  1. Purpose
    This policy outlines the cybersecurity framework for Arc network to protect digital assets, maintain data integrity, and ensure business continuity in an evolving threat landscape.
  2. Scope
    This policy applies to all employees, contractors, vendors, and any individuals with access to Arc network systems, networks, and data.
  3. Governance & Responsibility
    1. The group operations director is responsible for overseeing cybersecurity measures.
    2. Department heads must ensure compliance within their teams.
    3. All employees must adhere to security guidelines and report any suspicious activity.
  4. Access Control & Authentication
    1. Employees must use strong passwords and multi-factor authentication (MFA) for all systems.
    2. Access is granted based on the principle of least privilege.
    3. Regular access reviews will be conducted to ensure only authorized personnel have access to sensitive data.
  5. Data Protection & Privacy
    1. All company and customer data must be encrypted in transit and at rest.
    2. Employees must follow GDPR, California Consumer Privacy Act, and other relevant data protection regulations.
    3. Personal and sensitive data must only be stored on approved devices and platforms.
  6. Network Security
    1. Firewalls, intrusion detection systems (IDS), and anti-malware tools must be used to safeguard networks.
    2. All company devices must have up-to-date security patches and antivirus software.
  7. Incident Response & Reporting
    1. A formal incident response plan is in place to manage security breaches.
    2. Employees must report any suspected breaches or phishing attempts immediately.
    3. Security incidents will be logged, analysed, and remediated to prevent recurrence.
  8. Employee Training & Awareness
    1. Cybersecurity training is mandatory for all employees.
    2. Regular phishing simulations and awareness programs will be conducted.
    3. Employees must undergo refresher training at least annually.
  9. Third-Party & Vendor Management
    1. Vendors must comply with Arc network’s cybersecurity standards, detailed in this policy.
    2. Third-party access to company systems must be monitored and reviewed regularly.
    3. Contracts must include cybersecurity clauses and compliance requirements.
  10. Business Continuity & Disaster Recovery
    1. Regular data backups are conducted and securely stored.
    2. A disaster recovery plan is in place and tested annually.
    3. Systems have redundancy and failover mechanisms to ensure minimal downtime.
  11. Policy Compliance & Enforcement
    1. Non-compliance with this policy may result in disciplinary action.
    2. Regular audits and assessments will be conducted to ensure policy adherence.
    3. Employees are encouraged to provide feedback for continuous policy improvement.
  12. Review & Updates
    1. This policy will be reviewed annually and updated as necessary by the group operations director or deputy.
    2. Any major cybersecurity incidents will trigger an immediate review of the policy.

Appendix A: Cyber Breach Incident Response Protocol

This document is a best-practice guide to responding to a cyber security breach, for use by senior management, marketing, digital, and IT, depending on the exact nature of the breach.

  1. Basic Response Protocol
    1. Verify the nature of the breach. See separate response protocol for customer data breach.
    2. IT lead or deputy, digital director and group operations director meet, plus supplier representative if relevant.
    3. Confirm exact nature of the breach, which partners are involved, its impact on the business, and time to resolution.
    4. Alert senior management team and local exec team. Information included in point 3 should be communicated to them.
    5. If we have been hacked, break contact with the hacker.
    6. Agree timeline for resolution with supplier and action required to resolve it.
    7. Broadcast all-staff email so teams are informed of the breach and expected time for resolution.
    8. If the breach is of a customer-facing system, alert customer services and give them a list of FAQs to answer questions we are most likely to receive.
    9. Once our response is complete and we have informed all relevant parties, undertake a wash-up meeting to review approach to date and further actions required.
  2. Specific Response Protocols by Threat
    1. DDoS Attack
      Note that our first line of defence against DDoS attacks is our CDN, Cloudflare.

      1. A DDoS attack is reported by Cloudflare or one of our technical partners.
      2. Response team meets to identify severity of attack and appropriate response.
      3. Response approach is put into effect, working with Cloudflare and the affected CMS/platform(s).
      4. Group operations director informs senior leadership team and local leadership team of attack, response timeline and any implications to business performance.
      5. Only in exceptional circumstances will an all-staff email be required.
      6. Conduct post-mortem to agree how to sharpen up our future response to this kind of attack.
    2. Successful Email Phishing Attack
      1. A member of staff reports a successful phishing attack.
      2. IT lead or deputy puts together a response team of local CMO, group operations director, local digital lead to identify severity of attack.
      3. Break contact with phishing agent.
      4. Agree and implement response, timeline for implementation and any implications to business performance.
      5. Group operations director informs senior leadership team and local leadership team of attack, response timeline and any implications to business performance.
      6. Only in exceptional circumstances will an all-staff email be required.
      7. Conduct post-mortem to agree how to sharpen up our future response to this kind of attack.
    3. Network/Connectivity Outage
      1. A network/connectivity outage is reported at one of our offices.
      2. Local MSP, IT lead and group operations director conduct a conference call to identify severity of outage.
      3. Local MSP agrees and implements response, timeline for implementation and any implications to business performance.
      4. Group operations director informs senior leadership team and local leadership team of the outage, response timeline and any implications to business performance.
      5. In the event of a prolonged outage, staff are asked to work remotely until further notice.
      6. Only in exceptional circumstances will our IT lead and group operations director need to talk directly with Transputec’s systems engineers to agree a solution.
      7. Conduct post-mortem to agree how to sharpen up our future response to an outage.
    4. Ransomware Attack
      Note that we do not pay ransom demands.

      1. A ransomware attack is reported/a system goes down as the result of a ransomware attack.
      2. Depending on the system attacked, local MD, IT lead and group operations director meet to identify severity of attack.
      3. Break contact with attacker.
      4. Agree and implement response, timeline for implementation and any implications to business performance.
      5. IT lead informs senior management team and local exec team of attack, response timeline and any implications to business performance.
      6. Only in exceptional circumstances will an all-staff email be required.
      7. Conduct post-mortem to agree how to sharpen up our future response to this kind of attack and implement these learnings.

Appendix B: Customer Data Breach Incident Response Protocol

  1. Verify the nature of the breach, i.e. screen for phishing and/or malicious breach notifications from third parties.
  2. Initial response team meets to agree response: local CMO, digital director, head of IT, group operations director.
  3. Formally record when we were first aware of a verified breach. Document breach timeline, including meetings, conversations, phone calls, and emails.
  4. Confirm exact nature of the breach, which partners are involved and the volume and type of customer data that has been exposed.
  5. Alert the Arc network senior leadership team. Information included in point 4 should be communicated to them.
  6. Take legal advice on how best to respond to the breach, and whether we need to self-report to the ICO.
  7. Resolve the data vulnerability and agree how and when to inform affected users.
  8. If appropriate, self-report to the ICO within a 72-hour window of having verified the breach.
  9. If we have been hacked, break contact with the hacker.
  10. Inform key business individuals in data and marketing to let them know the data has been compromised, with a summary of the action taken so far and subsequent action to follow.
  11. Agree and sign off messaging to be used for affected users. Ensure that wording is accurate and legally correct.
  12. Broadcast all-staff email so teams are prepared for questions.
  13. Communicate the breach to affected users within an agreed time limit of being made aware of the breach. This will routinely be done via email.
  14. Alert customer services of the email broadcast and give them a list of FAQs to answer questions we are most likely to receive.
  15. Keep a log of all customer service questions for future review.
  16. Once our response is complete and we have informed all relevant parties, undertake a wash-up meeting to review approach to date and further actions required.