
Information Security Policy

ISMS 1.2 Information Security Policy : Issue 1 Rev8 : Auth MMcK : Last reviewed 06-10-2017

Policy Summary

Texthelp will:

Texthelp recognizes that its first priority regarding data security and privacy is to avoid causing harm to individuals. Predominantly, this means keeping information securely, on a need-to-know basis, in the right hands.

This is the top-level policy and, as well as outlining the company’s information security objectives and how to meet them, it also includes a requirement for all security related documents to be reviewed periodically to ensure conformity and applicability.

It is the responsibility of all employees to comply with the requirements of this and all policies.

Objectives

Texthelp will:

Key Risks & Mitigations

Texthelp has identified the following potential key risks, which this policy, in conjunction with the Risk Treatment Plan, is designed to address:

Risk

Mitigation

Breach of security by an external entity

The development and implementation of Data Security Standards to minimize the risk of data being obtained by hacking or interception. Network security controls and physical perimeter security devices prevent the physical theft of the company’s information assets by on-site contractors.

Release of data by a staff member

Staff Awareness Training will be delivered to help staff understand their responsibilities when handling personal data in order to prevent accidental disclosure of sensitive information.

Access controls are in place to prevent unauthorised access to the company’s information assets.

Regular Audits will be conducted to ensure that staff are complying with this policy.

Exposure of sensitive information through hacking of Texthelp products or services

Secure development/coding practices will be employed and development staff training delivered. Testing of our products prior to and after release will include, but not be limited to, the OWASP top-ten online vulnerabilities.

Not being able to respond to a security breach effectively

Texthelp will develop and manage a data security management system to maximize data security and manage security incidents. A Security Incident Reporting Policy exists outlining steps to be taken subsequent to a security breach.

Responsibilities

Data Security Committee

The role and responsibilities of this committee will be to provide:

Data Protection Officer

The Data Protection Officer is currently Martin McKay, with the following responsibilities:

Specific other staff

IT & Network Administrator:

CRM And Customer Data Manager:

Staff

All staff are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.

Enforcement

Significant breaches of this policy will be handled under Texthelp’s disciplinary procedures.

Confidentiality

Because confidentiality applies to a much wider range of information than Data Protection, Texthelp has a separate Data Privacy Policy.

Scope

This Policy applies to all employees and third-party agents of Texthelp as well as any other Company affiliate who is authorized to access customer Data. Third party agents of Texthelp will be required to have a Data Security Policy at least as stringent as this policy.

Third party agents will also be contractually required, where this is possible, to return or destroy information assets belonging to Texthelp upon termination of a contract with a third party. This will apply to both virtual and physical information assets.

Texthelp will comply with requests under the Regulation of Investigatory Powers Act 2000 (RIPA) from UK authorities and under the USA Patriots Act from US authorities and Freedom of Information and Protection of Privacy Act (FOIPPA)(British Columbia) if requested to do so.

The full list of regulatory and legislative requirements with which Texthelp complies is given in this table of Legislative & Regulatory bodies.

What we do with customer data

Texthelp has a privacy policy for Users, setting out how their information will be used.

Texthelp Staff Responsibilities

All Texthelp Staff are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities. (See Appendix A)

Data Security Standards

All data that is stored by Texthelp is classified as one of the following data types:

All data that is classified as ‘Customer Information’ or ‘Company IP’ must be stored in compliance with the following standards.

Physical Media Transfer : no customer or private data will be transported using physical media

In order to comply with relevant legislation:

Texthelp must operate a Business Continuity Plan to deliver continuity of service in the event of a disaster. This plan should cover situations such as:

Information Security Management System

A system must be maintained to manage and control the security of all data stored by Texthelp.

The system must:

Staff training & acceptance of responsibilities

Documentation

Information for staff and temporary workers is contained in the staff handbook.

Induction

All staff who have access to any kind of personal data will have their responsibilities outlined during their induction procedures.

Data Protection will be included in foundation training for all staff.

Continuing training

Texthelp will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.

Procedure for staff signifying acceptance of policy

All staff are required to sign an electronic form signifying that they have read, understood and accept this policy.

Specific Focus Training for Key Handling Roles

Software Developers

Software Developers at Texthelp will be trained to ensure that the architecture of any system that stores personal data is in compliance with the Data Security Standards above.

Prior to release the software will be tested to ensure that it is in compliance.

All Product Owners, Scrum Masters or Project Leaders should ensure that an Information Security Risk Assessment is carried out for each sprint and, when needed, a risk treatment plan is created and followed.


Marketing Staff

Marketing Staff who have access to personal customer information will receive specific training regarding the secure transit and storage of personal data for the purposes of outbound marketing.

Policy review

Responsibility

David Hankin (Quality Manager) will be responsible for reviewing this policy. This Data Security Policy will be audited as a part of the company’s scheduled ISO 27001 audits. Audits of all processes within the company will take into account this Data Security Policy at all times.

Procedure

An annual review will be carried out on the policy to ensure continuing relevance. The results of this review will be available on request.

Timing

An audit of this policy will be carried out once per year. However, the requirements of this policy, with regard to data privacy/security, will form a part of the company’s regular ISO 9001 internal audits. The ISO 9001:2015 audits are performed twice annually.

Data Security Incidents

All Data Security incidents will be logged in the Downtime/Security Events Register in Sugar. Data security incidents will be classified according to severity. Incidents such as unsuccessful exploit attempts that do not involve data loss will be classified as Level 1 - Non Critical Incidents. Level 1 incidents should not trigger a customer notification since there has been no impact to privacy.

Incidents that do involve data loss will be classified as Level 2 - Critical Incidents and should trigger a notification to all customers that are impacted by the data loss. The Information Commissioner's Office should also be notified within 72 hours of the breach being discovered.

Appendix A:  Confidentiality statement for staff

When working for Texthelp, you will often need to have access to confidential information which may include, for example:

Personal information about individuals who are customers or users of Texthelp software.

Information about the internal business of Texthelp.

Personal information about colleagues working for Texthelp.

Texthelp is committed to keeping this information confidential, in order to protect people and Texthelp. ‘Confidential’ means that all access to information must be on a need-to-know and properly authorized basis. You must use only the information you have been authorized to use, and for purposes that have been authorized. You should also be aware that under the Data Protection Act, unauthorized access to data about individuals is a criminal offence.

You must assume that information is confidential unless you know that it is intended by Texthelp to be made public. Passing information between staff members in our international offices, or between Texthelp and a 3rd party marketing partner who is in compliance with our policy, or vice versa, does not count as making it public, but passing information to another organization does count.

You must also be particularly careful not to disclose confidential information to unauthorized people or cause a breach of security. In particular you must:

not compromise or seek to evade security measures (including computer passwords);

be particularly careful when sending information between our international offices;

not discuss confidential information, either with colleagues or people outside Texthelp;

not disclose information — especially over the telephone — unless you are sure that you know who you are disclosing it to, and that they are authorized to have it.

If you are in doubt about whether to disclose information or not, do not guess. Withhold the information while you check with an appropriate person whether the disclosure is appropriate.

Your confidentiality obligations continue to apply indefinitely after you have stopped working for Texthelp.

Company IP - Confidential and Proprietary