Information Security Policy
ISMS 1.2 Information Security Policy : Issue 1 Rev 19 : Last reviewed 08-02-2022
Texthelp Billing & Contact Data and Customer/User data (name only) is stored in Amazon Web Services (AWS). The Texthelp Group have entered into Standard Contractual Clauses with AWS to ensure we comply with the GDPR rules on international transfers. We have also included Standard Contractual Clauses in our End User License Agreements to cover the transfer of personal data from end users in the EU to AWS data centers based in the United States. This complies with data protection requirements and GDPR legislation when transferring data belonging to EU citizens outside the EU.
Texthelp has identified the following potential key risks, which this policy, in conjunction with the Risk Treatment Plan, is designed to address:
Breach of the security of an information asset by an external party
The development and implementation of information security Standards to minimize the risk of data being obtained by hacking or interception. Network security controls and physical perimeter security devices prevent the physical theft of the company’s information assets by on-site contractors.
Release of data by a staff member
Staff Awareness Training will be delivered to help staff understand their responsibilities when handling personal data in order to prevent accidental disclosure of sensitive information.
Access controls are in place to prevent unauthorised access to the company’s information assets.
Regular Audits will be conducted to ensure staff are complying with this policy.
Secure development/coding practices will be employed and development staff training delivered. Testing of our products prior to and after release will include, but not be limited to, the OWASP Top Ten web application vulnerabilities.
Not being able to respond to a security breach effectively
Texthelp will develop and manage an information security management system to maximize information security and manage security incidents. A Security Incident Response Policy exists outlining steps to be taken in the event of a security breach.
The role and responsibilities of this committee will be to provide:
The Data Protection Officer is currently David Hankin, who deals with both the day-to-day management of the Information Security Management System and the continuous communication of the importance and value of security measures, with the following responsibilities:
IT & Network Administrator:
Chief Technical Officer:
Chief Data Officer:
Significant breaches of this policy will be handled under Texthelp’s disciplinary procedures.
Third-party agents will also be contractually required, where this is possible, to return or destroy information assets belonging to Texthelp upon termination of a contract with a third party. This will apply to both virtual and physical information assets.
Texthelp will comply with requests made under the General Data Protection Regulation (GDPR, EU), the Data Protection Act 2018 (UK), the Regulation of Investigatory Powers Act 2000 (RIPA) from UK authorities, the USA PATRIOT Act from US authorities, and the Freedom of Information and Protection of Privacy Act (FOIPPA) (British Columbia), and with requests from other agencies where obliged to do so.
The full list of regulatory and legislative requirements with which Texthelp complies is given in the table of Legislative & Regulatory Bodies.
All Texthelp Staff are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities. (See Appendix A)
All information that is stored by Texthelp is classified as one of the following data types:
All data that is classified as ‘Customer Information’ or ‘Company IP’ must be stored in compliance with the following standards.
Physical Media Transfer: no customer or private data will be transported using physical media.
In order to comply with relevant legislation:
Texthelp must operate a Business Continuity Plan to deliver continuity of service in the event of a disaster. This plan should cover situations such as:
A system must be maintained to manage and control the security of all data stored by Texthelp.
The system must:
Information for staff and temporary workers is contained in the staff handbook.
All staff who have access to any kind of personal data will have their responsibilities outlined during their induction procedures.
Data Protection will be included in foundation training for all staff.
Texthelp will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.
All staff are required to sign an electronic form signifying that they have read, understood and accept this policy.
Software Developers at Texthelp will be trained to ensure that the architecture of any system that stores personal data is in compliance with the information security Standards above.
Prior to release the software will be tested to ensure that it is in compliance.
All Product Owners, Scrum-masters or Project leaders should ensure that an Information Security Risk Assessment is carried out for each sprint, and when needed, a risk treatment plan is created and followed.
Marketing Staff who have access to personal customer information will receive specific training regarding the secure transit and storage of personal data for the purposes of outbound marketing.
Ryan Graham (CTO) will be responsible for reviewing this policy. This Information Security Policy will be audited as a part of the company’s scheduled ISO 27001 audits. Audits of all processes within the company will take into account this Information Security Policy at all times.
An annual review of the policy will be performed to ensure continuing relevance. The results of this review will be available on request.
An audit of this policy will be carried out once per year. However, the requirements of this policy, with regard to data privacy/security, will form a part of the company’s regular ISO 27001 internal audits. The ISO 27001:2013 audits are performed at least annually.
All information security incidents will be logged in the Downtime/Security Events Register in Sugar. Information security incidents will be classified according to severity. Incidents such as unsuccessful exploit attempts that do not involve data loss will be classified as Level 1 - Non Critical Incidents. Level 1 incidents should not trigger a customer notification since there has been no impact on privacy.
Incidents that do involve data loss will be classified as Level 2 - Critical Incidents and should trigger a notification to all customers that are impacted by the data loss. The Information Commissioner's Office should also be notified within 72 hours of the breach being discovered.
When working for Texthelp, you will often need to have access to confidential information which may include, for example:
Personal information about individuals who are customers or users of Texthelp software.
Information about the internal business of Texthelp.
Personal information about colleagues working for Texthelp.
Texthelp is committed to keeping this information confidential, in order to protect people and Texthelp. ‘Confidential’ means that all access to information must be on a need to know and properly authorized basis. You must use only the information you have been authorized to use, and for purposes that have been authorized. You should also be aware that under the Data Protection Act, unauthorized access to data about individuals is a criminal offence.
You must assume that information is confidential unless you know that it is intended by Texthelp to be made public. Passing information between staff members in our international offices, or between Texthelp and a third-party marketing partner who is in compliance with our policy, or vice versa, does not count as making it public, but passing information to another organization does count.
You must also be particularly careful not to disclose confidential information to unauthorized people or cause a breach of security. In particular you must:
not compromise or seek to evade security measures (including computer passwords);
be particularly careful when sending information between our international offices;
not discuss confidential information, either with colleagues or people outside Texthelp;
not disclose information — especially over the telephone — unless you are sure that you know who you are disclosing it to, and that they are authorized to have it.
If you are in doubt about whether to disclose information or not, do not guess. Withhold the information while you check with an appropriate person whether the disclosure is appropriate.
Your confidentiality obligations continue to apply indefinitely after you have stopped working for Texthelp.
Signed: Martin McKay (CEO)
Signed: Ryan Graham (CTO)