Title: Information Transfer Policy
Document ID: [POL-TRANSFER-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]
Information Transfer Policy
Purpose
This policy defines BlackDice's requirements for transferring information securely between internal teams, customers, suppliers, and other authorised parties.
Scope
This policy applies to electronic and physical information transfer involving in-scope information, including customer communications, support processes, supplier exchanges, and operational data sharing.
Objectives
- protect information during transfer against unauthorised access or loss
- ensure transfers are appropriate to classification and business need
- reduce risk in cross-organisational and multi-jurisdiction exchanges
Principles / Policy Statements
Information must only be transferred where there is a legitimate business need and an approved transfer method appropriate to the information's sensitivity.
Transfer mechanisms for sensitive information must include suitable protections such as access restriction, encryption, integrity assurance, and recipient validation where appropriate.
Operational data shared with suppliers, customers, or operator-hosted environments must be limited to what is necessary and handled according to agreed requirements.
Transfers that may involve legal, regulatory, or contractual obligations must be assessed and approved through the relevant process.
Unauthorised use of personal email, consumer file-sharing, or other unapproved channels for sensitive business information must be prohibited.
Roles and Responsibilities
- [Role] must define information transfer expectations.
- Information owners must approve transfer arrangements where required.
- Users must use approved methods and verify recipients before sharing sensitive information.
Compliance / Exceptions
Exceptions to standard transfer controls must be documented, justified, and approved based on risk and business need.
Monitoring and Review
This policy should be reviewed through incident analysis, supplier review, privacy review, and audit.
Related Documents
- Information Security Policy
- Data Classification and Handling Policy
- Privacy and Data Protection Policy
- Supplier Security Policy
Version Control
| Version | Date | Description of Change | Author |
|---|---|---|---|
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |