Effective Date: 1st September 2023

## 1. Introduction

Elevating Business Limited (“we,” “our,” or “us”) is committed to safeguarding the confidentiality, integrity, and availability of our information assets and ensuring the security of our business operations. This Security Policy outlines our approach to security and the responsibilities of all employees and stakeholders.

## 2. Information Security Objectives

Our information security objectives include:

– Protecting sensitive and confidential information.

– Ensuring the availability and reliability of our systems.

– Complying with legal and regulatory requirements, including GDPR.

– Minimizing the risk of security incidents and breaches.

– Continuously improving our security posture.

## 3. Roles and Responsibilities

### 3.1. Management

Management is responsible for:

– Defining and communicating security objectives.

– Allocating resources for security initiatives.

– Monitoring compliance with this policy.

– Approving security-related policies and procedures.

### 3.2. Employees

All employees are responsible for:

– Complying with security policies and procedures.

– Reporting security incidents promptly.

– Safeguarding sensitive information.

– Participating in security awareness training.

### 3.3. IT Department

The IT department is responsible for:

– Implementing and maintaining security measures.

– Conducting regular risk assessments and security audits.

– Managing access controls and authentication.

– Responding to security incidents and breaches.

## 4. Access Control

Access to systems and data is controlled based on the principle of least privilege:

– User access is granted based on job roles and responsibilities.

– Access rights are reviewed regularly and revoked upon job changes.

– Strong authentication mechanisms are implemented.

– Passwords are securely stored and regularly updated.

## 5. Data Protection

We are committed to protecting personal and sensitive data:

– Data classification and handling procedures are established.

– Encryption is employed for sensitive data in transit and at rest.

– Data backups are conducted regularly and securely stored.

– Data retention policies are defined and adhered to.

## 6. Incident Response

We maintain an incident response plan:

– Security incidents are reported promptly.

– Incident response team is designated and trained.

– Incidents are investigated, documented, and reported as required by law.

– Remediation plans are developed and executed.

## 7. Training and Awareness

We provide ongoing security awareness training:

– Employees receive training on security policies and procedures.

– Phishing awareness and social engineering training are conducted.

– Employees are encouraged to report security concerns.

## 8. Compliance and Audit

We conduct regular security audits and assessments:

– Compliance with this policy is audited periodically.

– Security controls are tested and evaluated.

– Audit results are used to improve security measures.

## 9. Review and Revision

This Security Policy is reviewed periodically to ensure its effectiveness and relevance. Updates may be made as necessary to address new threats or changes in the business environment.

## 10. Contact Information

For questions, concerns, or reporting security incidents, please contact:

Matthew Southgate,

Runway House, Northweald, Essex, CM16 6HR