The King's Cross Group

Information Security Policy

Section 1 - Introduction

1.1        Background and Context
King’s Cross Group (“King’s Cross Group” or “the Company”) is a UK-based asset manager and property developer whose Technology Team (the “Technology Team” or “the Team”) has in place a programme for continuously improving its service operations, assessing its alignment to the Information Technology Infrastructure Library (ITIL) guidelines for good practice in IT Service Management (ITSM). A core component of ITSM good practice is Information Security Management (ISM).

Preventing the loss of, or disruption to, King’s Cross Group’s critical information or data requires an effective Information Security Management System (ISMS). Good practice, business stakeholder expectations and increasing regulatory requirements dictate that proactive plans, policies and procedures are in place to enable an effective response to, and management of, information loss or interruption.

King’s Cross Group has in place an ISMS which is aligned to the ISO/IEC 27001:2022 standard. ISO/IEC 27001:2022 is an internationally recognised standard describing how to manage all aspects of information security, encompassing an overarching management framework and documented policies and procedures. Achieving these objectives forms part of an on-going commitment to ensure that strategy, solutions, documentation and staff awareness remain current, effective and conformant.

1.2        Document Purpose
The purpose of this policy is to preserve the confidentiality, integrity, and availability of the King’s Cross Group information assets, ensuring that these assets are protected against unauthorised access, disclosure, modification, destruction, and disruption.

1.3        Scope
This policy applies to:

  • All employees, contractors, consultants, suppliers, and third-party partners who access or handle the King’s Cross Group information assets.
  • All information assets, including hardware, software, data, networks, and physical infrastructure owned or managed by the King’s Cross Group.

1.4        Document status
This document is available to view in the IT Policies area of the KXG Hub alongside all other policies.

Section 2 - Policy and core principles

2.1        Information Security Policy Statement
The Information Security Policy provides a framework for the appropriate and effective management of all information assets, including hardware, software, data, networks, and physical infrastructure owned or managed by King’s Cross Group. This policy defines the responsibilities that relate to its implementation and is designed to:

  • Protect King’s Cross Group, client and customer information, data and intellectual property within its custody or safekeeping by safeguarding its confidentiality, integrity, and availability.
  • Ensure that information-related business operations continue to be carried out in line with the ISO/IEC 27001 standard and to establish a sustainable operation plan for business that is cost effective.
  • Measure and monitor the InfoSec and ISMS Objectives (via the regular management review).

2.2        Principles of Information Security Policy
To ensure the protection of its digital assets and maintain trust with stakeholders, King’s Cross Group adopts a set of foundational principles that guide its approach to information security. These principles serve as the cornerstone for all security-related decisions, policies, and practices. They are designed to uphold the confidentiality, integrity, and availability of information systems, while aligning with legal, regulatory, and business requirements. By adhering to these principles, the organisation fosters a secure and resilient IT environment that supports its strategic objectives and operational continuity. The principles governing the management of information security are as follows:

  • Confidentiality: Ensure that sensitive information is accessible only to authorised individuals and entities. This includes protecting data from unauthorised access, disclosure, or interception.
  • Integrity: Safeguard the accuracy and completeness of information and processing methods. This involves preventing unauthorised modification and ensuring data remains trustworthy.
  • Availability: For compatibility and efficiency reasons, IT assets are issued on a ‘fit for purpose’ basis using standard IT equipment as detailed on the approved hardware and software list, set out within this policy.
  • Accountability: Assign clear responsibilities for information security. All users must be accountable for their actions and access to systems and data.
  • Risk Management: Identify, assess, and manage information security risks in a structured and consistent manner. Risk treatment should align with the organisation’s risk appetite and regulatory requirements.
  • Compliance: Adhere to all applicable legal, regulatory, and contractual obligations related to information security, such as GDPR, ISO/IEC 27001, and industry-specific standards.
  • Least Privilege: Grant users the minimum level of access necessary to perform their job functions. This reduces the risk of accidental or malicious misuse of data.
  • Security by Design: Integrate security into the design and development of systems, applications, and processes from the outset, rather than as an afterthought.
  • Continuous Improvement: Regularly review and update security policies, procedures, and controls to adapt to evolving threats, technologies, and business needs.
  • Awareness and Training: Promote a culture of security through ongoing education and awareness programmes to ensure all personnel understand their responsibilities.

2.3        Responsibilities and Compliance
Security is the responsibility of everyone affiliated with King’s Cross Group or directly accessing King’s Cross Group systems, King’s Cross Group data, and data entrusted to King’s Cross Group by clients or other third parties. The security measures described within the Information Security Management System define the minimum level of security required to protect the confidentiality, integrity, and availability of King’s Cross Group systems and information. Non-compliance with the required security measures and behaviours outlined in this policy could pose significant business and legal risk to King’s Cross Group and may create the potential for legal action that could significantly impact King’s Cross Group’s operations and damage its business assets and reputation. Such action may include, but is not limited to, reprimand, financial penalties, and/or legal action. Therefore, compliance with this policy and all King’s Cross Group security-related policies is a mandatory condition of employment for all King’s Cross Group employees, as well as for any third parties (such as outsourcing providers, contractors, associates, alliance partners, clients, etc.) that access King’s Cross Group systems or data. No one is permitted to bypass the security mechanisms provided by King’s Cross Group systems or infrastructure for any reason.

