Information Security Policy
1. Purpose
The purpose of this Information Security Policy is to protect The Pod Collective's information assets, client data, intellectual property, systems, and business operations from unauthorized access, disclosure, alteration, loss, or destruction.
This policy establishes the framework for safeguarding information and ensuring compliance with applicable legal, regulatory, and contractual obligations, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Scope
This policy applies to:
All employees, contractors, freelancers, and third-party suppliers working on behalf of The Pod Collective.
All information assets owned, processed, stored, or transmitted by The Pod Collective.
All devices, software, cloud platforms, and communication systems used for business purposes.
This includes but is not limited to:
Client information
Podcast recordings and production files
Marketing materials
Financial information
Employee information
Business systems and documentation
3. Information Security Objectives
The Pod Collective is committed to:
Protecting the confidentiality of client and business information.
Maintaining the integrity and accuracy of information assets.
Ensuring the availability of information and services when required.
Complying with legal, regulatory, and contractual requirements.
Minimising the risk of data breaches and cyber threats.
Promoting a culture of security awareness throughout the organisation.
4. Roles and Responsibilities
Management
Management is responsible for:
Ensuring appropriate security controls are implemented.
Reviewing security risks regularly.
Supporting staff training and awareness initiatives.
Responding to security incidents.
Employees and Contractors
All personnel are responsible for:
Following this policy and related procedures.
Protecting company and client information.
Reporting suspected security incidents immediately.
Using company systems responsibly.
5. Access Control
Access to information will be granted on a "least privilege" basis.
The Pod Collective will:
Restrict access to information based on business need.
Use unique user accounts for all employees and contractors.
Require strong passwords for all systems.
Enable Multi-Factor Authentication (MFA) wherever available.
Remove or update access permissions when personnel leave or change roles.
Passwords must:
Be at least 12 characters long.
Contain a combination of letters, numbers, and symbols.
Not be shared with others.
Be stored securely using an approved password manager.
6. Data Protection and Privacy
The Pod Collective will process personal data in accordance with UK GDPR and applicable privacy legislation.
Personal information must:
Be collected only for legitimate business purposes.
Be stored securely.
Be retained only for as long as necessary.
Be deleted securely when no longer required.
Client information shall never be shared with unauthorised third parties.
7. Device Security
All business devices must:
Be protected by passwords or biometric authentication.
Have automatic locking enabled.
Use up-to-date operating systems and security patches.
Have antivirus or endpoint protection software installed where appropriate.
Lost or stolen devices must be reported immediately.
8. Cloud Services and Data Storage
The Pod Collective relies on cloud-based systems to support its operations.
Approved platforms may include:
Microsoft 365
Google Workspace
Adobe Creative Cloud
Project management systems
Podcast hosting platforms
Secure file-sharing solutions
Sensitive information must not be stored on personal devices unless authorised and protected appropriately.
Regular backups shall be maintained for critical business information and client assets.
9. Client Content and Intellectual Property
Podcast recordings, video content, marketing assets, scripts, and other client materials are confidential.
The Pod Collective will:
Protect client intellectual property from unauthorised access.
Store production files securely.
Limit access to project teams with a legitimate business requirement.
Return or delete materials when required by contractual agreement.
10. Remote Working
Personnel working remotely must:
Use secure internet connections.
Avoid accessing sensitive information on public Wi-Fi unless using a VPN.
Ensure devices are not accessible to unauthorised individuals.
Protect confidential information during video calls and meetings.
11. Third-Party Suppliers
Third-party suppliers who process or access information on behalf of The Pod Collective must:
Demonstrate appropriate security measures.
Comply with applicable data protection laws.
Sign confidentiality agreements where appropriate.
Supplier security risks will be assessed periodically.
12. Security Incident Management
A security incident includes:
Data breaches
Malware infections
Unauthorised access
Lost or stolen devices
Accidental disclosure of information
Any suspected incident must be reported immediately to management.
The Pod Collective will:
Investigate the incident.
Contain and mitigate risks.
Assess legal and regulatory obligations.
Notify affected parties where required.
Implement corrective actions.
13. Security Awareness and Training
All employees and contractors will receive appropriate information security awareness training.
Training will cover:
Password security
Phishing awareness
Data protection responsibilities
Secure handling of client information
Incident reporting procedures
Refresher training will be conducted periodically.
14. Compliance and Monitoring
Compliance with this policy is mandatory.
The Pod Collective reserves the right to:
Monitor the use of company systems.
Conduct periodic security reviews.
Audit compliance with this policy.
Failure to comply may result in disciplinary action, termination of contracts, or legal action where appropriate.
15. Policy Review
This policy will be reviewed annually or following significant changes to business operations, technology, legal requirements, or security risks.