Posh Bananas Gifts
Information Security Policy
Table of Contents
1. Information security policies
2. Organisation of information security
7. Physical and environmental security
10. System acquisition, development and maintenance
12. Information security incident management
13. Information security aspects of business continuity management
Purpose
Posh Bananas Gifts manages data under three main principles:
Confidentiality: Ensures that sensitive information, such as customer data and business secrets, is accessible only to authorised individuals, protecting privacy and maintaining trust. This involves implementing measures such as access controls, encryption and employee training to safeguard information from unauthorised access or disclosure.
Integrity: Ensures that data is accurate, complete and protected against unauthorised alteration. This involves controls such as access restrictions, file integrity monitoring and version management to prevent tampering and to ensure that information remains trustworthy and reliable.
Availability: Ensures that information and systems are accessible to authorised users when needed, minimising downtime and disruption. This involves reliable hardware, backup solutions and disaster recovery plans to maintain continuous access to information.
Data we manage, in any form, faces potential risk and always requires adequate protection. Risks may result from errors, oversights, misunderstandings or malicious acts. It is critical for all employees to understand their roles and responsibilities in safeguarding business information and assets.
A security incident can lead to brand damage, financial losses, compromised trading capabilities or even violations of regulations and laws, adversely affecting Posh Bananas Gifts. It is therefore the collective duty of all employees, contractors and vendors to comply strictly and at all times with this policy and all related documents.
Along with the Information Security Policy there are two other critical documents that together aim to protect the business and the assets we manage.
These are:
Information Risk Policy
Data Protection Policy
Objectives
Posh Bananas Gifts’s security objectives are to ensure:
- All information risks have been identified, managed and handled according to an officially approved risk approach, demonstrating our commitment to proactive risk management.
- Information has been stored securely, made accessible only to authorised personnel, and shared appropriately, respecting the confidentiality and integrity of the actual data.
- All controls, whether physical, logical or procedural, have been implemented to provide an appropriate balance between user experience and the required level of security, ensuring both efficiency and protection.
- We have met our contractual and legal obligations relating to information security, affirming our compliance with external requirements and internal standards.
- Our ongoing change, development and improvement processes have actively incorporated information security considerations at every step to protect business assets, showcasing our dedication to continuous enhancement.
- Incidents, if any, have been identified, investigated and addressed appropriately and in a timely manner, with the results of these incidents used to refine and enhance our procedures for future events, thus improving our resilience and response strategies.
- We have actively maintained and updated both our security posture and our policies to reflect evolving situations ensuring our approaches remain relevant and effective.
Scope
The Information Security Policy, along with its supporting controls, processes and procedures, is applicable to all information owned by or under the responsibility of Posh Bananas Gifts, regardless of the format in which the information is stored. This scope also extends to any third party contracted to Posh Bananas Gifts.
The Information Security Policy and its supporting controls, processes and procedures apply to all individuals who have access to Posh Bananas Gifts information and technologies. This includes both employees and external parties that provide information processing services to Posh Bananas Gifts, ensuring comprehensive coverage and protection across all interactions with Posh Bananas Gifts information assets.
Compliance monitoring
Compliance with the established controls outlined in the Information Security Policy will be diligently monitored by the Information Security Team. This team is tasked with reporting their findings and compliance status directly to the designated <CONTROLLING BODY>, ensuring transparency and accountability in our security efforts.
The overarching responsibility for the information security of Posh Bananas Gifts is allocated to the Owner. The Owner oversees all aspects of information security, from policy implementation to compliance monitoring, ensuring that our security measures are robust and effective.
Review
To ensure that all policies remain current and fully aligned with evolving security requirements, a comprehensive review will be conducted at least annually. This review will be undertaken by the designated policy <MAINTAINER>, who is/are responsible for assessing the policy’s effectiveness and alignment with the latest security practices and regulatory requirements. Any modifications or updates proposed during the review must then be formally approved by the policy <OWNER>, ensuring that changes are both necessary and beneficial for enhancing our information security framework.
Policy Statement
Posh Bananas Gifts is committed to managing our business based on three fundamental principles:
Confidentiality: Access to information is strictly limited to individuals who have a legitimate need to know. We ensure that information is always stored and transmitted securely to protect it from unauthorized access.
