Information Security Policy
This policy sets out UNICONS' framework for protecting the confidentiality, integrity, and availability of student data, business data, and platform systems, including access control, encryption, device security, incident response, and business continuity.
1. Scope and Objectives
LOPEX UNICONS LTD (trading as UNICONS) processes significant quantities of sensitive personal data — including student identity documents, financial records, immigration information, and correspondence — as well as commercially sensitive business data. The protection of this information is fundamental to UNICONS' legal obligations, its contractual commitments, and the trust placed in it by students, partners, and regulators.
This Information Security Policy establishes the framework within which UNICONS protects its information assets against unauthorised access, disclosure, modification, destruction, and loss. It applies to:
- All employees, contractors, agents, and counsellors who access UNICONS systems, platforms, or data;
- All devices — whether owned by UNICONS or personally owned — used to access UNICONS systems or data;
- All data processed by or on behalf of UNICONS, in digital or physical form;
- All third-party services and cloud platforms used to store, process, or transmit UNICONS data.
Objectives: This policy seeks to ensure:
- Confidentiality: Information is accessible only to those who are authorised to access it;
- Integrity: Information is accurate, complete, and protected against unauthorised modification;
- Availability: Information is accessible to authorised users when needed, with systems resilient to disruption;
- Accountability: All access to and handling of information is attributable to identified individuals and subject to audit.
This policy is aligned with the principles of ISO/IEC 27001, the UK GDPR, and the NCSC Cyber Essentials framework. UNICONS aims to achieve and maintain Cyber Essentials certification.
2. Information Classification
All information assets held or processed by UNICONS are classified into one of four tiers. The classification determines the security controls that must be applied when the information is stored, transmitted, accessed, or disposed of.
Public: Information that has been approved for unrestricted distribution outside UNICONS, such as marketing materials, published policies, and website content. No special controls are required beyond standard integrity protections (preventing unauthorised modification of public content).
Internal: Information that is not approved for external distribution but that is not particularly sensitive if disclosed, such as internal process documentation, meeting notes, and general business communications. Accessible to all UNICONS staff. Must not be shared externally without approval.
Confidential: Sensitive business information or personal data that could cause significant harm if disclosed or modified without authorisation, including student personal data, application documents, HR records, financial data, and contractual information. Access is restricted to authorised personnel with a legitimate business need. Must be encrypted in transit and at rest. Must not be shared externally without a data processing agreement or equivalent legal mechanism in place.
Restricted: The highest classification, covering information whose unauthorised disclosure could cause severe harm — including safeguarding records, DBS check information, visa and immigration case files, legal proceedings, and information subject to regulatory confidentiality obligations. Access is restricted to named individuals on a strict need-to-know basis. Storage, transmission, and disposal are subject to the most stringent controls available. Remote access to Restricted data is only permitted through a UNICONS-managed device with MFA and VPN.
All staff must be familiar with these classifications and apply them when creating, handling, or sharing information. Where the appropriate classification is unclear, the default is to treat the information as Confidential until the DPO or Information Security Officer confirms otherwise.
3. Access Control
Access to UNICONS systems and data is granted on the principle of least privilege: each person is given only the access necessary to perform their defined role and no more.
Role-based access control (RBAC): Access permissions are assigned by role, not individually. Role definitions and associated permissions are maintained by the Information Security Officer and reviewed at least annually. Requests for access outside a defined role must be approved by a manager and the Information Security Officer.
Onboarding: Access is provisioned on the first day of employment or engagement, following completion of a data protection and security briefing. Temporary access may be granted for a defined period in exceptional circumstances.
Offboarding: Access to all UNICONS systems must be revoked on the day an employee or contractor leaves, or earlier where a notice period involves restricted or reduced duties. The HR and IT functions will coordinate to ensure timely deprovisioning. Shared credentials or service accounts associated with the departing individual must be changed immediately.
Access reviews: Access rights for all active users are reviewed on a quarterly basis by the Information Security Officer. Any access that is no longer justified by the user's current role is revoked within 5 working days of identification.
Privileged access: Administrative or superuser access to production systems and databases is restricted to named senior technical staff. Privileged access sessions are logged and audited. Privileged accounts must not be used for routine day-to-day tasks.
Separation of duties: Where possible, critical processes (such as commission approval and payment processing) require authorisation by more than one individual to reduce the risk of fraud or error.
4. Password Policy and Multi-Factor Authentication
Strong authentication is one of the most effective defences against unauthorised access to UNICONS systems. The following standards are mandatory for all platform accounts.
Password standards:
- Minimum password length: 12 characters;
- Passwords must contain a mix of upper and lowercase letters, numbers, and special characters;
- Common passwords (as defined by NCSC guidance), dictionary words, and passwords containing the user's name or username are prohibited;
- Passwords must be unique across different systems and must not be reused from previous passwords;
- Passwords must be changed immediately if there is any reason to believe they have been compromised;
- Password sharing is strictly prohibited. Each user must have their own individual account and credentials.
