This policy applies to all employees, contractors, vendors, and third parties who access Holden Knight Group's information systems. It covers all business units and client engagements across Holden Knight Education and Holden Knight Healthcare.
Client-specific security requirements may be addressed through separate security addendums, contractual agreements, or additional controls as required.
- Protect the confidentiality, integrity, and availability of information.
- Prevent unauthorised access, disclosure, modification, or destruction of information.
- Ensure compliance with legal, regulatory, and contractual obligations.
- Promote a culture of security awareness within the organisation.
- Ensure the proper handling of information security incidents.
Management
Senior management is responsible for establishing and maintaining an effective information security programme. They will ensure that security policies are implemented, resources are allocated, and employees are trained.
Information Security Officer (ISO)
The ISO role, currently fulfilled by the Chief Technology Officer, is responsible for overseeing security policies, conducting regular security audits and risk assessments, and ensuring compliance with this policy.
Employees
All employees must adhere to the company's security policies, report security breaches, and complete mandatory security awareness training.
Third-Party IT Security Management
Holden Knight Group engages a third-party IT support provider to manage and oversee IT security, ensuring compliance with this policy and security best practices.
Confidentiality
Access to sensitive information is restricted to authorised personnel only. Data is classified based on sensitivity and handled in accordance with access control policies.
Integrity
Measures are in place to prevent unauthorised alteration or corruption of data, including encryption, access controls, and regular integrity checks.
Availability
Information and systems are maintained to be accessible when required. This includes reliable backup and recovery systems and protection against threats such as denial of service (DoS) attacks.
Holden Knight Group classifies information according to its sensitivity and the impact of unauthorised disclosure. All data is categorised into the following levels:
- Public — Information intended for public access, such as marketing materials and published policies.
- Internal — Information for internal use that is not intended for public disclosure, such as internal communications and operational procedures.
- Confidential — Sensitive business information including client data, financial records, employee personal data, and contractual information. Access is restricted to authorised personnel on a need-to-know basis.
- Restricted — Highly sensitive information where unauthorised disclosure could cause significant harm, including safeguarding records, medical data, and security credentials.
All employees are responsible for handling information in accordance with its classification level and applying appropriate security controls.
- Access is granted based on the principle of least privilege.
- Strong authentication measures, including multi-factor authentication (MFA), are enforced.
- Regular access reviews are conducted to ensure appropriateness.
- User accounts are promptly disabled upon termination of employment or contract.
- Privileged access is restricted to authorised administrators and subject to enhanced monitoring.
All users of Holden Knight Group systems must adhere to the following password requirements:
- Passwords must be a minimum of 12 characters in length and include a combination of uppercase letters, lowercase letters, numbers, and special characters.
- Passwords must not be reused across different systems or services.
- Default or vendor-supplied passwords must be changed immediately upon first use.
- Passwords must not be shared with any other person, written down, or stored in plain text.
- Where available, password managers approved by the Information Security Officer should be used to generate and store complex passwords securely.
- Multi-factor authentication (MFA) is required on all systems that support it, providing an additional layer of security beyond passwords alone.
- Account lockout policies are enforced to protect against brute-force attacks.
All employees, contractors, and third parties with access to Holden Knight Group's information systems are expected to use them responsibly and in accordance with the following principles:
- Company IT systems, including computers, email, internet access, and cloud services, are provided for business purposes. Limited personal use is permitted provided it does not interfere with work duties or compromise security.
- Users must not attempt to access, store, or transmit any material that is illegal, offensive, or in breach of company policies.
- Downloading or installing unauthorised software on company devices is prohibited.
- Users must not share login credentials or allow others to use their accounts.
- Internet usage is monitored to ensure compliance with this policy. Accessing websites that pose a security risk or contain inappropriate content is prohibited.
- Use of personal cloud storage services (e.g. personal Dropbox, Google Drive) for company data is not permitted. All company data must be stored within approved Microsoft 365 and Azure services.
- Emails and files containing sensitive data are encrypted using Microsoft 365 Message Encryption (OME).
- Employees must exercise caution when opening attachments or clicking links in emails, particularly from unknown senders.
- Company email must not be used to send confidential information to personal email accounts.
- Automatic email forwarding to external addresses is prohibited.
- Suspected phishing emails must be reported immediately to the Information Security Officer.
The use of removable media (USB drives, external hard drives, SD cards, CDs/DVDs) presents a risk of data loss and malware introduction. The following controls apply:
- The use of personal removable media devices on company systems is prohibited.
