If you’re in the legal sector, you are likely to have encountered the Lexcel Practice Management Standard (Lexcel), introduced by the Law Society of England and Wales. Holding Lexcel (or the Specialist Quality Mark, SQM) is a precondition for a law practice to hold a legal aid contract with the Legal Aid Agency.
Lexcel is the legal practice quality standard that focuses on client care, compliance, and effective practice management, encompassing the following areas:
- Information management
- Risk management
- Client care
- People management
- Structure and strategy
- Financial management
- File and case management.
Section 3.2 of the Standard specifies that practices must have an information management and security policy, and that they should be certified to the Cyber Essentials scheme.* It also states that a compliant information management and security policy must contain the following controls:
- A register of relevant information assets of both the practice and clients
- Procedures for the protection and security of the information assets
- Procedures for the retention and disposal of information
- The use of firewalls
- Procedures for the secure configuration of network devices
- Procedures to manage user accounts
- Procedures to detect and remove malicious software
- A register of all software used by the practice
- Training for personnel on information security
- A plan for the updating and monitoring of software.
In this blog, URM addresses each control and how it needs to feature as part of your firm’s information management and security policy, as well as explaining how you can meet additional, related Lexcel requirements.
*To learn more about Lexcel and Cyber Essentials, read our blog Understanding Lexcel and the Specialist Quality Mark (SQM): How Cyber Essentials Can Benefit Your Practice.
Information Management and Security Policy
A register of relevant information assets of both the practice and clients
This control requires you to create and maintain an asset register, which details the information held about both the practice and its clients, such as client engagement materials and legal documents. As a minimum, each entry in your asset register should record:
- Asset type
- Asset owner
- Asset classification
- Asset location
- Impact levels of threats to the asset in relation to confidentiality, integrity and availability (CIA).
To maximise efficiency, you should also include the software used by your practice in this register. This will enable you to simultaneously adhere to the separate control requiring ‘a register of all software used by the practice’, without the need for an additional document.
Procedures for the protection and security of the information assets
This requirement is fairly vague, as it does not define which procedures you are expected to implement. However, it does note that these procedures need to be focused on maintaining confidentiality, integrity and availability (CIA) and on keeping information accessible to those who legitimately need it. Typically, they would cover areas such as:
- Data encryption
- Access controls
- Data backup and recovery
- Supplier risk management
- Risk assessment and treatment
- Incident management
- Other procedures noted below (e.g., firewalls).
Procedures for the retention and disposal of information
To meet the requirements of this control, your firm will need to have a procedure in place that defines how information, in both electronic and physical forms, is retained in compliance with relevant regulations and legislation (e.g., the General Data Protection Regulation or ‘GDPR’), and how it is disposed of securely once the retention period ends. As part of this procedure, your practice needs to identify any legislative or regulatory requirements around retention and disposal that must be met, for example in relation to client due diligence records. It is also beneficial to ensure that the disposal of hardware is Waste Electrical and Electronic Equipment (WEEE) certified, that devices are wiped before being sent for disposal, and that evidence of wiping or destruction (e.g., a certificate of destruction) is retained for your audit trail.
The use of firewalls
The use of firewalls simply refers to the implementation of firewalls, whether software or hardware-based, in the corporate environment. URM recommends that as part of this implementation, your practice ensures that the firewalls used are not approaching end-of-life (EOL), and that firewall rules are configured to block inbound traffic by default and regularly reviewed to ensure that no unnecessary ports or services are exposed, particularly management interfaces. Procedures need to clearly define how passwords are changed on the firewall, and default or vendor-supplied passwords must always be changed as soon as the firewalls are first put into use.
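The rule review described above can be partly automated. The following is an added example (it is not code from the original post or from URM) that checks a simplified inbound rule export against an approved list of internet-facing services and a list of management ports that must never be reachable from any source. The rule format, the sample rules and the approved/management port lists are all constructed for illustration; a real review would parse your firewall vendor's own export format.

```python
"""Review an inbound firewall ruleset for unnecessary exposure.

Added example, not from the original post. The rule export format below is a
constructed, simplified one: <source CIDR or 'any'> <proto>/<port> <allow|deny>.
"""
from dataclasses import dataclass

# Constructed sample export (not from a real device), one inbound rule per line.
SAMPLE_RULES = """\
any tcp/443 allow
any tcp/80 allow
any tcp/22 allow
10.0.0.0/8 tcp/3389 allow
any tcp/3389 allow
any tcp/8080 allow
any udp/161 allow
any any/any deny
"""

# Hypothetical approved list: services the practice has agreed to expose to the internet.
APPROVED_INTERNET_PORTS = {("tcp", 443), ("tcp", 80)}
# Management services that must never be reachable from 'any' source.
MANAGEMENT_PORTS = {("tcp", 22), ("tcp", 23), ("tcp", 3389), ("udp", 161)}


@dataclass(frozen=True)
class Rule:
    source: str
    proto: str
    port: str
    action: str


def parse_rules(text):
    """Parse the constructed export format into Rule objects, rejecting malformed lines."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or "/" not in parts[1]:
            raise ValueError(f"line {lineno}: malformed rule {line!r}")
        proto, port = parts[1].split("/", 1)
        rules.append(Rule(parts[0], proto.lower(), port.lower(), parts[2].lower()))
    return rules


def has_default_deny(rules):
    """True if the final rule denies all remaining traffic (block-by-default posture)."""
    if not rules:
        return False
    last = rules[-1]
    return (last.action, last.source, last.proto, last.port) == ("deny", "any", "any", "any")


def review(rules):
    """Return findings as (severity, rule, reason) tuples for every risky allow rule."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.proto == "any" or r.port == "any":
            findings.append(("high", r, "blanket allow"))
            continue
        key = (r.proto, int(r.port))
        if r.source == "any" and key in MANAGEMENT_PORTS:
            findings.append(("high", r, "management port exposed to any source"))
        elif r.source == "any" and key not in APPROVED_INTERNET_PORTS:
            findings.append(("medium", r, "port not on the approved internet-facing list"))
        # Allows from a specific internal range are left for manual review.
    return findings


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("default deny present:", has_default_deny(parsed))
    for severity, rule, reason in review(parsed):
        print(f"[{severity}] {rule.source} {rule.proto}/{rule.port}: {reason}")
```

Run against the sample, the script flags SSH, RDP and SNMP exposed to any source as high and the unexplained port 8080 as medium, while leaving the RDP allow restricted to the internal 10.0.0.0/8 range for a human to judge. Keeping the output of each review with the policy provides the evidence of the "regular review" that an assessor will ask for.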
Procedures for the secure configuration of network devices
The procedures your practice defines for this control are required to cover a number of areas: you will need procedures that require default passwords on network devices to be changed, and that ensure configurations are checked and confirmed to be correct and applicable to your environment. There will also need to be procedures that address the regular updating of firmware and software, network segmentation to isolate systems holding sensitive data, and the use of secure (encrypted and authenticated) management protocols in place of legacy ones.
These procedures, along with guidance for firewalls, need to be formally documented to ensure they are carried out consistently.
Procedures to manage user accounts
Here, you will need to consider how user accounts within your practice are created, modified and deleted, as well as how appropriate permissions are applied and maintained. As part of this, you need to formally define a joiners, movers and leavers process (if your firm does not already have one) that ensures permissions are correctly applied, adapted and revoked when relevant.
You will also need to apply the principle of least privilege and implement role-based access control (RBAC), access control matrices, and separate administrative and daily user accounts.
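The joiners, movers and leavers checks and the separation of administrative accounts described above lend themselves to a periodic automated reconciliation. The following added example (not code from the original post or from URM) compares a constructed extract of user accounts against an RBAC matrix and a per-job baseline of roles, and reports leavers whose accounts are still enabled, daily-use accounts carrying an administrative role, and movers who have kept roles beyond their current job. The role names, permissions, job baselines and account records are all hypothetical.

```python
"""Reconcile user accounts against an RBAC matrix and a JML baseline.

Added example, not from the original post. Roles, permissions, job baselines
and account records are constructed for illustration.
"""

# Access control matrix: role -> permissions granted by that role (hypothetical).
ROLE_PERMISSIONS = {
    "fee_earner": {"case_files:read", "case_files:write", "email:send"},
    "support":    {"case_files:read", "email:send"},
    "finance":    {"ledger:read", "ledger:write"},
    "it_admin":   {"servers:admin", "accounts:manage"},
}
ADMIN_ROLES = {"it_admin"}

# Daily-use roles each job is entitled to (hypothetical). Admin accounts are
# handled separately: they may hold admin roles only.
JOB_BASELINE = {
    "solicitor": {"fee_earner"},
    "paralegal": {"support"},
    "accounts":  {"finance"},
    "it":        {"support"},
}

# Constructed HR/IT extract: one record per account.
ACCOUNTS = [
    {"user": "a.smith",     "job": "solicitor", "type": "user",  "roles": {"fee_earner"},          "hr_status": "employed", "enabled": True},
    {"user": "b.jones",     "job": "accounts",  "type": "user",  "roles": {"support", "finance"},  "hr_status": "employed", "enabled": True},
    {"user": "c.patel",     "job": "it",        "type": "user",  "roles": {"support", "it_admin"}, "hr_status": "employed", "enabled": True},
    {"user": "c.patel-adm", "job": "it",        "type": "admin", "roles": {"it_admin"},            "hr_status": "employed", "enabled": True},
    {"user": "d.lee",       "job": "solicitor", "type": "user",  "roles": {"fee_earner"},          "hr_status": "left",     "enabled": True},
    {"user": "e.khan",      "job": "paralegal", "type": "user",  "roles": {"support"},             "hr_status": "left",     "enabled": False},
]


def effective_permissions(roles):
    """Union of permissions granted by a set of roles; unknown roles are an error."""
    perms = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def find_violations(accounts):
    """Return (user, reason) findings for JML, separation and least-privilege failures."""
    findings = []
    for acct in accounts:
        user, roles = acct["user"], set(acct["roles"])

        # Leaver whose account is still enabled: the leavers step was not completed.
        if acct["hr_status"] == "left" and acct["enabled"]:
            findings.append((user, "leaver account still enabled"))

        # Separation of administrative and daily accounts.
        if acct["type"] == "user" and roles & ADMIN_ROLES:
            findings.append((user, "admin role on a daily-use account"))
        if acct["type"] == "admin" and roles - ADMIN_ROLES:
            findings.append((user, "daily-use role on an admin account"))

        # Mover who kept roles beyond the current job's baseline (admin roles
        # are already reported above, so exclude them here).
        if acct["type"] == "user":
            extra = (roles - ADMIN_ROLES) - JOB_BASELINE.get(acct["job"], set())
            if extra:
                findings.append((user, f"roles beyond job baseline: {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for user, reason in find_violations(ACCOUNTS):
        print(f"{user}: {reason}")
```

Run against the sample, the reconciliation reports b.jones (moved into accounts but kept the support role), c.patel (an admin role on a daily-use account, which the separate c.patel-adm account is meant to hold) and d.lee (a leaver still enabled). Running such a comparison on a fixed schedule, and filing the output, gives you the evidence that permissions are "correctly applied, adapted and revoked" rather than just a written procedure.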
Procedures to detect and remove malicious software
This control requires you to have an established method of both detecting and subsequently removing malicious software. You can achieve this by ensuring that anti-malware software is installed on all devices, that it is kept up to date and configured to scan automatically, and that the product you install has a function which allows for the quarantine or removal of any malware it detects.
Training for personnel on information security
Lexcel states that training needs to be delivered at least annually and be appropriate to the roles performed. Key topics such as cyber hygiene and phishing awareness must be covered by this training, and your information management and security policy needs to specify how often training is delivered.
A plan for the updating and monitoring of software
The focus of this control is ensuring software does not become out of date and therefore vulnerable to exploitation. The software asset register mentioned previously allows your firm to track the software in use, apply updates when they are released, and remove software that is no longer supported by its vendor. You may find it beneficial to align with the Cyber Essentials requirement that high and critical-risk security updates are applied within 14 days of their release.

Email Policy
Lexcel also requires you to create and implement an email policy. This is a separate requirement, so the email policy does not have to form part of the information management and security policy; however, combining the two into one document will streamline reviews and updates. The email policy must include the following mandatory content:
- The scope of permitted and prohibited use
- Procedures for monitoring personnel using email
- Procedures for the storage and destruction of emails.
The storage and destruction of emails needs to feature as part of the procedure for retention.
General
In addition to the controls themselves, Lexcel also requires you to maintain a register of each plan, policy and procedure required by the Standard. For each, you will also need to:
- Appoint a named person who is responsible for the document (i.e., a document owner)
- Establish a procedure for review.
How Can URM Help?
With our extensive experience supporting organisations’ conformance to a range of information security standards and frameworks (such as ISO 27001, SOC 2, and the Payment Card Industry Data Security Standard or ‘PCI DSS’), URM is ideally positioned to help your firm develop a fully Lexcel-compliant information management and security policy. URM’s large team of information security consultants can support the production of a policy that covers all of the security controls required by the Standard, while being tailored to your firm’s unique working practices, culture and needs.
As an accredited certification body, URM can also guide and facilitate your firm’s certification to the Cyber Essentials scheme, as per Lexcel’s recommendation. Our team can offer a range of services to ensure your Cyber Essentials certification is as seamless and successful as possible. These include conducting a gap analysis of your firm’s existing security practices against the scheme’s requirements, and providing a Cyber Essentials application review service, where we review your completed questionnaire for compliance before formal submission.
If your firm is looking to develop its information security programme further, URM can assist your practice to implement an information security management system (ISMS) that is fully conformant to ISO 27001, the international standard for ISMSs. Having led over 400 ISO 27001 certification projects (without a single failure), URM can provide expert, end-to-end information security consultancy throughout the entire implementation process. This includes conducting gap analyses, supporting risk assessment, helping you draft and refine required policies and processes, conducting internal audits, and more. Whether your objective is formal certification or simply alignment with best practice, URM will tailor its support to ensure your practice’s ISMS is both practical and sustainable.