# Information Security Policy

# **1. Purpose**

Squid Academy is committed to protecting the confidentiality, integrity, and availability of its information, systems, services, and data.

The purpose of this information security policy is to establish the principles, responsibilities, and controls necessary to safeguard information assets against unauthorized access, disclosure, alteration, loss, or destruction.

This policy supports the Academy's obligations relating to:

* Data protection and privacy
* Safeguarding responsibilities
* Educational delivery
* Business continuity
* Regulatory compliance
* Customer trust

# **2. Scope**

This policy applies to:

* Employees
* Directors
* Contractors
* Consultants
* Tutors
* Coaches
* Assessors
* Volunteers
* Third-party service providers with authorized access

The policy applies to:

* Information assets
* Student records
* Assessment data
* Learning platforms
* Internal systems
* Cloud services
* Company devices
* Communication platforms
* Physical and digital records

# **3. Information Security Objectives**

Squid Academy aims to:

* Protect sensitive information from unauthorized access.
* Ensure information remains accurate and reliable.
* Maintain availability of critical services.
* Reduce security risks.
* Comply with legal and contractual obligations.
* Promote security awareness throughout the organization.
* Support safe and secure learning environments.

# **4. Security Principles**

Squid Academy's information security program is based on the following principles:

## **Confidentiality**

Information shall only be accessible to authorized individuals with a legitimate business need.

## **Integrity**

Information shall be protected from unauthorized modification, corruption, or destruction.

## **Availability**

Information and systems shall remain available to authorized users when required.

## **Accountability**

Individuals are responsible for protecting information entrusted to them.

## **Least Privilege**

Access rights shall be limited to the minimum level necessary for a user's role.

# **5. Roles and Responsibilities**

## **Senior Management**

Responsible for:

* Security oversight.
* Resource allocation.
* Risk management.
* Policy approval.

## **Information Security Lead**

Responsible for:

* Security governance.
* Policy maintenance.
* Incident coordination.
* Risk monitoring.
* Security improvement initiatives.

## **Staff and Contractors**

Responsible for:

* Following security policies.
* Protecting information assets.
* Reporting security incidents.
* Maintaining secure working practices.

## **Third-Party Suppliers**

Responsible for:

* Protecting Academy information under contractual obligations.
* Maintaining appropriate security controls.
* Reporting security incidents affecting Academy data.

# **6. Information Classification**

Information shall be classified according to sensitivity.

## **Public**

Information approved for public release.

Examples:

* Marketing materials
* Public website content

## **Internal**

Information intended for internal use.

Examples:

* Internal procedures
* Operational documents

## **Confidential**

Information requiring protection from unauthorized disclosure.

Examples:

* Business plans
* Commercial agreements
* Staff records

## **Restricted**

Highly sensitive information requiring enhanced protection.

Examples:

* Student records
* Safeguarding reports
* Assessment data
* Personal data
* Security credentials

# **7. Access Control**

Access to systems and information shall be:

* Authorized.
* Role-based.
* Reviewed periodically.
* Removed promptly when no longer required.

The Academy will apply the principle of least privilege whenever access is granted.

Users shall only access information necessary to perform their duties.

# **8. Authentication and Password Security**

Users must:

* Maintain strong passwords.
* Keep credentials confidential.
* Use multi-factor authentication where available.
* Avoid password sharing.
* Report suspected credential compromise immediately.

Shared accounts should be avoided unless operationally required and formally approved.

# **9. Acceptable Use of Systems**

Company systems must be used:

* Lawfully.
* Responsibly.
* Professionally.

Users must not:

* Circumvent security controls.
* Install unauthorized software.
* Access prohibited content.
* Use systems for illegal activities.
* Share sensitive information without authorization.

# **10. Remote Working and Cloud Services**

When accessing Academy systems remotely, users must:

* Use approved devices where possible.
* Maintain device security.
* Protect login credentials.
* Avoid accessing sensitive information on unsecured public networks.

Approved cloud platforms may be used only in accordance with Academy policies.

# **11. Data Protection**

Personal data shall be processed in accordance with the following:

* Applicable data protection legislation.
* The Academy Privacy Policy.
* Data Processing Agreements.
* Data Retention Schedules.

Access to personal data shall be limited to authorized personnel.

# **12. Safeguarding Information**

Safeguarding records require enhanced protection.

Such information shall:

* Be restricted to authorized personnel.
* Be stored securely.
* Be shared only when necessary.
* Be handled confidentially.

Safeguarding concerns shall always be prioritized appropriately.

# **13. Security Monitoring**

The Academy may monitor systems, networks, and services to:

* Detect security threats.
* Investigate incidents.
* Protect information assets.
* Maintain service integrity.

Monitoring activities shall be conducted lawfully and proportionately.

# **14. Incident Management**

All actual or suspected security incidents must be reported immediately.

Examples include:

* Data breaches
* Unauthorized access
* Malware infections
* Credential compromise
* Loss of devices
* System misuse

Incidents shall be managed in accordance with the Security & Incident Response Policy.

# **15. Business Continuity**

Squid Academy will maintain appropriate measures to support service continuity and recovery following:

* Cyber incidents
* System failures
* Service outages
* Infrastructure disruptions

Business continuity and disaster recovery arrangements shall be reviewed periodically.

# **16. Security Awareness**

Personnel shall receive appropriate security awareness training covering:

* Information security responsibilities
* Data protection
* Password security
* Phishing awareness
* Safeguarding considerations
* Incident reporting

Training may be refreshed periodically.

# **17. Third-Party Management**

Where third parties process or access Academy information:

* Appropriate due diligence shall be performed.
* Security expectations shall be documented.
* Contractual protections shall be implemented where required.
* Risks shall be reviewed periodically.

# **18. Compliance**

Failure to comply with this policy may result in:

* Removal of access privileges
* Disciplinary action
* Contractual remedies
* Legal action where appropriate

The Academy reserves the right to investigate potential violations.

# **19. Policy Review**

This policy shall be reviewed annually or whenever:

* Significant security changes occur.
* Legal requirements change.
* New technologies are introduced.
* Material incidents occur.
