Version 1.1 - May 2021
Unless otherwise provided herein, capitalised terms in this "(Information) Security Policy" have the meaning given to them in the "Terms and Conditions for the use of https://capitan.website" and the "Saas Terms and Conditions".
The Supplier reserves the right to change the terms of this "(Information) Security Policy".
This Information Security Policy helps us:
- Reduce the risk of IT problems
- Plan for problems and deal with them when they happen
- Keep working if something does go wrong
- Protect company, employee and Customer Data
- Keep valuable company information, such as plans and designs, secret
- Meet our legal obligations under the General Data Protection Regulation and other laws
- Meet our professional obligations towards our clients and customers
Responsibilities
- The DPO has overall responsibility for IT security strategy
- The DPO has day-to-day operational responsibility for implementing this policy
- The DPO has responsibility to advise on data protection laws and best practices
We will review this policy annually. In the meantime, if you have any questions, suggestions or feedback, please contact us in Writing.
Classification of information
We will only classify information which is necessary for the completion of our duties. We will also limit access to personal data to those who need it for processing. We classify information into different categories so that we can ensure that it is protected properly and that we allocate security resources appropriately:
- Unclassified: This is information that can be made public without any implications for the company, such as information that is already in the public domain.
- Employee confidential: This may include information such as medical records, salary and so on.
- Company confidential: Such as contracts, source code, business plans, passwords for critical IT systems, client contact records, accounts etc.
- Client confidential: This includes personally identifiable information such as name or address, passwords to client systems, client business plans, new product information, market sensitive information etc.
The deliberate or accidental disclosure of any confidential information has the potential to harm the business. This policy is designed to minimise that risk.
We do not protectively mark documents and systems. Therefore, you should assume information is confidential unless you are sure it is not and act accordingly.
Internally, as far as possible, we operate on a ‘need to share’ rather than a ‘need to know’ basis with respect to company confidential information. This means that our bias and intention is to share information to help people do their jobs rather than raise barriers to access needlessly.
As for client information, we operate in compliance with the GDPR right of access (Article 15). This is the right of data subjects to obtain confirmation as to whether we are processing their data, where we are processing it and for what purpose. Further, we shall provide, upon request, a copy of their personal data, free of charge in an electronic format.
We also allow data subjects to transmit their own personal data to another controller (the right to data portability, Article 20).
However, in general, to protect confidential information we implement the following access controls:
- Company confidential: Internal documents are stored in a manner which is not available to all staff through user/password access restrictions
- Client confidential: Access is limited by user/password. Where information is deemed sensitive and should be accessible by named users only, permissions are limited to those users only
- Employee confidential: Internal documents are stored in a manner which is not available to all staff through user/password access restrictions
In addition, admin privileges to company systems will be restricted to specific, authorised individuals for the proper performance of their duties.
We use security systems to protect our data, systems, users and customers. Please contact us in Writing for information on the systems used.
Employees Joining and Leaving
When a new employee joins the company, we will add them to the following systems:
- Email Platform: with appropriate password provided
- Private File System: to access data appropriate to the role, with appropriate password provided
- L2TP VPN: to access data appropriate to the role, with appropriate password provided
- Customer Capitan Installations: to access data appropriate to the role, with appropriate password provided
We will provide training to new staff and support for existing staff to implement this policy. This includes:
- An initial introduction to IT security, covering the risks, basic security measures, company policies and where to get help
- Training on how to use company systems and security software properly
- On request, a security health check on their computer, tablet or phone
When an employee leaves a project or the company, we will promptly revoke their access privileges to company systems.
Effective security is a team effort requiring the participation and support of every employee and associate. It is your responsibility to know and follow these guidelines.
You are personally responsible for the secure handling of confidential information that is entrusted to you. You may access, use or share confidential information only to the extent it is authorised and necessary for the proper performance of your duties. Promptly report any theft, loss or unauthorised disclosure of protected information or any breach of this policy to the DPO.
Protecting your own device(s)
It is also your responsibility to use your devices (computer, phone, tablet etc.) in a secure way.