Integrity: We maintain the accuracy and reliability of the information we hold, ensuring it can always be trusted by our stakeholders.
Availability: Information is readily accessible to authorized users when needed. We have robust plans in place to address any incidents that may impact the availability of this information.
To uphold these principles, Posh Bananas Gifts will implement an Information Security Management System (ISMS) that adheres to internationally recognized standards. Our information security posture will be aligned with legislative requirements, contractual obligations, stakeholder expectations, customer needs, and best practices established by industry connections and governing bodies.
Adopting a risk-based approach, Posh Bananas Gifts will apply the following controls:
Posh Bananas Gifts maintains a structured documentation system at three levels:
Policies: These documents articulate the aims, objectives and overarching approach of the company towards information security.
Procedures: These documents detail the specific steps required to complete tasks that support the company’s information security policy.
Standards: These documents provide detailed definitions, configurations, and guidelines that align with the aims of the information security policy and are referenced by the procedures.
A comprehensive set of lower-level policies, procedures and standards will be developed to support the high-level Information Security Policy and its objectives. This suite of supporting documentation will be formally approved by the designated <OWNER>, published, and communicated to all Posh Bananas Gifts employees, as well as relevant external parties.
Posh Bananas Gifts commits to documenting, implementing and maintaining a robust governance structure for information security management. This includes the clear assignment of identified security responsibilities, so that effective information security controls are implemented, managed and operated across the organisation.
Governance and Roles:
Posh Bananas Gifts will appoint:
- A member of senior management to lead the Information Governance Board, taking full accountability for information risk.
- An Information Governance Board tasked with influencing, overseeing, and promoting the effective management of Posh Bananas Gifts information, ensuring governance principles are applied across all levels.
- An Information Security Manager to manage the day-to-day information security functions; this role is crucial in maintaining the organisation’s security posture.
- Information Asset Owners (IAOs) assigned to assume accountability for the management of information assets within their control, ensuring that all assets are properly protected and used appropriately.
- Information Asset Managers (IAMs) responsible for day-to-day information management for specific assets or areas, supporting the IAOs in achieving the security objectives.
Posh Bananas Gifts is committed to ensuring that all users are fully aware of their roles and responsibilities in maintaining information security. To achieve this, we will:
- Communicate Security Policies and Acceptable Use: Clearly define and distribute security policies and acceptable use guidelines to all users, ensuring they understand the importance of their compliance.
- Mandatory training and education: Provide comprehensive information security training and education for all staff. This training will be mandatory and tailored to include real-world scenarios, such as responding to phishing attacks and malware.
- Address non-compliant behaviour: Any actions or behaviours not in line with our policies and procedures will be promptly addressed to maintain our security standards.
- Incorporate security into job frameworks: All job descriptions, people specifications, and personal development plans will explicitly include security responsibilities, ensuring that everyone is aware of their security obligations from the outset.
- Annual security awareness training: Employees will undergo formal security awareness training at least annually to stay updated on the latest security threats and best practices.
- Acknowledgement of ISP (Information Security Policy): Upon joining, and at least annually thereafter, employees must acknowledge that they have received, read, understood, and agree to adhere to the current version of the Information Security Policy.
Posh Bananas Gifts ensures comprehensive documentation and accountability for all assets, including but not limited to:
- Information
- Software
- Electronic information processing equipment
- Third party services
Key points include:
- Ownership and responsibility: Each asset will be assigned an owner who is responsible for its ongoing maintenance and protection. This clear assignment ensures accountability for the security and integrity of every asset.
- Classification of assets: All information assets will be classified based on legal or contractual obligations, business value, impact and sensitivity. This classification dictates the level of protection and handling requirements, ensuring that assets are safeguarded according to their importance and sensitivity.
- Retention and disposal: Defined processes and policies govern the retention and disposal of all information assets. These ensure that assets are kept no longer than necessary and are disposed of securely to prevent unauthorised access or data breaches.
At Posh Bananas Gifts, access to assets and information is strictly regulated to ensure security and compliance:
- Job-related access: Access is granted based on job related requirements and is promptly revoked when no longer necessary or justified, ensuring users only have access to what they need to perform their duties.
- Least privilege: We adhere to the principle of least privilege, granting users the minimum levels of access or permissions needed to perform their job functions.
