1. Introduction
The confidentiality, integrity and availability of information, in all its forms, are critical to the
ongoing functioning and good governance of Geeky Designs Ltd. Failure to adequately
secure information increases the risk of financial and reputational losses from which it may
be difficult for Geeky Designs Ltd to recover. This information security policy outlines Geeky
Designs Ltd's approach to information security management. It provides the guiding principles
and responsibilities necessary to safeguard the security of the company's information
systems. Supporting policies, codes of practice, procedures and guidelines provide further
details. Geeky Designs Ltd is committed to a robust implementation of Information Security
Management. It aims to ensure the appropriate confidentiality, integrity and availability of
its data. The principles defined in this policy will be applied to all of the physical and
electronic information assets for which Geeky Designs Ltd is responsible. Geeky Designs
Ltd is specifically committed to preserving the confidentiality, integrity and availability of
documentation and data supplied by, generated by and held on behalf of third parties
pursuant to the carrying out of work agreed by contract in accordance with the
requirements of data security standard ISO 27001.
1.1 Objectives
The objectives of this policy are to:
1. Provide a framework for establishing suitable levels of information security for all
Geeky Designs Ltd information systems (including but not limited to all Cloud
environments commissioned or run by Geeky Designs Ltd, computers, storage, mobile
devices, networking equipment, software and data) and to mitigate the risks associated
with the theft, loss, misuse, damage or abuse of these systems.
a. This explicitly includes any ISO27001-certified Information Security Management
Systems the company may run.
b. The resources required to manage such systems will be made available.
c. Continuous improvement of any ISMS will be undertaken in accordance with Plan Do
Check Act principles.
2. Make certain that users are aware of and comply with all current and relevant UK and
EU legislation.
3. Provide the principles by which a safe and secure information systems working
environment can be established for staff, students and any other authorised users.
4. Ensure that all users understand their own responsibilities for protecting the
confidentiality and integrity of the data that they handle.
5. Protect Geeky Designs Ltd from liability or damage through the misuse of its IT
facilities.
6. Maintain research data and other confidential information provided by suppliers at a
level of security commensurate with its classification, including upholding any legal and
contractual requirements around information security.
7. Respond to changes in the context of the organisation as appropriate, initiating a cycle
of continuous improvement.
1.2 Scope
This policy is applicable to, and will be communicated to, all staff and third parties who
interact with information held by Geeky Designs Ltd and the information systems
used to store and process it. This includes, but is not limited to: Cloud systems
developed or commissioned by Geeky Designs Ltd, any systems or data attached to the
Geeky Designs Ltd data or telephone networks, systems managed by Geeky Designs Ltd,
mobile devices used to connect to Geeky Designs Ltd networks or hold Geeky Designs
Ltd data, data over which Geeky Designs Ltd holds the intellectual property rights, data
over which Geeky Designs Ltd is the data controller or data processor, and electronic
communications sent from Geeky Designs Ltd.
2. Policy
2.1 Information security principles
The following information security principles provide overarching governance for the
security and management of information at Geeky Designs Ltd.
1. Information should be classified according to an appropriate level of confidentiality,
integrity and availability (see Section 2.3. Information Classification) and in accordance
with relevant legislative, regulatory and contractual requirements (see Section 2.2. Legal
and Regulatory Obligations).
2. Staff with particular responsibilities for information (see Section 3. Responsibilities)
must ensure the classification of that information; must handle that information in
accordance with its classification level; and must abide by any contractual requirements,
policies, procedures or systems for meeting those responsibilities.
3. All users covered by the scope of this policy (see Section 1.2. Scope) must handle
information appropriately and in accordance with its classification level.
4. Information should be both secure and available to those with a legitimate need for
access in accordance with its classification level.
a. On this basis, access to information will be on the basis of least privilege and need
to know.
5. Information will be protected against unauthorised access and processing in
accordance with its classification level.
6. Breaches of this policy must be reported (see Sections 2.4. Compliance and 2.5.
Incident Handling).
7. Information security provision and the policies that guide it will be regularly reviewed,
including through the use of annual internal audits and penetration testing.
8. Any explicit Information Security Management Systems (ISMSs) run within the
company will be appraised and adjusted through the principles of continuous
improvement, as laid out in ISO27001 clause 10.
2.2 Legal & Regulatory Obligations
Geeky Designs Ltd has a responsibility to abide by and adhere to all current UK and EU
legislation as well as a variety of regulatory and contractual requirements. A non-exhaustive
summary of the legislation and regulatory and contractual obligations that
contribute to the form and content of this policy is provided in Appendix A. Related
policies will detail other applicable legislative requirements or provide further detail on
the obligations arising from the legislation summarised below.
2.3 Information Classification
The following table provides a summary of the information classification levels that have
been adopted by Geeky Designs Ltd and which underpin the 8 principles of information
security defined in this policy. These classification levels explicitly incorporate the
General Data Protection Regulation’s definitions of Personal Data and Special Categories
of Personal Data, as laid out in Geeky Designs Ltd Data Protection Policy, and are
designed to cover both primary and secondary research data. Detailed information on
defining information classification levels and providing appropriate levels of security and
access is provided in the Data Classification Standard. Information on appropriate
encryption techniques for securing Confidential data can be found on the Geeky Designs
Ltd website here. Information may change classification levels over its lifetime, or due to
its volume – for instance.
