Dead Simple Computing Ltd
This policy establishes the information security requirements for Dead Simple Computing Ltd, trading as Dead Simple Computing and DSC - Cyber And Managed Services. It defines our commitment to protecting information assets and sets out the security principles, responsibilities, and controls that govern our operations.
This policy is aligned to guidance published by the National Cyber Security Centre (NCSC) and reflects current UK cyber security best practice.
This policy applies to all DSC employees, contractors, and third parties; all information assets owned by or entrusted to DSC; all systems, networks, and services operated by DSC; all customer environments and data; and all physical locations from which DSC operates.
| Level | Description | Examples |
|---|---|---|
| Public | Information intended for public disclosure | Website content, marketing materials |
| Internal | Information for internal DSC use | Internal procedures, staff communications |
| Confidential | Sensitive business information | Customer contracts, pricing, HR records |
| Restricted | Highly sensitive, need-to-know only | Customer credentials, security reports, defence data |
| Government Classification | DSC Handling |
|---|---|
| OFFICIAL | Handle as Confidential minimum |
| OFFICIAL-SENSITIVE | Handle as Restricted with additional controls |
| SECRET / TOP SECRET | DSC does not handle |
MFA required for: all DSC cloud services, all customer tenant access, remote access to DSC systems, and password manager access.
| Purpose | Approved |
|---|---|
| Symmetric encryption | AES-128, AES-256 |
| Asymmetric encryption | RSA-2048 minimum (RSA-3072/4096 preferred) |
| Hashing | SHA-256, SHA-384 |
| Transport security | TLS 1.2, TLS 1.3 |
Not permitted: MD5, SHA-1, DES, 3DES, RC4, RSA-1024, TLS 1.0/1.1, SSL
| Sector | Key Requirements |
|---|---|
| Financial Services | FCA outsourcing requirements, PCI-DSS support, client confidentiality |
| Education | KCSIE safeguarding, enhanced DBS, pupil data protection, content filtering |
| Public Sector | PSN requirements, FOI awareness, NHS DSPT support where applicable |
| Construction and Engineering | IP/CAD/BIM protection, project data security, export controls |
| Severity | Remediation |
|---|---|
| Critical/High | Within 14 days (Cyber Essentials requirement) |
| Medium | Within 30 days |
| Low | Within 90 days |
| NCSC Step | Policy Coverage |
|---|---|
| Risk management | Risk Management section |
| Engagement and training | Personnel Security section |
| Asset management | Asset Management section |
| Architecture and configuration | Network and Endpoint Security sections |
| Vulnerability management | Vulnerability Management section |
| Identity and access management | Access Control section |
| Data security | Classification, Credentials, Cryptography sections |
| Logging and monitoring | Remote Access, Incident Management sections |
| Incident management | Incident Management section |
| Supply chain security | Supplier Security section |
| Control | Implementation |
|---|---|
| Firewalls | Boundary firewalls with restrictive rule sets |
| Secure configuration | Standard secure configurations and hardening |
| User access control | Least privilege, unique accounts, access reviews |
| Malware protection | EDR/antimalware on all endpoints |
| Patch management | 14-day critical/high, 30-day medium |
Cyber Essentials Plus
Certificate: 0e54f576-13f7-426b-a4a6-d2994fd8b66a
Valid until: 17 November 2026
| Metric | Target | Frequency |
|---|---|---|
| Cyber Essentials Plus certification | Maintained | Annual |
| Security incidents affecting customers | Zero | Ongoing |
| Leaver access revocation | Within 24 hours | Per event |
| High-privilege credential review | 100% reviewed | Quarterly |
| Security awareness training | 100% completion | Annual |
| Critical vulnerability remediation | Within 14 days | Per event |
| Access reviews completed | 100% | Quarterly |
Approved by
Daniel McClure Fisher
Director, Dead Simple Computing Ltd
December 2025