+44 207 183 3221  ·  info@etindex.com   

Level 39, One Canada Square, Canary Wharf, London E14 5AB

Engaged Tracking (ET) Index Ltd (trading as 'Engaged Tracking') ©2019. Company registration number: 08876852.


Security Policy

  1. Introduction

Our IT security policy helps us:

    1. Reduce the risk of IT problems

    2. Plan for problems and deal with them when they happen

    3. Keep working if something does go wrong

    4. Protect company, client and employee data

    5. Keep valuable company information, such as plans and designs, secret

    6. Meet our legal obligations under the General Data Protection Regulation and other laws

    7. Meet our professional obligations towards our clients and customers


Under the GDPR, where a data breach is likely to result in a ‘risk for the rights and freedoms of individuals’ we must notify the customers and data controllers ‘without undue delay’. We will ensure we inform them within 72 hours.


  2. Responsibilities

    1. Our senior management holds overall responsibility for our IT security strategy.

    2. Greg Fonai is the data protection officer; he advises on data protection best practice and has day-to-day operational responsibility for implementing this policy.


  3. Review process

    1. We will review this policy annually.

    2. In the meantime, if you have any questions, suggestions or feedback, please contact Greg Fonai at greg.fonai@etindex.com.


  4. Information classification

We will only classify information which is necessary for the completion of our duties. We will also limit access to personal data to those who need it for processing. We classify information into different categories so that we can ensure that it is protected properly and that we allocate security resources appropriately:

    1. Unclassified. This is information that can be made public without any implications for the company, such as information that is already in the public domain.

    2. Company confidential. This includes contracts, source code, business plans, passwords for critical IT systems, client contact records, accounts, etc.

    3. Client confidential. This includes personally identifiable information such as name or address, passwords to client systems, client business plans, new product information, market sensitive information etc.

The deliberate or accidental disclosure of any confidential information has the potential to harm the business. This policy is designed to minimise that risk.


  5. Access Controls

Internally, as far as possible, we operate on a ‘need to share’ rather than a ‘need to know’ basis with respect to company confidential information. This means that our bias and intention is to share information to help people do their jobs rather than raise barriers to access needlessly.

As for client information, we operate in compliance with the GDPR ‘Right to Access’. This is the right of data subjects to obtain confirmation as to whether we are processing their data, where we are processing it and for what purpose. Further, we shall provide, upon request, a copy of their personal data, free of charge in an electronic format.


However, in general, to protect confidential information we implement the following access controls:

    1. Company confidential information:

      • source code and technical data are only accessible by our Technical team,

      • client contact records are accessible by our Engagement and Account Managers,

      • other company confidential information (see above) is accessible by the senior management.

    2. Client confidential information:

      • identifiable personal information is available to our Account and Engagement Managers; our third-party CRM host and data processor is HubSpot,

      • senior management has access to business-sensitive information,

      • the product team has control over product-related information.

    3. In addition, admin privileges to company systems will be restricted to specific, authorised individuals for the proper performance of their duties as follows:

      • Sam Gill (CEO), Greg Fonai (DPO).


  6. Employees

    1. Joiners – When a new employee joins the company, we give them access to our Google Drive; every employee’s access is limited according to their job description (see the examples above).

    2. Leavers – When people leave a project or leave the company, we will promptly revoke their access privileges to company systems.

    3. General Training – We will provide training to new staff and support for existing staff to implement this policy. This includes:

      • An initial introduction to IT security, covering the risks, basic security measures, company policies and where to get help

      • Training on how to use company systems and security software properly

      • On request, a security health check on their computer, tablet or phone

    4. Training – security risks

While technology can prevent many security incidents, our actions and habits are also important. With this in mind, we train our staff to:

      • Take time to learn about IT security and keep ourselves informed. Get Safe Online is a good source for general awareness

      • Use extreme caution when opening email attachments from unknown senders or unexpected attachments from any sender.

      • Be on guard against social engineering, such as attempts by outsiders to persuade you to disclose confidential information, including employee, client or company confidential information. Fraudsters and hackers can be extremely persuasive and manipulative.

      • Be wary of fake websites and phishing emails. Don’t click on links in emails or social media.

      • Do not disclose passwords or other confidential information unless you are sure you are on a legitimate website.

      • Use social media, including personal blogs, in a professional and responsible way, without violating company policies or disclosing confidential information.

      • Take particular care of our computers and mobile devices when we are away from home or out of the office.

      • If anyone is to leave the company, they will return any company property, transfer any company work-related files back to the company and delete all confidential information from systems as soon as is practicable.

      • Where confidential information is stored on paper, ensure it is kept in a secure place where unauthorised people cannot see it, and shred it when it is no longer required.


The following things (among others) are, in general, prohibited on company systems and while carrying out your duties for the company and may result in disciplinary action:

      • Anything that contradicts our equality and diversity policy, including harassment.

      • Circumventing user authentication or security of any system, network or account.

      • Downloading or installing pirated software.

      • Disclosure of confidential information at any time.


    5. Employee (Our) responsibilities

We are personally responsible for the secure handling of confidential information that is entrusted to us. We may access, use or share confidential information only to the extent it is authorised and necessary for the proper performance of our duties. Employees are to promptly report any theft, loss or unauthorised disclosure of protected information or any breach of this policy to Greg Fonai (DPO) and Sam Gill (CEO).

Device control – It is also our employees’ responsibility to use their devices (computer, phone, tablet, etc.) in a secure way. We will provide training and support to enable them to do so (see below). At a minimum, employees should:

      • Remove software that they do not use or need

      • Update operating system and applications regularly

      • Keep computer firewall switched on

      • For Windows users: install anti-malware software (or use the built-in Windows Defender) and keep it up to date. For Mac users: consider getting anti-malware software.

      • Store files in official company storage locations so that they are backed up properly and available in an emergency.

      • Understand the privacy and security settings on your phone and social media accounts

      • Have separate user accounts for other people, including other family members, if they use your computer. Ideally, keep your work computer separate from any family or shared computers.

      • Don’t use an administrator account on your computer for everyday use

      • Make sure your computer and phone log out automatically after 15 minutes and require a password to log back in.

      • Only the nominated member of staff has access to their own laptop, and only they hold its password.

      • Any data transferred must be in password-protected, encrypted files, with the password sent in a separate communication.

Password guidelines


      • Change default passwords and PINs on computers, phones and all network devices

      • Consider using password management software

      • Don’t share your password with other people or disclose it to anyone else

      • Don’t write down PINs and passwords next to computers and phones

      • Use strong passwords

      • Change them regularly

      • Don’t use the same password for multiple critical systems