Information Security Policy
Version: 1.2 | Last reviewed: April 2026 | Next review: April 2027
Introduction
At Cyber Rebels, protecting information is not just part of what we teach. It is part of how we work.
We believe strong security practices build trust. Every client, learner, partner, and contact who shares information with us has the right to know that their data is handled safely, respectfully, and responsibly.
This policy explains how Cyber Rebels protects the information we hold, manages information security risks, and models the same secure behaviours we promote through our training and consultancy work.
Purpose
The purpose of this policy is to set out how Cyber Rebels keeps personal, business, learner, client, and operational information secure across all areas of our work.
It supports our compliance with UK GDPR, the Data Protection Act 2018, and our wider commitment to responsible information security, professional integrity, and trust-based working.
Scope
This policy applies to all Cyber Rebels staff, trainers, contractors, consultants, partners, and third parties who access, process, store, or handle information on behalf of Cyber Rebels.
It covers both digital and physical information, including information held in cloud systems, email accounts, business systems, training records, client documents, project files, devices, backups, and any paper-based records used during training or consultancy work.
Our Commitment
Cyber Rebels is committed to protecting the confidentiality, integrity, and availability of the information we hold.
This means we work to ensure that information is only accessed by the right people, remains accurate and complete, and is available when needed for legitimate business, training, client, or legal purposes.
We are also committed to using secure technologies, clear procedures, responsible suppliers, and trained people to reduce the risk of accidental loss, unauthorised access, misuse, disclosure, or disruption.
Information security at Cyber Rebels is not treated as a separate technical task. It is part of everyday decision-making.
Responsibilities
The Cyber Rebels leadership team is responsible for ensuring this policy is implemented, reviewed, and supported by appropriate systems, processes, and supplier arrangements.
The Information Security Lead is Andy Longhurst, Director of Training & Development. Andy is responsible for overseeing information security risk, incident response, access control, policy review, and day-to-day security decision-making.
All staff, trainers, contractors, and partners are responsible for following this policy, completing relevant cybersecurity and data protection training, protecting information in their care, and reporting any concerns, suspected incidents, or weaknesses promptly.
Clients and partners are expected to handle any information shared by Cyber Rebels responsibly and in line with agreed confidentiality, contractual, and data protection requirements.
Information We Protect
Cyber Rebels may handle different types of information depending on the nature of the relationship or project. This may include client contact details, learner information, business records, training attendance information, questionnaire responses, consultancy notes, supplier information, financial records, and communications.
We apply proportionate controls based on the sensitivity, purpose, and risk associated with the information.
Information may be treated as public, internal, confidential, or sensitive. Confidential and sensitive information receives additional protection, including restricted access, secure storage, encryption where appropriate, and careful sharing controls.
Access Control
Access to Cyber Rebels systems and information is granted on a least-privilege basis. People are only given access to the information and systems they need to carry out their role.
Accounts are protected using strong passwords and multi-factor authentication wherever available. Access rights are reviewed regularly and updated when roles, responsibilities, or working arrangements change.
When a staff member, contractor, or partner no longer requires access, their permissions are removed promptly.
Data Storage and Encryption
Cyber Rebels uses secure, GDPR-compliant cloud services with encryption in transit and at rest. Data is hosted within the UK or EEA wherever possible.
Files containing personally identifiable information that must be stored locally on company devices are encrypted using AES-256. Encryption at rest protects the data if a device is lost, stolen, or accessed without permission while it is locked or powered off; it does not protect data on a device that is unlocked and in use, which is why the access control and device security measures in this policy apply alongside it.
Sensitive information is not stored locally unless there is a clear operational reason to do so.
Device and Network Security
Company devices are protected with encryption, up-to-date security software, firewalls, and automatic updates.
Cyber Rebels uses secure networks and appropriate safeguards for remote work. Public Wi-Fi is not used to access client or sensitive information unless suitable protection, such as a trusted VPN or secure connection, is in place.
Devices must be locked when unattended, protected from unauthorised use, and reported immediately if lost or stolen.
Email and Communication Security
All Cyber Rebels email accounts require multi-factor authentication. The Cyber Rebels email domain also publishes SPF, DKIM, and DMARC records so that receiving mail servers can detect and reject messages that falsely claim to be sent from us, reducing the risk of spoofing and impersonation. These DNS controls protect our domain as a sender; they do not by themselves authenticate mail we receive, so staff are still expected to treat unexpected messages with caution (see Training and Awareness).
Outgoing emails are digitally signed with an S/MIME certificate where the sending system supports it. A recipient whose mail client supports S/MIME can then verify that the message came from the stated Cyber Rebels sender and was not altered in transit.
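SPF and DMARC records only block spoofing when they are set to enforce: an SPF record whose final term is "-all", and a DMARC policy of quarantine or reject with a reporting address. The script below is an added example of how to check that from the published records; it is not Cyber Rebels' own tooling. The TXT records and domain names in it (example.org, weak.example, open.example) are constructed samples standing in for DNS answers, not Cyber Rebels' real records. DKIM is deliberately not checked here, because DKIM selectors cannot be enumerated from DNS; a DKIM signature is verified from the DKIM-Signature header of a received message instead.

```python
"""Assess whether a domain's published SPF and DMARC records actually enforce
anti-spoofing, rather than merely existing.

Added example, not Cyber Rebels' own tooling. The TXT records below are
constructed samples standing in for DNS answers; replace lookup_txt with a
real resolver (for example dnspython) to check a live domain.
"""
import re

# Constructed sample TXT records keyed by DNS name (not real DNS data).
SAMPLE_TXT = {
    "example.org": ["v=spf1 include:_spf.mail.example.net -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.org; adkim=s; aspf=s"],
    "weak.example": ["v=spf1 a mx include:a.example include:b.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "open.example": ["v=spf1 +all"],
}

# SPF terms that each cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; returns the TXT strings published at name."""
    return records.get(name.lower(), [])


def parse_spf(txt):
    """Return {'all': qualifier, 'lookups': n} for a v=spf1 record, else None."""
    if not txt.lower().startswith("v=spf1"):
        return None
    all_qualifier = None  # no 'all' term at all means an implicit neutral result
    lookups = 0
    for term in txt.split()[1:]:
        qualifier, body = "+", term  # an unqualified mechanism means "+" (pass)
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(txt):
    """Return the tag=value pairs of a v=DMARC1 record as a dict, else None."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, records=SAMPLE_TXT):
    """Return a list of (code, explanation) findings; an empty list means both
    records are published and set to enforce."""
    findings = []

    spf_records = [r for r in map(parse_spf, lookup_txt(domain, records)) if r]
    if not spf_records:
        findings.append(("spf-missing", "no v=spf1 record: receivers cannot reject forged envelope senders"))
    else:
        if len(spf_records) > 1:
            findings.append(("spf-multiple", "more than one v=spf1 record is a permerror under RFC 7208"))
        spf = spf_records[0]
        if spf["all"] == "+":
            findings.append(("spf-open", "'+all' authorises every host on the internet to send as this domain"))
        elif spf["all"] != "-":
            shown = f"{spf['all']}all" if spf["all"] else "no 'all' term"
            findings.append(("spf-softfail", f"{shown}: unauthorised senders are not hard-failed; only '-all' does that"))
        if spf["lookups"] > 10:
            findings.append(("spf-lookup-limit", f"{spf['lookups']} DNS lookups exceeds the limit of 10, so evaluation yields permerror"))

    dmarc_records = [r for r in map(parse_dmarc, lookup_txt(f"_dmarc.{domain}", records)) if r]
    if not dmarc_records:
        findings.append(("dmarc-missing", "no _dmarc record: SPF/DKIM results are never tied to the From: header"))
        return findings
    dmarc = dmarc_records[0]
    policy = dmarc.get("p")
    if policy not in {"none", "quarantine", "reject"}:
        findings.append(("dmarc-invalid", "missing or unknown 'p' tag; receivers treat the record as absent"))
    elif policy == "none":
        findings.append(("dmarc-none", "p=none only monitors; spoofed mail that fails alignment is still delivered"))
    if "rua" not in dmarc:
        findings.append(("dmarc-no-rua", "no aggregate-report address, so abuse of the domain goes unseen"))
    pct = dmarc.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("dmarc-partial", f"pct={pct}: the policy is applied to only part of the failing mail"))
    return findings


if __name__ == "__main__":
    for sample_domain in ("example.org", "weak.example", "open.example"):
        print(sample_domain, assess(sample_domain) or "ok")
```

Run against a real domain, the same logic turns the policy statement "protected by SPF, DKIM, and DMARC" into something verifiable: a p=none DMARC record or a ~all SPF record is a monitoring configuration, not a spoofing control, and the script reports it as such.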
Sensitive or confidential information is shared only through appropriate secure methods, such as encrypted channels, protected links, password-protected documents, or agreed secure transfer routes.
Data Retention and Disposal
Cyber Rebels only keeps information for as long as it is needed for the purpose it was collected, or where there is a legal, contractual, accounting, safeguarding, or legitimate business reason to retain it.
When information is no longer required, it is securely deleted, anonymised, archived, or destroyed depending on the type of record and the reason it was held.
Paper records, where used, are stored securely and shredded or securely destroyed when no longer needed.
Backups and Recovery
Cyber Rebels takes reasonable steps to protect against accidental loss, corruption, deletion, or system failure.
Where appropriate, important business information is backed up using secure systems. Backup arrangements are reviewed periodically to ensure information can be recovered if needed.
Physical and On-Site Security
When working from client premises, hired venues, shared spaces, or events, Cyber Rebels staff follow local access control, health and safety, confidentiality, and security procedures.
Information must not be left unattended in public or shared areas. Screens should be protected from unauthorised viewing, and paper notes or records must be kept secure at all times.
Supplier and Third-Party Security
Cyber Rebels works only with suppliers and third-party providers who can demonstrate appropriate data protection and information security standards.
Before using third-party systems or tools, we consider their suitability, security controls, data handling practices, and relevance to the work being carried out.
Contracts and supplier arrangements include appropriate confidentiality, data protection, and information security expectations.
Incident Reporting and Response
Any suspected data breach, loss, unauthorised access, phishing attempt, device loss, accidental disclosure, or security weakness must be reported immediately to the Information Security Lead.
Incidents are logged, assessed, contained, investigated, and addressed in line with Cyber Rebels’ internal incident response procedure.
Where a personal data breach is likely to result in a risk to individuals' rights and freedoms, Cyber Rebels will notify the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, those affected will also be informed without undue delay, as required under UK GDPR. Every personal data breach is recorded internally, whether or not it meets the threshold for notification.
Training and Awareness
Every member of the Cyber Rebels team completes regular cybersecurity and data protection training.
Training covers phishing, social engineering, password security, device protection, safe data handling, incident reporting, and secure decision-making under pressure.
This reflects the same human-first approach we teach to our clients: security depends not only on systems, but on the decisions people make during everyday work.
Monitoring, Review, and Improvement
Cyber Rebels regularly reviews its systems, suppliers, procedures, and security controls to ensure they remain appropriate and effective.
This policy is reviewed at least annually, or sooner if there are significant changes to Cyber Rebels’ services, systems, suppliers, legal requirements, or risk environment.
Where improvements are identified, they are recorded and acted upon.
Data Protection and Information Security Contact
Cyber Rebels Ltd has appointed a Data Protection Lead responsible for overseeing compliance with UK GDPR and the Data Protection Act 2018, monitoring information security controls, and advising on data protection impact assessments where required.
Questions relating to data protection, information security, or the handling of personal data can be directed to:
Andy Longhurst
Director of Training & Development
[email protected]
Our Promise
At Cyber Rebels, information security is not just compliance. It is part of how trust is protected.
We practise what we teach by handling information carefully, questioning routine decisions when needed, protecting privacy, and maintaining the trust that underpins every client, learner, and partnership relationship.