal purposes. Secure disposal methods will be used for data no longer needed.
3.3 Network Security
- Firewalls: Firewalls will be used to protect Verv’s network from unauthorised access.
- Intrusion Detection and Prevention: Systems will be in place to detect and prevent potential security breaches.
- Secure Connections: Virtual Private Networks (VPNs) and other secure connection methods will be used for remote access.
3.4 Physical Security
- Secure Facilities: Physical access to information systems and storage areas will be restricted to authorised personnel.
- Workstation Security: Computers and other devices must be locked when unattended. Anti-virus and anti-malware software will be installed and regularly updated.
- Backup and Recovery: Regular backups of critical data will be performed, and recovery procedures will be tested periodically.
4. Incident Response
4.1 Reporting
- Incident Reporting: All information security incidents, including data breaches, must be reported immediately to the Information Security Manager.
- Documentation: Detailed records of all security incidents will be maintained, including the nature of the incident, the response actions taken, and the outcomes.
4.2 Response Procedures
- Incident Management: An incident response team will be established to manage and respond to security incidents.
- Investigation: Incidents will be investigated to determine their cause and impact. Appropriate remedial actions will be taken.
- Communication: Relevant stakeholders, including affected individuals and regulatory authorities, will be notified as required.
5. Training and Awareness
5.1 Employee Training
- Security Training: Regular training sessions will be conducted for all employees on information security policies, procedures, and best practices.
- Drills and Exercises: Periodic drills and exercises will be conducted to test the effectiveness of security measures and employee preparedness.
5.2 Awareness Programmes
- Security Awareness: Ongoing security awareness programmes will be implemented to keep employees informed about potential threats and the importance of information security.
- Communication: Regular updates and reminders about security policies and procedures will be communicated through internal channels.
6. Policy Compliance
6.1 Audits and Inspections
- Regular Audits: The Information Security Manager will conduct regular audits and inspections to ensure compliance with the information security policy.
- Corrective Actions: Any identified deficiencies will be addressed promptly, and corrective actions will be implemented to prevent recurrence.
6.2 Disciplinary Actions
- Non-Compliance: Employees found to be in violation of the information security policy may face disciplinary actions, up to and including termination of employment.
- Reporting: Any deliberate breach of security protocols must be reported to the Information Security Manager for investigation.
7. Review and Update
7.1 Policy Review
- Annual Review: The information security policy will be reviewed annually to ensure its continued relevance and effectiveness.
- Updates: The policy will be updated as needed to reflect changes in the threat landscape, technological advancements, and best practices.
8. Conclusion
Verv is committed to ensuring the security and integrity of its information assets. This Information Security Policy provides the framework for protecting the company against information security threats and disruptions. By adhering to the standards and procedures outlined in this policy, Verv can maintain a secure environment conducive to its mission and objectives.