Information Security Policy

ISMS 1.2 Information Security Policy : Issue 1  Rev 24 : Last reviewed 27-02-2023

Policy Summary

Texthelp will:

The Texthelp group of companies recognizes that its first priority regarding information security and privacy is to avoid causing harm to individuals. Predominantly this means keeping information securely, on a need-to-know basis, in the right hands.

This is the top-level policy and, as well as outlining the company’s information security objectives and how to meet them, it also includes a requirement for all security related documents to be reviewed periodically to ensure conformity and applicability.

It is the responsibility of all employees to comply with the requirements of this and all policies.

Although Texthelp’s ISO 27001 scope of certification, at this time, includes:

This information security policy is a description of best practice and is applicable across the Texthelp group of companies.

Objectives

Texthelp will:

Key Risks & Mitigations

Texthelp has identified potential key risks, which this policy, in conjunction with the Risk Treatment Plan, is designed to address. These risks are logged and monitored in the company's Risk Register.

Responsibilities

Information Security Committee

The role and responsibilities of this committee will be to provide:

Data Protection Responsible Person

The person with responsibility for data protection is the Head of Operational Compliance, who deals with both the day-to-day management of the Information Security Management System and the continuous communication of the importance and value of security measures, with the following responsibilities:

Specific other staff

IT & Network Administrator:

Chief Technical Officer:

Chief Data Officer:

Staff

All staff are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.

Enforcement

Significant breaches of this policy will be handled under Texthelp’s disciplinary procedures.

Confidentiality

Because confidentiality applies to a much wider range of information than Data Protection, Texthelp has a separate Data Privacy Policy.

Scope

This Policy applies to all employees and third-party agents of Texthelp, as well as any other Company affiliate who is authorized to access customer data. Third-party agents of Texthelp will be required to have an Information Security Policy at least as stringent as this policy.

Third-party agents will also be contractually required, where this is possible, to return or destroy information assets belonging to Texthelp upon termination of a contract with a third party. This will apply to both virtual and physical information assets.

Texthelp will comply with requests made under the General Data Protection Regulation (GDPR, EU), the Data Protection Act 2018 (UK), the Regulation of Investigatory Powers Act 2000 (RIPA) from UK authorities, the USA PATRIOT Act from US authorities, the Freedom of Information and Protection of Privacy Act (FOIPPA, British Columbia), the Danish Data Protection Act, the Norwegian Personal Data Act and the Swedish Data Protection Act (2018:218), and with requests from other agencies where obliged to do so.

The full list of regulatory and legislative requirements with which Texthelp complies is given in the table of Legislative & Regulatory bodies.

What we do with customer data

Texthelp has a privacy policy for Users, setting out how their information will be used.

Texthelp Group Staff Responsibilities

All Texthelp group staff are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities. (See Appendix A)

Information Security Standards

All information that is stored by the Texthelp group companies is classified as one of the following data types:

All data that is classified as ‘Customer Information’ or ‘Company IP’ must be stored in compliance with the following standards.

Physical Media Transfer: no customer or private data will be transported using physical media.

In order to comply with relevant legislation:

Texthelp must operate a Business Continuity Plan to deliver continuity of service in the event of a disaster. This plan should cover situations such as:

Information Security Management System

A system must be maintained to manage and control the security of all data stored by Texthelp.

The system must:

Staff training & acceptance of responsibilities

Documentation

Information for all staff and temporary workers is contained in the staff handbook.

Induction

All staff who have access to any kind of personal data will have their responsibilities outlined during their induction procedures.

Data Protection will be included in foundation training for all staff.

Continuing training

Texthelp will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.

Procedure for staff signifying acceptance of policy

All staff are required to sign an electronic form signifying that they have read, understood and accept this policy.

Specific Focus Training for Key Handling Roles

Software Developers

Software Developers at Texthelp will be trained to ensure that the architecture of any system that stores personal data is in compliance with the Information Security Standards above.

Prior to release the software will be tested to ensure that it is in compliance.

All Product Owners, Scrum Masters or Project Leaders should ensure that an Information Security Risk Assessment is carried out for each sprint and, when needed, that a risk treatment plan is created and followed.


Marketing Staff

Marketing Staff who have access to personal customer information will receive specific training regarding the secure transit and storage of personal data for the purposes of outbound marketing.

Policy review

Responsibility

Ryan Graham (CTO) will be responsible for reviewing this policy. This Information Security Policy will be audited as a part of the company’s scheduled ISO 27001 audits. Audits of all processes within the company will take into account this Information Security Policy at all times.

Procedure

An annual review of the policy will be performed to ensure continuing relevance. The results of this review will be available on request.

Timing

An audit of this policy will be carried out once per year. However, the requirements of this policy, with regard to data privacy/security, will form a part of the company’s regular ISO 27001 internal audits. The ISO 27001:2013 audits are performed at least annually.

Information Security Incidents

All information security incidents will be logged in the Downtime/Security Events Register in Sugar. Information security incidents will be classified according to severity. Incidents such as unsuccessful exploit attempts that do not involve data loss will be classified as Level 1 - Non-Critical Incidents. Level 1 incidents should not trigger a customer notification, since there has been no impact on privacy.

Incidents that do involve data loss will be classified as Level 2 - Critical Incidents and should trigger a notification to all customers that are impacted by the data loss. Where required, the relevant local data protection authority will also be contacted.

Appendix A: Confidentiality statement for staff

When working for Texthelp, you will often need to have access to confidential information which may include, for example:

Personal information about individuals who are customers or users of Texthelp software.

Information about the internal business of Texthelp.

Personal information about colleagues working for Texthelp.

Texthelp is committed to keeping this information confidential, in order to protect people and Texthelp. ‘Confidential’ means that all access to information must be on a need-to-know and properly authorized basis. You must use only the information you have been authorized to use, and for purposes that have been authorized. You should also be aware that under the Data Protection Act, unauthorized access to data about individuals is a criminal offence.

You must assume that information is confidential unless you know that it is intended by Texthelp to be made public. Passing information between staff members in our international office, or between Texthelp and a 3rd-party marketing partner who is in compliance with our policy, or vice versa, does not count as making it public, but passing information to another organization does count.

You must also be particularly careful not to disclose confidential information to unauthorized people or cause a breach of security. In particular you must:

not compromise or seek to evade security measures (including computer passwords);

be particularly careful when sending information between our international offices;

not discuss confidential information, either with colleagues or people outside Texthelp;

not disclose information — especially over the telephone — unless you are sure that you know who you are disclosing it to, and that they are authorized to have it.

If you are in doubt about whether to disclose information or not, do not guess. Withhold the information while you check with an appropriate person whether the disclosure is appropriate.

Your confidentiality obligations continue to apply indefinitely after you have stopped working for Texthelp.

Signed: Martin McKay (CEO)

Signed: Ryan Graham (CTO)

Public Information