Confidential: Normally accessible only to specified members of Geeky Designs Ltd staff.
Should be held in an encrypted state outside Geeky Designs Ltd systems; may have
encryption at rest requirements from providers.
2.4 Suppliers
All Geeky Designs Ltd suppliers will abide by the Geeky Designs Ltd Information Security
Policy, or otherwise be able to demonstrate corporate security policies providing
equivalent assurance. This includes:
• when accessing or processing Geeky Designs Ltd assets, whether on site or remotely
• when subcontracting to other suppliers.
2.5 Cloud Providers
Under the GDPR, a breach of personal data can lead to a fine of up to 4% of global
turnover. Where Geeky Designs Ltd uses Cloud services, Geeky Designs Ltd retains
responsibility as the data controller for any data it puts into the service, and can
consequently be fined for any data breach, even if this is the fault of the Cloud service
provider. Geeky Designs Ltd will also bear the responsibility for contacting the Information
Commissioner’s Office concerning the breach, as well as any affected individual. It will
also be exposed to any lawsuits for damages as a result of the breach. It is extremely
important, as a consequence, that Geeky Designs Ltd is able to judge the
appropriateness of a Cloud service provider’s information security provision. This leads
to the following stipulations:
1. All providers of Cloud services to Geeky Designs Ltd must respond to the Geeky Designs
Ltd Cloud Assurance Questionnaire prior to a service being commissioned, in order for
Geeky Designs Ltd to understand the provider’s information security provision.
2. Cloud services used to process personal data will be expected to have ISO27001
certification, with adherence to the standard considered the best way of a supplier
proving that it has met the GDPR principle of privacy by design, and that it has
considered information security throughout its service model.
3. Any request for exceptions will be considered by the Risk Manager and the Chief
Operating Officer.
2.6 Compliance, Policy Awareness and Disciplinary Procedures
Any security breach of Geeky Designs Ltd information systems could lead to the possible
loss of confidentiality, integrity and availability of personal or other confidential data
stored on these information systems. The loss or breach of confidentiality of personal
data is an infringement of the General Data Protection Regulation, contravenes the Geeky
Designs Ltd Data Protection Policy, and may result in criminal or civil action against
Geeky Designs Ltd. The loss or breach of confidentiality of contractually assured
information may result in the loss of business, financial penalties or criminal or civil
action against Geeky Designs Ltd. Therefore it is crucial that all users of the company's
information systems adhere to the Information Security Policy and its supporting policies
as well as the Information Classification Standards. All current staff and other authorised
users will be informed of the existence of this policy and the availability of supporting
policies, codes of practice and guidelines. Any security breach will be handled in
accordance with all relevant policies, including the Conditions of Use of IT Facilities at
Geeky Designs Ltd and the appropriate disciplinary policies.
2.7 Incident Handling
If a member of staff is aware of an information security incident then they must report it
to the support team or telephone 0151 493 9493. Breaches of personal data will be
reported to Geeky Designs Ltd. If necessary, members of the company can also use the
Geeky Designs Ltd Whistle Blowing (Public Interest Disclosure) policy.
2.8 Supporting Policies, Codes of Practice, Procedures and Guidelines
Supporting policies have been developed to strengthen and reinforce this policy
statement. These, along with associated codes of practice, procedures and guidelines
are published together and are available on Geeky Designs Ltd website. All staff,
students and any third parties authorised to access Geeky Designs Ltd network or
computing facilities are required to familiarise themselves with these supporting
documents and to adhere to them in the working environment. Supporting policies may
be found at:
2.9 Review and Development
This policy, and its subsidiaries, shall be reviewed by the Management and updated
regularly to ensure that they remain appropriate in the light of any relevant changes to
the law, organisational policies or contractual obligations. Additional regulations may be
created to cover specific areas. The Management comprises representatives from all
relevant parts of the organisation. It shall oversee the creation of information security
and subsidiary policies. The Management will determine the appropriate levels of
security measures applied to all new information systems.
3. Responsibilities
Members of Geeky Designs Ltd and collaborators on Geeky Designs Ltd projects will be users of
Geeky Designs Ltd information. This carries with it the responsibility to abide by this policy and
its principles and relevant legislation, supporting policies, procedures and guidance. No
individual should be able to access information to which they do not have a legitimate access
right. Notwithstanding systems in place to prevent this, no individual should knowingly
contravene this policy, nor allow others to do so. To report policy contraventions, please see
Section 2.5: Incident Handling.
Data Controllers: Many members of Geeky Designs Ltd will have specific or overarching
responsibilities for preserving the confidentiality, integrity and availability of information.
These include:
Principal Investigators / Project administrators: Responsible for the security of information
produced, provided or held in the course of carrying out research, consultancy or knowledge
transfer activities. This includes ensuring that data is appropriately stored, that the risks to
data are appropriately understood and either mitigated or explicitly accepted, that the correct
access rights have been put in place, with data only accessible to the right people, and
ensuring there are appropriate backup, retention, disaster recovery and disposal mechanisms
in place.