- Unique user identification: Each user is assigned a unique user ID. The sharing of credentials or use of shared IDs is strictly prohibited to maintain accountability and traceability.
- Secure credentials: Passwords and other forms of identification must be kept secure and confidential. Under no circumstances should they be shared.
- Access request and authorization: Documented processes are in place for the requesting, authorising and granting of access to information, assets and systems, ensuring a controlled and auditable method of access management.
- Multi-Factor Authentication (MFA): MFA is mandatory for accessing certain sensitive data or assets, enhancing security by requiring multiple forms of verification. Specific requirements are detailed in the Access Control Standards.
- Logging and monitoring: All access attempts, successful or not, are logged. Changes to user details, privileges or rights, especially those concerning sensitive data such as Personally Identifiable Information (PII) or payment card information, are meticulously recorded.
- Periodic review of access rights: User access lists on every authentication platform are reviewed at least once in every 6 months to ensure access privileges remain valid and appropriate.
- Automatic revocation of access: User access is automatically revoked by the system after 90 days of inactivity, minimising the risk of unauthorised access.
- Password management education: Users receive guidance on creating strong passwords and maintaining good password hygiene, promoting secure authentication practices.
Posh Bananas Gifts is committed to the secure and effective use of cryptography to safeguard the confidentiality, authenticity and integrity of our information and systems:
- Guidance and tools: We provide comprehensive guidance and tools to ensure the correct application of cryptographic measures across the organisation.
- Encryption of sensitive data: All sensitive or confidential data must be encrypted during transmission, including data shared via end-user messaging technologies such as e-mail, to prevent unauthorised access.
- Standards for strong cryptography: Our cryptographic processes and techniques adhere to industry recognised definitions of strong cryptography. These processes are reviewed, at least annually, to confirm they continue to offer robust security against evolving threats.
- Record keeping: A detailed record of all cryptographic materials, including processes, algorithms, keys, data flows and technologies is maintained and periodically reviewed. This ensures our encryption methods remain up to date and aligned with the current standards for strong encryption and are effective against new developments and potential threats.
- Management of cryptographic material: In the event of an employee's departure from the company, any cryptographic material known to them will be changed immediately. This step is crucial to ensuring the continued security of the assets or systems protected by that cryptographic material.
Posh Bananas Gifts ensures that all information processing facilities are securely housed and safeguarded against unauthorised access, damage, and interference through:
- Secure areas: Facilities are located within securely defined areas, with effective security perimeters established to physically protect them from unauthorised entry and environmental hazards.
- Layered security controls: A combination of internal and external security measures is implemented to deter or prevent unauthorised access. These controls are especially critical for protecting assets deemed sensitive or essential, offering defence against both forcible and covert attacks.
- Access control system protection: The systems controlling access to secure areas receive adequate protection to prevent tampering or exploitation. A comprehensive history of access control system usage will be maintained for at least 12 months, unless such retention is restricted by law.
- CCTV usage: Where CCTV is utilized as part of the security measures, the recording devices and media are stored in areas with restricted access. Recordings are retained according to contractual and business needs, provided they do not conflict with local law.
- Separation of duties: To mitigate the risk of security breaches, duties are separated to ensure no single individual could bypass or undermine the physical security measures in place.
Posh Bananas Gifts ensures the security of its operations through comprehensive formal documentation and rigorous practices:
- Documented procedures and standards: All operational activities are governed by detailed operating procedures and standards. This documentation covers essential practices, including change management, malware and phishing defence strategies, logging, vulnerability management and testing, so that security is maintained at all times.
- Change Management: A formal change management system is employed to govern any modifications in the operational environment, ensuring that all changes are fully evaluated, authorized, and documented to minimize potential security risk.
- Attack prevention controls: Proactive controls are in place to guard against malware, phishing, and other cybersecurity threats, ensuring the organization's defenses remain robust against evolving attack vectors.
- Logging and vulnerability management: Comprehensive logging of operational activities is conducted alongside diligent vulnerability management and testing processes, ensuring any potential security weaknesses are identified and addressed promptly.
- Software development and deployment: All software development and system deployment adhere to industry recognized standards. Continuous learning from past issues is integrated into the ongoing evolution of our procedures and standards to enhance security measures.
- Software testing: Before release, all software undergoes thorough testing, which includes manual code reviews, automated testing and peer reviews as appropriate, to ensure reliability and security.
