Guidelines on information security


1. Preamble

Capita’s production and performance depend largely on the availability and quality of information technology services. By now, many business processes are IT-based and linked with one another as part of a future-integrated Information Management (ISM). For Capita, the 'security of information technology' is not only a prerequisite for the performance of its tasks – it is also of great strategic value. IT security is an essential component of responsible action in the digital sector.

At the same time, the information technology infrastructure is subject to ever-increasing threats. The adoption of protective measures to safeguard all IT-supported services is therefore a top priority.

The guidelines on information security describe the information security process for Capita and serve as the basis for a uniform IT security concept. The resulting measures are intended to ensure maximum security in the field of information technology.

This security is an indispensable prerequisite for complying with the laws and specifications that must be observed for our clients; it must be ensured in particular when processing personal data, where it is also required by law. The successful implementation of the information security process presupposes a well-regulated 'responsibility structure' as well as the support of all Capita employees.

In order to operate information security sustainably, these guidelines formulate a universally applicable framework. The goal is to provide adequate protection for critical infrastructure, systems, applications and information.

2. Applicability

The guidelines on information security and their related documents:

  • IT security concept ISP
  • Data protection concept

apply to all Capita employees. Contractual partners who provide services in the field of information and communication technology are obliged to comply with the requirements listed below.

3. Classification

The overall level of Capita's information security is classified as 'high'.

This classification is based on the fact that all essential functions and tasks are supported by information technology, and a failure of information systems must not impair task performance.

As a Customer Care Centre, Capita also processes data which requires increased protection in terms of confidentiality and protection against unauthorised access (order data processing).

4. Goals

The guidelines on information security are the strategic document which serves as the basis for information security within Capita for the business processes supported by information technology. Information security is an integral and essential part of every administrative action and must therefore always be taken into consideration. It serves to preserve the following fundamental information properties:

Information or functions may only be made available to authorised persons.

The integrity of information is to be ensured at all times. Information must be accurate and complete, while functions must provide the correct results.

The use of information or functions must be possible for authorised persons within the required period of time and to the required quality.

Authenticity, reliability and accountability of information and functions must be ensured and verifiable at any time.

Any processing of information must be clearly traceable and demonstrable (non-deniable), and thus auditable.

All employees are obliged to protect information so that the company does not incur any damage through unauthorised use of information.

5. Responsibility

Capita company management has the overall responsibility for information security.

Technical responsibility for this is delegated to the IT security officer. This includes, in particular, the obligation to implement an adequate level of protection depending on the value of, and the risks to, the information.

The IT security officer must be involved in all projects at an early stage so that security-related aspects are taken into account as early as the planning stage. Where personal data is affected, the same applies to the data protection officer.

6. Continuous improvement

The company management promotes compliance with, and further improvement of, the security level. Employees are encouraged to report possible improvements and weaknesses through the appropriate channels.

The desired levels of security and privacy are ensured through the continuous revision of regulations and compliance with them. Deviations are analysed with the aim of improving the security situation and keeping IT security technology up to date at all times.