MyCo Documentation & Help Center

1. Purpose and Scope
This Code of Practice defines MyCo’s approach to cybersecurity governance. Its aims are to protect all MyCo IT systems, to protect personal data that MyCo processes on behalf of clients, and to maintain compliance with applicable laws and standards, including the GDPR, ICO guidance, and Cyber Essentials.

This policy applies to all employees, contractors, and third parties with access to MyCo systems or data.

2. Roles and Responsibilities
  • Cybersecurity Lead: Oversees cybersecurity strategy, incident management, and risk assessments.
  • Data Protection Lead: Ensures compliance with data protection law and acts as liaison with data controllers and the ICO.
  • All Staff: Required to follow policies, attend training, and report security concerns.

3. Risk Management
  • Conduct annual risk assessments identifying cyber threats and vulnerabilities.
  • Maintain a risk register with mitigation plans.
  • Review risks after incidents or major changes.

4. Access Control
  • Grant system access based on “least privilege” principle.
  • Require strong, unique passwords, and require an immediate change whenever compromise is known or suspected. Routine forced expiry (for example every 90 days) is not required by Cyber Essentials and is discouraged by NCSC password guidance, because it pushes users towards predictable variations.
  • Use Multi-Factor Authentication (MFA) on all cloud services where available, on all administrative accounts, and on any other critical systems.
  • Disable or remove access promptly upon staff departure or role change.

5. Data Protection and Privacy
  • Process personal data strictly according to data controller instructions.
  • Encrypt sensitive data in transit (using TLS) and at rest.
  • Maintain regular backups, kept separate from the systems they protect, and test restore procedures quarterly.
  • Secure physical and digital storage of data.

6. Incident Management
  • Maintain an Incident Response Plan (see attached template).
  • All staff must report suspected incidents to the Cybersecurity Lead immediately.
  • Investigate and contain incidents swiftly to limit damage.
  • Document incident details, actions taken, and lessons learned.

7. System Security and Maintenance
  • Keep all software, firmware, and operating systems patched and up to date; apply fixes for high-risk and critical vulnerabilities within 14 days of release, as Cyber Essentials requires.
  • Use endpoint protection and regularly scan for malware.
  • Configure firewalls and network security per Cyber Essentials.
  • Limit use of removable media and scan devices before connection.

8. Staff Awareness and Training
  • Provide mandatory cybersecurity training at onboarding and annually thereafter.
  • Include phishing awareness and secure data handling best practices.
  • Conduct periodic simulated phishing exercises.

9. Third-Party and Supplier Management
  • Ensure all subprocessors and suppliers sign contracts including cybersecurity requirements and DPAs.
  • Conduct due diligence on suppliers’ security posture.
  • Monitor third-party compliance annually.

10. Monitoring and Auditing
  • Monitor network and system logs for anomalies.
  • Conduct regular internal audits of cybersecurity controls and practices.
  • Commission penetration testing annually and after any major system change.

11. Compliance and Continuous Improvement
  • Regularly review all policies and update in response to legislative or operational changes.
  • Prepare for ICO audits or Cyber Essentials recertification.
  • Foster a culture of continuous improvement and security awareness.