Password management:
Staff are encouraged to use a UNICONS-approved password manager for generating and storing strong, unique passwords. The use of browser-based password storage on shared or unmanaged devices is prohibited for Confidential and Restricted data systems.
Multi-Factor Authentication (MFA):
MFA is mandatory for:
- All UNICONS platform accounts (student portal, agent portal, staff dashboard, administrative systems);
- All email and productivity suite accounts;
- All cloud service accounts used by UNICONS;
- All VPN and remote access connections.
MFA must use an authenticator app (TOTP) or hardware security key. SMS-based OTP is accepted as a fallback where authenticator app use is not possible, but is not preferred due to SIM-swap risk. MFA must not be disabled or bypassed without written approval from the Information Security Officer.
5. Data Encryption
Encryption is a fundamental control for protecting the confidentiality and integrity of UNICONS data, both during transmission and while at rest.
Data in transit:
- All data transmitted between UNICONS systems, between UNICONS and users, and between UNICONS and third-party services must be encrypted using TLS 1.2 or higher;
- TLS 1.0 and TLS 1.1 are deprecated and must not be used;
- Email containing Confidential or Restricted information must be transmitted using TLS-enforced connections or, where the recipient's mail server does not support TLS, using an alternative secure transfer mechanism (such as a password-protected file shared via a secure link);
- VPN connections must use industry-standard encryption (AES-256 or equivalent).
Data at rest:
- All Confidential and Restricted data stored on UNICONS servers and cloud services must be encrypted at rest using AES-256 or equivalent;
- Full-disk encryption is required on all UNICONS-managed laptops and workstations, and on any personal device used to access Confidential or Restricted data under an approved mobile device management (MDM) arrangement;
- Encryption keys must be stored separately from the encrypted data and must be managed in accordance with a documented key management procedure maintained by the Information Security Officer.
Backup encryption:
All backup copies of UNICONS data must be encrypted to the same standard as the primary data. Unencrypted backups are prohibited.
6. Device Security
All devices used to access UNICONS systems or data — whether owned by UNICONS or personally owned — must meet the following minimum security standards.
UNICONS-managed devices:
- Full-disk encryption enabled (BitLocker on Windows, FileVault on macOS);
- Screen lock activating after a maximum of 5 minutes of inactivity;
- Latest operating system and application security patches applied within 14 days of release;
- Endpoint protection software (antivirus/EDR) installed, enabled, and up to date;
- Enrolled in UNICONS' mobile device management (MDM) platform.
Personally owned (BYOD) devices:
- Use of personally owned devices to access UNICONS systems is permitted for Internal-classified data only, unless the device is enrolled in UNICONS MDM;
- Access to Confidential or Restricted data from a personally owned device is only permitted where the device is enrolled in UNICONS MDM, has full-disk encryption enabled, and complies with UNICONS endpoint security requirements;
- Users must not store UNICONS Confidential or Restricted data in personal cloud storage accounts (iCloud, Google Drive, Dropbox) that are not covered by a UNICONS data processing agreement.
Physical device security:
- Devices must not be left unattended without a screen lock;
- UNICONS devices must not be lent to family members or other non-authorised persons;
- Loss or theft of any device used to access UNICONS data must be reported to the Information Security Officer within 4 hours of discovery, to enable remote wipe if required.
7. Network Security
VPN for remote access: All remote access to UNICONS internal systems and to Confidential or Restricted data must be conducted over a UNICONS-approved VPN connection. VPN credentials are subject to the password and MFA requirements in section 4.
Public Wi-Fi: Personnel must not access UNICONS systems containing Confidential or Restricted data over public or uncontrolled Wi-Fi networks (including café, hotel, airport, or conference Wi-Fi) without an active VPN connection. Where VPN is not available, a personal mobile data connection (4G/5G hotspot) should be used.
Network segmentation: UNICONS' internal network is segmented to isolate systems processing Restricted data from general business systems. Production database servers and administrative systems are not directly accessible from the general corporate network.
Firewall and perimeter security: UNICONS maintains firewall rules that restrict inbound and outbound network traffic to the minimum required for business operations. Firewall rules are reviewed quarterly by the Information Security Officer.
Wireless networks: UNICONS office Wi-Fi networks are protected by WPA3 (or WPA2-Enterprise where WPA3 is not available). Guest Wi-Fi is provided on a separate network segment with no access to UNICONS internal systems.
Domain and email security: UNICONS implements SPF, DKIM, and DMARC records for its email domain to protect against spoofing and phishing. Inbound email is scanned for malicious attachments and links.
8. Third-Party and Cloud Service Security
UNICONS uses cloud services and third-party providers to host, process, and support its platform. The security of these services is integral to UNICONS' overall security posture.