Any questions about the Information Security policies should be addressed in writing to Xavier Walker, Digital, Data and Technology Director.

Section 3 - Other policies

3.1        Information Security Risk Management
King’s Cross Group shall implement a comprehensive Information Security Risk Management framework to identify, assess, and mitigate risks to its information assets.

Risk assessments shall be conducted periodically and whenever significant changes occur in the IT environment.

Mitigation strategies shall be documented and tracked to ensure timely resolution of identified risks.

All employees must be aware of and comply with the organisation's information security policies and procedures.

3.2        Third Party Risk Management
All third-party vendors and service providers must undergo a risk assessment prior to engagement.

Contracts with third parties shall include clauses that ensure compliance with the organisation's information security standards.

Third-party access to King’s Cross Group systems and data shall be monitored and restricted based on the principle of least privilege.

Periodic reviews of third-party relationships shall be conducted to ensure ongoing compliance and risk mitigation.

3.3        IT Procurement Policy
All IT procurement activities must follow a standardised process to ensure compliance, cost-effectiveness, and alignment with organisational goals.

Procurement requests must be approved by the IT department and relevant stakeholders before purchase.

Vendors shall be evaluated based on quality, security, support, and cost criteria.

All procured IT assets must be recorded in the organisation's asset management system and assigned to responsible personnel.

3.4        Access Control Policy
King’s Cross Group manages and restricts access to its information systems and data to ensure that only authorised individuals can access specific resources.

King’s Cross Group will adopt principles of least privilege, role-based access, and need-to-know, ensuring users are granted the minimum access necessary to perform their duties.

Procedures will be put in place for user authentication (including multi-factor authentication, MFA), account management, access reviews, and revocation of access when it is no longer needed. The goal of this policy is to protect sensitive information from unauthorised access, reduce security risks, and support compliance with regulatory requirements.

3.5        Data Classification and Handling Policy
King’s Cross Group’s Data Classification and Handling Policy establishes a framework for categorising data based on sensitivity and defining appropriate handling requirements to safeguard it.

Data is typically classified into categories such as Public, Internal, Confidential, and Highly Confidential, each with specific security measures for storage, access, transmission, and disposal. The policy ensures that sensitive data is protected from unauthorised access, modification, or loss through encryption, access controls, and secure disposal methods.

Employees are required to follow these guidelines, and the organisation regularly reviews the classifications and handling procedures to ensure compliance with legal, regulatory, and business requirements. This policy supports data protection, regulatory adherence, and risk mitigation across the organisation.

3.6        Data Retention Standard
King’s Cross Group’s Data Retention Standards define the rules and durations for retaining organisational data to meet legal, regulatory, and business requirements. They specify how long different types of data (e.g., financial records, customer information, or employee data) should be stored and ensure the timely, secure disposal of data that is no longer needed.

These standards aim to reduce storage costs, minimise security risks, and maintain compliance with regulations such as GDPR and with industry standards. Data retention policies typically classify data by type and importance, assign retention periods, and outline secure methods for archiving and deletion, ensuring that data is only kept as long as necessary. Regular reviews ensure alignment with evolving requirements. The detailed Data Retention Policy can be found on the intranet.

3.7        Data Encryption Policy
To protect the confidentiality and integrity of sensitive information, all data classified as confidential or restricted must be encrypted both in transit and at rest. Encryption ensures that even if data is intercepted or accessed without authorisation, it remains unreadable and secure.

King’s Cross Group must use industry-standard encryption protocols (e.g., AES-256, TLS 1.2 or higher) and manage encryption keys securely through approved key management systems. Regular reviews and updates of encryption practices must be conducted to align with evolving threats and compliance requirements.

3.8        Data Backup Policy
To ensure data availability and support business continuity, all critical systems and data must be regularly backed up in accordance with the organisation’s backup schedule. Backups must be encrypted, stored securely, and tested periodically to verify their integrity and recoverability.

Backup procedures should include both onsite and offsite storage solutions to protect against data loss due to system failure, cyberattacks, or natural disasters. Access to backup data must be restricted to authorised personnel, and retention periods must comply with legal, regulatory, and business requirements.

3.9        Incident Response Policy
To minimise the impact of security breaches and ensure rapid recovery, King’s Cross Group’s IT security service provider will maintain a structured and well-documented incident response process. All employees are required to report suspected or confirmed security incidents immediately through the designated channels.

The Incident Response Team (IRT) is responsible for identifying, containing, eradicating, and recovering from incidents, as well as conducting post-incident reviews. Regular testing of the incident response plan and continuous improvement based on lessons learned are essential to maintaining organisational resilience and compliance with regulatory requirements.

3.10        Breach of this policy
Failure to comply with this policy is dealt with under King’s Cross Group’s Disciplinary Procedure and, in serious cases, may be treated as gross misconduct leading to summary dismissal.

3.11        Contacts
A copy of this policy is available on the KXG Hub. If in doubt, employees should contact the Digital, Data and Technology Team for the most up-to-date information and guidance on mobile phone usage.

3.12        Monitoring and review
The Information and Digital Technology Director has responsibility for implementing this policy and for monitoring its effectiveness. This policy (as amended from time to time) is available on the King’s Cross Group network and in the Employee Handbook.

Last updated

15/08/2025 (Policy Published)