Information Security Policy
ISMS 1.2 Information Security Policy : Issue 1 Rev8 : Auth MMcK : Last reviewed 06-10-2017
Texthelp has identified the following potential key risks, which this policy, in conjunction with the Risk Treatment Plan, is designed to address:
Breach of security by an external entity
The development and implementation of Data Security Standards to minimize the risk of data being obtained by hacking or interception. Network security controls and physical perimeter security devices prevent the physical theft of the company’s information assets by on-site contractors.
Release of data by a staff member
Staff Awareness Training will be delivered to help staff understand their responsibilities when handling personal data in order to prevent accidental disclosure of sensitive information.
Access controls are in place to prevent unauthorised access to the company’s information assets.
Regular Audits will be conducted to ensure that staff are complying with this policy.
Exposure of sensitive information through hacking of Texthelp products or services
Secure development/coding practices will be employed and development staff training delivered. Testing of our products prior to and after release will include, but not be limited to, the OWASP top-ten online vulnerabilities.
Not being able to respond to a security breach effectively
Texthelp will develop and manage a data security management system to maximize data security and manage security incidents. A Security Incident Reporting Policy exists outlining steps to be taken subsequent to a security breach.
The role and responsibilities of this committee will be to provide:
The Data Protection Officer is currently Martin McKay, with the following responsibilities:
IT & Network Administrator:
CRM And Customer Data Manager:
Significant breaches of this policy will be handled under Texthelp’s disciplinary procedures.
Third party agents will also be contractually required, where this is possible, to return or destroy information assets belonging to Texthelp upon termination of a contract with a third party. This will apply to both virtual and physical information assets.
Texthelp will comply with requests under the Regulation of Investigatory Powers Act 2000 (RIPA) from UK authorities, under the USA PATRIOT Act from US authorities, and under the Freedom of Information and Protection of Privacy Act (FOIPPA) (British Columbia) if requested to do so.
The full list of regulatory and legislative requirements with which Texthelp complies is given in this table of Legislative & Regulatory bodies.
All Texthelp Staff are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities. (See Appendix A)
All data that is stored by Texthelp is classified as one of the following data types:
All data that is classified as ‘Customer Information’ or ‘Company IP’ must be stored in compliance with the following standards.
Physical Media Transfer : no customer or private data will be transported using physical media
In order to comply with relevant legislation:
Texthelp must operate a Business Continuity Plan to deliver continuity of service in the event of a disaster. This plan should cover situations such as:
A system must be maintained to manage and control the security of all data stored by Texthelp.
The system must:
Information for staff and temporary workers is contained in the staff handbook.
All staff who have access to any kind of personal data will have their responsibilities outlined during their induction procedures.
Data Protection will be included in foundation training for all staff.
Texthelp will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.
All staff are required to sign an electronic form signifying that they have read, understood and accept this policy.
Software Developers at Texthelp will be trained to ensure that the architecture of any system that stores personal data is in compliance with the Data Security Standards above.
Prior to release the software will be tested to ensure that it is in compliance.
All Product Owners, Scrum-masters or Project leaders should ensure that an Information Security Risk Assessment is carried out for each sprint, and when needed, a risk treatment plan is created and followed.
Marketing Staff who have access to personal customer information will receive specific training regarding the secure transit and storage of personal data for the purposes of outbound marketing.
David Hankin (Quality Manager) will be responsible for reviewing this policy. This Data Security Policy will be audited as a part of the company’s scheduled ISO 27001 audits. Audits of all processes within the company will take into account this Data Security Policy at all times.
An annual review will be carried out on the policy to ensure continuing relevance. The results of this review will be available on request.
An audit of this policy will be carried out once per year. However, the requirements of this policy, with regard to data privacy/security, will form a part of the company’s regular ISO 9001 internal audits. The ISO 9001:2015 audits are performed twice annually.
All Data Security incidents will be logged in the Downtime/Security Events Register in Sugar. Data security incidents will be classified according to severity. Incidents such as unsuccessful exploit attempts that do not involve data loss will be classified as Level 1 - Non Critical Incidents. Level 1 incidents should not trigger a customer notification since there has been no impact to privacy.
Incidents that do involve data loss will be classified as Level 2 - Critical Incidents and should trigger a notification to all customers that are impacted by the data loss. The Information Commissioner's Office should also be notified within 72 hours of the breach being discovered.
When working for Texthelp, you will often need to have access to confidential information which may include, for example:
Personal information about individuals who are customers or users of Texthelp software.
Information about the internal business of Texthelp.
Personal information about colleagues working for Texthelp.
Texthelp is committed to keeping this information confidential, in order to protect people and Texthelp. ‘Confidential’ means that all access to information must be on a need to know and properly authorized basis. You must use only the information you have been authorized to use, and for purposes that have been authorized. You should also be aware that under the Data Protection Act, unauthorized access to data about individuals is a criminal offence.
You must assume that information is confidential unless you know that it is intended by Texthelp to be made public. Passing information between staff members in our international office, or between Texthelp and a 3rd party marketing partner who is in compliance with our policy, or vice versa does not count as making it public, but passing information to another organization does count.
You must also be particularly careful not to disclose confidential information to unauthorized people or cause a breach of security. In particular you must:
not compromise or seek to evade security measures (including computer passwords);
be particularly careful when sending information between our international offices;
not discuss confidential information, either with colleagues or people outside Texthelp;
not disclose information — especially over the telephone — unless you are sure that you know who you are disclosing it to, and that they are authorized to have it.
If you are in doubt about whether to disclose information or not, do not guess. Withhold the information while you check with an appropriate person whether the disclosure is appropriate.
Your confidentiality obligations continue to apply indefinitely after you have stopped working for Texthelp.
Company IP - Confidential and Proprietary