- Where business use of removable media is necessary, only company-approved encrypted devices may be used, with prior authorisation from the Information Security Officer.
- All removable media must be scanned for malware before use.
- Confidential or restricted data must not be stored on removable media unless encrypted and specifically authorised.
- Removable media containing sensitive data must be securely erased or physically destroyed when no longer required.
To reduce the risk of unauthorised access to or loss of information, Holden Knight Group operates a clear desk and clear screen policy:
- Sensitive or confidential documents must not be left unattended on desks and should be stored securely when not in use.
- Computers and devices must be locked when unattended (using screen lock or logging off).
- Printed materials containing sensitive information must be collected promptly from printers and securely disposed of when no longer needed.
- Whiteboards and shared displays must be cleared of sensitive information after use.
Holden Knight Group primarily utilises Microsoft 365 and Microsoft Azure for cloud services, ensuring security through industry-standard encryption and identity management.
- Data at rest is encrypted using Azure Storage Service Encryption (SSE).
- Data in transit is protected using TLS 1.2 or higher.
- Emails and files containing sensitive data are encrypted using Microsoft 365 Message Encryption (OME).
- Full disk encryption is enabled on all company-issued devices.
Holden Knight Group operates a cloud-first infrastructure using Microsoft 365 and Microsoft Azure. Security of cloud services is managed under a shared responsibility model:
- Microsoft is responsible for the security of the cloud infrastructure, including physical data centres, network, and host operating systems.
- Holden Knight Group is responsible for the security of data, identities, access management, and application configuration within the cloud environment.
- Cloud security configurations are reviewed regularly to ensure alignment with Microsoft security best practices and recommendations.
- Conditional access policies are enforced to control how and from where company data can be accessed.
- All cloud-stored data remains within UK-based data centres to comply with data residency requirements.
- Shadow IT (use of unapproved cloud services) is prohibited. All cloud services must be approved by the Information Security Officer before use.
- Firewalls and intrusion detection systems (IDS) are in place to protect against unauthorised access.
- Regular security patches and updates are applied to all systems.
- Remote access to company data is restricted to authorised users via Microsoft 365 cloud services, ensuring secure authentication and compliance with access policies.
- Network segmentation is applied where appropriate to limit the impact of any security breach.
Holden Knight Group does not operate on-premises data centres. All company data is stored within UK-based Microsoft Azure data centres, which maintain ISO 27001, SOC 2, and relevant industry compliance certifications.
Office premises are protected through the following measures:
- Access to office premises is controlled and restricted to authorised personnel and visitors.
- Visitors are signed in and accompanied while on-site.
- Company-issued devices must be stored securely when not in use, particularly when working remotely or travelling.
- Loss or theft of any device containing company data must be reported immediately to the Information Security Officer so that remote wipe procedures can be initiated.
- Company-issued devices have endpoint protection, including antivirus software and encryption.
- Mobile Device Management (MDM) policies are enforced for company devices through Microsoft security policies.
- Bring Your Own Device (BYOD) policies ensure that personal devices used for work meet security standards.
- All mobile devices accessing company data must have screen locks, encryption, and remote wipe capability enabled.
Remote maintenance of Holden Knight Group's IT systems is performed by the appointed managed IT security provider under contractual obligations to adhere to this policy and security best practices.
- All remote maintenance sessions are authenticated and conducted over encrypted connections.
- Remote access for maintenance purposes is granted on a time-limited basis and revoked upon completion.
- Activities performed during remote maintenance sessions are logged for audit purposes.
- No third-party maintenance provider is granted persistent unsupervised access to company systems.
Where software development is part of client engagements, Holden Knight Group ensures secure source code management, vulnerability scanning, and industry best practices in software security.
- Secure coding practices are followed in accordance with industry standards such as the OWASP Top 10.
- All applications are subject to security testing prior to deployment.
- Third-party libraries and dependencies are regularly reviewed for known vulnerabilities.
- Access to source code repositories is restricted to authorised personnel with appropriate access controls.
Holden Knight Group uses secure, cloud-based IT systems for finance, recruitment, HR, and operations management. These systems are protected through access controls, encryption, and compliance with regulatory security standards.
- All critical company data is backed up regularly and securely stored within UK-based Microsoft data centres.
- A disaster recovery plan is in place to ensure business continuity.
- Backup integrity is tested periodically to ensure data can be restored successfully.
Holden Knight Group maintains a disaster recovery and business continuity plan to ensure the organisation can continue to operate in the event of a significant disruption. This includes:
- Regular backups of all critical data stored within UK-based Microsoft Azure data centres with geographic redundancy.
