Information Security (Infosec) Policy
1. Purpose
To establish a robust framework for protecting the confidentiality, integrity and availability of all data and systems at Mecourse Lifelong Learning, ensuring compliance with relevant regulations and industry best practices.
2. Scope
This policy applies to all information assets, systems, networks, applications and users (employees, contractors, partners) that create, process, store or transmit data on behalf of Mecourse Lifelong Learning.
3. Definitions
- Confidentiality: Ensuring that information is accessible only to authorised users.
- Integrity: Safeguarding the accuracy and completeness of information and processing methods.
- Availability: Ensuring that authorised users have timely and reliable access to information and assets.
- Threat: Any circumstance or event with the potential to adversely impact information assets.
- Vulnerability: A weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat.
- Incident: Any confirmed or suspected adverse event compromising confidentiality, integrity or availability.
4. Core Principles
- Risk-Based Approach: All security measures are prioritised based on assessed risk to data and systems.
- Defence in Depth: Multiple, layered controls are implemented to mitigate risk.
- Least Privilege: Access rights are granted only to the extent necessary for job responsibilities.
- Secure by Design: Security considerations are integrated into all system and process designs from inception.
5. Technical Controls
5.1 Encryption
- Data at Rest: All sensitive data—learner records, certificates, personal identifiers—must be encrypted using AES-256 or stronger.
- Data in Transit: TLS 1.2 (minimum) or TLS 1.3 is mandatory for all web, API and email communications.
- Key Management: Encryption keys are stored and rotated in a centralised, access-controlled Key Management System (KMS).
5.2 Network Security
- Firewalls and network segmentation isolate critical systems (e.g., learner database, certificate service).
- Intrusion Detection/Prevention Systems (IDS/IPS) monitor and block suspicious traffic.
- A VPN with multi-factor authentication (MFA) is required for all remote administrative access.
5.3 Endpoint Security
- All corporate devices run up-to-date antivirus/anti-malware and disk-encryption software.
- Host-based firewalls enforce policy on laptops and servers.
- Automated patch management ensures operating systems and applications are current.
6. Vulnerability Management
- Regular Scanning: Monthly automated vulnerability scans of all public-facing and internal systems.
- Penetration Testing: Annual third-party penetration tests on critical applications and networks.
- Remediation: Findings are tracked in a central ticketing system; critical/high vulnerabilities are remediated within 15 days, medium within 30 days, low within 60 days.
7. Incident Response
- Detection & Reporting: All staff must report suspected incidents immediately to the Security Operations Centre (SOC).
- Triage & Analysis: SOC performs initial impact assessment, classification and containment.
- Containment & Eradication: Affected systems are isolated; malware is removed or compromised accounts are reset.
- Recovery & Restoration: Services are brought back online in a controlled manner, verifying integrity of data.
- Post-Incident Review: Root-cause analysis is conducted and lessons learned are documented.
- Notification: If required by law or contract, data-subject and regulator notifications occur within mandated timeframes.
8. Access Control
- User Provisioning: New user accounts require manager approval and are provisioned by IT according to role-based access control (RBAC).
- Password Policy: Minimum length 12 characters, complexity requirements, and mandatory rotation every 90 days.
- Multi-Factor Authentication: Enforced for all administrative, remote and high-privilege accounts.
9. Physical Security
- Data centres and offices are secured by access badges, CCTV monitoring and visitor logs.
- Sensitive infrastructure (servers, network gear) resides in locked cabinets within locked rooms.
10. Monitoring & Logging
- All security events (authentication failures, configuration changes, system alerts) are logged centrally.
- Logs are reviewed daily by SOC analysts and retained for a minimum of one year.
11. Training & Awareness
- Annual mandatory infosec awareness training for all staff, covering phishing, social engineering and data handling.
- Quarterly phishing simulations with targeted follow-up for users who click on simulated malicious links.
12. Compliance & Audit
- Internal audits of information-security controls are conducted semi-annually.
- Compliance with ISO 27001, GDPR and PSRB data-security requirements is reviewed annually by the Compliance Officer.
13. Roles & Responsibilities
- Chief Information Security Officer (CISO): Owns the Infosec Policy, oversees implementation, chairs the Incident Response Team.
- Security Operations Centre (SOC): Monitors, detects and responds to security events.
- IT & Infrastructure Team: Implements technical controls, patch management, and network security.
- All Staff: Follow this policy, report incidents and complete required training.
14. Review Cycle
This policy is reviewed at least annually or immediately following a major security incident, significant technology change or update to legal/regulatory requirements.
