Effective Date: 15 August 2025
Last Review Date: 15 August 2025
1. Introduction and Purpose
This Cyber Security Policy outlines the commitment of ForaCare Suisse AG (“ForaCare”) to protecting information assets, ensuring compliance with the Cyber Essentials (CE) scheme under PPN 014, and mitigating cyber threats in our operations. We handle sensitive data (e.g., patient records, recruitment info) and must safeguard against risks like ransomware or data breaches.
Our goal: Zero major incidents annually, with 100% compliance.
2. Scope
This policy applies to:
– All employees, contractors, and temporary staff.
– All IT systems, data (e.g., patient EHRs), and supply chains (cloud providers).
3. Commitments
ForaCare commits to:
– Protecting confidentiality, integrity, and availability of data (e.g., no unauthorized access to digital patient records).
– Reporting incidents to ICO/NCSC within 72 hours (GDPR breach) or immediately (CE requirement).
– Annual training for all staff (e.g., phishing awareness).
4. Responsibilities
– CEO: Oversee policy and approve annual reviews.
– IT/Security Lead: Implement controls (e.g., firewalls on clinic networks); conduct quarterly scans.
– Employees/Contractors: Follow secure practices (e.g., strong passwords for remote access; report suspicious emails).
– Suppliers/Partners: Maintain firewalls and network security, subject to audits (e.g., ForaCare device vendors).
5. Cyber Security Measures (Aligned with Cyber Essentials)
– Firewalls and Network Security: All devices behind firewalls; no unauthorized ports open.
– Secure Configuration: Devices hardened (e.g., no default passwords).
– Access Control: Role-based access.
– Malware Protection: Antivirus on all endpoints.
– Incident Response: Plan includes isolation, reporting to relevant Competent Authority and Notified Body.
6. Training and Awareness
All staff receive annual training on Cyber Awareness.
7. Monitoring, Reporting, and Review
– KPIs: Zero major breaches.
– Reporting: Incidents logged and reported (e.g., to ICO if >72 hours). Annual review by CEO.
– Review: Update yearly or post-incident.