1. Purpose
Squid Academy is committed to protecting the confidentiality, integrity, and availability of its information, systems, services, and data. The purpose of this information security policy is to establish the principles, responsibilities, and controls necessary to safeguard information assets against unauthorized access, disclosure, alteration, loss, or destruction. This policy supports the Academy’s obligations relating to:- Data protection and privacy
- Safeguarding responsibilities
- Educational delivery
- Business continuity
- Regulatory compliance
- Customer trust
2. Scope
This policy applies to:- Employees
- Directors
- Contractors
- Consultants
- Tutors
- Coaches
- Assessors
- Volunteers
- Third-party service providers with authorised access
- Information assets
- Student records
- Assessment data
- Learning platforms
- Internal systems
- Cloud services
- Company devices
- Communication platforms
- Physical and digital records
3. Information Security Objectives
Squid Academy aims to- Protect sensitive information from unauthorized access.
- Ensure information remains accurate and reliable.
- Maintain availability of critical services.
- Reduce security risks.
- Comply with legal and contractual obligations.
- Promote security awareness throughout the organization.
- Support safe and secure learning environments.
4. Security Principles
The academy’s information security program is based on the following principles:Confidentiality
Information shall only be accessible to authorized individuals with a legitimate business need.Integrity
Information shall be protected from unauthorized modification, corruption, or destruction.Availability
Information and systems shall remain available to authorized users when required.Accountability
Individuals are responsible for protecting information entrusted to them.Least Privilege
Access rights shall be limited to the minimum level necessary for a user’s role.5. Roles and Responsibilities
Senior Management
Responsible for:- Security oversight.
- Resource allocation.
- Risk management.
- Policy approval.
Information Security Lead
Responsible for:- Security governance.
- Policy maintenance.
- Incident coordination.
- Risk monitoring.
- Security improvement initiatives.
Staff and Contractors
Responsible for:- Following security policies.
- Protecting information assets.
- Reporting security incidents.
- Maintaining secure working practices.
Third-Party Suppliers
Responsible for:- Protecting Academy information under contractual obligations.
- Maintaining appropriate security controls.
- Reporting security incidents affecting Academy data.
6. Information Classification
Information shall be classified according to sensitivity.Public
Information approved for public release. Examples:- Marketing materials
- Public website content
Internal
Information intended for internal use. Examples:- Internal procedures
- Operational documents
Confidential
Information requiring protection from unauthorized disclosure. Examples:- Business plans
- Commercial agreements
- Staff records
Restricted
Highly sensitive information requiring enhanced protection. Examples:- Student records
- Safeguarding reports
- Assessment data
- Personal data
- Security credentials
7. Access Control
Access to systems and information shall be as follows:- Authorized.
- Role-based.
- Reviewed periodically.
- Removed promptly when no longer required.
8. Authentication and Password Security
Users must:- Maintain strong passwords.
- Keep credentials confidential.
- Use multi-factor authentication where available.
- Avoid password sharing.
- Report suspected credential compromise immediately.
9. Acceptable Use of Systems
Company systems must be used:- Lawfully.
- Responsibly.
- Professionally.
- Circumvent security controls.
- Install unauthorized software.
- Access prohibited content.
- Use systems for illegal activities.
- Share sensitive information without authorization.
10. Remote Working and Cloud Services
When accessing Academy systems remotely, users must:- Use approved devices where possible.
- Maintain device security.
- Protect login credentials.
- Avoid accessing sensitive information on unsecured public networks.
11. Data Protection
Personal data shall be processed in accordance with:- Applicable data protection legislation.
- The Academy Privacy Policy.
- Data Processing Agreements.
- Data Retention Schedules.
12. Safeguarding Information
Safeguarding records require enhanced protection. Such information shall:- Be restricted to authorised personnel.
- Be stored securely.
- Be shared only when necessary.
- Be handled confidentially.
13. Security Monitoring
The Academy may monitor systems, networks, and services to:- Detect security threats.
- Investigate incidents.
- Protect information assets.
- Maintain service integrity.
14. Incident Management
All actual or suspected security incidents must be reported immediately. Examples include:- Data breaches
- Unauthorised access
- Malware infections
- Credential compromise
- Loss of devices
- System misuse
15. Business Continuity
The Academy will maintain appropriate measures to support service continuity and recovery following:- Cyber incidents
- System failures
- Service outages
- Infrastructure disruptions
16. Security Awareness
Personnel shall receive appropriate security awareness training covering:- Information security responsibilities
- Data protection
- Password security
- Phishing awareness
- Safeguarding considerations
- Incident reporting
17. Third-Party Management
Where third parties process or access Academy information:- Appropriate due diligence shall be performed.
- Security expectations shall be documented.
- Contractual protections shall be implemented where required.
- Risks shall be reviewed periodically.
18. Compliance
Failure to comply with this policy may result in:- Removal of access privileges
- Disciplinary action
- Contractual remedies
- Legal action where appropriate
19. Policy Review
This policy shall be reviewed annually or whenever- Significant security changes occur.
- Legal requirements change.
- New technologies are introduced.
- Material incidents occur.