Before onboarding a new cloud or third-party service:
- A security assessment must be completed by the Information Security Officer, reviewing the provider's security posture, certifications (ISO 27001, SOC 2, Cyber Essentials), and breach history;
- A Data Processing Agreement (DPA) compliant with UK GDPR Article 28 must be in place before any personal data is shared with or processed by the provider;
- The provider's sub-processor list must be reviewed and approved;
- Access credentials for the service must be provisioned in accordance with sections 3 and 4 of this policy.
Ongoing management of third-party services:
- Provider security certifications and DPAs are reviewed annually as part of the supplier review process;
- Any material security incident at a third-party provider that may affect UNICONS data must be reported to the Information Security Officer immediately on notification;
- UNICONS reserves the right to audit or request assurance evidence from any third-party provider processing Confidential or Restricted data.
Shadow IT: Personnel must not use unauthorised cloud services, apps, or tools to store or process UNICONS data. All cloud services used for business purposes must be reviewed and approved by the Information Security Officer.
9. Incident Response
A security incident is any event that compromises, or that may compromise, the confidentiality, integrity, or availability of UNICONS information or systems. This includes data breaches, ransomware attacks, phishing compromises, device loss, and unauthorised access.
Reporting incidents:
All suspected or confirmed security incidents must be reported to the Information Security Officer immediately upon discovery, and in any event within 4 hours. Reports may be made by email to enquiry@unicons.co.uk (subject: SECURITY INCIDENT — URGENT) or by telephone to the UNICONS office.
Response phases:
1. Identification and triage: The Information Security Officer confirms the nature and scope of the incident and invokes the incident response plan;
2. Containment: Immediate steps are taken to contain the incident and prevent further data loss or system compromise (for example, isolating affected systems, revoking compromised credentials, blocking attacker IP addresses);
3. Assessment: The nature, scope, and severity of the incident are assessed, including identifying what data has been affected and whether data subjects are at risk;
4. Notification: Where the incident constitutes a personal data breach reportable under UK GDPR Article 33, the ICO is notified within 72 hours of becoming aware of the breach. The DPO is notified within 24 hours of identification. Where data subjects face a high risk, they are notified without undue delay under Article 34;
5. Recovery: Systems are restored to normal operation and evidence is preserved for post-incident review;
6. Post-incident review: A lessons-learned review is conducted within 10 working days of containment, producing an action plan to reduce the risk of recurrence.
A record of all incidents, their assessment, and the actions taken is maintained by the Information Security Officer.
10. Business Continuity and Disaster Recovery
UNICONS maintains a Business Continuity Plan (BCP) and a Disaster Recovery (DR) plan to ensure that critical services — including the student portal, agent platform, and core administrative systems — can be restored following a significant disruption.
Key DR principles:
- Critical UNICONS data is backed up daily, with backups encrypted and stored in a geographically separate location from primary systems;
- Backup integrity is tested quarterly through a restoration exercise;
- Recovery Time Objective (RTO): Critical systems are targeted for restoration within 4 working hours of a confirmed disaster event;
- Recovery Point Objective (RPO): Data loss is targeted at no more than 24 hours (the period since the last successful backup).
BCP testing:
The BCP and DR plan are tested at least annually through a tabletop exercise involving key staff. Results of the test and any identified gaps are reviewed by senior management and remedial actions are assigned and tracked.
Personnel are required to familiarise themselves with the aspects of the BCP relevant to their role. The full BCP and DR plan is maintained by the Information Security Officer and is available to relevant staff on request.
11. Training, Awareness, Policy Review, and Contacts
Training and awareness:
All staff and contractors with access to UNICONS systems must complete:
- Information security awareness training at induction;
- Annual refresher training, covering current threats, policy updates, and phishing simulation exercises;
- Additional role-specific training where their duties involve elevated access to Confidential or Restricted data.
Training completion is tracked by the Information Security Officer. Personnel who do not complete required training within the specified timeframe may have system access suspended pending completion.
UNICONS will conduct periodic phishing simulation exercises to test staff awareness. Personnel who fail phishing simulations will receive targeted training and are not subject to disciplinary action for the first failure, unless a pattern of failures is established.
Policy review:
This policy is reviewed at least annually by the Information Security Officer, in consultation with senior management and external security advisers where appropriate. It may be updated between scheduled reviews in response to material changes to UNICONS' systems, threat landscape, or regulatory requirements.
Contacts and escalation:
| Matter | Contact |
|---|---|
| Reporting a security incident | enquiry@unicons.co.uk (SECURITY INCIDENT — URGENT) |
| Information Security Officer / DPO | enquiry@unicons.co.uk |
| ICO (breach notification) | www.ico.org.uk / 0303 123 1113 |
| NCSC (national cyber threat reporting) | www.ncsc.gov.uk/section/about-this-website/report-scam-website |
| Action Fraud (cybercrime reporting) | www.actionfraud.police.uk / 0300 123 2040 |
Approved by: Director, LOPEX UNICONS LTD
Effective date: 1 September 2025
Next review date: 1 September 2026
