Unit4’s Commitment and Policy
Unit4 is committed to preserving the security of its information assets. We have identified the information assets of the company, our customers and our business partners that we need to take proactive action to protect. We promote information security best practices and encourage vigilance over possible threats from any source. To help us achieve this aim, we have created an information security management system which satisfies the requirements of BS EN ISO 27001 and have sought assessment and formal registration to the Standard.
We have agreed our Information Security Objectives.
We have a clear Information Security Policy.
We insist that we are security-focused throughout the organisation.
We have identified and evaluated our Information Security risks.
We comply with relevant Legal and Regulatory requirements.
We have defined everyone’s Roles, Responsibilities & Authorities.
We have appointed a Standards Compliance Director and a Head of Compliance and Security.
We recognise that effective Internal & External Communications are paramount.
Because “Information Security is the Foundation of our Business”.
Scope of the Information Security Management System
The Scope of our Information Security Management System is defined as -
“The Design, Development, Provision and Support of Unit4 Software Products and Associated
Consultancy, Technical and Managed IT Services. Statement of Applicability v5.”
Our Information Security Policy
It is our Policy to ensure that:
Information will be protected against unauthorised access and disclosure.
Confidentiality of information will be maintained.
Integrity of information will be protected from unauthorised modification.
Regulatory and legislative requirements will be met.
Business continuity plans will be maintained and tested (as far as practicable).
All suspected breaches of information security will be reported and investigated.
Adequate prevention and detection of viruses and other malicious software will be ensured.
Appropriate training will be provided for all employees.
We are also committed to:
Assuring customers of full confidentiality.
Identifying, through appropriate risk assessment, the value of information assets, and understanding the vulnerabilities and threats that may expose them to risk.
Managing such risks appropriately.
Complying with contractual requirements, procedures and practices, and with ISO 27001.
Complying with applicable Legislation, as referenced in our Legal Register.
We will set, monitor, achieve and review measurable objectives for the maintenance and improvement of our Information Security Management System. The ultimate forum for this will be the Management Review.
Approved by Managing Director UK&I. Date: 27/09/2017
Unit4 Information Security Management Policy
“To promote information security best practices and encourage vigilance over possible threats from any source under the guidelines of ISO 27001, as Information Security is the Foundation of our Business”
Version 4.08, 09/17
Information Security Responsibilities
Unit4 communicates this policy, and the obligations and responsibilities required by the Information Security Management System, to all employees on their induction into the organisation. We display this Policy on internal noticeboards and have developed an area on our intranet dedicated to our Information Security Management System.
Responsibility for the upkeep of the Information Security Management System lies with:
Finance Director – Paul Cross: ultimate responsibility for strategic direction, objectives and goals.
Head of Compliance and Security – Joanne Higginson: responsibility for ensuring that the requirements of the standard are implemented and maintained, and for reporting on its performance.
Supported by the Standards Compliance Team, made up of Kirsty Dalby.
To reinforce our commitment we have nominated Information Security Champions across our organisation. These individuals continually assess the activities within their teams to identify improvements and, wherever possible, to reduce any threat to the security of data.
Information Security Champions
Customer Support – Suzanne Pharoah
Inside Sales – Neil Georgeson
Sales – Sohail Bokhari
Technical Support – Stewart Phillips
Consultancy – Suzanne Holder
Marketing – Elise Toulman
Customisation UBW – Helen Mcloughlin
Project Management – Suzanne Holder
Development – David Evans
Facilities – Team Leader / Coordinator
Finance – Angela Parson
Legal – Anne Asher
HR – Kirsty Graham
Pre Sales – Nick Dawson
Sales Admin – Valerie Collins
Staff Responsibility
All staff are responsible for considering how their actions can affect information security, and they are encouraged to take an active role in the information security management system. In practice this means all staff:
Ensure that any sensitive information they are required to handle is treated appropriately.
In line with internal Policies, lock away all confidential or sensitive information in the appropriate project folder when it is not in use, particularly outside office hours.
Ensure that, where practical, sensitive electronic documents are password protected.
When it is necessary to send confidential or sensitive information to a customer, supplier or other third party, do so in a secure manner:
If emailing electronic files, ensure the files are password protected, with the password passed to the recipient separately (never in the same email as the files).
If files are to be copied to a mobile device, ensure they are password protected, with the password passed to the recipient separately.
If sensitive information is being delivered by post, mark the package “Private and Confidential” and require a signature on receipt.
Ensure that information which is no longer required is disposed of in a secure manner.
If it is necessary to archive sensitive information, ensure it is clearly labelled as confidential and appropriately archived.