- Training: Developers and testing personnel receive annual training in secure coding techniques and testing tools relevant to the languages and frameworks they use. This training is crucial to fostering a security conscious development environment.
Posh Bananas Gifts is committed to ensuring the security of information and assets across all networks through rigorous network security controls:
- Documented procedures and standards: We maintain detailed procedures and standards for both staff and third parties. These documents are designed to ensure the security of data in transit, aligning with the sensitivity and classification of the data being transmitted.
- Appropriate security settings: Security configurations are tailored to the classification level of the data, ensuring that protection measures are proportionate to the sensitivity of the information.
- Network configuration reviews: Default network settings are critically reviewed and modified as needed upon implementation to close any potential security failings.
- Intrusion detection & prevention: Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS) are deployed on networks that fall within the PCI DSS scope or contain sensitive information, providing proactive monitoring and defense against unauthorized access or attacks.
- Wireless network security: Any wireless network implementation falling under the scope of PCI DSS complies with the relevant security requirements. Wireless networks are subject to approval, ensuring their configurations adhere to established security standards.
- Monitoring for unauthorized wireless access points: Regular scans are conducted to detect unauthorized wireless access points in areas where sensitive data is stored, processed, or transmitted. Alternatively, a technical solution that mitigates the risk of unauthorized wireless connections may be employed to address this concern effectively.
Posh Bananas Gifts enforces rigorous information security practices during the acquisition, deployment, maintenance, or replacement of systems, adhering to the following principles:
- Documented security requirements: Information security requirements for system deployment, maintenance, or replacement are thoroughly documented in procedures and standards to guide secure operations.
- Baseline security settings: Minimum baseline security configurations are documented and applied to all systems before they are deployed into production. These standards evolve continually to address environmental changes and emerging threats.
- Change control mechanisms: System development and modifications are managed through a formal change control process, requiring appropriate reviews and sign-offs to confirm testing and back-out plans.
- Industry standards compliance: All systems are configured in accordance with recognised industry standards, such as the Center for Internet Security (CIS) Benchmarks and vendor guidelines, ensuring a robust security posture.
- PCI DSS Compliance: Given Posh Bananas Gifts’s obligation to adhere to the PCI Data Security Standard, all changes are evaluated for their impact on PCI DSS compliance throughout the system lifecycle. Significant changes within the PCI DSS scope undergo formal reviews to ascertain compliance impact and ensure secure, compliant deployment.
- Environment segregation: Test, development, deployment and operational environments are distinctly separated, with strict access controls ensuring clear segmentation and minimising risk.
- Protection against malicious software: Systems susceptible to malware are safeguarded by appropriate antivirus or protective technologies. Periodic reviews confirm the validity of exemptions to this requirement.
- Monitoring critical system files: Critical system files such as binaries, executables, scripts, page headers and configurations are continuously monitored for unauthorized changes with all anomalous activity promptly investigated.
Posh Bananas Gifts implements effective due diligence checks and adheres to comprehensive information security policies and procedures when initiating and managing relationships with suppliers. This ensures that assets accessible to suppliers are adequately protected.
- Access control and monitoring: Supplier access is closely monitored and audited relative to the value of accessed assets and associated risks. Remote access by suppliers is strictly limited to necessary periods, with all activities meticulously logged to ensure traceability and accountability.
- PCI DSS Compliance for suppliers: Suppliers falling within the scope of PCI DSS must demonstrate their compliance before engagement and undergo annual validation to meet Posh Bananas Gifts’ PCI DSS compliance requirements. This step is critical to maintaining a secure and compliant supply chain.
- Responsibility matrix: To clarify responsibilities, all suppliers are required to agree to a responsibility matrix. Although the format can vary, the use of a RACI (Responsible, Accountable, Consulted, Informed) matrix is strongly recommended. This ensures clear specification of responsibilities concerning security controls and management.
- Contractual obligations: Contracts with third-party suppliers must detail security incident handling and notification obligations, ensuring that suppliers are legally bound to adhere to specified security standards and practices.
Posh Bananas Gifts establishes clear definitions and protocols for identifying, reporting, and managing information security incidents:
- Incident definitions and responses: We will define what constitutes an Information Security Incident and detail the appropriate response and reporting procedures. This ensures a standardized approach to incident management across the organization.
