Information Security Policy
- Document Version: 1.0
- Date: February 10, 2026
- Author: Niall Morrison
- Information Officer: Niall Morrison
1. Introduction and Purpose
This Information Security Policy (ISP) outlines the commitment of Novatura (hereafter referred to as “the Agency”) to protect its information assets from all threats, whether internal or external, deliberate or accidental. The purpose of this policy is to ensure the confidentiality, integrity, and availability of all information processed, stored, or transmitted by the Agency, in compliance with legal, regulatory, and contractual obligations, including the UK General Data Protection Regulation (UK GDPR). The Agency uses the Cyber Essentials scheme as a guideline and is working towards full alignment; certification is not yet in place.
This policy applies to all employees, contractors, and third parties who have access to the Agency’s information systems and assets.
2. Information Security Objectives
The Agency is committed to achieving the following information security objectives:
- To protect the confidentiality of sensitive information, including client data, intellectual property, and business strategies.
- To maintain the integrity of information by ensuring its accuracy, completeness, and authenticity.
- To ensure the availability of information systems and data to authorized users when required.
- To comply with all applicable laws and regulations, particularly UK GDPR.
- To work towards Cyber Essentials alignment as a baseline guideline for cyber security (certification not yet achieved).
- To foster a culture of information security awareness among all personnel.
3. Roles and Responsibilities
Information security is a shared responsibility. The following roles and responsibilities are defined:
- Management: Responsible for approving this policy, allocating resources for its implementation, and ensuring compliance.
- All Employees: Responsible for understanding and adhering to this policy and reporting any security incidents or concerns.
- Information Officer (Niall Morrison): Responsible for the day-to-day implementation and oversight of this policy, including risk assessments and incident response.
4. Risk Management
The Agency will implement a systematic approach to information security risk management, which includes:
- Risk Identification: Identifying potential threats and vulnerabilities to information assets (formal cadence to be established).
- Risk Assessment: Evaluating the likelihood and impact of identified risks.
- Risk Treatment: Implementing appropriate controls to mitigate identified risks to an acceptable level.
- Risk Review: Reviewing risks and controls to ensure continued effectiveness (review schedule to be established).
5. Asset Management
All information assets (e.g., hardware, software, data, intellectual property) will be identified, classified, and protected according to their value and sensitivity. An asset inventory will be maintained, detailing ownership, location, and security requirements.
6. Access Control
Access to information systems and data will be granted on a “need-to-know” and “least privilege” basis. This includes:
- User Registration and De-registration: Formal procedures for granting, modifying, and revoking access.
- User Access Provisioning: Ensuring users only have access to the systems and data necessary for their roles.
- Privileged Access Management: Strict controls over administrative and privileged accounts.
- User Authentication: Use of strong passwords, multi-factor authentication (MFA) where appropriate, and secure authentication mechanisms.
7. Cryptography
Cryptographic controls will be used to protect the confidentiality and integrity of sensitive information, both in transit and at rest, where appropriate. This includes the use of encryption for data storage, secure communication protocols (e.g., HTTPS, SFTP), and secure hashing algorithms. Stored user passwords must be protected with a dedicated password-hashing function (e.g., bcrypt or Argon2) rather than a general-purpose hash such as SHA-256.
Secrets Management
To prevent credential leakage and unauthorized access:
- Hardcoding Prohibited: API keys, database passwords, and encryption keys must never be hardcoded into source code repositories, regardless of whether the repository is public or private.
- Environment Variables: Secrets must be injected into applications via environment variables (for example from a .env file that is listed in .gitignore and never committed) or via a secure secret management service.
- Storage: Master credentials and shared secrets must be stored in the Agency’s password manager (1Password), protected by strong master passwords and biometrics.
- Key Rotation: If a secret is suspected to be compromised or accidentally committed to a repository, it must be revoked and rotated immediately. Deleting the commit or rewriting history does not undo the exposure: any secret that has reached a remote repository is treated as compromised and rotated regardless.
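The following is an added example, not the Agency's own tooling, of a minimal pre-commit secret scanner that enforces the "Hardcoding Prohibited" and ".env" rules above. It flags well-known credential formats by pattern, flags generic `password=` / `secret=` / `token=` assignments only when the value looks random (Shannon entropy), skips lines that read the value from the environment, and refuses a staged `.env` file outright. The sample files are constructed for the demonstration, and the token prefixes are assumed to follow the providers' published formats.

```python
"""Pre-commit secret scanner (added example, not the Agency's tooling).

Assumptions: the credential prefixes below follow the providers' published
formats; the entropy threshold is a heuristic that separates random tokens
(> 4 bits/char) from placeholder words (~3 bits/char)."""
import math
import os
import re
import subprocess
import sys

PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic KEY = "value" assignments; only the captured value's randomness decides.
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret\w*|password|passwd|token)\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
    ),
}
ENV_READERS = ("os.environ", "getenv", "env(", "$_ENV", "process.env")
ENTROPY_THRESHOLD = 3.5  # bits per character


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text, path="<memory>"):
    """Return [(path, line_no, rule)] for lines that look like hardcoded secrets."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if any(marker in line for marker in ENV_READERS):
            continue  # value is read from the environment, which is what the policy wants
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "generic_assignment" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                continue  # low-entropy placeholder such as "change_me_please"
            findings.append((path, no, rule))
            break
    return findings


def scan_staged(files):
    """files maps path -> content. A staged .env is a finding whatever it contains."""
    findings = []
    for path, content in files.items():
        if os.path.basename(path) == ".env":
            findings.append((path, 0, "env_file_staged"))
        findings.extend(scan_text(content, path))
    return findings


# Constructed samples: one file the hook must reject, one it must accept.
SAMPLE_BAD = """\
import requests
# constructed sample of what the hook must reject
AWS_KEY = "AKIAABCDEFGHIJKLMNOP"
DB_PASSWORD = "x9Qm2LpZ7vR4tW8sKbN3Hd"
"""
SAMPLE_GOOD = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
API_KEY = "changeme"
token = "change_me_please"
"""


def main():
    """Git pre-commit entry point: scan the index copy of staged files, exit 1 on a finding."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    staged = {}
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, check=True).stdout
        staged[name] = blob.decode("utf-8", errors="replace")
    findings = scan_staged(staged)
    for path, no, rule in findings:
        print(f"{path}:{no}: possible secret ({rule})", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (or wire it into a hook manager) so the check runs before the secret ever reaches the repository. Pattern lists like this are never complete; the entropy rule is what catches the ad hoc `DB_PASSWORD = "..."` case, and its threshold will need tuning against false positives such as base64 fixtures in tests.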
8. Physical and Remote Working Security
As a remote-first Agency with no central data center, physical security focuses on the protection of end-user devices and the remote working environment.
- Device Security: All laptops and mobile devices accessing Agency data must be encrypted at the disk level (e.g., Apple FileVault). Devices must be configured to auto-lock after a short period of inactivity.
- Remote Work Environment: When working from public locations (e.g., cafes, co-working spaces), employees must ensure screens are not visible to unauthorized persons (“shoulder surfing”).
- Lost or Stolen Devices: Any loss or theft of a device must be reported to the Information Officer immediately so that remote wipe procedures can be initiated.
9. Cloud Infrastructure Security
The Agency relies on third-party cloud service providers (e.g., Hetzner, DigitalOcean) managed via automation tools (e.g., Laravel Forge).
- Access Control: Direct root login via password is disabled on all servers. Administrative access is by SSH key only, either directly or over the Agency’s VPN (Tailscale).
- Provider Security: Multi-Factor Authentication (MFA) must be enabled on all Cloud Provider root accounts.
- Network Security: Management interfaces and database ports must not be exposed to the public internet. Access is restricted to the Agency’s private network or specific IP allow-lists.
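As an added example, not the Agency's or Laravel Forge's tooling, the script below audits an `sshd_config` against the access-control baseline in this section (no root password login, key-based authentication only). Two OpenSSH rules defeat a naive grep: the first value of a keyword wins, so a later `PermitRootLogin no` does not override an earlier `yes`, and everything after a `Match` line is conditional rather than global. `Include` drop-ins (Ubuntu ships `Include /etc/ssh/sshd_config.d/*.conf` at the top of the file) are processed in place and therefore win too; the parser does not follow them and reports their presence instead. The required values and the OpenSSH defaults are assumptions stated in the code, and the sample configurations are constructed.

```python
"""sshd_config baseline audit (added example, not the Agency's tooling)."""
import re
import sys

# Assumption: the Agency's baseline, taken from "no root password login, keys only".
REQUIRED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},  # the PAM password-prompt path
    "pubkeyauthentication": {"yes"},
}
# Assumption: values OpenSSH 9.x uses when the keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
_DIRECTIVE = re.compile(r"^(\w+)\s*=?\s*(\S.*)$")


def parse_global(config_text):
    """Return (values, includes) for the global section of an sshd_config.

    Mirrors sshd: comments stripped, keywords case-insensitive, the FIRST
    occurrence of a keyword wins, and parsing stops at the first `Match`
    because everything after it is conditional. Include globs are collected
    but not followed."""
    values, includes = {}, []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        if key == "include":
            includes.append(val)
            continue
        values.setdefault(key, val.lower())
    return values, includes


def audit(config_text):
    """List (keyword, effective_value) pairs whose global value violates REQUIRED."""
    values, _ = parse_global(config_text)
    failures = []
    for key, allowed in REQUIRED.items():
        effective = values.get(key, DEFAULTS[key])
        if effective not in allowed:
            failures.append((key, effective))
    return failures


# Constructed samples.
WEAK_CONFIG = """\
# looks fixed at a glance, but sshd keeps the first value it sees
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no            # ignored: duplicate of an earlier keyword
PasswordAuthentication no     # ignored for the same reason
"""
HARDENED_CONFIG = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Match User deploy
    AllowTcpForwarding no     # conditional block, not global scope
"""


def main(argv):
    """Audit the files named on the command line, or the samples if none are given.
    On a host, `sudo sshd -T > effective.conf` gives the resolved configuration
    (includes and defaults applied); audit that output in preference to the file."""
    sources = {}
    for p in argv[1:]:
        with open(p) as fh:
            sources[p] = fh.read()
    sources = sources or {"weak": WEAK_CONFIG, "hardened": HARDENED_CONFIG}
    status = 0
    for name, text in sources.items():
        failures = audit(text)
        _, includes = parse_global(text)
        for key, value in failures:
            print(f"{name}: {key} is {value!r}; require one of {sorted(REQUIRED[key])}")
        for inc in includes:
            print(f"{name}: Include {inc} not followed; drop-ins can override, confirm with sshd -T")
        status |= bool(failures)
    return int(status)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The `weak` sample fails on three keywords even though its last two lines look correct, which is exactly the case a reviewer skimming a server's config tends to pass. The check for database ports and management interfaces in the bullet above is a separate control (firewall rules and the Tailscale ACL) and is not covered by this script.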
10. Operations Security
Operational procedures will be implemented to ensure the secure operation of information processing facilities. This includes:
- Malware Protection: Implementing and updating anti-malware software on all systems, where necessary (regular update cadence to be formalised).
- Backup and Recovery: Backing up critical data and testing recovery procedures (schedule to be established).
- Logging and Monitoring: Monitoring system logs for security events and anomalies.
- Vulnerability Management: Regularly identifying and addressing system vulnerabilities.
- System Hardening: Configuring systems securely to minimize attack surfaces.
11. Communications Security
Information in networks and on communication channels will be protected. This includes:
- Network Security Management: Implementing firewalls, intrusion detection/prevention systems, and network segmentation.
- Information Transfer: Using secure methods for transferring sensitive information internally and externally.
12. System Acquisition, Development, and Maintenance
Security will be integrated into the entire lifecycle of information systems. This includes:
- Security Requirements Analysis: Defining security requirements during system acquisition or development.
- Secure Development Policy: Implementing secure coding practices and security testing.
- Test Data Security: Protecting sensitive data used in testing environments.
13. Use of Generative AI and Large Language Models (LLMs)
The Agency acknowledges the productivity benefits of AI tools (e.g., ChatGPT, GitHub Copilot, Cursor, Super Maven). However, to protect Agency and Client data, the following controls apply:
- Data Sanitization: No Personally Identifiable Information (PII), confidential client data, or production secrets (API keys, passwords, private keys) may be input into public LLM prompts.
- Code Privacy: When using AI-assisted code editors, employees must ensure that proprietary or highly sensitive algorithms are not submitted to public models for training purposes unless a “Zero Data Retention” or Enterprise agreement is in place.
- Output Verification: All code generated by AI tools must be reviewed and tested by a Director prior to deployment. AI-generated code is treated with the same scrutiny as third-party open-source code regarding security vulnerabilities.
14. Supplier Relationships
Security requirements will be addressed in agreements with suppliers who have access to the Agency’s information assets. This includes:
- Information Security in Supplier Agreements: Defining security responsibilities and requirements in contracts.
- Monitoring Supplier Services: Reviewing supplier compliance with security requirements (review cadence to be established).
15. Information Security Incident Management
A formal process for managing information security incidents will be established. This includes:
- Incident Reporting: Procedures for reporting security incidents and weaknesses.
- Incident Response: Procedures for responding to, analyzing, and resolving security incidents.
- Lessons Learned: Reviewing incidents to prevent recurrence.
16. Information Security Aspects of Business Continuity Management
Information security will be maintained during disruptions. This includes:
- Business Continuity Planning: Integrating information security into business continuity and disaster recovery plans.
- Redundancy: Implementing redundant systems and data storage to ensure availability.
17. Compliance
The Agency will comply with all relevant legal, statutory, regulatory, and contractual obligations related to information security. This includes:
- UK GDPR: Adhering to principles of data protection, data subject rights, and breach notification requirements.
- Cyber Essentials: Working towards the five technical controls (firewalls, secure configuration, user access control, malware protection, security update management) as a guideline; full certification not yet in place.
- Intellectual Property Rights: Protecting the Agency’s and its clients’ intellectual property.
18. Policy Review
The Agency intends to establish a regular review cadence for this policy (e.g. at least annually, or when significant changes occur in operations, technology, or regulation). A schedule is not yet in place; updates will be communicated to all relevant personnel when the policy is revised.