ThoughtMetric Data Security Policy

1. Purpose

The company must restrict access to confidential and sensitive data to protect it from being lost or compromised in order to avoid adversely impacting our customers, incurring penalties for non-compliance and suffering damage to our reputation. At the same time, we must ensure users can access data as required for them to work effectively.

2. Scope

2.1 In Scope

This data security policy applies to all customer data, personal data, and other company data considered sensitive. It therefore applies to every server, database and IT system that handles such data, including any device that is regularly used for email, web access or other work-related tasks. Every user who interacts with company IT services is also subject to this policy.

2.2 Out of Scope

Information that is classified as Public is not subject to this policy.

3. Policy

3.1 Principles

Customer data is not sold, transmitted, or otherwise shared with any third-party company or partner. The company does not contract with any third-party technical support or development teams. The only persons with access to customer data are employees of the company.

The company shall provide each employee access to only the information they need to carry out their responsibilities as effectively and efficiently as possible. Unredacted customer data is never permitted outside of its secure cloud storage location. Specifically, unredacted data is not allowed on employee computers, laptops, thumb drives, or similar devices and media.

3.2 General

a. Each employee shall be identified by a unique user ID so that individuals can be held accountable for their actions.

b. The use of shared identities is permitted only where they are suitable, such as training accounts or service accounts.

c. Each user shall read this data security policy and the login and logoff guidelines, and sign a statement that they understand the conditions of access.

d. Records of user access may be used to provide evidence for security incident investigations.

e. Access shall be granted based on the principle of least privilege, which means that each program and user will be granted the fewest privileges necessary to complete their tasks.

3.3 Access Control Authorization

Access to company IT resources and services will be given through the provision of a unique user account and complex password. Accounts are provided by the IT department based on records in the HR department.

Passwords are managed by the IT Service Desk. Requirements for password length, complexity and expiration are stated in the company password policy.

3.4 Network Access

a. All employees shall be given network access in accordance with business access control procedures and the least-privilege principle.

3.5 User Responsibilities

a. All users must lock their screens whenever they leave their desks to reduce the risk of unauthorized access.

b. All users must keep their workplace clear of any sensitive or confidential information when they leave.

c. All users must keep their passwords confidential and not share them.

3.6 Application and Information Access

a. All company staff shall be granted access to only the data and applications required for their job roles.

b. All company staff shall access sensitive data and systems only if there is a business need to do so and they have approval from higher management.

c. Sensitive systems shall be physically or logically isolated in order to restrict access to authorized personnel only.

3.7 Access to Confidential and Restricted Information

a. Access to data classified as ‘Confidential’ or ‘Restricted’ shall be limited to authorized persons whose job responsibilities require it, as determined by the Data Security Policy or higher management.

b. The responsibility to implement access restrictions lies with the IT Security department.

4. Technical Guidelines

Access control methods to be used shall include:

Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications and websites, cloud storages, and services.

5. Reporting Requirements

a. Daily incident reports shall be produced and handled within the IT Security department or the incident response team.

b. Weekly reports detailing all incidents shall be produced by the IT Security department and sent to the IT manager or director.

c. High-priority incidents discovered by the IT Security department shall be immediately escalated; the IT manager should be contacted as soon as possible.

6. Ownership and Responsibilities

7. Enforcement

Any user found in violation of this policy is subject to disciplinary action, up to and including termination of employment. Any third-party partner or contractor found in violation may have their network connection terminated.

8. Definitions

This paragraph defines any technical terms used in this policy.