Zest recognises that information is acritical asset. Failure to protect Zest’s information can result in financialloss including fines, reputational damage and/or loss of business.
In addition to the information there are other associated processes, systems and networks that are critical to Zest and it's essential that we maintain their operational effectiveness.
Customers, employees, partners and suppliers entrust that any information we hold is protected. Some information, including that identified by Zest as being confidential or which needs to comply with legislation/regulation, is particularly sensitive and will be protected with additional controls.
The threat landscape identifies that businesses can be subjected to a wide variety of increasingly sophisticated security threats, such as viruses, hackers, computer-assisted fraud, commercial espionage, industrial sabotage, insider threat, crime, and natural disasters such as fire or flood.
Furthermore, with the dependence on data, information systems and services we become increasingly vulnerable to these types of threats.
The purpose of the Information Security Policy is to define the principles for the protection of Zest’s information assets to protect our customers, employees, and partners information from all threats whether that is internal or external, deliberate, or accidental.
• Ensure secure information sharing.
• Ensure that everyone is clear about their roles in using and protecting information.
• Protect Zest from legal liability and the inappropriate use of information.
The policy supports the three key business objectives for Information Security:
• Confidentiality: unauthorised access to information is prevented, all access to data will be based on a user's 'Need to Know'
• Integrity: Information is protected from unauthorised changes whether accidental or deliberate.
• Availability: Information is available to authorised users when needed.
The Information Security Policy is ahigh-level document which identifies a range of security controls, which together with a governance model provides the information security management system to protect Zest’s information.
The policy applies to all Zest personnel, third parties (As part of the third-party due diligence on-boarding process), contractors, vendor's subsidiaries and any individual or entity that is provided with access to Zest’s information.
Everyone who has access to Zest’sinformation has a responsibility to protect it and comply with the Zest’ssecurity policies and controls.
The policy applies to all forms of information, and include but are not limited to:
• Communications via phone, radio, speech, spoken face to face, by video call, or group Teams call /Chat.
• Information that has been written on paper or printed. This includes any flip charts, whiteboards, paper stored in storage cabinets or drawers.
• Communications that are sent via post/courier, fax and electronic communication for example, instant messaging, file transfer, text messaging, e-mail.
• Information posted on public websites and social media sites.
•Information stored electronically on any device including servers, scanners, printers, workstations, laptops, tablets, and smartphones.
• Information stored on any type of removable media including CD's, DVD's, tape, USB memory sticks, portable disk drives, memory cards and digital cameras.
Zest’s security policies will be communicated to all employees, contractors and third parties to ensure that they fully understand their responsibilities.
Security accountabilities will be included in job descriptions and terms and conditions of employment will cover general responsibilities for security.
Verification checks will be carried out on all new employees, contractors and third parties who hold, transfer, or process Zest’s information. (Verification checks/ processes may vary with in functional areas. Always check with your local Human Resources Partner and / or the People Director)
Enhanced checks will be undertaken for new personnel being assigned to sensitive positions within Zest, or existing staff being promoted to sensitive positions
Conversations involving sensitive information should not occur where they can be easily overheard. Quiet areas or meeting rooms should be used for sensitive information exchange wherever possible.
Telephone conversations involving sensitive information should be conducted discreetly and, where possible, in private, and great care should be exercised if communications can be easily recorded by any parties, such as during an online Teams call or similar
Encryption techniques will be used to protect sensitive information both at rest and when in transit. (When data encryption is not possible due to legacy systems or compatibility issues compensating controls will be in place)
All personnel have a responsibility to adhere to the policy and standards regardless of their status:
• All Regulatory and legislative requirements will be met.
• All users of IT systems will be accountable for their actions.
• Responsibilities for the protection of individual IT assets and for carrying out specific security processes will be clearly defined and documented.
• Procedures will be implemented to ensure compliance with legal restrictions on the use of material in respect of intellectual property rights and on the use of proprietary software products.
• Controls will be applied to protect personal information in accordance with relevant legislation.
• IT systems shall be regularly checked for compliance with security requirements.