Information Security Policy
The information security requirements, principles and controls that protect the assets entrusted to Dead Simple Computing.
1. Introduction
Purpose
This policy establishes the information security requirements for Dead Simple Computing Ltd, trading as Dead Simple Computing and DSC - Cyber And Managed Services.
The policy defines commitment to protecting information assets and establishes security principles and controls. It aligns with National Cyber Security Centre (NCSC) guidance and reflects UK cyber security best practice.
Scope
Applies to all DSC employees, contractors, and third parties; all information assets owned by or entrusted to DSC; all systems, networks, and services operated by DSC; all customer environments and data; and all physical locations from which DSC operates.
Sectors Served
- Defence and National Security
- Aerospace and Space
- Financial Services
- Education
- Public Sector
- Construction and Engineering
2. Data Classification
| Level | Description | Examples |
|---|---|---|
| Public | Information intended for public disclosure | Website content, marketing materials |
| Internal | Information for internal DSC use | Internal procedures, staff communications |
| Confidential | Sensitive business information | Customer contracts, pricing, HR records |
| Restricted | Highly sensitive, need-to-know only | Customer credentials, security reports, defence data |
Government Classification Alignment
| Government Classification | DSC Handling |
|---|---|
| OFFICIAL | Handle as Confidential minimum |
| OFFICIAL-SENSITIVE | Handle as Restricted with additional controls |
| SECRET / TOP SECRET | DSC does not handle |
3. Access Control
Principles
- Least privilege: Users receive minimum access necessary for their role
- Need-to-know: Access to sensitive information only when required
- Segregation: Customer environments are logically separated
- Defence in depth: Multiple layers of access control
Authentication
Password Requirements
- Standard accounts: minimum 12 characters
- Privileged/customer accounts: minimum 16 characters
- Unique passwords per system, stored in approved password manager only
Multi-Factor Authentication
MFA required for: all DSC cloud services, all customer tenant access, remote access to DSC systems, and password manager access.
4. Cryptography
NCSC Approved Standards
| Purpose | Approved |
|---|---|
| Symmetric encryption | AES-128, AES-256 |
| Asymmetric encryption | RSA-2048 minimum (RSA-3072/4096 preferred) |
| Hashing | SHA-256, SHA-384 |
| Transport security | TLS 1.2, TLS 1.3 |
Not permitted: MD5, SHA-1, DES, 3DES, RC4, RSA-1024, TLS 1.0/1.1, SSL
5. Sector-Specific Requirements
Defence Sector
- All data processed and stored in the United Kingdom only
- Security clearances (SC, DV) obtained where required
- Need-to-know strictly enforced
- DEFCON and DCC compliance where applicable
Aerospace and Space
- Export Control Act 2002 compliance
- Enhanced controls for dual-use technology
- Strict IP protection for designs and technical data
| Sector | Key Requirements |
|---|---|
| Financial Services | FCA outsourcing requirements, PCI-DSS support, client confidentiality |
| Education | KCSIE safeguarding, enhanced DBS, pupil data protection, content filtering |
| Public Sector | PSN requirements, FOI awareness, NHS DSPT support where applicable |
| Construction and Engineering | IP/CAD/BIM protection, project data security, export controls |
6. Vulnerability Management
| Severity | Remediation |
|---|---|
| Critical/High | Within 14 days (Cyber Essentials requirement) |
| Medium | Within 30 days |
| Low | Within 90 days |
7. NCSC Alignment
10 Steps to Cyber Security
| NCSC Step | Policy Coverage |
|---|---|
| Risk management | Risk Management section |
| Engagement and training | Personnel Security section |
| Asset management | Asset Management section |
| Architecture and configuration | Network and Endpoint Security sections |
| Vulnerability management | Vulnerability Management section |
| Identity and access management | Access Control section |
| Data security | Classification, Credentials, Cryptography sections |
| Logging and monitoring | Remote Access, Incident Management sections |
| Incident management | Incident Management section |
| Supply chain security | Supplier Security section |
Cyber Essentials Controls
| Control | Implementation |
|---|---|
| Firewalls | Boundary firewalls with restrictive rule sets |
| Secure configuration | Standard secure configurations and hardening |
| User access control | Least privilege, unique accounts, access reviews |
| Malware protection | EDR/antimalware on all endpoints |
| Patch management | 14-day critical/high, 30-day medium |
Certification
Cyber Essentials Plus
Certificate: 0e54f576-13f7-426b-a4a6-d2994fd8b66a
Valid until: 17 November 2026
8. Security Metrics
| Metric | Target | Frequency |
|---|---|---|
| Cyber Essentials Plus certification | Maintained | Annual |
| Security incidents affecting customers | Zero | Ongoing |
| Leaver access revocation | Within 24 hours | Per event |
| High-privilege credential review | 100% reviewed | Quarterly |
| Security awareness training | 100% completion | Annual |
| Critical vulnerability remediation | Within 14 days | Per event |
| Access reviews completed | 100% | Quarterly |
Approved by
Daniel McClure Fisher
Director, Dead Simple Computing Ltd
December 2025