Tape Ark is a provider of data migration services from tape to cloud-based storage, which sometimes involve the holding of client confidential information and always involve the processing of customer data. Tape Ark securely maintains its privileged information store, and it is likewise committed to the protection of all customer information, be it transient or under custodianship.
This Policy mandates that a consistent, risk-based approach is implemented for Information Security to maintain information confidentiality, integrity and availability.
It is the policy of Tape Ark to ensure:
- Information will be protected against unauthorized access while in transit or at rest;
- Confidentiality of information will be maintained;
- Information will not be disclosed to unauthorized persons through deliberate or careless action;
- Integrity of information is maintained through protection from unauthorized modification;
- Information is available to authorized users when needed;
- Information Security training is completed by all applicable staff; and
- All suspected breaches of Information Security will be reported and investigated.
Any individual dealing with information at Tape Ark, no matter what their status (e.g. employee, contractor or consultant), must comply with the Information Security policies and related Information Security documents.
Strategies to achieve the aims of this policy include:
- Ensure the Information Security Policy is an accurate reflection of the business context and takes into account our strategic direction and all relevant factors both internal and external;
- Ensure measurable objectives are established, communicated, monitored and reviewed for effectiveness by the Management Team in the annual Management System Review Meeting. Corrective actions will be taken as required based on deviations from our objectives. Our objectives are agreed upon collectively. Individual teams are then empowered to deliver results, with delegated accountability and decision-making;
- Ensure all non-conformances and corrective/preventative actions are documented and reviewed at least quarterly;
- Ensure Information Security is addressed for all projects, regardless of type, by way of risk assessments and objectives;
- Educate staff to allow them to independently make an informed decision with regard to the secure handling of IT assets and information, within the framework of the total range of Information Security policies;
- Defend IT assets and information that Tape Ark governs, owns, manages, maintains or controls which are both tangible and intangible;
- Continually improve the Quality and Information Security Management System (QISMS) through regular monitoring and reviews. Corrective measures shall be determined, allocated and recorded for follow-up in the Incident and Improvement System; and
- Comply with legislation and industry best practices including ISO/IEC 27001:2022 that apply to Tape Ark.
All personnel have a responsibility to report perceived and actual Information Security breaches and/or IT incidents either to the CEO or to their immediate supervisor. Management and employees are responsible for embedding Information Security risk management in our core business activities, functions and processes. Information Security risk awareness and risk tolerance are key considerations in our decision-making.