Skylite Associates Limited – Cyber Security Policy

    Policy ID: SYS-SEC-001   Version: 1.0   Effective Date: 2025-11-11   Review Date: Annually

    1. Introduction and Commitment

    Skylite Associates is committed to protecting its information systems, its data, and the privacy of its clients and employees from cyber threats. This policy formally documents the technical security controls adopted by the organisation, which are aligned with the UK government-backed Cyber Essentials Scheme. Compliance with this policy is mandatory for all employees, contractors, and third parties who access Skylite Associates’ information assets.

    2. Scope

    This policy applies to all Skylite Associates’ staff, and all digital devices (including company-owned and personally-owned devices used for business purposes), software, and network components that connect to the Skylite Associates’ corporate network or process corporate data.

    3. Core Cyber Essentials Control Areas

    Skylite Associates maintains robust security controls across the five core technical areas defined by Cyber Essentials:

    3.1. Boundary Firewalls and Internet Gateways

    All traffic entering and leaving the Skylite Associates network is monitored and controlled.

    • Requirement: Approved and securely configured firewalls shall be implemented at every point where the internal network connects to the public internet.
    • Configuration: Firewall rulesets must deny all inbound connections by default. Any exception must be documented, approved by the IT Manager, and limited to the specific essential service and port required.
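    The following is an added illustration of the configuration requirement above, not a ruleset taken from Skylite Associates or from Cyber Essentials. It is an nftables ruleset in which the input chain's policy is drop, so anything not matched by an explicit accept rule is blocked, and the single inbound exception is recorded in a comment with its approver. The interface names (wan0, lan0), the management subnet and the change reference are placeholders.

```nftables
# Added example (not the organisation's own ruleset): default-deny inbound
# boundary firewall with one documented exception.  Interface names,
# addresses and the change reference are placeholder assumptions.
flush ruleset

table inet boundary {
    chain input {
        # Default-deny: any packet not accepted by a rule below is dropped.
        type filter hook input priority 0; policy drop;

        # Return traffic for sessions the network itself initiated.
        ct state established,related accept
        ct state invalid drop

        # Loopback traffic never leaves the host.
        iif "lo" accept

        # Documented exception: HTTPS to the public web service.
        # Approved by: IT Manager, change reference CHG-0000 (placeholder).
        iif "wan0" tcp dport 443 ct state new accept

        # Management access (SSH) only from the internal management subnet,
        # never from the internet-facing interface.
        iif "lan0" ip saddr 192.168.10.0/24 tcp dport 22 ct state new accept

        # Everything else: log a rate-limited sample for review, then drop.
        limit rate 10/minute log prefix "boundary-drop: " drop
    }

    chain forward {
        # Nothing is routed between interfaces unless a rule allows it.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }

    chain output {
        # Outbound traffic is permitted here but still passes the firewall;
        # tighten this chain if outbound control is required.
        type filter hook output priority 0; policy accept;
    }
}
```

    Check the file with nft -c -f boundary.nft before loading it with nft -f boundary.nft; the -c flag parses and validates the ruleset without applying it. Adding a further inbound service means adding one more explicit accept line under its own approval comment; the drop policy itself never changes.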

    3.2. Secure Configuration

    All network devices, end-user devices, and software are configured to minimise vulnerabilities.

    • Requirement: All default passwords and generic administrative accounts must be changed immediately upon installation or deployment.
    • Device Hardening: Unnecessary user accounts, services, applications, and open network ports must be disabled or removed from all devices, including servers, workstations, and network equipment.

    3.3. Access Control (User Accounts)

    Access to corporate data and services is controlled and managed based on the principle of least privilege.

    • Requirement: All users must be provisioned with unique, named accounts. Shared accounts are prohibited.
    • Password Policy: Users must comply with the current Strong Password Policy, which sets minimum length, complexity, and uniqueness requirements for passwords. Multi-Factor Authentication (MFA) shall be enabled wherever the service supports it, and in particular for remote and administrative access.
    • Administrative Access: Privileged access is limited to the IT personnel who require it and is used only while performing administrative tasks, not for routine activity such as email or web browsing.

    3.4. Malware Protection

    Measures are in place to prevent the execution of known malicious software (malware) and to detect and respond to threats.

    • Requirement: Approved anti-malware software must be installed and actively running on all in-scope devices (including desktop computers, laptops, and servers).
    • Updates: Anti-malware signatures and definitions must be updated automatically, at least daily.
    • Application Control: Users may install only applications that have been explicitly approved by the IT Manager. Installing software that is unsigned, or whose digital signature fails validation, is prohibited.

    3.5. Patch Management

    Software vulnerabilities are addressed promptly to prevent exploitation.

    • Requirement: All operating systems (OS), applications, and firmware on in-scope devices must be kept up to date and must remain within vendor support.
    • Timeliness: Security patches that fix critical or high-risk vulnerabilities in the OS or installed software must be applied within 14 calendar days of release. All other updates must be applied within the defined maintenance schedule.
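    As an added worked example of the timeliness rule (this is illustrative code, not a tool used by Skylite Associates), the script below checks a patch inventory against the 14-day deadline. A patch is counted as within the window when it is installed on or before day 14 after release; a patch still missing after day 14 is overdue from that day on. The policy leaves the routine maintenance schedule to another document, so the 30-day window used for lower-severity patches, the device names and the inventory records are all assumptions constructed for the example.

```python
"""Added example (not the organisation's own tooling): flag patches that
breach the 14-calendar-day deadline for critical/high-risk fixes.

The 30-day window for other updates, the device names and the sample
inventory are assumptions constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

CRITICAL_DAYS = 14      # from section 3.5 of the policy
MAINTENANCE_DAYS = 30   # assumption: routine maintenance schedule


@dataclass(frozen=True)
class Patch:
    device: str
    name: str
    severity: str              # "critical", "high", "medium" or "low"
    released: date
    installed: Optional[date]  # None means not yet applied


def deadline_days(p: Patch) -> int:
    """Days allowed between release and installation for this patch."""
    return CRITICAL_DAYS if p.severity in ("critical", "high") else MAINTENANCE_DAYS


def days_outstanding(p: Patch, today: date) -> int:
    """Days from release to installation, or to today if still missing."""
    end = p.installed if p.installed is not None else today
    return (end - p.released).days


def is_overdue(p: Patch, today: date) -> bool:
    """True if the patch was installed after its deadline, or is still
    missing once the deadline has passed.  Day 14 itself is compliant,
    matching 'within 14 calendar days' in the policy."""
    return days_outstanding(p, today) > deadline_days(p)


def overdue_report(inventory: List[Patch], today: date) -> List[Tuple[str, str, int]]:
    """(device, patch, days outstanding) for every overdue patch, worst first."""
    rows = [(p.device, p.name, days_outstanding(p, today))
            for p in inventory if is_overdue(p, today)]
    return sorted(rows, key=lambda r: -r[2])


# Constructed sample inventory (not real devices or patch identifiers).
SAMPLE = [
    Patch("ws-014", "KB-A", "critical", date(2025, 11, 1), date(2025, 11, 15)),  # day 14: compliant
    Patch("ws-014", "KB-B", "critical", date(2025, 11, 1), date(2025, 11, 16)),  # day 15: overdue
    Patch("srv-02", "KB-C", "high",     date(2025, 11, 1), None),                # missing, 19 days
    Patch("srv-02", "KB-D", "low",      date(2025, 10, 25), None),               # missing, 26 days: inside 30-day window
    Patch("lt-07",  "FW-E", "medium",   date(2025, 9, 1),  None),                # missing, 80 days: overdue
]
TODAY = date(2025, 11, 20)

if __name__ == "__main__":
    for device, name, days in overdue_report(SAMPLE, TODAY):
        print(f"{device}: {name} outstanding {days} days (OVERDUE)")
```

    The boundary is deliberate: comparing with "greater than" rather than "greater than or equal" is what makes an installation on day 14 compliant, and a check that reports still-missing patches as well as late ones is what catches the srv-02 case, which a report driven only by installation dates would never list.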

    4. Policy Compliance

    Adherence to this Cyber Security Policy is the responsibility of all personnel. Any non-compliance with the policy, and any suspected security incident, must be reported immediately to the IT Manager or a designated security contact.