- Defined recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems.
- Cloud-based infrastructure ensuring that key business systems remain accessible from any location in the event of office disruption.
- The disaster recovery plan is reviewed and tested annually to ensure its effectiveness.
- Key personnel are identified with clear roles and responsibilities for managing business continuity incidents.
Changes to Holden Knight Group's IT systems, infrastructure, and security configurations are managed through a structured change control process to minimise risk and maintain system integrity.
- All significant changes to IT systems are assessed for security impact prior to implementation.
- Changes to cloud infrastructure managed through Microsoft 365 and Azure are governed by Microsoft's service management processes and change advisory procedures.
- Internal changes to configurations, user access, and security policies are managed by the Information Security Officer in conjunction with the third-party IT support provider.
- Emergency changes are documented retrospectively and reviewed to ensure they meet security requirements.
- All company systems and software are maintained with regular security patches and updates.
- Security patches are applied based on risk-based prioritisation to mitigate vulnerabilities.
- Critical patches are applied within 14 days of release; high-priority patches within 30 days.
Holden Knight Group maintains a vulnerability management programme to identify, assess, and remediate security vulnerabilities across its systems and infrastructure.
- Vulnerability assessments are conducted using Microsoft security tools, including Microsoft Defender and Microsoft Secure Score, to identify and prioritise security weaknesses.
- Identified vulnerabilities are triaged based on severity and potential business impact.
- Critical vulnerabilities are remediated promptly, with high-severity vulnerabilities addressed in a timely manner in line with risk-based prioritisation.
- The third-party IT support provider assists in monitoring for and remediating known vulnerabilities across the estate.
- Findings from vulnerability assessments are documented, tracked to resolution, and reported to senior management.
- All security incidents must be reported to the Information Security Officer.
- An incident response plan is followed to contain, investigate, and mitigate security breaches.
- Lessons learned from incidents are used to improve security measures.
- Where required, security incidents affecting personal data are reported to the Information Commissioner's Office (ICO) within 72 hours in compliance with GDPR.
Holden Knight Group adopts a risk-based approach to information security. The Information Security Officer is responsible for maintaining a risk register and conducting regular risk assessments.
- Risk assessments are conducted at least annually, or when significant changes to systems or business operations occur.
- Identified risks are evaluated based on their likelihood and potential impact, and appropriate mitigation measures are implemented.
- Risk treatment decisions are documented and reviewed by senior management.
- Third-party risks are assessed as part of the supplier and vendor management process.
All employees receive mandatory security awareness training covering:
- Phishing and social engineering threats
- Secure password management
- Data handling best practices
- Incident reporting procedures
- Clear desk and clear screen responsibilities
- Acceptable use of IT systems
Training is provided during onboarding and refreshed annually. Additional targeted training is delivered in response to emerging threats or following security incidents.
All employees are accountable for their actions in relation to information security. This includes:
- Compliance with this policy and all related security procedures.
- Prompt reporting of security incidents, vulnerabilities, or suspected breaches.
- Protecting credentials, devices, and access entrusted to them.
- Completing mandatory security awareness training within required timeframes.
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment, in accordance with Holden Knight Group's disciplinary procedures. Where a breach constitutes a criminal offence, the matter may be referred to the relevant authorities.
Holden Knight Group follows a structured data retention policy aligned with legal, regulatory, and contractual obligations.
- Personal and business data is only retained for as long as necessary to fulfil operational and compliance requirements.
- Secure disposal measures are in place for data no longer required, ensuring compliance with the Data Protection Act 2018 and GDPR.
- Electronic data is securely erased using industry-standard methods that prevent recovery.
- Physical documents containing sensitive information are disposed of via cross-cut shredding.
- IT equipment reaching end-of-life is sanitised or securely destroyed before disposal.
Holden Knight Group complies with applicable UK and international laws, including:
- Data Protection Act 2018
- General Data Protection Regulation (GDPR)
- Computer Misuse Act 1990
- Where applicable, industry standards for healthcare and education security frameworks, such as the NHS Digital DSP Toolkit.
Holden Knight Group processes all client and employee data within its own IT environment, utilising Microsoft Azure and Microsoft 365 services for secure storage. No external third-party data processors are engaged unless explicitly stated in a client contract or agreement.
Holden Knight Group also provides mechanisms for individuals to request access, correction, or deletion of their personal data under GDPR subject access request (SAR) provisions.
Holden Knight Group maintains logging and monitoring controls to detect, investigate, and respond to security events.
