This policy provides guidelines to ensure the confidentiality, integrity, and availability of all company systems and data, and to ensure compliance with applicable data protection regulations.
This policy encompasses all data, systems, networks, applications, and devices used to collect, process, transmit, and store company and client information. It applies to all employees, contractors, and third-party vendors. The policy also extends to systems hosted on AWS and Azure cloud platforms.
- Adherence to the core principles of information security: confidentiality, integrity, and availability.
- Implementation of multi-layered technical, physical, and administrative controls to safeguard data.
- Categorization of data based on its sensitivity and potential impact if compromised.
- Strict authorization, restriction, and logging mechanisms for data access.
- Ensuring compliance with privacy laws when processing personal data.
- Transparent communication with data subjects about their data processing and rights.
- Continual assessment of privacy risks, especially when introducing new data-handling processes.
- Mandatory annual information security and privacy training for all personnel.
- Periodic audits, vulnerability assessments, and risk evaluations to ensure policy adherence.
Information Security Controls
- Implementation of robust access controls, encryption of data in transit and at rest, scheduled backups, detailed access logging, and real-time anomaly detection.
- Controls mapped to each data classification level: public, internal, confidential, and restricted.
- Penetration testing, vulnerability scanning, and security audits conducted at least annually.
- Prompt deployment of security patches and anti-malware definition updates, and regular review and tightening of firewall rule sets.
Physical Security Controls
- Facilities protected with controlled access points, alarm systems, and 24/7 CCTV surveillance.
- Enforcement of clean desk policies and mandatory workstation/device locking when unattended.
- Strict prohibition against sharing of user IDs, passwords, smart cards, or authentication tokens.
- Immediate reporting mechanism for suspicious individuals or activities within the premises.
Identity and Access Management
- Adherence to the principles of least privilege and need-to-know access.
- Semi-annual (twice-yearly) review of user roles, permissions, and authorizations.
- Multi-factor authentication required for all remote access and for privileged (administrative) operations.
- Immediate revocation of system access when employment or a contract ends.
- Enforcement of unique user IDs, strong password policies, and periodic password changes.
Third-Party and Vendor Management
- Comprehensive security risk assessments during the vendor selection phase.
- Contracts that include clauses binding vendors to our security and privacy requirements.
- Encryption requirements for any transmission of confidential or sensitive data.
- Strict limitations on vendor access to company systems and data.
- Regular audits to monitor vendor compliance with our security standards.
Incident Response Plan
- Detailed procedures for incident detection, containment, eradication, and system recovery.
- A well-defined communication plan for liaising with authorities and potentially affected data subjects.
- Established mechanisms for incident investigation and evidence preservation.
- Post-incident evaluations to refine and bolster security defenses.
Privacy and Data Protection
- Incorporation of privacy by design and by default principles into all new systems, applications, and processes.
- Assurance of individuals' rights to access, correct, or delete their personal data.
- Mandate for explicit consent when processing sensitive personal information.
- Provision of clear privacy notices detailing our data processing activities, purposes, and retention periods.
Training and Awareness
- Annual mandatory training on information security best practices and privacy regulations.
- Detailed training on acceptable data handling, acceptable use policies, and expected conduct on company systems.
- Regular updates on evolving privacy regulations and company-specific procedures.
- Periodic testing of employee awareness through simulated phishing attacks and other exercises.
Monitoring and Auditing
- Maintenance of detailed information asset inventories, data flow diagrams, and risk registers.
- Continuous system monitoring, log analysis, and real-time anomaly detection.
- Regular audits of both technical and administrative controls coupled with risk assessments.
- Mechanisms to track, report, and swiftly remediate any identified control deficiencies.
Through diligent application of these guidelines, we aim to earn the ongoing trust of our customers, partners, and employees in securely handling sensitive data. By making data protection intrinsic to our operations, we uphold our commitment to ethical information stewardship, regulatory adherence, and business excellence.