Information Security Policy

Introduction

1.1. This document defines the Information Security Policy for the Gambling Commission.

1.2. This document forms a key component of overall information governance and should be used in conjunction with other policy documents that provide more detailed information.

1.3. The primary objective of the Information Security Policy is to provide a framework for other policies. This will define the organisational structure to protect the Confidentiality, Integrity, and Availability of Commission systems and information.

1.4. The policies listed in section 6 of this policy complement the Information Security Policy. They provide further context to the overall processes, procedures and standards to be used and referenced by colleagues.

Purpose and scope

2.1. The purpose of this policy is to ensure the Gambling Commission’s effective operation of information systems, and that those systems are delivered when and how they are needed.

2.2. The policy will aim to preserve the 3 major categories of information security:

• confidentiality – Access to data shall be confined to those with appropriate authority
• integrity – Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification
• availability – Information shall be available and delivered to the right person, at the time when needed.

2.3. The scope of the Information Security Policy covers the storage, access and transmission of information during Commission business. It therefore applies to the conduct of colleagues, contractors, suppliers and others with access to that information (wherever the information or they are located) as well as the applications, systems, equipment and premises that create, process, transmit, host, or store information, whether in-house, personally owned or provided by external suppliers.

2.4. The Commission is committed to preserving the confidentiality, integrity and availability of all our key information assets to effectively deliver strategic goals and to maintain its legal and contractual compliance and reputation.

2.5. This policy is owned by the Commission’s Security Governance Group, who will:

• systematically examine the organisation's information security risks, taking account of the threats, vulnerabilities, and impacts
• design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable in line with the Commission’s Risk Appetite
• adopt an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis
• monitor the development of the Information Security Policy to ensure continual improvement.

Individual responsibilities

3.1. All colleagues

3.2. All individual users of Gambling Commission information systems and those handling or having access to Commission information outside of those systems shall be responsible for:

• complying with all relevant information management and security policies, practices and procedures including any external accountability
• report information security incidents via the defined and approved channels.

3.3. Senior Information Risk Owner (SIRO) The SIRO at the Commission is the Chief Technology Officer who is ultimately responsible for Information Security Standards and Incident Response.

3.4. Information Asset Owner (IAO) The IAOs are owners for allocated Information Assets that are recorded in our Information Asset Register (IAR) and directly relate to the functions and activities that IAOs oversee.

3.5. Data Protection Officer (DPO) The DPO at the Commission is the Head of Governance and is ultimately responsible for all data processing activities.

Information Security Objectives

4.1. Compliance

• the Gambling Commission ensures compliance with the rules of conduct in accordance with applicable regulations, legal acts, and standards
• the aim of this policy is to avoid the violations of any laws, regulations, contracts or other requirements
• all individuals using information systems within the Commission shall observe and comply with related laws and regulations as described in this policy.

4.2. All information security policies and practices support and facilitate good information management and support the Commission’s wider values and strategic objectives.

4.3. Commission security objectives:

• information is only accessible to authorised persons for as long as it is necessary to fulfil their duties at the Commission
• levels of access are determined and controlled by delegated authority
• confidentiality and integrity of information and systems is always maintained
• all Commission applications and cloud hosted services will be available as per third party service level agreement
• business continuity policies, plans and procedures are established, maintained and tested
• all information management and information security policies are always easily available to all staff
• all breaches of information security and suspected weaknesses are reported and investigated, and appropriate actions taken
• regular audits of processes and policies are conducted to ensure continuous review and improvement of the Information Security Policy
• new systems or services are deployed in a controlled and secure manner
• we will audit and test our systems for vulnerabilities routinely, regularly and document and track the outcomes of vulnerability testing
• patch management will be carried out by automated means where possible
• when a vulnerability is identified it will always be managed using a documented process that includes assessment, management reporting and remediation to agreed timescales.

4.4. The Commission’s Security Governance Group will monitor security objectives and review them annually.

4.5. The Commission’s Security Governance Group will ensure that these objectives support the management of risk, in particular:

• risks to confidentiality
• risks which will impact on service delivery to external stakeholders
• risks to the availability of services and information.

Compliance

5.1. Adherence to the Information Security Policy is essential for ensuring the security and effectiveness of the Gambling Commission’s Digital, IT and Facilities environment.

5.2. It is mandatory that all employees comply with this policy, any non-compliance may lead to proportionate formal action.

5.3. To support all areas of the organisation, the Commission will provide ongoing training and resources that ensure that all colleagues understand the policy and its requirements.

5.4. This policy will help to maintain a secure and efficient working environment for all Commission colleagues.

Information Security related policies

The related policies to the Information Security policy are:

• Acceptable Use Policy
• Access Control Policy
• Asset Management Policy
• Backup Policy
• Business Continuity Policy
• Change Management Policy
• Data Protection Policy
• Information Classification and Handling Policy
• Information Security Awareness and Training Policy
• Records Management Policy
• Risk Management Policy
• Security Logging and Monitoring Policy
• Third Party Supplier Security Policy.

Policy review

7.1. To be reviewed annually. Next review date due January 2026.

References

8.1. Regulations

• UK General Data Protection Regulation (GDPR)
• The Data Protection Act 2018
• Privacy and Electronic Communications Regulations (PECR)
• Freedom of Information Act 2000
• The Computer Misuse Act (1990)
• Public Records Act 1958.

8.2. Compliance Standards and Guidance

• ISO/IEC 27001 and ISO/IEC 27002
• Government Functional Standard GovS 007: Security
• Public Services Network (PSN) compliance
• NIST Cybersecurity Framework
• Cyber Essentials
• Information Commissioner’s Office (ICO)
• Government Security Classification Policy
• National Cyber Security Centre (NCSC).

Version history

Version history record:

Version history record

Version	Author and/or reviewed by	Date	Description of change
1.2	Senior Officer – Information Management	February 2021	Review. No change
1.3	Security and Business Continuity Manager	March 2024	Updated some of the key roles as they had changed. Some minor changes to other parts of the policy
1.4	Security and Business Continuity Co-ordinator	11 October 2024	Updated format and reviewed content
1.5	Security and Business Continuity Co-ordinator	14 October 2024	Reviewed content, updated, added reference to further policy documentation
1.6	Security and Business Continuity Co-ordinator	20 November 2024	Reviewed based on most recent comments. Further work on sections: 2.6, 3.3, 4.5, 5.0
1.7	Security and Business Continuity Co-ordinator	25 November 2024	Further review based on previous comments. Ready for review by group and then PRP
1.8	Security and Business Continuity Co-ordinator	20 December 2024	Further review based on PRP feedback
1.9	Security and Business Continuity Co-ordinator	02 January 2025	Further review