- Audit logs are enabled across all critical systems, including Microsoft 365, Azure, and endpoint devices.
- Logs capture user authentication events, access to sensitive data, administrative actions, and system changes.
- Log data is retained in accordance with Microsoft 365 and Azure default retention settings to support incident investigation and compliance requirements.
- Logs are protected against tampering and unauthorised access.
- Monitoring alerts are configured for suspicious activities, including failed login attempts, unusual access patterns, and data exfiltration indicators.
Holden Knight Group implements data loss prevention (DLP) controls to prevent the unauthorised transfer, sharing, or leakage of sensitive information.
- DLP controls are applied across email, SharePoint, OneDrive, and Teams to detect and prevent the unauthorised sharing of sensitive data such as personal information, financial records, and safeguarding data.
- Employees are alerted when they attempt to share information that may violate data protection policies, with actions blocked or flagged for review where appropriate.
- External sharing of files and documents is restricted to approved recipients and methods.
- DLP policies are reviewed and updated regularly to reflect changes in data handling requirements and emerging risks.
Holden Knight Group works with a number of third-party suppliers in the delivery of its healthcare and recruitment services, including DBS check providers, compliance platforms, payroll processors, and IT service providers. The security of these relationships is managed as follows:
- All third-party suppliers who access, process, or store Holden Knight Group data are subject to a security assessment prior to engagement.
- Written contracts are in place with all suppliers who process personal data, specifying data protection obligations, security requirements, and breach notification procedures.
- Suppliers are required to demonstrate appropriate technical and organisational security measures, proportionate to the sensitivity of the data they handle.
- Third-party access to Holden Knight Group systems is granted on a least-privilege basis and subject to regular review.
- Supplier security arrangements are reviewed periodically and upon contract renewal to ensure continued adequacy.
- No personal data is transferred outside the European Economic Area (EEA) by any supplier without appropriate safeguards in place.
Holden Knight Group will conduct periodic security audits to assess compliance with this policy.
- Security audits will be performed at regular intervals.
- Any identified gaps will be addressed through risk mitigation measures.
- System and user activity logs are monitored to detect anomalous or unauthorised behaviour.
This policy provides a general security framework for all Holden Knight Group clients. Where specific security requirements exist, these will be addressed through client-specific security addendums, contractual agreements, or additional security controls as required.
As a provider of healthcare and recruitment services, Holden Knight Group recognises the heightened sensitivity of the data it processes and the regulatory frameworks applicable to its operations. In addition to general data protection and information security obligations, the following sector-specific requirements apply:
- Caldicott Principles — Where Holden Knight Healthcare handles patient-identifiable or service user information, the Caldicott Principles are observed to ensure that personal confidential data is only shared where there is a justified purpose and on a need-to-know basis.
- NHS Data Security and Protection Toolkit (DSPT) — Holden Knight Healthcare aligns its data security practices with the requirements of the NHS DSPT to support compliance with the National Data Guardian's data security standards.
- Care Quality Commission (CQC) — Information security controls are designed to support CQC expectations relating to the safe management of records and confidential information.
- Safer Recruitment — Holden Knight Group's recruitment processes include robust identity verification, DBS checks, right-to-work verification, and reference checks, all managed through secure systems with appropriate access controls and audit trails.
- Information Sharing Agreements — Where information is shared with NHS trusts, local authorities, care providers, or other partner organisations, formal information sharing agreements are established to define the purpose, scope, and security requirements of the data exchange.
Holden Knight Group recognises that the use of artificial intelligence (AI) and emerging technologies presents both opportunities and risks. The following principles govern the use of such technologies:
- AI tools and services must not be used to process personal data, confidential client information, or restricted data unless explicitly approved by the Information Security Officer and assessed for data protection compliance.
- The use of public or consumer AI services (e.g. ChatGPT, Google Gemini) for processing company or client data is prohibited unless a compliant enterprise agreement is in place.
- Where AI tools are considered for use within business operations, an assessment of data protection risks is carried out before adoption.
- Holden Knight Group does not use automated decision-making that produces legal or similarly significant effects on individuals without human oversight.
- Emerging technologies are assessed for security risks prior to adoption, including consideration of data residency, third-party access, and compliance with applicable regulations.
This policy will be reviewed annually or in response to significant changes in legislation, business operations, or emerging threats. The Information Security Officer is responsible for ensuring that this policy remains current and effective.
For and on behalf of Holden Knight Group:
Michael Bradley
Chief Technology Officer
February 2026