- Reporting and investigation: All actual or suspected breaches of information security must be promptly reported. Each incident will undergo a thorough investigation, with findings documented to inform future prevention strategies.
- Corrective actions and learning: Appropriate corrective actions will be taken to address and rectify any breach. Lessons learned from these incidents will be integrated into our security controls to enhance resilience against future threats.
- Compliance reporting: Breaches involving card data or related to PCI DSS controls may require reporting to acquiring banks, card schemes and regulatory authorities. Similarly, breaches involving personal information must be reported to relevant controlling authorities.
- Notification procedures: Detailed procedures will outline the actions required for breach notifications, ensuring compliance with legal and contractual obligations.
- Incident response testing: The Incident Response Plan will be tested at least annually, with adjustments made to incorporate lessons learned, ensuring the plan remains effective and current.
- Dedicated response personnel: A team is designated to respond to incidents around the clock (24/7). All members of the Incident Response (IR) team will receive annual training to stay updated on the latest incident handling techniques and procedures.
Posh Bananas Gifts implements comprehensive arrangements to protect and swiftly recover critical business operations in the event of any disruptions affecting information systems, regardless of their origin:
- Secure recovery: Procedures are in place to facilitate the secure and efficient recovery of systems and data, with restoration efforts prioritized according to business criticality.
- Document backup and recovery: Backup, recovery and prioritization for all systems are clearly documented within individual standards, ensuring consistency and preparedness across the organization.
- Business continuity planning: Business continuity plans are diligently maintained and regularly tested to confirm alignment with the requirements of this policy. These tests ensure our plans are robust, actionable and up to date.
- Post-incident analysis: Following an incident, a comprehensive business impact analysis is conducted. This analysis assesses the repercussions of disasters, security breaches, and service disruptions or unavailability, providing valuable insights for continuous improvement.
- Plan Evolution: Insights gained from business impact analysis are utilized to refine and enhance our continuity plans and procedures, better equipping the company to handle future incidents effectively.
Posh Bananas Gifts ensures that the design, operation, use, and management of information systems strictly comply with all relevant statutory, regulatory and contractual security requirements. To affirm our commitment to high security standards:
- Comprehensive audits: A blend of internal and external audits is utilized to verify compliance with appropriate standards, best practices, and internal policies and procedures. These audits are crucial for maintaining our security integrity.
- Diverse evaluation methods: Our compliance evaluation methods are multifaceted, which may include:
- IT health checks.
- Gap analysis against documented standards.
- Internal compliance checks among staff.
- Feedback from Information Asset Owners.
- Penetration testing, and vulnerability scanning.
This variety ensures a thorough assessment of our security posture from multiple angles.
Review of this document: annually by <MAINTAINER>.
Next review date: 11th April 2026
Additional resources and guidelines.
Enhance your Information Security Policy and PCI DSS compliance with the following guidance and external resources:
- Data Flow Diagrams: Understanding the flow of cardholder data within your organization is crucial. We recommend exploring online tutorials or the PCI Security Standards Council’s resources to learn how to create and utilize data flow diagrams effectively.
- Incident Response Plan: Develop a robust Incident Response Plan using guidelines from authoritative sources such as the PCI Security Standards Council or cybersecurity frameworks such as NIST. Tailor these resources to fit your specific needs.
- Risk Assessment guidelines: Adopt a risk-based approach to security by consulting industry-standard methodologies for risk assessment. Resources from organizations such as NIST or ISO can provide a foundation for developing your risk assessment process.
- PCI DSS compliance checklists: Utilize checklists provided by the PCI SSC or create your own based on their comprehensive guidelines to ensure all compliance aspects are covered.
- Glossary of Terms: Enhance your understanding of key terms with glossaries from the PCI SSC or cybersecurity educational platforms to ensure clarity across your policies.
- Resource links: Direct your attention to the PCI SSC official documentation, NIST’s cybersecurity framework, and other reputable sources for in-depth guidance and tools.
- Security policy reviews: Embrace a culture of continuous improvement by documenting reviews and updates of your security policies. Guides on best practices for policy review and updates can be found through professional cyber security associations or governance frameworks.
Documents and guidance can be found here:
https://www.pcisecuritystandards.org/