At a minimum:
- Remove software that you do not use or need from your computer
- Update your operating system and applications regularly
- Keep your computer firewall switched on
- For Windows users, make sure you install anti-malware software (or use the built-in Windows Defender) and keep it up to date.
- For Mac users, keep the operating system up to date and consider getting anti-malware software.
- Store files in official company storage locations so that they are backed up properly and available in an emergency.
- Switch on whole disk encryption
- Understand the privacy and security settings on your phone and social media accounts
- Have separate user accounts for other people, including other family members, if they use your computer. Ideally, keep your work computer separate from any family or shared computers.
- Don’t use an administrator account on your computer for everyday use
- Make sure your computer and phone lock automatically after no more than 15 minutes of inactivity and require a password to log back in.
- Change default passwords and PINs on computers, phones and all network devices
- Consider using password management software
- Don’t share your password with other people or disclose it to anyone else
- Don’t write down PINs and passwords next to computers and phones
- Use strong passwords
- Change them regularly
- Don’t use the same password for multiple critical systems
Be alert to other security risks
While technology can prevent many security incidents, your actions and habits are also important. With this in mind:
- Take time to learn about IT security and keep yourself informed. Get Safe Online is a good source for general awareness
- Use extreme caution when opening email attachments from unknown senders or unexpected attachments from any sender.
- Be on guard against social engineering, such as attempts by outsiders to persuade you to disclose confidential information, including employee, client or company confidential information. Fraudsters and hackers can be extremely persuasive and manipulative.
- Be wary of fake websites and phishing emails. Don’t click on links in emails or social media. Don’t disclose passwords and other confidential information unless you are sure you are on a legitimate website.
- Use social media, including personal blogs, in a professional and responsible way, without violating company policies or disclosing confidential information.
- Take particular care of your computer and mobile devices when you are away from home or out of the office.
- If you leave the company, you will return any company property, transfer any company work-related files back to the company and delete all confidential information from your systems as soon as is practicable.
- Where confidential information is stored on paper, it should be kept in a secure place where unauthorised people cannot see it and shredded when no longer required.
The following things (among others) are, in general, prohibited on company systems and while carrying out your duties for the company and may result in disciplinary action:
- Any form of harassment.
- Circumventing user authentication or security of any system, network or account.
- Downloading or installing pirated software.
- Disclosure of confidential information at any time.
Archiving procedure and disaster recovery
This is how we back-up our business-critical systems:
- System data stored on laptops is encrypted and backed up using Time Machine. This provides versioning (the ability to recover a historic version of data) and business continuity for a total recovery in the event of a failure of local system(s). Daily monitoring of the back-up process ensures that the process is verified.
- Customer Data and systems operating through the Services are encrypted and backed up to RAID-10 storage. Standard back-ups are performed monthly and retained for 2 months. Premium daily back-ups are retained for 30 days. Premium hourly back-ups are retained for 24 hours. Monitoring of the back-up process ensures that the process is verified.
This is how we will respond to potential interruptions to our business:
- Service failure: Contact the DPO for initial investigation; contact the Hosting Company or Server Management/Monitoring Company for any required further investigation. The relevant party will respond to the fault accordingly. Notify Customers of the issue and the course of action.
- Unable to access office because of flood, fire, civil disorder, terrorist incident etc: DPO is alerted; staff members are able to operate from a remote location, accessing systems via VPN. No client interruptions are anticipated.
- Loss of internet and/or phone connection: Contact the relevant ISP; staff members are able to operate using mobile data.
- Loss or theft of critical systems: Contact DPO to ensure any relevant system passwords and remote access is changed as a matter of urgency.
We will test these contingency plans at least once a year.
This is how we will respond to IT security issues:
Under the GDPR (Article 33), a personal data breach that may result in a ‘risk to the rights and freedoms of individuals’ must be notified by the controller to the supervisory authority within 72 hours of becoming aware of it. As processor, we must notify the Customer ‘without undue delay’ so that they can meet that deadline; we will do so within 72 hours of the breach being identified.