Unit4 Information Security Management Objectives & Targets
In order for us as a company, and for our staff, to identify and monitor whether we are successfully meeting our Information Security Management Policy, we have set Information Security Objectives and Targets across our organisation. This allows our performance to be regularly monitored and measured for success. Our Information Security Objectives and Targets are shown below:
To analyse and report on the performance of the control measurements
Review Third Party Quarterly to Ensure Effectiveness in 2017
To maintain certification to ISO 27001 for Information Security Management at all sites through 2017
Complete bi-annual security reports
To ensure a security incident will not result in a loss of custom
Begin investigation into security incidents within 1 business day during 2017
Complete third party authorisation process for all new third parties
Ensuring awareness of Information Security goals and systems for new starters
Ensuring ongoing Information Security awareness training is available and monitored
To have no significant security breaches during 2017
How do we achieve this?
Information Security Operational Control
Below identifies the steps taken to introduce and control the Information Security Management System. Unit4 has considered the security requirements of our stakeholders and has implemented security controls to meet the expectations of the market.
The Information Security Operational Control cycle, supported by the Legal Register and by our Procedures & Records:
1. Identify Information Security Assets and Risks; prepare the Compliance Control Manual
2. Establish POLICY, OBJECTIVES and LEGAL & REGULATORY REQUIREMENTS
3. Complete the STATEMENT OF APPLICABILITY, ASSET REGISTER, STAFF HANDBOOK and BUSINESS CONTINUITY PLAN
4. Monitor and Measure performance
5. Review Performance, re-evaluate Risks & Set New Improvement targets
ISO 9001 (Quality Management) and ISO 27001 (Information Security Management)
Our Information Security Management System has been designed to fully integrate with our Quality Management System, which is based on the requirements of ISO 9001. All our procedures for Information Security Management are therefore held within our Quality Management System and stored centrally under:
http://44mossagruk/quality/Business%20Procedures/Forms/AllItems.aspx
In addition we have created an area on our intranet site dedicated to the Information Security Management System:
http://44mossagruk/quality/IS/default.aspx
This area is available to all staff and holds all our Information Security records and information.
Compliance with Legislation
To avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements, Unit4 carries out a review of compliance with legislation annually. We have defined all relevant statutory, regulatory and contractual requirements, and our approach to meeting them, in our Register of Information Security Legislation, which can be found here:
http://44mossagruk/quality/IS/Shared Documents/6. IS Legal Register/Register of Information Security Legislation.docx
We ensure compliance on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products. Records are protected from loss, destruction and falsification; data protection and privacy are ensured and supported by the Unit4 Data Protection Policy, which can be found via the link below:
http://www.unit4.com/about/ethics
Managers ensure that all security procedures within their area of responsibility are carried out correctly to achieve compliance with security policies and standards, which in turn helps us to comply with legislative requirements. Changes in legislative requirements will be reflected in the Register of Information Security Legislation.
Cross reference between our Information Security Management System and ISO 27001
Table: each row is an ISMS document or process and each column is an ISO 27001 clause; a mark in a cell shows that the document supports that clause. The clauses and the rows are listed below.
Information Security Management Requirements (ISO 27001 clauses):
4. Context of the Organisation
  4.1 Understanding the organisation and its context
  4.2 Understanding the needs and expectations of interested parties
  4.3 Determining the scope of the information security management system
  4.4 Information security management system
5. Leadership
  5.1 Leadership and commitment
  5.2 Policy
  5.3 Organisational roles, responsibilities and authorities
6. Planning
  6.1 Actions to address risks and opportunities
  6.2 Information security objectives and planning to achieve them
7. Support
  7.1 Resources
  7.2 Competence
  7.3 Awareness
  7.4 Communication
  7.5 Documented information
8. Operation
  8.1 Operational planning and control
  8.2 Information security risk assessment
  8.3 Information security risk treatment
9. Performance evaluation
  9.1 Monitoring, measurement, analysis and evaluation
  9.2 Internal audit
  9.3 Management review
10. Improvement
  10.1 Nonconformity and corrective action
  10.2 Continual improvement
ISMS documents and processes cross-referenced against these clauses (table rows):
ISMS Policy Manual
Statement of Applicability
Asset Register & Risk Assessment
Business Continuity Plan
IS Handbook
Legal Register
Internal Training / Training Records
Recruitment Process
Induction Process
Internal Audit Process
Management Review Process / Monthly Reporting
Incident Reporting
Improvement Notice Procedure
Quality Work Procedure
Authorised Supplier Procedure
Standards Communication Procedure
IS Operational Control Procedure
External Document Control Procedure
IS/BCM Control of Records Procedure
Statistics Procedure
Measurement of Control Effectiveness